AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
b29993f419
v8/test/mjsunit/regress/regress-crbug-935932.js
Matt Gardner 803ad32414 Reland "Optimize in operator" 
The original was reverted for breaking webkit layout tests:
https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8-Blink%20Linux%2064/30270

It also caused the following clusterfuzz failures:

chromium:935832
This was a correctness bug due to not properly handling the case of arrays with prototypes other
than Array.prototype. Accesses that were TheHole were not being handled property, both in bounds
holes in holey arrays and out of bounds on either holey or packed arrays. Handling was incorrect
both in access-assembler and in Turbofan.

chromium:935932
This bug was that there was no handling for Has checks on the global object. Turbofan was emitting
code for a store (the 'else' condition on 'access_mode == AccessMode::kLoad'). It hit a DCHECK in
debug builds but in release could show up in different places. This is the bug that caused the
webkit layout test failure that led to the revert.

Both bugs are fixed by in CL, and tests are added for those cases.

Bug: v8:8733, chromium:935932, chromium:935832
Change-Id: Iba0dfcfce6e15d2c0815a7670ece67bc13ba1925
Reviewed-on: https://chromium-review.googlesource.com/c/1493132
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Matt Gardner <magardn@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#59958}
2019-03-01 09:01:18 +00:00

91 lines
2.4 KiB
JavaScript
Raw Blame History

// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function test(func, expect) {
assertTrue(func() == expect);
%OptimizeFunctionOnNextCall(func);
assertTrue(func() == expect);
}
// Check loading a constant off the global.
var v0 = 10;
function check_v0() { return "v0" in this; }
test(check_v0, true);
// make it non-constant.
v0 = 0;
test(check_v0, true);
// test a missing value.
function check_v1() { return "v1" in this; }
test(check_v1, false);
this.v1 = 3;
test(check_v1, true);
delete this.v1;
test(check_v1, false);
// test undefined.
var v2;
function check_v2() { return "v2" in this; }
test(check_v2, true);
// test a constant object.
var v3 = {};
function check_v3() { return "v3" in this; }
test(check_v3, true);
// make the object non-constant.
v3 = [];
test(check_v3, true);
// test non-configurable
Object.defineProperty(this, "v4", { value: {}, configurable: false});
function check_v4() { return "v4" in this; }
test(check_v4, true);
// Test loading from arrays with different prototypes.
(function() {
function testIn(index, array) {
return index in array;
}
let a = [];
a.__proto__ = [0,1,2];
a[1] = 3;
// First load will set IC to Load handle with allow hole to undefined conversion false.
assertTrue(testIn(0, a));
// Second load will hit ICMiss when hole is loaded. Seeing the same map twice, the IC will be set megamorphic.
assertTrue(testIn(0, a));
%OptimizeFunctionOnNextCall(testIn);
// Test JIT to ensure proper handling.
assertTrue(testIn(0, a));
%ClearFunctionFeedback(testIn);
%DeoptimizeFunction(testIn);
// First load will set IC to Load handle with allow hole to undefined conversion false.
assertTrue(testIn(0, a));
%OptimizeFunctionOnNextCall(testIn);
// Test JIT to ensure proper handling if hole is loaded.
assertTrue(testIn(0, a));
// Repeat the same testing for access out-of-bounds of the array, but in bounds of it's prototype.
%ClearFunctionFeedback(testIn);
%DeoptimizeFunction(testIn);
assertTrue(testIn(2, a));
assertTrue(testIn(2, a));
%OptimizeFunctionOnNextCall(testIn);
assertTrue(testIn(2, a));
%ClearFunctionFeedback(testIn);
%DeoptimizeFunction(testIn);
assertTrue(testIn(2, a));
%OptimizeFunctionOnNextCall(testIn);
assertTrue(testIn(2, a));
})();
Reference in New Issue View Git Blame Copy Permalink