Reviewers: Michael Achenbach,
Description:
Simpler repro for bug 2989.
We do not correctly handle accesses to f.arguments after one
of the argument has changed (where f is crankshafted).
[email protected]
BUG=v8:2989
Please review this at https://codereview.chromium.org/151403003/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+18, -13 lines):
M test/mjsunit/mjsunit.status
A + test/mjsunit/regress/regress-2989.js
M test/webkit/webkit.status
Index: test/mjsunit/mjsunit.status
diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
index
fa8b9eb48a893bf90015a15df71aad988da4588b..a6cd5c1ce31b81189cd5c071d40b0c1623ef2d91
100644
--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -111,6 +111,9 @@
'compiler/alloc-number-debug': [PASS, ['mode == release', SKIP]],
'regress/regress-634': [PASS, ['mode == debug', SKIP]],
'regress/regress-634-debug': [PASS, ['mode == release', SKIP]],
+
+ # BUG(v8:2989).
+ 'regress/regress-2989': [FAIL, NO_VARIANTS],
}], # ALWAYS
##############################################################################
Index: test/mjsunit/regress/regress-2989.js
diff --git a/test/webkit/instanceof-operator.js
b/test/mjsunit/regress/regress-2989.js
similarity index 87%
copy from test/webkit/instanceof-operator.js
copy to test/mjsunit/regress/regress-2989.js
index
1230181584337c86a13846618b2cefe510239e59..49c4a1cb03ba45b8938e08ab024f0b8d13a66ed6
100644
--- a/test/webkit/instanceof-operator.js
+++ b/test/mjsunit/regress/regress-2989.js
@@ -21,13 +21,15 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS
// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-description(
-"instanceof test"
-);
+// Flags: --allow-natives-syntax
-getterCalled = false;
-try {
- ({} instanceof { get prototype(){ getterCalled = true; } });
-} catch (e) {
-}
-shouldBeFalse("getterCalled");
+(function ArgumentsObjectChange() {
+ function f(x) {
+ x = 42;
+ return f.arguments[0];
+ }
+
+ f(0);
+ %OptimizeFunctionOnNextCall(f);
+ assertEquals(42, f(0));
+})();
Index: test/webkit/webkit.status
diff --git a/test/webkit/webkit.status b/test/webkit/webkit.status
index
298e57522dc9b0386c7ce1a3c60c8b476c805b16..02f7517c757cfb5e951da3c36d48b32ca09b9055
100644
--- a/test/webkit/webkit.status
+++ b/test/webkit/webkit.status
@@ -30,10 +30,10 @@
##############################################################################
# Flaky tests.
# BUG(v8:2989).
- 'dfg-inline-arguments-become-double': [PASS, FLAKY],
- 'dfg-inline-arguments-become-int32': [PASS, FLAKY],
- 'dfg-inline-arguments-reset': [PASS, FLAKY],
- 'dfg-inline-arguments-reset-changetype': [PASS, FLAKY],
+ 'dfg-inline-arguments-become-double': [PASS, FAIL],
+ 'dfg-inline-arguments-become-int32': [PASS, FAIL],
+ 'dfg-inline-arguments-reset': [PASS, FAIL],
+ 'dfg-inline-arguments-reset-changetype': [PASS, FAIL],
}], # ALWAYS
['mode == debug', {
# Too slow in debug mode.
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
