// Test banner; description() is supplied by the test harness, not this file.
description("Regression test for https://webkit.org/b/139533. This test should not crash.");
// Regression shape for bug 139533: `inner` is a closure that reads `obj.addend`
// from the enclosing frame, and `outer` immediately calls it with `index`.
// The nested call is the one the loop below expects to be inlined after
// tier-up, so do not flatten or restructure this pair -- the test would
// silently stop exercising the OSR-exit path it was written for.
function outer(index, obj)
{
    function inner(arg)
    {
        // Integer add while addend is 1; once the loop below swaps addend for
        // a MyNumber this becomes the slow add path described there.
        return arg + obj.addend;
    }

    return inner(index);
}
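// Shared operand for every outer() call. Declared with var so it is an
// explicit global rather than an implicit one created as a side effect of
// the assignment; the loop below reassigns obj.addend in place.
var obj = { addend : 1 };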
// Create an object that will require calling defaultValue which is a native function call
// A MyNumber has no own valueOf, so presumably the engine's ToPrimitive falls
// through to this toString, and `arg + obj.addend` turns into a string concat
// with "" instead of an integer add.
function MyNumber()
{
}
MyNumber.prototype.toString = function() { return ""; };
// Value of the most recent outer() call; kept so the add is not dead code.
var result = 0;
// Number of outer() calls. The loop below expects to have tiered up before
// i reaches limit - 10, where the addend's type is switched.
var limit = 1000;
// Warm the outer/inner pair until it tiers up, then change the addend's type
// late in the run so the optimized code has to OSR exit and take the slow add
// path. The test passes by simply not crashing.
for (var i = 0; i < limit; ++i) {
    // The problem fixed in bug 139533 was that the ScopeChain slot of the call frame header
    // is not being restored by OSR exit handler (nor should it). In some cases, especially
    // when we inline we end up overwriting the memory with some other value.
    // After tiering up into the DFG, change the "addend" of obj. This will do two things:
    // 1) We should OSR exit with a BadType (addend is no longer an integer)
    // 2) In the next call to inner, we will call jsAddSlowCase which will make a
    //    native call to get the default value of obj.addend.
    // The OSR exit handler will not restore the ScopeChain slot in the header therefore
    // the value might be anything. The native call will copy the ScopeChain slot from
    // inner to the frame for the native call.
    //
    // NOTE(review): a stale ScopeChain slot propagated into a native frame is
    // presumably a memory-safety issue rather than a benign crash, so keep the
    // exact shape of this loop (the late switch at limit - 10, the call through
    // outer) to preserve the reproduction.
    if (i == limit - 10)
        obj.addend = new MyNumber();

    // Store the result so the add cannot be treated as dead code.
    result = outer(i, obj);
}