// Copyright 2012 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
//     * Redistributions of source code must retain the above copyright
//       notice, this list of conditions and the following disclaimer.
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials provided
//       with the distribution.
//     * Neither the name of Google Inc. nor the names of its
//       contributors may be used to endorse or promote products derived
//       from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

// Flags: --allow-natives-syntax

// Create elements in a constructor function to ensure map sharing.
function TestConstructor() {
  // Indexed properties 0..2 are assigned here, in the constructor, so every
  // instance is built by the same sequence of stores. All three values are
  // small integers.
  this[0] = 1;
  this[1] = 2;
  this[2] = 3;
}
/**
 * Function under test: inside a single-iteration loop it first stores a new
 * property on `o` and then loads element 0 of `a`, adding it to a sum.
 *
 * The statement order is the point of this regression test and must not be
 * rearranged: the property store on `o` precedes the element load from `a`.
 *
 * @param {Object} o - Receiver of the `newFileToChangeMap` store.
 * @param {Object} a - Object or array whose element 0 is read.
 * @returns {number} 0 plus the value read from `a[0]` (callers in this file
 *     pass numeric elements).
 */
function bad_func(o,a) {
  var s = 0;
  // The loop body runs exactly once; presumably the loop exists so that the
  // optimizing compiler has a loop to hoist code out of (the call-site
  // comments describe the bug as an incorrect hoist).
  for (var i = 0; i < 1; ++i) {
    // Adding this property is the map-changing store the call-site comments
    // refer to.
    o.newFileToChangeMap = undefined;
    // Element load that, per the call-site comments, must stay behind the map
    // check on `a`: the guard has to run before the typed load it protects.
    var x = a[0];
    s += x;
  }
  return s;
}
// First call: run bad_func with a fresh plain object and a TestConstructor
// instance before any optimization is requested.
o = new Object();
a = new TestConstructor();
bad_func(o, a);

// Make sure that we're out of pre-monomorphic state for the member add of
// 'newFileToChangeMap', which causes a map transition.
o = new Object();
a = new TestConstructor();
bad_func(o, a);

// Optimize. Before the fix, the element load and the subsequent tagged-to-i
// conversion were hoisted above the map check; the map check itself cannot be
// hoisted because of the map-changing store.
o = new Object();
a = new TestConstructor();
// Natives-syntax intrinsic; needs the --allow-natives-syntax flag declared in
// the "Flags:" line at the top of this file.
%OptimizeFunctionOnNextCall(bad_func);
bad_func(o, a);

// Pass in an array of doubles. Before the fix, the optimized load and
// tagged-to-i treated part of a double value as a pointer and dereferenced it
// before the map check had executed; that map check is what should have
// triggered the deopt.
o = new Object();
// Pass in an elements buffer where the bit representation of each double is
// two adjacent small 32-bit values with the lowest bit set to one, which
// caused tagged-to-i to SIGSEGV before the fix.
a = [2.122e-314, 2.122e-314, 2.122e-314];
// No assertion is visible after this call; the check appears to be that the
// call returns without crashing.
bad_func(o, a);