v8/test/mjsunit/compiler/call-with-arraylike-or-spread-5.js
Paolo Severini 9fa7ce514e [turbofan] Fix iterator-generator issue with --turbo-optimize-apply
Fuzzing found a problem with --turbo-optimize-apply when the
Array.prototype iterator is replaced with a generator function.
We can the issue by installing a protector on the array iterator.

This CL also defines the --turbo-optimize-apply as 'future' to get
more test coverage.

Bug: v8:9974
Change-Id: Id5bc68fde98ea5d1f6a951c4381ca6283b892632
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2966058
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75197}
2021-06-17 06:40:30 +00:00

56 lines
1.7 KiB
JavaScript

// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --turbo-optimize-apply --opt
// These tests do not work well if this script is run more than once (e.g.
// --stress-opt); after a few runs the whole function is immediately compiled
// and assertions would fail. We prevent re-runs.
// Flags: --nostress-opt --no-always-opt
// Some of the tests rely on optimizing/deoptimizing at predictable moments, so
// this is not suitable for deoptimization fuzzing.
// Flags: --deopt-every-n-times=0
// Test for optimization of CallWithSpread when the array iterator is replaced
// with a generator function.
//
// Note: this test must be in a separate file because the test invalidates a
// protector, which then remains invalidated.
(function () {
"use strict";
// This invalidates the DependOnArrayIteratorProtector.
Object.defineProperty(Array.prototype, Symbol.iterator, {
value: function* () {
yield 42;
},
});
var log_got_interpreted = true;
function log(a) {
assertEquals(1, arguments.length);
log_got_interpreted = %IsBeingInterpreted();
return a;
}
function foo() {
return log(...[1]);
}
%PrepareFunctionForOptimization(log);
%PrepareFunctionForOptimization(foo);
assertEquals(42, foo());
assertTrue(log_got_interpreted);
// Compile foo.
%OptimizeFunctionOnNextCall(log);
%OptimizeFunctionOnNextCall(foo);
assertEquals(42, foo());
// The call with spread should not have been inlined, because of the
// generator/iterator.
assertFalse(log_got_interpreted);
assertOptimized(foo);
})();