diff --git a/deps/v8/src/arm/codegen-arm.cc b/deps/v8/src/arm/codegen-arm.cc index 0fcaa0b09d..1cd86d1da1 100644 --- a/deps/v8/src/arm/codegen-arm.cc +++ b/deps/v8/src/arm/codegen-arm.cc @@ -7233,6 +7233,9 @@ void CodeGenerator::EmitKeyedStore(StaticType* key_type, ASSERT(we_remembered_the_write_barrier); + // Make sure that r0 holds the value which is the result of the expression. + __ Move(r0, value); + deferred->BindExit(); } else { frame()->CallKeyedStoreIC(strict_mode_flag()); diff --git a/deps/v8/src/arm/lithium-arm.cc b/deps/v8/src/arm/lithium-arm.cc index 54ed4bace3..c04e5ca8e7 100644 --- a/deps/v8/src/arm/lithium-arm.cc +++ b/deps/v8/src/arm/lithium-arm.cc @@ -1936,6 +1936,10 @@ LInstruction* LChunkBuilder::DoParameter(HParameter* instr) { LInstruction* LChunkBuilder::DoUnknownOSRValue(HUnknownOSRValue* instr) { int spill_index = chunk()->GetNextSpillIndex(false); // Not double-width. + if (spill_index > LUnallocated::kMaxFixedIndex) { + Abort("Too many spill slots needed for OSR"); + spill_index = 0; + } return DefineAsSpilled(new LUnknownOSRValue, spill_index); } diff --git a/deps/v8/src/builtins.cc b/deps/v8/src/builtins.cc index ff073883c7..0f9d152f57 100644 --- a/deps/v8/src/builtins.cc +++ b/deps/v8/src/builtins.cc @@ -373,8 +373,7 @@ static bool ArrayPrototypeHasNoElements(Context* global_context, array_proto = JSObject::cast(proto); if (array_proto != global_context->initial_object_prototype()) return false; if (array_proto->elements() != Heap::empty_fixed_array()) return false; - ASSERT(array_proto->GetPrototype()->IsNull()); - return true; + return array_proto->GetPrototype()->IsNull(); } diff --git a/deps/v8/src/compiler.cc b/deps/v8/src/compiler.cc index 367de64881..18f54c2aff 100755 --- a/deps/v8/src/compiler.cc +++ b/deps/v8/src/compiler.cc @@ -1,4 +1,4 @@ -// Copyright 2010 the V8 project authors. All rights reserved. +// Copyright 2011 the V8 project authors. All rights reserved. // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are // met: @@ -223,10 +223,12 @@ static bool MakeCrankshaftCode(CompilationInfo* info) { // // The encoding is as a signed value, with parameters and receiver using // the negative indices and locals the non-negative ones. - const int limit = LUnallocated::kMaxFixedIndices / 2; + const int parameter_limit = -LUnallocated::kMinFixedIndex; + const int locals_limit = LUnallocated::kMaxFixedIndex; Scope* scope = info->scope(); - if ((scope->num_parameters() + 1) > limit || - scope->num_stack_slots() > limit) { + if ((scope->num_parameters() + 1) > parameter_limit || + (info->osr_ast_id() != AstNode::kNoNumber && + scope->num_parameters() + 1 + scope->num_stack_slots() > locals_limit)) { AbortAndDisable(info); // True indicates the compilation pipeline is still going, not // necessarily that we optimized the code. diff --git a/deps/v8/src/hydrogen-instructions.h b/deps/v8/src/hydrogen-instructions.h index 35ff29749b..1bce34beb5 100644 --- a/deps/v8/src/hydrogen-instructions.h +++ b/deps/v8/src/hydrogen-instructions.h @@ -789,15 +789,33 @@ class HBlockEntry: public HTemplateInstruction<0> { }; -class HDeoptimize: public HTemplateControlInstruction<0> { +class HDeoptimize: public HControlInstruction { public: - HDeoptimize() : HTemplateControlInstruction<0>(NULL, NULL) { } + explicit HDeoptimize(int environment_length) + : HControlInstruction(NULL, NULL), + values_(environment_length) { } virtual Representation RequiredInputRepresentation(int index) const { return Representation::None(); } + virtual int OperandCount() { return values_.length(); } + virtual HValue* OperandAt(int index) { return values_[index]; } + + void AddEnvironmentValue(HValue* value) { + values_.Add(NULL); + SetOperandAt(values_.length() - 1, value); + } + DECLARE_CONCRETE_INSTRUCTION(Deoptimize, "deoptimize") + + protected: + virtual void InternalSetOperandAt(int index, HValue* value) { + values_[index] = value; + } + + private: + ZoneList values_; }; diff --git a/deps/v8/src/hydrogen.cc b/deps/v8/src/hydrogen.cc index e40685cd69..b37d3356cc 100644 --- a/deps/v8/src/hydrogen.cc +++ b/deps/v8/src/hydrogen.cc @@ -113,6 +113,21 @@ void HBasicBlock::AddInstruction(HInstruction* instr) { } +HDeoptimize* HBasicBlock::CreateDeoptimize() { + ASSERT(HasEnvironment()); + HEnvironment* environment = last_environment(); + + HDeoptimize* instr = new HDeoptimize(environment->length()); + + for (int i = 0; i < environment->length(); i++) { + HValue* val = environment->values()->at(i); + instr->AddEnvironmentValue(val); + } + + return instr; +} + + HSimulate* HBasicBlock::CreateSimulate(int id) { ASSERT(HasEnvironment()); HEnvironment* environment = last_environment(); @@ -2560,7 +2575,7 @@ void HGraphBuilder::VisitSwitchStatement(SwitchStatement* stmt) { // If we have a non-smi compare clause, we deoptimize after trying // all the previous compares. if (num_smi_clauses < num_clauses) { - last_false_block->Finish(new HDeoptimize); + last_false_block->FinishExitWithDeoptimization(); } // Build statement blocks, connect them to their comparison block and @@ -3230,7 +3245,7 @@ void HGraphBuilder::HandlePolymorphicStoreNamedField(Assignment* expr, HSubgraph* default_graph = CreateBranchSubgraph(environment()); { SubgraphScope scope(this, default_graph); if (!needs_generic && FLAG_deoptimize_uncommon_cases) { - default_graph->exit_block()->FinishExit(new HDeoptimize()); + default_graph->exit_block()->FinishExitWithDeoptimization(); default_graph->set_exit_block(NULL); } else { HInstruction* instr = BuildStoreNamedGeneric(object, name, value); @@ -3567,7 +3582,7 @@ void HGraphBuilder::HandlePolymorphicLoadNamedField(Property* expr, HSubgraph* default_graph = CreateBranchSubgraph(environment()); { SubgraphScope scope(this, default_graph); if (!needs_generic && FLAG_deoptimize_uncommon_cases) { - default_graph->exit_block()->FinishExit(new HDeoptimize()); + default_graph->exit_block()->FinishExitWithDeoptimization(); default_graph->set_exit_block(NULL); } else { HInstruction* instr = BuildLoadNamedGeneric(object, expr); @@ -3928,7 +3943,7 @@ void HGraphBuilder::HandlePolymorphicCallNamed(Call* expr, HSubgraph* default_graph = CreateBranchSubgraph(environment()); { SubgraphScope scope(this, default_graph); if (!needs_generic && FLAG_deoptimize_uncommon_cases) { - default_graph->exit_block()->FinishExit(new HDeoptimize()); + default_graph->exit_block()->FinishExitWithDeoptimization(); default_graph->set_exit_block(NULL); } else { HContext* context = new HContext; diff --git a/deps/v8/src/hydrogen.h b/deps/v8/src/hydrogen.h index 1ac4fc430e..16f0edeaaf 100644 --- a/deps/v8/src/hydrogen.h +++ b/deps/v8/src/hydrogen.h @@ -124,6 +124,10 @@ class HBasicBlock: public ZoneObject { void AddSimulate(int id) { AddInstruction(CreateSimulate(id)); } void AssignCommonDominator(HBasicBlock* other); + void FinishExitWithDeoptimization() { + FinishExit(CreateDeoptimize()); + } + // Add the inlined function exit sequence, adding an HLeaveInlined // instruction and updating the bailout environment. void AddLeaveInlined(HValue* return_value, HBasicBlock* target); @@ -146,6 +150,7 @@ class HBasicBlock: public ZoneObject { void AddDominatedBlock(HBasicBlock* block); HSimulate* CreateSimulate(int id); + HDeoptimize* CreateDeoptimize(); int block_id_; HGraph* graph_; diff --git a/deps/v8/src/ia32/lithium-ia32.cc b/deps/v8/src/ia32/lithium-ia32.cc index ea6d41aa14..ece0ab3d64 100644 --- a/deps/v8/src/ia32/lithium-ia32.cc +++ b/deps/v8/src/ia32/lithium-ia32.cc @@ -1986,6 +1986,10 @@ LInstruction* LChunkBuilder::DoParameter(HParameter* instr) { LInstruction* LChunkBuilder::DoUnknownOSRValue(HUnknownOSRValue* instr) { int spill_index = chunk()->GetNextSpillIndex(false); // Not double-width. + if (spill_index > LUnallocated::kMaxFixedIndex) { + Abort("Too many spill slots needed for OSR"); + spill_index = 0; + } return DefineAsSpilled(new LUnknownOSRValue, spill_index); } diff --git a/deps/v8/src/lithium.h b/deps/v8/src/lithium.h index d85a87c12e..280da47240 100644 --- a/deps/v8/src/lithium.h +++ b/deps/v8/src/lithium.h @@ -143,7 +143,8 @@ class LUnallocated: public LOperand { }; static const int kMaxVirtualRegisters = 1 << (kVirtualRegisterWidth + 1); - static const int kMaxFixedIndices = 128; + static const int kMaxFixedIndex = 63; + static const int kMinFixedIndex = -64; bool HasIgnorePolicy() const { return policy() == IGNORE; } bool HasNoPolicy() const { return policy() == NONE; } diff --git a/deps/v8/src/messages.js b/deps/v8/src/messages.js index 2c94912fdf..f39ea9ff6b 100644 --- a/deps/v8/src/messages.js +++ b/deps/v8/src/messages.js @@ -211,6 +211,7 @@ function FormatMessage(message) { invalid_preparser_data: ["Invalid preparser data for function ", "%0"], strict_mode_with: ["Strict mode code may not include a with statement"], strict_catch_variable: ["Catch variable may not be eval or arguments in strict mode"], + too_many_arguments: ["Too many arguments in function call (only 32766 allowed)"], too_many_parameters: ["Too many parameters in function definition"], strict_param_name: ["Parameter name eval or arguments is not allowed in strict mode"], strict_param_dupe: ["Strict mode function may not have duplicate parameter names"], diff --git a/deps/v8/src/parser.cc b/deps/v8/src/parser.cc index 04e2407e01..6d462bc53c 100644 --- a/deps/v8/src/parser.cc +++ b/deps/v8/src/parser.cc @@ -3490,6 +3490,12 @@ ZoneList* Parser::ParseArguments(bool* ok) { while (!done) { Expression* argument = ParseAssignmentExpression(true, CHECK_OK); result->Add(argument); + if (result->length() > kMaxNumFunctionParameters) { + ReportMessageAt(scanner().location(), "too_many_arguments", + Vector::empty()); + *ok = false; + return NULL; + } done = (peek() == Token::RPAREN); if (!done) Expect(Token::COMMA, CHECK_OK); } diff --git a/deps/v8/src/platform-solaris.cc b/deps/v8/src/platform-solaris.cc index ebe0475f4d..e816e44217 100644 --- a/deps/v8/src/platform-solaris.cc +++ b/deps/v8/src/platform-solaris.cc @@ -1,4 +1,4 @@ -// Copyright 2006-2009 the V8 project authors. All rights reserved. +// Copyright 2011 the V8 project authors. All rights reserved. // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are // met: @@ -105,7 +105,8 @@ uint64_t OS::CpuFeaturesImpliedByPlatform() { int OS::ActivationFrameAlignment() { - return STACK_ALIGN; + // GCC generates code that requires 16 byte alignment such as movdqa. + return Max(STACK_ALIGN, 16); } diff --git a/deps/v8/src/v8natives.js b/deps/v8/src/v8natives.js index 91e19c13d8..823f8ee579 100644 --- a/deps/v8/src/v8natives.js +++ b/deps/v8/src/v8natives.js @@ -147,17 +147,6 @@ function GlobalEval(x) { } -// execScript for IE compatibility. -function GlobalExecScript(expr, lang) { - // NOTE: We don't care about the character casing. - if (!lang || /javascript/i.test(lang)) { - var f = %CompileString(ToString(expr)); - f.call(%GlobalReceiver(global)); - } - return null; -} - - // ---------------------------------------------------------------------------- @@ -177,8 +166,7 @@ function SetupGlobal() { "isFinite", GlobalIsFinite, "parseInt", GlobalParseInt, "parseFloat", GlobalParseFloat, - "eval", GlobalEval, - "execScript", GlobalExecScript + "eval", GlobalEval )); } diff --git a/deps/v8/src/version.cc b/deps/v8/src/version.cc index ccfbd18c5f..f70e405915 100644 --- a/deps/v8/src/version.cc +++ b/deps/v8/src/version.cc @@ -35,7 +35,7 @@ #define MAJOR_VERSION 3 #define MINOR_VERSION 1 #define BUILD_NUMBER 8 -#define PATCH_LEVEL 16 +#define PATCH_LEVEL 25 #define CANDIDATE_VERSION false // Define SONAME to have the SCons build the put a specific SONAME into the diff --git a/deps/v8/src/x64/full-codegen-x64.cc b/deps/v8/src/x64/full-codegen-x64.cc index 0ad6ec2376..60b77b5bfe 100644 --- a/deps/v8/src/x64/full-codegen-x64.cc +++ b/deps/v8/src/x64/full-codegen-x64.cc @@ -1383,13 +1383,17 @@ void FullCodeGenerator::VisitObjectLiteral(ObjectLiteral* expr) { // Fall through. case ObjectLiteral::Property::COMPUTED: if (key->handle()->IsSymbol()) { - VisitForAccumulatorValue(value); - __ Move(rcx, key->handle()); - __ movq(rdx, Operand(rsp, 0)); if (property->emit_store()) { - Handle ic(Builtins::builtin(Builtins::StoreIC_Initialize)); + VisitForAccumulatorValue(value); + __ Move(rcx, key->handle()); + __ movq(rdx, Operand(rsp, 0)); + Handle ic(Builtins::builtin( + is_strict() ? Builtins::StoreIC_Initialize_Strict + : Builtins::StoreIC_Initialize)); EmitCallIC(ic, RelocInfo::CODE_TARGET); PrepareForBailoutForId(key->id(), NO_REGISTERS); + } else { + VisitForEffect(value); } break; } diff --git a/deps/v8/src/x64/lithium-x64.cc b/deps/v8/src/x64/lithium-x64.cc index 18b38e2481..2f413feb9d 100644 --- a/deps/v8/src/x64/lithium-x64.cc +++ b/deps/v8/src/x64/lithium-x64.cc @@ -1939,6 +1939,10 @@ LInstruction* LChunkBuilder::DoParameter(HParameter* instr) { LInstruction* LChunkBuilder::DoUnknownOSRValue(HUnknownOSRValue* instr) { int spill_index = chunk()->GetNextSpillIndex(false); // Not double-width. + if (spill_index > LUnallocated::kMaxFixedIndex) { + Abort("Too many spill slots needed for OSR"); + spill_index = 0; + } return DefineAsSpilled(new LUnknownOSRValue, spill_index); } diff --git a/deps/v8/test/mjsunit/function-names.js b/deps/v8/test/mjsunit/function-names.js index c083f18f5d..5ed0b794e8 100644 --- a/deps/v8/test/mjsunit/function-names.js +++ b/deps/v8/test/mjsunit/function-names.js @@ -128,6 +128,6 @@ var globalFunctions = [ "encodeURI", "encodeURIComponent", "Error", "TypeError", "RangeError", "SyntaxError", "ReferenceError", "EvalError", "URIError", "isNaN", "isFinite", "parseInt", "parseFloat", - "eval", "execScript"]; + "eval"]; TestFunctionNames(this, globalFunctions); diff --git a/deps/v8/test/mjsunit/regress/regress-1122.js b/deps/v8/test/mjsunit/regress/regress-1122.js index 7dc9b248a3..815511d18e 100644 --- a/deps/v8/test/mjsunit/regress/regress-1122.js +++ b/deps/v8/test/mjsunit/regress/regress-1122.js @@ -25,12 +25,14 @@ // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// Test that we can handle functions with up to 32766 arguments, and that -// functions with more arguments throw an exception. +// Test that we can handle function calls with up to 32766 arguments, and +// that function calls with more arguments throw an exception. Apply a +// similar limit to the number of function parameters. -// See http://code.google.com/p/v8/issues/detail?id=1122. +// See http://code.google.com/p/v8/issues/detail?id=1122 and +// http://code.google.com/p/v8/issues/detail?id=1413. -function function_with_n_args(n) { +function function_with_n_params_and_m_args(n, m) { test_prefix = 'prefix '; test_suffix = ' suffix'; var source = 'test_prefix + (function f('; @@ -39,7 +41,7 @@ function function_with_n_args(n) { source += 'arg' + arg; } source += ') { return arg' + (n - n % 2) / 2 + '; })('; - for (var arg = 0; arg < n ; arg++) { + for (var arg = 0; arg < m ; arg++) { if (arg != 0) source += ','; source += arg; } @@ -47,9 +49,20 @@ function function_with_n_args(n) { return eval(source); } -assertEquals('prefix 4000 suffix', function_with_n_args(8000)); -assertEquals('prefix 9000 suffix', function_with_n_args(18000)); -assertEquals('prefix 16000 suffix', function_with_n_args(32000)); +assertEquals('prefix 4000 suffix', + function_with_n_params_and_m_args(8000, 8000)); +assertEquals('prefix 3000 suffix', + function_with_n_params_and_m_args(6000, 8000)); +assertEquals('prefix 5000 suffix', + function_with_n_params_and_m_args(10000, 8000)); +assertEquals('prefix 9000 suffix', + function_with_n_params_and_m_args(18000, 18000)); +assertEquals('prefix 16000 suffix', + function_with_n_params_and_m_args(32000, 32000)); +assertEquals('prefix undefined suffix', + function_with_n_params_and_m_args(32000, 10000)); -assertThrows("function_with_n_args(35000)"); -assertThrows("function_with_n_args(100000)"); +assertThrows("function_with_n_params_and_m_args(35000, 35000)"); +assertThrows("function_with_n_params_and_m_args(100000, 100000)"); +assertThrows("function_with_n_params_and_m_args(35000, 30000)"); +assertThrows("function_with_n_params_and_m_args(30000, 35000)"); diff --git a/deps/v8/test/mjsunit/regress/regress-1257.js b/deps/v8/test/mjsunit/regress/regress-1257.js new file mode 100644 index 0000000000..c20fb86068 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-1257.js @@ -0,0 +1,58 @@ +// Copyright 2011 the V8 project authors. All rights reserved. +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials provided +// with the distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived +// from this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +function g(y) { assertEquals(y, 12); } + +var X = 0; + +function foo () { + var cnt = 0; + var l = -1; + var x = 0; + while (1) switch (l) { + case -1: + var y = x + 12; + l = 0; + break; + case 0: + // Loop for to hit OSR. + if (cnt++ < 10000000) { + l = 0; + break; + } else { + l = 1; + break; + } + case 1: + // This case will contain deoptimization + // because it has no type feedback. + g(y); + return; + }; +} + +foo(); diff --git a/deps/v8/test/mjsunit/regress/regress-1341167.js b/deps/v8/test/mjsunit/regress/regress-1401.js similarity index 80% rename from deps/v8/test/mjsunit/regress/regress-1341167.js rename to deps/v8/test/mjsunit/regress/regress-1401.js index 194a7b886a..33eb0677eb 100644 --- a/deps/v8/test/mjsunit/regress/regress-1341167.js +++ b/deps/v8/test/mjsunit/regress/regress-1401.js @@ -1,4 +1,4 @@ -// Copyright 2008 the V8 project authors. All rights reserved. +// Copyright 2011 the V8 project authors. All rights reserved. // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are // met: @@ -25,9 +25,21 @@ // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// Make sure that 'this' is bound to the global object when using -// execScript. +// See: http://code.google.com/p/v8/issues/detail?id=1401 -var result; -execScript("result = this"); -assertTrue(result === this); +var bottom = 0; +var sizes = new Array(); + +for (i = 0; i < 10; i++) { + sizes[i] = 0; +} + +function foo() { + var size = bottom + 1 + 10; + var t = (sizes[++bottom] = size); + return t; +} + +for (i = 0; i < 5; i++) { + assertEquals(i + 11, foo()); +} diff --git a/deps/v8/test/mjsunit/execScript-case-insensitive.js b/deps/v8/test/mjsunit/regress/regress-1403.js similarity index 85% rename from deps/v8/test/mjsunit/execScript-case-insensitive.js rename to deps/v8/test/mjsunit/regress/regress-1403.js index 468d65747e..f2520ccbc9 100644 --- a/deps/v8/test/mjsunit/execScript-case-insensitive.js +++ b/deps/v8/test/mjsunit/regress/regress-1403.js @@ -1,4 +1,4 @@ -// Copyright 2008 the V8 project authors. All rights reserved. +// Copyright 2011 the V8 project authors. All rights reserved. // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are // met: @@ -25,10 +25,12 @@ // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -var x = 0; -execScript('x = 1', 'javascript'); -assertEquals(1, x); +// See: http://code.google.com/p/v8/issues/detail?id=1403 -execScript('x = 2', 'JavaScript'); -assertEquals(2, x); +a = []; +Object.prototype.__proto__ = { __proto__: null }; +a.shift(); +a = []; +Array.prototype.__proto__ = { __proto__: null }; +a.shift(); diff --git a/deps/v8/test/mjsunit/regress/splice-missing-wb.js b/deps/v8/test/mjsunit/regress/splice-missing-wb.js new file mode 100644 index 0000000000..5ff0d81e8b --- /dev/null +++ b/deps/v8/test/mjsunit/regress/splice-missing-wb.js @@ -0,0 +1,56 @@ +// Copyright 2011 the V8 project authors. All rights reserved. +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials provided +// with the distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived +// from this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// Flags: --expose-gc + +// Create array large enough to span several page regions. +var a = new Array(500); + +// Fill it with values. +for (var i = 0; i < a.length; i++) a[i] = {idx:i}; + +// Force it into oldspace. +gc(); +gc(); + +// Array should be in old space now. Store young object into array. +// Region will be marked. +a[0] = {idx:0}; + +// Delete elements a[2] .. a[201]. Internally we will use +// trimming of backing store. a[0] a[1] will be moved to +// memory location previously occupied by a[200] a[201]. +a.splice(2, 200); + +// Force gc and heap verification. +gc(); + +// Try accessing a[0].idx. It will segfault if write-barrier was accidentally +// omitted. +assertEquals(0, a[0].idx); +assertEquals(1, a[1].idx); +assertEquals(202, a[2].idx);