| description( |
| "Regression test for https://webkit.org/b/139533. This test should not crash." |
| ); |
| |
| function outer(index, obj) |
| { |
| function inner(arg) |
| { |
| return arg + obj.addend; |
| } |
| |
| return inner(index); |
| } |
| |
| obj = { addend : 1 }; |
| |
| // Create an object that will require calling defaultValue which is a native function call |
| function MyNumber() |
| { |
| } |
| MyNumber.prototype.toString = function() { return ""; }; |
| |
| var limit = 1000; |
| var result = 0; |
| |
| for (var i = 0; i < limit; ++i) { |
| // The problem fixed in bug 139533 was that the ScopeChain slot of the call frame header |
| // is not being restored by OSR exit handler (nor should it). In some cases, especially |
| // when we inline we end up overwriting the memory with some other value. |
| // After tiering up into the DFG, change the "addend" of obj. This will do two things: |
| // 1) We should OSR exit with a BadType (addend is no longer an integer) |
| // 2) In the next call to inner, we will call jsAddSlowCase which will make a |
| // native call to get the default value of obj.addend. |
| // The OSR exit handler will not restore the ScopeChain slot in the header therefore |
| // the value might be anything. The native call will copy the ScopeChain slot from |
| // inner to the frame for the native call. |
| if (i == limit - 10) |
| obj.addend = new MyNumber(); |
| |
| result = outer(i, obj); |
| } |