// Regression test for the trace JIT: a closure's read of an upvar held in a
// Call object must not be compiled into a read of the Call object's dslots
// while those slots still hold JSVAL_VOID. The exact statement order below
// is what reproduces the recording conditions described in the comments,
// so it should be kept intact.
// NOTE(review): assertEq is not defined in this file; presumably the test
// harness supplies it.

// Calls f nine times and checks each result against expected.
// f: zero-argument closure under test; expected: the value every call must return.
function loop(f, expected) {
  // This is the loop that breaks us.
  // At record time, f's parent is a Call object with no fp.
  // At second execute time, it is a Call object with fp,
  // and all the Call object's dslots are still JSVAL_VOID.
  for (var i = 0; i < 9; i++)
    assertEq(f(), expected);
}

// Invoked as C.call(obj, bad): captures bad in the local x, assigns the
// closure f to this.m (which triggers obj's m setter below), and returns f.
function C(bad) {
  var x = bad;
  function f() {
    return x; // We trick TR::callProp() into emitting code that gets
              // JSVAL_VOID (from the Call object's dslots)
              // rather than the actual value (true or false).
  }
  this.m = f;
  return f;
}

// Receiver for C.call: the m setter runs when C does `this.m = f`, i.e.
// while C's frame is still live.
var obj = {
  set m(f) {
    if (f()) // Call once to resolve x on the Call object,
             // for shape consistency. Otherwise loop gets
             // recorded twice.
      loop(f, true);
  }
};

// First pass: x is false, so the setter's f() is false and it skips loop;
// loop is then entered after C has returned (presumably the "no fp"
// record-time case described in loop).
loop(C.call(obj, false), false);
// Second pass: x is true, so the setter itself calls loop(f, true) with a
// fresh closure while C is still on the stack; a miscompiled upvar read
// would return JSVAL_VOID instead of true here.
C.call(obj, true);