• file
• revisions
• annotate
• diff
• comparison
• raw

js/src/jit-test/tests/basic/testGuardCalleeSneakAttack2.js@6474c204b198 (annotated)

js/src/jit-test/tests/basic/testGuardCalleeSneakAttack2.js

Wed, 31 Dec 2014 06:09:35 +0100

author

Michael Schloh von Bennewitz <michael@schloh.com>

date

Wed, 31 Dec 2014 06:09:35 +0100

changeset 0

6474c204b198

permissions

-rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

michael@0	1	function loop(f, expected) {
michael@0	2	// This is the loop that breaks us.
michael@0	3	// At record time, f's parent is a Call object with no fp.
michael@0	4	// At second execute time, it is a Call object with fp,
michael@0	5	// and all the Call object's dslots are still JSVAL_VOID.
michael@0	6	for (var i = 0; i < 9; i++)
michael@0	7	assertEq(f(), expected);
michael@0	8	}
michael@0	9
michael@0	10	function C(bad) {
michael@0	11	var x = bad;
michael@0	12	function f() {
michael@0	13	return x; // We trick TR::callProp() into emitting code that gets
michael@0	14	// JSVAL_VOID (from the Call object's dslots)
michael@0	15	// rather than the actual value (true or false).
michael@0	16	}
michael@0	17	if (bad)
michael@0	18	void (f + "a!");
michael@0	19	return f;
michael@0	20	}
michael@0	21
michael@0	22	var obj = {
michael@0	23	};
michael@0	24
michael@0	25	// Warm up and trace with C's Call object entrained but its stack frame gone.
michael@0	26	loop(C.call(obj, false), false);
michael@0	27
michael@0	28	// Sneaky access to f via a prototype method called implicitly by operator +.
michael@0	29	Function.prototype.toString = function () { loop(this, true); return "hah"; };
michael@0	30
michael@0	31	// Fail hard if we don't handle the implicit call out of C to F.p.toString.
michael@0	32	C.call(obj, true);