1 // Copyright 2012 the V8 project authors. All rights reserved. | 1 // Copyright 2012 the V8 project authors. All rights reserved. |
2 // Redistribution and use in source and binary forms, with or without | 2 // Redistribution and use in source and binary forms, with or without |
3 // modification, are permitted provided that the following conditions are | 3 // modification, are permitted provided that the following conditions are |
4 // met: | 4 // met: |
5 // | 5 // |
6 // * Redistributions of source code must retain the above copyright | 6 // * Redistributions of source code must retain the above copyright |
7 // notice, this list of conditions and the following disclaimer. | 7 // notice, this list of conditions and the following disclaimer. |
8 // * Redistributions in binary form must reproduce the above | 8 // * Redistributions in binary form must reproduce the above |
9 // copyright notice, this list of conditions and the following | 9 // copyright notice, this list of conditions and the following |
10 // disclaimer in the documentation and/or other materials provided | 10 // disclaimer in the documentation and/or other materials provided |
29 | 29 |
30 function KeyedStoreIC(a) { a[0] = Math.E; } | 30 function KeyedStoreIC(a) { a[0] = Math.E; } |
31 | 31 |
32 // Create literal with a fast double elements backing store | 32 // Create literal with a fast double elements backing store |
33 var literal = [1.2]; | 33 var literal = [1.2]; |
34 | 34 |
35 // Specialize the IC for fast double elements | 35 // Specialize the IC for fast double elements |
36 KeyedStoreIC(literal); | 36 KeyedStoreIC(literal); |
37 KeyedStoreIC(literal); | 37 KeyedStoreIC(literal); |
38 | 38 |
39 // Trruncate array to 0 elements, at which point backing store will be replaced | 39 // Truncate array to 0 elements, at which point backing store will be replaced |
40 // with empty fixed array. | 40 // with empty fixed array. |
41 literal.length = 0; | 41 literal.length = 0; |
42 | 42 |
43 // ArrayPush built-in will replace empty fixed array backing store with 19 | 43 // ArrayPush built-in will replace empty fixed array backing store with 19 |
44 // elements fixed array backing store. This leads to a mismatch between the map | 44 // elements fixed array backing store. This leads to a mismatch between the map |
45 // and the backing store. Debug mode will crash here in set_elements accessor. | 45 // and the backing store. Debug mode will crash here in set_elements accessor. |
46 literal.push(Math.E, Math.E); | 46 literal.push(Math.E, Math.E); |
47 | 47 |
48 // Corrupt the backing store! | 48 // Corrupt the backing store! |
49 KeyedStoreIC(literal); | 49 KeyedStoreIC(literal); |
50 | 50 |
51 // Release mode will crash here when trying to visit parts of E as pointers. | 51 // Release mode will crash here when trying to visit parts of E as pointers. |
52 gc(); | 52 gc(); |