AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
17e80e76e7
v8/test/mjsunit/regress
History
kmillikin@chromium.org 3c0d77f32e Fix stack corruption when calling non-function. 
Fix for issue 603.

Revision r3484 removed the property name from the call stack for
call ICs.  When a non-function was called via a call IC and
Function.prototype.call, an extra value was left on the stack that the
caller could not know to clean up.

Fix is to change the JS builtin used for calling non-functions.  It
now gets the callee as receiver, rather than iterating stack frames
and finding it on the expression stack of its JS caller.

Review URL: http://codereview.chromium.org/604064

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3882 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2010-02-17 08:26:50 +00:00
..
regress-6-9-regexp.js Fix regexp bug reported by Ian where [6-9] would match any digit. 2009-06-20 17:57:09 +00:00
regress-35.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-57.js Quick fix: copyright header 2008-09-10 13:05:26 +00:00
regress-69.js Fix http://code.google.com/p/v8/issues/detail?id=69 : 2008-09-16 11:23:02 +00:00
regress-74.js Change the handling of catch blocks to use context extension objects 2009-01-16 09:42:08 +00:00
regress-86.js Fix issue 86 by keeping track of the fact that finally blocks 2008-10-01 07:43:00 +00:00
regress-87.js Regular Expression literal flags may contain unicode escapes. If these escape any of the 2009-02-12 09:09:28 +00:00
regress-91.js Fix for issue 91 (http://code.google.com/p/v8/issues/detail?id=91) 2009-01-07 09:58:58 +00:00
regress-114.js Fixed bug 114 2008-10-14 09:13:23 +00:00
regress-116.js Fix issue 116 by returning the value from SetFastElement. 2008-10-17 06:36:35 +00:00
regress-124.js Remove special-case for arguments.toString to match ES5 2009-11-11 11:28:37 +00:00
regress-137.js If a HeapNumber is the incoming value, it must be converted to Smi before 2008-11-03 13:33:13 +00:00
regress-149.js Merge regexp2000 back into bleeding_edge 2008-11-25 11:07:48 +00:00
regress-171.js Fix for issue 171: 2009-01-07 23:26:31 +00:00
regress-176.js Added clearing of captures before entering the body of a loop. This 2009-01-14 11:32:23 +00:00
regress-186.js Fix issue 186: 2009-01-14 12:13:26 +00:00
regress-187.js Irregexp: Backtrack past look-aheads works correctly. 2009-01-26 14:38:17 +00:00
regress-189.js Fix handling of const initialization. We did not handle the fact that 2009-01-22 13:53:06 +00:00
regress-191.js Fix issue 191: 2009-01-15 11:31:08 +00:00
regress-192.js Fix issue 192 by propagating out exceptions from object literal 2009-01-26 13:10:26 +00:00
regress-193.js Make sure that eval and try-catch introduced context extension objects 2009-01-23 12:16:03 +00:00
regress-201.js Do not violate the assumption that fast-case arrays have Smi length 2009-01-23 13:08:29 +00:00
regress-219.js Allow duplicate flags in regexps to match other browsers. 2009-01-30 12:36:40 +00:00
regress-220.js Follow the spec in disallowing function declarations without a name. We 2009-10-02 12:47:15 +00:00
regress-221.js Fix issue 221: 2009-02-02 13:18:20 +00:00
regress-225.js Fix bug 225 in regexp replace with function. 2009-02-05 13:24:13 +00:00
regress-227.js Issue 227 Fixed. Properly handles non-ASCII characters in quick-check on ASCII strings. 2009-02-11 11:54:30 +00:00
regress-231.js Issue 231 - Irregexp backtracking stack pointer could become corrupted. 2009-02-12 13:07:58 +00:00
regress-233.js Missing handle check. Triggers bug if the runtime stack overflows and it is detected by a global regexp. 2009-02-13 09:40:15 +00:00
regress-244.js X64: Fix bug in left-shift. 2009-07-09 08:00:12 +00:00
regress-246.js Add regression test case for http://crbug.com/18639 which 2009-09-08 07:22:35 +00:00
regress-253.js Fixed issue 253. No longer assuming that the target of a property lookup is a JSObject. 2009-03-04 11:57:24 +00:00
regress-254.js Add regression test case for http://crbug.com/18639 which 2009-09-08 07:22:35 +00:00
regress-259.js Reapply r1434 and port to ARM. 2009-03-06 14:18:03 +00:00
regress-260.js Work around issue 260 for now by disabling duplication of the loop 2009-03-09 14:12:20 +00:00
regress-263.js Fix issue 263: 2009-03-09 10:51:57 +00:00
regress-265.js Fix issue 265 by handling extra statement state on the frame based on 2009-03-11 06:17:19 +00:00
regress-267.js Issue 267: Calls to arguments in eval-tainted function scope uses global object as receiver. 2009-03-10 12:28:34 +00:00
regress-269.js Fixed the step in handling for function.apply. 2009-04-07 09:54:53 +00:00
regress-279.js Reapply revisions 1432, 1433, 1469 and 1472 while fixing issue 279. 2009-03-23 07:27:47 +00:00
regress-284.js Fix issue 284. 2009-03-24 08:29:24 +00:00
regress-286.js Fix issue 286. Ensure frame elements are invalidated by 2009-03-24 12:42:28 +00:00
regress-294.js Fix issue 294 by ensuring that we don't lose the copy flag on memory 2009-03-31 14:01:25 +00:00
regress-312.js Change the function name collector to tolerate expressions that contain 2009-04-15 13:14:23 +00:00
regress-317.js Fix for Issue 317 - bug in string.replace(string, "$foo"). 2009-04-22 11:43:05 +00:00
regress-318.js Fix regression test by wrapping expression in a thunk^H^H^H^H^Hstring. 2009-04-22 17:44:28 +00:00
regress-326.js Fix Issue 326. Handle sorting of non-array objects correctly. 2009-04-27 11:16:59 +00:00
regress-334.js Fix bug 344: always keep attributes of existing properties. 2009-05-13 10:46:28 +00:00
regress-341.js Fix for issue 341. In the stub for instanceof, we could try to read 2009-05-12 11:40:14 +00:00
regress-345.js Fix issue 345 by avoiding duplicates in the list of escaping labels 2009-07-15 08:57:25 +00:00
regress-349.js Fix for issue 349: Make initial boundary check for BM text search. 2009-05-19 09:01:03 +00:00
regress-351.js Fix for issue 351 - lastIndexOf. 2009-05-26 15:42:06 +00:00
regress-386.js Fix issue 386, a bug in JSObject::ReplaceSlowProperty with constant transitions. 2009-06-22 07:41:15 +00:00
regress-392.js Fix issue 392 by disabling the TakeValue optimization for 2009-06-29 06:20:52 +00:00
regress-394.js Handle JavaScript accessors on the global object. 2009-07-01 11:20:33 +00:00
regress-396.js Add regression test case for issue 396. 2009-07-02 09:08:15 +00:00
regress-397.js Fix issue 397 and issue 399. 2009-07-07 11:57:09 +00:00
regress-399.js Fix issue 397 and issue 399. 2009-07-07 11:57:09 +00:00
regress-406.js Fix ARM compiler crash in short-circuited boolean expressions. 2009-07-23 11:40:14 +00:00
regress-416.js Add safe handling of NaN to Posix platform-dependent time functions. 2009-08-04 09:41:18 +00:00
regress-475.js Fix issue 475 2009-10-20 12:13:31 +00:00
regress-483.js Fix issue with running some constructors having only this.x = ... assignments. 2009-10-23 12:18:47 +00:00
regress-485.js Issue 485: Fix leak of builtins object through call and apply functions. 2009-10-28 13:51:30 +00:00
regress-486.js Fix bug 486, Cyrillic character ranges in case independent regexps. 2009-11-06 11:15:20 +00:00
regress-490.js Don't use string slices when processing RexExp replace (re-apply r3153) 2009-11-02 12:21:43 +00:00
regress-491.js Fix issue 491: constantpool dump violates ARM debugger assertion for return point 2009-11-04 14:45:50 +00:00
regress-492.js Fix xssue 492: ARM debug crash: mozilla/ecma/FunctionObjects/15.3.1.1-3 2009-11-04 10:04:22 +00:00
regress-496.js Fix case where we treat an unaliased call to eval as an aliased call 2009-11-05 11:19:37 +00:00
regress-502.js Fix inline constructor code bailout. 2009-11-11 09:00:09 +00:00
regress-503.js Fix bug 503: undefined <= undefined should return false on ARM. 2009-11-16 14:12:27 +00:00
regress-515.js Fix crash in string replace with regexp. If the suffix of the subject 2009-11-18 18:48:04 +00:00
regress-524.js Extend the maximum size map space 2009-12-17 08:53:18 +00:00
regress-526.js Fix bug in the fast compiler's object literal code 2009-11-26 21:13:20 +00:00
regress-540.js The toplevel code generator assumed that declarations did not shadow 2009-12-07 13:31:47 +00:00
regress-545.js Fix for issue 545: don't reuse this VariableProxy. 2009-12-08 09:43:51 +00:00
regress-580.js Fix V8 issue 580: Arithmetic on some integer constants gives wrong anwers. 2010-01-20 17:01:34 +00:00
regress-603.js Fix stack corruption when calling non-function. 2010-02-17 08:26:50 +00:00
regress-612.js Normalize the object before updating getter/setter info. 2010-02-17 06:53:19 +00:00
regress-155924.js Fix an error in a keyed lookup stub - HeapNumbers treated as strings. 2009-07-23 13:01:17 +00:00
regress-588599.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-662254.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-666721.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-667061.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-670147.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-674753.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-676025.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-678525.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-682649.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-734862.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-737588.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-780423.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-799761.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-806473.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-842017.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-874178.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-875031.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-877615.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-892742.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-900055.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-900966.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-925537.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-937896.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-990205.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-992733.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-996542.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-998565.js Changed the debugger API to allow only one debug event listener to be registered. The public API now only has SetDebugEventListener instead of AddDebugEventListener and RemoveDebugEventListener. 2009-02-03 07:59:12 +00:00
regress-1030466.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1036894.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1039610.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1050043.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1062422.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1066899.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1081309.js Redo "running" field in debug-delay.js and support "suspend" command 2009-10-15 20:06:08 +00:00
regress-1102760.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1110164.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1112051.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1114040.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1134697.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1170187.js Changed the debugger API to allow only one debug event listener to be registered. The public API now only has SetDebugEventListener instead of AddDebugEventListener and RemoveDebugEventListener. 2009-02-03 07:59:12 +00:00
regress-1173979.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1175390.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1177518.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1177809.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1178598.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1182832.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1187524.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1199401.js X64: Convert smis to holding 32 bits of payload. 2009-10-08 12:36:12 +00:00
regress-1199637.js This change removes the %AddProperty native JavaScript function from V8. 2008-10-03 12:14:29 +00:00
regress-1200351.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1201933.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1203459.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1207276.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1213516.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1213575.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1215653.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1254366.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1327557.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1341167.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1346700.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-1439135.js Fix bug 1439135 (slicedstring on constring not flat) 2008-10-21 08:08:17 +00:00
regress-1493017.js Simplify the map collection regression test. This test is the minimal 2009-03-10 07:23:22 +00:00
regress-1919169.js Fix bug in static type inference for loops. 2009-06-22 12:36:01 +00:00
regress-2249423.js Add a regression test that exposes a stack corruption problem. 2009-11-13 13:58:48 +00:00
regress-20070207.js Changed copyright header from google inc. to v8 project authors. 2008-09-09 20:08:45 +00:00
regress-crbug-3184.js Fix build problems. 2010-01-15 20:15:47 +00:00
regress-crbug-3867.js Handle insertion order for simple constructors 2010-02-02 13:33:29 +00:00
regress-crbug-18639.js Add regression test case for http://crbug.com/18639 which 2009-09-08 07:22:35 +00:00
regress-r3391.js Fix toLocaleString-related breakage on buildbot. 2009-12-01 14:19:23 +00:00