From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 02:47:55 +0200 Subject: Adding upstream version 124.0.1. Signed-off-by: Daniel Baumann --- js/src/jit-test/tests/ion/bug1568397.js | 50 +++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 js/src/jit-test/tests/ion/bug1568397.js (limited to 'js/src/jit-test/tests/ion/bug1568397.js') diff --git a/js/src/jit-test/tests/ion/bug1568397.js b/js/src/jit-test/tests/ion/bug1568397.js new file mode 100644 index 0000000000..c03bb0283d --- /dev/null +++ b/js/src/jit-test/tests/ion/bug1568397.js @@ -0,0 +1,50 @@ +// |jit-test| error:TypeError: can't access property +let obj = {x: 1}; +obj.x = 1.1; + +function Foo(val, phase){ + if (phase == 3) { + // Phase 3: Modify the prototype of this constructor. + Foo.prototype.__proto__ = proto; + } + + // Phase 4: Trigger the getter on the new proto. + this.d; + + this.c = val; + + if (phase == 2) { + // Phase 2: Stash |this| in a global variable. + g_partial = this; + + // Trigger Phase 3. + new Foo(1.1, 3); + } + this.b = 2.2; +} + +let proto = {get d() { + function accessC(arg){ + var tmp = arg.c; + return tmp.x; + } + + // Phase 5: Ion-compile |accessC|, using the stashed |this| from phase 2. + // This is a partially initialized object with a C property but not a B + // property. + for (var i = 0; i < 100000; i++) { + accessC(g_partial); + } + + // Phase 6: call |accessC| with |this|, which is a partially initialized + // object *without* a C (and B) property. + x = accessC(this); +}}; + +// Phase 1: Warm up the |Foo| constructor with normal data. +for(let i = 0;i < 100;i++){ + new Foo(obj, 1); +} + +// Trigger Phase 2. +new Foo(obj, 2); -- cgit v1.2.3