blob: 9bf3c0c383eee0556ce823f505df6e2c4a76f93a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
function loop(f, expected) {
// This is the loop that breaks us.
// At record time, f's parent is a Call object with no fp.
// At second execute time, it is a Call object with fp,
// and all the Call object's dslots are still JSVAL_VOID.
for (var i = 0; i < 9; i++)
assertEq(f(), expected);
}
function C(bad) {
var x = bad;
function f() {
return x; // We trick TR::callProp() into emitting code that gets
// JSVAL_VOID (from the Call object's dslots)
// rather than the actual value (true or false).
}
if (bad)
void (f + "a!");
return f;
}
var obj = {
};
// Warm up and trace with C's Call object entrained but its stack frame gone.
loop(C.call(obj, false), false);
// Sneaky access to f via a prototype method called implicitly by operator +.
Function.prototype.toString = function () { loop(this, true); return "hah"; };
// Fail hard if we don't handle the implicit call out of C to F.p.toString.
C.call(obj, true);
|
