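--- a/UNKNOWN_PATH_PLACEHOLDER
+++ b/UNKNOWN_PATH_PLACEHOLDER
@@ -1,65 +1,52 @@
 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 // * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 // * Redistributions in binary form must reproduce the above
 // copyright notice, this list of conditions and the following
 // disclaimer in the documentation and/or other materials provided
 // with the distribution.
 // * Neither the name of Google Inc. nor the names of its
 // contributors may be used to endorse or promote products derived
 // from this software without specific prior written permission.
 //
 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-// Flags: --expose-debug-as debug
-var Debug = debug.Debug;
+// Flags: --expose-gc
 
-function listener(event, exec_state, event_data, data) {
-for (var i = 0, n = exec_state.frameCount(); i < n; i++) {
-exec_state.frame().scopeCount(i);
-}
-exec_state.prepareStep(Debug.StepAction.Continue, 1);
-}
+function KeyedStoreIC(a) { a[0] = Math.E; }
 
-Debug.setListener(listener);
+// Create literal with a fast double elements backing store
+var literal = [1.2];
 
-var F = function () {
-1, function () {
-var d = 0;
-(function () { d; });
-debugger;
-}();
-};
+// Specialize the IC for fast double elements
+KeyedStoreIC(literal);
+KeyedStoreIC(literal);
 
-var src = "(" + F.toString() + ")()";
-eval(src);
+// Trruncate array to 0 elements, at which point backing store will be replaced
+// with empty fixed array.
+literal.length = 0;
 
-Function.prototype.__defineGetter__("f", function () {
-debugger;
-return 0;
-});
+// ArrayPush built-in will replace empty fixed array backing store with 19
+// elements fixed array backing store. This leads to a mismatch between the map
+// and the backing store. Debug mode will crash here in set_elements accessor.
+literal.push(Math.E, Math.E);
 
-var G = function () {
-1, function () {
-var d = 0;
-(function () { d; });
-debugger;
-}['f'];
-};
+// Corrupt the backing store!
+KeyedStoreIC(literal);
 
-var src = "(" + G.toString() + ")()";
-eval(src);
+// Release mode will crash here when trying to visit parts of E as pointers.
+gc();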
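Review bot: The new test has no explicit pass condition — it only passes by not crashing at `literal.push(...)` (debug) or `gc()` (release), and that contract is stated only implicitly in the comments at new lines 43–46 and 51. A one-line header after the `// Flags:` line, `// Regression test: must run to completion without crashing; a map/backing-store mismatch here is a memory-safety bug, not a wrong-value bug.`, would make the intent clear to whoever next touches the file. If this file lives under the mjsunit harness, adding `assertEquals(Math.E, literal[0]);` after `gc();` would additionally catch silent corruption of the backing store rather than relying solely on a crash. The comment at new line 39 misspells the first word; it should read `// Truncate array to 0 elements, at which point backing store will be replaced`. Presumably `Math.E` is used because it is a non-Smi double so the store stays on the fast-double path — worth a short comment next to `KeyedStoreIC` if that is the reason.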