js/src/jit-test/tests/basic/testGuardCalleeSneakAttack.js@6474c204b198
js/src/jit-test/tests/basic/testGuardCalleeSneakAttack.js
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 function loop(f, expected) {
2 // This is the loop that breaks us.
3 // At record time, f's parent is a Call object with no fp.
4 // At second execute time, it is a Call object with fp,
5 // and all the Call object's dslots are still JSVAL_VOID.
6 for (var i = 0; i < 9; i++)
7 assertEq(f(), expected);
8 }
10 function C(bad) {
11 var x = bad;
12 function f() {
13 return x; // We trick TR::callProp() into emitting code that gets
14 // JSVAL_VOID (from the Call object's dslots)
15 // rather than the actual value (true or false).
16 }
17 this.m = f;
18 return f;
19 }
21 var obj = {
22 set m(f) {
23 if (f()) // Call once to resolve x on the Call object,
24 // for shape consistency. Otherwise loop gets
25 // recorded twice.
26 loop(f, true);
27 }
28 };
30 loop(C.call(obj, false), false);
31 C.call(obj, true);
