[ tor-browser ].git.dasho

bug1876425.js (1276B)
      1 // 1) Trial inline f1 => g (g1) => h.
      2 // 2) Set g to g2, to fail the f1 => g1 call site.
      3 // 3) Set g to g1 again.
      4 // 4) Make g1's generic ICScript trial inline a different callee, h2.
      5 // 5) Bail out from f1 => g1 => h.
      6 //
      7 // The bailout must not confuse the ICScripts of h1 and h2.
      8 
      9 function noninlined1(x) {
     10    with (this) {};
     11    if (x === 4002) {
     12        // Step 4.
     13        f2();
     14        // Step 5.
     15        return true;
     16    }
     17    return false;
     18 }
     19 function noninlined2(x) {
     20    with (this) {};
     21    if (x === 4000) {
     22        // Step 2.
     23        g = (h, x) => {
     24            return x + 1;
     25        };
     26    }
     27    if (x === 4001) {
     28        // Step 3.
     29        g = g1;
     30    }
     31 }
     32 var h = function(x) {
     33    if (noninlined1(x)) {
     34        // Step 5.
     35        bailout();
     36    }
     37    return x + 1;
     38 };
     39 var g = function(callee, x) {
     40    return callee(x) + 1;
     41 };
     42 var g1 = g;
     43 
     44 function f2() {
     45    var h2 = x => x + 1;
     46    for (var i = 0; i < 300; i++) {
     47        var x = (i % 2 === 0) ? "foo" : i; // Force trial inlining.
     48        g1(h2, x);
     49    }
     50 }
     51 
     52 function f1() {
     53    for (var i = 0; i < 4200; i++) {
     54        var x = (i < 900 && i % 2 === 0) ? "foo" : i; // Force trial inlining.
     55        g(h, x);
     56        noninlined2(i);
     57        if (i === 200) {
     58            trialInline();
     59        }
     60    }
     61 }
     62 f1();
	tor-browser The Tor Browser
	git clone https://git.dasho.dev/tor-browser.git
	Log \| Files \| Refs \| README \| LICENSE