From 2aa4a82499d4becd2284cdb482213d541b8804dd Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 28 Apr 2024 16:29:10 +0200 Subject: Adding upstream version 86.0.1. Signed-off-by: Daniel Baumann --- .../object/clear-dictionary-accessor-getset.js | 55 ++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 js/src/tests/non262/object/clear-dictionary-accessor-getset.js (limited to 'js/src/tests/non262/object/clear-dictionary-accessor-getset.js') diff --git a/js/src/tests/non262/object/clear-dictionary-accessor-getset.js b/js/src/tests/non262/object/clear-dictionary-accessor-getset.js new file mode 100644 index 0000000000..f0d9e11ca6 --- /dev/null +++ b/js/src/tests/non262/object/clear-dictionary-accessor-getset.js @@ -0,0 +1,55 @@ +/* + * Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/licenses/publicdomain/ + */ + +var gTestfile = "clear-dictionary-accessor-getset.js"; +var BUGNUMBER = 1082662; +var summary = + "Properly handle GC of a dictionary accessor property whose [[Get]] or " + + "[[Set]] has been changed to |undefined|"; + +print(BUGNUMBER + ": " + summary); + +/************** + * BEGIN TEST * + **************/ + +function test(field) +{ + var prop = "[[" + field[0].toUpperCase() + field.substring(1) + "]]"; + print("Testing for GC crashes after setting " + prop + " to undefined..."); + + function inner() + { + // Create an object with an accessor property. + var obj = { x: 42, get y() {}, set y(v) {} }; + + // 1) convert it to dictionary mode, in the process 2) creating a new + // version of that accessor property whose [[Get]] and [[Set]] are objects + // that trigger post barriers. + delete obj.x; + + var desc = {}; + desc[field] = undefined; + + // Overwrite [[field]] with undefined. Note #1 above is necessary so this + // is an actual *overwrite*, and not (possibly) a shape-tree fork that + // doesn't overwrite. + Object.defineProperty(obj, "y", desc); + + } + + inner(); + gc(); // In unfixed code, this crashes trying to mark a null [[field]]. +} + +test("get"); +test("set"); + +/******************************************************************************/ + +if (typeof reportCompare === "function") + reportCompare(true, true); + +print("Tests complete"); -- cgit v1.2.3