Reviewers: Michael Starzinger,

Message:
Could you take a look, please?

Description:
Test for wrong arguments object materialization.

The test demonstrates a bad interaction between arguments object
materialization, escape analysis and exception handling.

We can return a wrong arguments object if we materialize the arguments
object (using f.arguments) and then throw around f's frame so that f
does not clean up the materialized frame information (see the
MaterializedObjectStore in deoptimizer.h/.cc). If we enter another
function that has the same frame pointer and request an arguments object
of (or lazily deoptimize) that function, we can get the materialized
object of the original function.

We should clean up the materialized object store when we unwind the
stack.

BUG=v8:3985
LOG=n

Please review this at https://codereview.chromium.org/1032623003/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+49, -0 lines):
  M test/mjsunit/mjsunit.status
  A test/mjsunit/regress/regress-3985.js


Index: test/mjsunit/mjsunit.status
diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
index 9bb41d0bcd7d5698787776fae0cf3574eeacdf01..3485dbb637d2e17bf809c377d2f88f225081d627 100644
--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -184,6 +184,10 @@
   # nosse2. Also for arm novfp3.
'regress/regress-2989': [FAIL, NO_VARIANTS, ['system == linux and arch == x87 or arch == arm and simulator == True', PASS]],

+  # BUG(v8:3985). Wrong materialization of arguments object after throwing
+  # an exception.
+  'regress/regress-3985': [PASS, FAIL],
+
# Skip endain dependent test for mips due to different typed views of the same
   # array buffer.
   'nans': [PASS, ],
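Review bot: `'regress/regress-3985': [PASS, FAIL]` accepts either outcome, so the harness will neither flag the current failure nor report when the fix for v8:3985 lands and the entry becomes stale; consider `[FAIL]` (an expected failure, so an unexpected pass is reported once the bug is fixed) and remove the entry in the fixing CL, or land the test together with the fix. It would also help to say in the comment what makes the entry temporary, e.g. `# BUG(v8:3985). Wrong materialization of arguments object after throwing` / `# an exception; remove once the MaterializedObjectStore is cleaned up on unwind.`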
Index: test/mjsunit/regress/regress-3985.js
diff --git a/test/mjsunit/regress/regress-3985.js b/test/mjsunit/regress/regress-3985.js
new file mode 100644
index 0000000000000000000000000000000000000000..6dbc4bdadd3c2511f4cf0da877844a6b76fa8ae7
--- /dev/null
+++ b/test/mjsunit/regress/regress-3985.js
@@ -0,0 +1,45 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var shouldThrow = false;
+
+function h() {
+  try {  // Prevent inlining in Crankshaft.
+  } catch(e) { }
+  var res = g.arguments[0].x;
+  if (shouldThrow) {
+    throw res;
+  }
+  return res;
+}
+
+function g(o) { h(); }
+
+function f1() {
+  var o = { x : 1 };
+  g(o);
+  return o.x;
+}
+
+function f2() {
+  var o = { x : 2 };
+  g(o);
+  return o.x;
+}
+
+f1();
+f2();
+f1();
+f2();
+%OptimizeFunctionOnNextCall(f1);
+%OptimizeFunctionOnNextCall(f2);
+shouldThrow = true;
+try { f1(); } catch(e) {
+  assertEquals(e, 1);
+}
+try { f2(); } catch(e) {
+  assertEquals(e, 2);
+}
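Review bot: the two assertions at the end have mjsunit's argument order reversed; assertEquals takes the expected value first, so `assertEquals(1, e)` and `assertEquals(2, e)` give a readable "expected 1, found 2" message when the stale materialized object comes back, whereas the current order reports it backwards. Two smaller points: nothing verifies that f1() and f2() actually threw, so if `shouldThrow` were ever not honoured the catch blocks are skipped and the test passes vacuously; a `var threw = false;` set to true in each catch and checked with `assertTrue(threw)` afterwards would make that case fail loudly. And a one-line comment on `g` saying that it is meant to be inlined into f1/f2 (so that `g.arguments` has to be materialized from deopt data) while `h` is kept out of line by the empty try/catch would make the shape of the test clearer to whoever touches it next.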


--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev