40a37d08 A |
// Attempts to induce a crash resulting from the FTL emitting code that clobbers the tag registers and then
// throwing an exception without restoring those tag registers' values.
3 | ||
/**
 * Register-pressure harness: copies array[0] .. array[63] into 64 separate locals, calls
 * callee("hello"), and then returns all 64 locals in a new array.
 *
 * Every local is written before the call and read after it, so all 64 values are live across
 * the call site. The call is the point where the caller can ask for an exception to be thrown.
 *
 * NOTE(review): presumably the 64 individually named locals are what creates the register
 * pressure this regression test relies on; folding them into a loop or a destructuring
 * pattern would keep the return value but may no longer exercise the code path under test.
 *
 * @param {Array} array - Source of the 64 values; indices 0 through 63 are read.
 * @param {*} callee - Invoked as callee("hello"); its return value is ignored.
 * @returns {Array} A new 64-element array holding array[0] .. array[63] in order.
 * @throws Whatever the call to callee throws; nothing is caught here.
 */
function ftlFunction(array, callee) {
    // Gotta use lots of gprs.
    var x0 = array[0];
    var x1 = array[1];
    var x2 = array[2];
    var x3 = array[3];
    var x4 = array[4];
    var x5 = array[5];
    var x6 = array[6];
    var x7 = array[7];
    var x8 = array[8];
    var x9 = array[9];
    var x10 = array[10];
    var x11 = array[11];
    var x12 = array[12];
    var x13 = array[13];
    var x14 = array[14];
    var x15 = array[15];
    var x16 = array[16];
    var x17 = array[17];
    var x18 = array[18];
    var x19 = array[19];
    var x20 = array[20];
    var x21 = array[21];
    var x22 = array[22];
    var x23 = array[23];
    var x24 = array[24];
    var x25 = array[25];
    var x26 = array[26];
    var x27 = array[27];
    var x28 = array[28];
    var x29 = array[29];
    var x30 = array[30];
    var x31 = array[31];
    var x32 = array[32];
    var x33 = array[33];
    var x34 = array[34];
    var x35 = array[35];
    var x36 = array[36];
    var x37 = array[37];
    var x38 = array[38];
    var x39 = array[39];
    var x40 = array[40];
    var x41 = array[41];
    var x42 = array[42];
    var x43 = array[43];
    var x44 = array[44];
    var x45 = array[45];
    var x46 = array[46];
    var x47 = array[47];
    var x48 = array[48];
    var x49 = array[49];
    var x50 = array[50];
    var x51 = array[51];
    var x52 = array[52];
    var x53 = array[53];
    var x54 = array[54];
    var x55 = array[55];
    var x56 = array[56];
    var x57 = array[57];
    var x58 = array[58];
    var x59 = array[59];
    var x60 = array[60];
    var x61 = array[61];
    var x62 = array[62];
    var x63 = array[63];

    // Make a call that will throw, when we ask it to.
    // The argument is a fixed string and the return value is discarded; only the call itself matters.
    callee("hello");

    // Use all of those crazy values.
    // Reading every local here is what keeps all 64 of them live across the call above.
    return [x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28, x29, x30, x31, x32, x33, x34, x35, x36, x37, x38, x39, x40, x41, x42, x43, x44, x45, x46, x47, x48, x49, x50, x51, x52, x53, x54, x55, x56, x57, x58, x59, x60, x61, x62, x63]
}
77 | ||
// noInline is not defined in this file; it is expected to come from the test shell.
// NOTE(review): presumably this keeps ftlFunction compiled as a function of its own rather than
// being inlined into the top-level loops that call it.
noInline(ftlFunction);
79 | ||
// 64 distinct callees with no side effects: happyCalleeN simply returns N. They are kept as separate
// function declarations so the call in ftlFunction sees too many targets to be inlined or devirtualized.

function happyCallee0() { return 0; }
function happyCallee1() { return 1; }
function happyCallee2() { return 2; }
function happyCallee3() { return 3; }
function happyCallee4() { return 4; }
function happyCallee5() { return 5; }
function happyCallee6() { return 6; }
function happyCallee7() { return 7; }
function happyCallee8() { return 8; }
function happyCallee9() { return 9; }
function happyCallee10() { return 10; }
function happyCallee11() { return 11; }
function happyCallee12() { return 12; }
function happyCallee13() { return 13; }
function happyCallee14() { return 14; }
function happyCallee15() { return 15; }
function happyCallee16() { return 16; }
function happyCallee17() { return 17; }
function happyCallee18() { return 18; }
function happyCallee19() { return 19; }
function happyCallee20() { return 20; }
function happyCallee21() { return 21; }
function happyCallee22() { return 22; }
function happyCallee23() { return 23; }
function happyCallee24() { return 24; }
function happyCallee25() { return 25; }
function happyCallee26() { return 26; }
function happyCallee27() { return 27; }
function happyCallee28() { return 28; }
function happyCallee29() { return 29; }
function happyCallee30() { return 30; }
function happyCallee31() { return 31; }
function happyCallee32() { return 32; }
function happyCallee33() { return 33; }
function happyCallee34() { return 34; }
function happyCallee35() { return 35; }
function happyCallee36() { return 36; }
function happyCallee37() { return 37; }
function happyCallee38() { return 38; }
function happyCallee39() { return 39; }
function happyCallee40() { return 40; }
function happyCallee41() { return 41; }
function happyCallee42() { return 42; }
function happyCallee43() { return 43; }
function happyCallee44() { return 44; }
function happyCallee45() { return 45; }
function happyCallee46() { return 46; }
function happyCallee47() { return 47; }
function happyCallee48() { return 48; }
function happyCallee49() { return 49; }
function happyCallee50() { return 50; }
function happyCallee51() { return 51; }
function happyCallee52() { return 52; }
function happyCallee53() { return 53; }
function happyCallee54() { return 54; }
function happyCallee55() { return 55; }
function happyCallee56() { return 56; }
function happyCallee57() { return 57; }
function happyCallee58() { return 58; }
function happyCallee59() { return 59; }
function happyCallee60() { return 60; }
function happyCallee61() { return 61; }
function happyCallee62() { return 62; }
function happyCallee63() { return 63; }
146 | ||
// Table of every happy callee, in index order, so callers can rotate through them.
var happyCallees = [
    happyCallee0, happyCallee1, happyCallee2, happyCallee3, happyCallee4, happyCallee5, happyCallee6, happyCallee7,
    happyCallee8, happyCallee9, happyCallee10, happyCallee11, happyCallee12, happyCallee13, happyCallee14, happyCallee15,
    happyCallee16, happyCallee17, happyCallee18, happyCallee19, happyCallee20, happyCallee21, happyCallee22, happyCallee23,
    happyCallee24, happyCallee25, happyCallee26, happyCallee27, happyCallee28, happyCallee29, happyCallee30, happyCallee31,
    happyCallee32, happyCallee33, happyCallee34, happyCallee35, happyCallee36, happyCallee37, happyCallee38, happyCallee39,
    happyCallee40, happyCallee41, happyCallee42, happyCallee43, happyCallee44, happyCallee45, happyCallee46, happyCallee47,
    happyCallee48, happyCallee49, happyCallee50, happyCallee51, happyCallee52, happyCallee53, happyCallee54, happyCallee55,
    happyCallee56, happyCallee57, happyCallee58, happyCallee59, happyCallee60, happyCallee61, happyCallee62, happyCallee63
];

// Mark each callee as non-inlinable; noInline is supplied by the test shell, not by this file.
happyCallees.forEach(function (happyCallee) {
    noInline(happyCallee);
});
151 | ||
// In contrast to the other test (throw-from-ftl-call-ic-slow-path.js), this one fills the registers with
// cells, so each of the 64 slots holds its own freshly created object.
var array = [];
while (array.length < 64)
    array.push({});
157 | ||
// Warm-up phase: call ftlFunction 100000 times, cycling through the happy callees, and verify after every
// call that the returned array mirrors the input element for element.
for (var iteration = 0; iteration < 100000; ++iteration) {
    var calleeForIteration = happyCallees[iteration % happyCallees.length];
    var warmResult = ftlFunction(array, calleeForIteration);

    if (warmResult.length != array.length)
        throw "Error: bad length: " + warmResult;

    for (var index = 0; index < warmResult.length; ++index) {
        if (warmResult[index] != array[index])
            throw "Error: bad entry at j = " + index + ": " + warmResult;
    }
}
168 | ||
// Finally, attempt to trigger the bug.
// Each iteration passes Int8Array as the callee so that the call inside ftlFunction throws, then
// runs a few operations on a plain number in the catch handler and checks their results. Per the
// header of this file, the defect under test is an exception thrown while the tag registers hold
// clobbered values.
// NOTE(review): presumably the property access and the additions below depend on the tag
// registers to tell numbers from cells, which is why a wrong result (or a crash) here signals that
// they were not restored; confirm against the engine's value representation.
// NOTE(review): if ftlFunction(array, Int8Array) returns without throwing, the iteration passes
// silently; nothing after the call inside the try block reports that as a failure.
var notACell = 42;
for (var i = 0; i < 100; ++i) {
    try {
        ftlFunction(array, Int8Array);
    } catch (e) {
        // Only the expected "not a function" error is accepted; any other message fails the test.
        if (e.message.indexOf("not a function") < 0)
            throw "Error: bad exception message: " + e.message;
        // Reading a property that does not exist on a number must yield undefined.
        var result = notACell.f;
        if (result !== void 0) {
            // print and describe are not defined in this file; they are expected to come from the test shell.
            print("Bad outcome of accessing f on notACell.");
            print("Here's notACell:", notACell, describe(notACell));
            print("Here's the result:", result, describe(result));
            throw "Error: bad outcome of accessing f on " + notACell + ": " + result;
        }
        // undefined + 5 must stringify to "NaN", and 42 + 5 must be 47.
        var result2 = result + 5;
        var result3 = notACell + 5;
        if ("" + result2 != "NaN")
            throw "Error: bad outcome of adding 5 to result: " + result2;
        if (result3 != 47)
            throw "Error: bad outcome of adding 5 to 42: " + result3;
    }
}
192 |