tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

bug1401014.js (897B)

      1 // Prevent optimizing top-level
      2 with ({}) { }
      3 
      4 
      5 // Unboxed object constructor candidate
      6 function Thing() {
      7    this.a = {};    // Object || null
      8    this.b = {};    // Object || null
      9 }
     10 
     11 (new Thing());
     12 (new Thing()).a = null;
     13 (new Thing()).b = null;
     14 
     15 
     16 var arr = new Array(1000);
     17 arr[0];
     18 
     19 var ctx = new Thing();
     20 
     21 function funPsh(t, x) {
     22    t.a = x;
     23 }
     24 
     25 function funBug(t, i) {
     26    t.b = t.a;      // GETPROP t.a
     27    t.a = null;     // SETPROP t.a
     28    arr[i] = 0;     // Bailout on uninitialized elements
     29    return t.b;
     30 }
     31 
     32 // Ion compile
     33 for (var i = 0; i < 20000; ++i) {
     34    funBug(ctx, 0);
     35    funPsh(ctx, {});
     36 }
     37 
     38 // Invalidate
     39 let tmp = { a: null, b: {} };
     40 funBug(tmp, 0);
     41 
     42 // Ion compile
     43 for (var i = 0; i < 20000; ++i) {
     44    funBug(ctx, 0);
     45    funPsh(ctx, {});
     46 }
     47 
     48 // Trigger bailout
     49 let res = funBug(ctx, 500);
     50 
     51 // Result should not be clobbered by |t.a = null|
     52 assertEq(res === null, false);