The Tor Browser / file comparison
comparison: js/src/jit-test/tests/basic/bigLoadStoreDisp.js
js/src/jit-test/tests/basic/bigLoadStoreDisp.js
- branch
- TOR_BUG_3246
- changeset 7
- 129ffea94266
equal
deleted
inserted
replaced
| -1:000000000000 | 0:9749471f22d0 |
|---|---|
| 1 // In Nanojit, loads and stores have a maximum displacement of 16-bits. Any | |
| 2 // displacements larger than that should be split off into a separate | |
| 3 // instruction that adds the displacement to the base pointer. This | |
| 4 // program tests if this is done correctly. | |
| 5 // | |
| 6 // x.y ends up having a dslot offset of 79988, because of the 20000 array | |
| 7 // elements before it. If Nanojit incorrectly stores this offset into a | |
| 8 // 16-bit value it will truncate to 14452 (because 79988 - 65536 == 14452). | |
| 9 // This means that the increments in the second loop will be done to one of | |
| 10 // the array elements instead of x.y. And so x.y's final value will be | |
| 11 // (99 + 8) instead of 1099. | |
| 12 // | |
| 13 // Note that setting x.y to 99 and checking its value at the end will | |
| 14 // access the correct location because those lines are interpreted. Phew. | |
| 15 | |
| 16 var x = {} | |
| 17 for (var i = 0; i < 20000; i++) | |
| 18 x[i] = 0; | |
| 19 x.y = 99; // not traced, correctly accessed | |
| 20 | |
| 21 for (var i = 0; i < 1000; ++i) { | |
| 22 x.y++; // traced, will access an array elem if disp was truncated | |
| 23 } | |
| 24 assertEq(x.y, 1099); // not traced, correctly accessed | |
| 25 |
