From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 21:33:14 +0200
Subject: Adding upstream version 115.7.0esr.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 js/src/jit-test/tests/auto-regress/bug1765249.js | 34 ++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 js/src/jit-test/tests/auto-regress/bug1765249.js

(limited to 'js/src/jit-test/tests/auto-regress/bug1765249.js')

diff --git a/js/src/jit-test/tests/auto-regress/bug1765249.js b/js/src/jit-test/tests/auto-regress/bug1765249.js
new file mode 100644
index 0000000000..9c6ae09b92
--- /dev/null
+++ b/js/src/jit-test/tests/auto-regress/bug1765249.js
@@ -0,0 +1,34 @@
+  // |jit-test| --fast-warmup; --no-threads
+
+function main() {
+  // Disable Warp compilation, so we don't inline |f|.
+  with ({}) {}
+
+  let begin = 0;
+  for (let i = 1; i < 30; i++) {
+    f(begin);
+    begin = undefined;
+  }
+}
+main();
+
+function g(i) {
+  return i < 3;
+}
+
+function f(begin) {
+  // Loop body is only reachable on the first invocation.
+  for (let i = begin; i < 5; i++) {
+    // |arguments| with out-of-bounds access. This adds a guard on the prototype
+    // of the arguments object.
+    arguments[100];
+
+    // Loop with a call expression. This ensures we emit bail instructions for
+    // unreachable code after the first invocation.
+    for (let j = 0; g(j); j++) {}
+
+    // Change the prototype of the arguments object. This will cause a failure
+    // on the prototype guard added above.
+    arguments.__proto__ = {};
+  }
+}
-- 
cgit v1.2.3