// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Returns a closure that makes a call to a local helper. The call site is what
// gives the returned closure a call IC slot in its feedback vector, which the
// regression scenario below depends on.
function f() {
  const identity = function (value) {
    return value;
  };
  // The closure contains a call IC slot (the call to `identity`).
  return function () {
    return identity(42);
  };
}
// Regression scenario: two closures created in different realms share one
// SharedFunctionInfo (SFI); one of them is run so that SFI::code exists, then
// block code coverage is toggled on, which deoptimizes all functions.
// `Realm.create` / `Realm.eval` are provided by the host shell, and
// `%DebugToggleBlockCoverage` is a natives-syntax intrinsic (hence the
// `--allow-natives-syntax` flag at the top of the file).
const a = Realm.create();
const b = Realm.create();

// Create two closures in different contexts sharing the same
// SharedFunctionInfo (shared due to code caching).
// Each realm evaluates the source text of `f` followed by a call to it, so
// `x` and `y` are the closures returned by `f` in realms `a` and `b`.
const x = Realm.eval(a, f.toString() + " f()");
const y = Realm.eval(b, f.toString() + " f()");

// Run the first closure to create SFI::code.
x();

// At this point, SFI::code is set and `x` has a feedback vector (`y` does not).

// Enabling block code coverage deoptimizes all functions and triggers the
// buggy code path in which we'd unconditionally replace JSFunction::code with
// its SFI::code (but skip feedback vector setup).
%DebugToggleBlockCoverage(true);

// Still no feedback vector set on `y` but it now contains code. Run it to
// trigger the crash when attempting to write into the non-existent feedback
// vector.
// NOTE(review): no assertion follows; the expected outcome appears to be
// simply that this call completes without crashing.
y();