0f94c96cbc
The test demonstrates a bad interaction between arguments object materialization, escape analysis and exception handling. We can return a wrong arguments object if we materialize arguments object (using f.arguments) and then throw around f's frame so that f does not clean up the materialized frame information (see the MaterializedObjectStore in deoptimizer.h/.cc). If we enter another function that has the same frame pointer and request an arguments object of (or lazily deoptimize) that function, we can get the materialized object of the original function. We should clean up the materialized object store when we unwind the stack. BUG=v8:3985 LOG=n Review URL: https://codereview.chromium.org/1032623003 Cr-Commit-Position: refs/heads/master@{#27406}
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Global switch read by h(). It is false during the warm-up calls, so h()
// returns normally, and is set to true before the optimized calls, so h()
// throws its result instead.
var shouldThrow = false;
// Reads the first argument of the currently active call to g through the
// non-standard g.arguments accessor and yields that argument's x property.
// The value is returned when shouldThrow is false and thrown when it is true,
// so in the second case it leaves h, g and the caller by stack unwinding.
function h() {
  try { // Prevent inlining in Crankshaft.
  } catch(e) { }
  // Accessing g.arguments is what makes the engine materialize an arguments
  // object for g's frame (the situation regression v8:3985 is about).
  var res = g.arguments[0].x;
  if (shouldThrow) {
    // A primitive is thrown, so the catch blocks at the bottom of the file
    // can compare the caught value directly.
    throw res;
  }
  return res;
}
// Intermediate frame whose arguments object h() inspects. g does not pass o
// on to h; h reaches it only through g.arguments. Returns undefined.
function g(o) { h(); }
// Allocates a fresh object with x = 1, passes it to g and returns its x.
// When shouldThrow is set, the call to g throws 1 and the return is never
// reached.
function f1() {
  // NOTE(review): presumably kept as a local literal so that escape analysis
  // can act on it once f1 is optimized; confirm against v8:3985.
  var o = { x : 1 };
  g(o);
  return o.x;
}
// Same shape as f1 but with x = 2, so the two callers can be told apart by
// the value that h() reads out of g's arguments object.
function f2() {
  // NOTE(review): presumably kept as a local literal so that escape analysis
  // can act on it once f2 is optimized; confirm against v8:3985.
  var o = { x : 2 };
  g(o);
  return o.x;
}
// Warm-up: run both callers twice with shouldThrow still false, so h()
// returns normally.
f1();
f2();
f1();
f2();
// Request optimized code for the next call of each caller. These natives
// need the --allow-natives-syntax flag.
%OptimizeFunctionOnNextCall(f1);
%OptimizeFunctionOnNextCall(f2);
// From here on h() throws the value it read instead of returning it.
shouldThrow = true;
// Each caught value must be the x of the object that this caller allocated.
// NOTE(review): the assertions run only inside the catch blocks, so a call
// that returned normally would pass without checking anything.
// NOTE(review): mjsunit's assertEquals takes (expected, found); the arguments
// are swapped here, which should affect only the failure message.
try { f1(); } catch(e) {
  assertEquals(e, 1);
}
// A materialized arguments object left over from the f1() call above would
// presumably show up here as 1 instead of 2 (the v8:3985 failure mode).
try { f2(); } catch(e) {
  assertEquals(e, 2);
}