js/src/jit-test/tests/basic/testGuardCalleeSneakAttack2.js

changeset 0
6474c204b198
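--- /dev/null
+++ b/js/src/jit-test/tests/basic/testGuardCalleeSneakAttack2.js
@@ -0,0 +1,32 @@
+function loop(f, expected) {
+   // This is the loop that breaks us.
+   // At record time, f's parent is a Call object with no fp.
+   // At second execute time, it is a Call object with fp,
+   // and all the Call object's dslots are still JSVAL_VOID.
+   for (var i = 0; i < 9; i++)
+       assertEq(f(), expected);
+}
+
+function C(bad) {
+   var x = bad;
+   function f() {
+       return x;  // We trick TR::callProp() into emitting code that gets
+                  // JSVAL_VOID (from the Call object's dslots)
+                  // rather than the actual value (true or false).
+   }
+   if (bad)
+       void (f + "a!");
+   return f;
+}
+
+var obj = {
+};
+
+// Warm up and trace with C's Call object entrained but its stack frame gone.
+loop(C.call(obj, false), false);
+
+// Sneaky access to f via a prototype method called implicitly by operator +.
+Function.prototype.toString = function () { loop(this, true); return "hah"; };
+
+// Fail hard if we don't handle the implicit call out of C to F.p.toString.
+C.call(obj, true);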
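Review bot: The final `C.call(obj, true);` passes vacuously if the implicit `Function.prototype.toString` call never happens, because nothing after it checks that the overriding function at line 1.32 actually ran — the test would then miss exactly the "sneak attack" path it exists to cover. A small flag closes the gap: declare `var sneaked = false;` before the override, set `sneaked = true;` inside the replacement toString before `loop(this, true);`, and finish the file with `assertEq(sneaked, true);`. The inner `loop(this, true)` calls would still be the first line of defence, but the flag makes a silently skipped conversion fail rather than pass. `assertEq` here is the jit-test shell builtin, so the extra assertion needs no new helper.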
