1 // Attempts to induce a crash resulting from the FTL emitting code that clobbers the tag registers and then
2 // throwing an exception without restoring those tag registers' values.
3
// Victim function for the stress test.
//
// It loads 64 values out of `array` into 64 distinct locals, makes one out-of-line call through
// `callee`, and then returns every one of those locals in a fresh Array. Because all 64 values are
// live across the call, the compiler has to keep (or spill and restore) a lot of registers around
// the call site; the header comment above says this is meant to make the FTL clobber the tag
// registers, and the file name suggests the throw under test comes from the call IC's slow path.
//
// Parameters:
//   array  - indexable source of 64 values (the driver passes an Int32Array of 0..63).
//   callee - invoked once with the string "hello"; its return value is ignored. When `callee` is
//            not callable the call throws, which is the behaviour the final loop provokes.
// Returns: a new Array holding array[0]..array[63] in order.
// Throws:  whatever the call to `callee` throws.
function ftlFunction(array, callee) {
    // Gotta use lots of gprs.
    var x0 = array[0];
    var x1 = array[1];
    var x2 = array[2];
    var x3 = array[3];
    var x4 = array[4];
    var x5 = array[5];
    var x6 = array[6];
    var x7 = array[7];
    var x8 = array[8];
    var x9 = array[9];
    var x10 = array[10];
    var x11 = array[11];
    var x12 = array[12];
    var x13 = array[13];
    var x14 = array[14];
    var x15 = array[15];
    var x16 = array[16];
    var x17 = array[17];
    var x18 = array[18];
    var x19 = array[19];
    var x20 = array[20];
    var x21 = array[21];
    var x22 = array[22];
    var x23 = array[23];
    var x24 = array[24];
    var x25 = array[25];
    var x26 = array[26];
    var x27 = array[27];
    var x28 = array[28];
    var x29 = array[29];
    var x30 = array[30];
    var x31 = array[31];
    var x32 = array[32];
    var x33 = array[33];
    var x34 = array[34];
    var x35 = array[35];
    var x36 = array[36];
    var x37 = array[37];
    var x38 = array[38];
    var x39 = array[39];
    var x40 = array[40];
    var x41 = array[41];
    var x42 = array[42];
    var x43 = array[43];
    var x44 = array[44];
    var x45 = array[45];
    var x46 = array[46];
    var x47 = array[47];
    var x48 = array[48];
    var x49 = array[49];
    var x50 = array[50];
    var x51 = array[51];
    var x52 = array[52];
    var x53 = array[53];
    var x54 = array[54];
    var x55 = array[55];
    var x56 = array[56];
    var x57 = array[57];
    var x58 = array[58];
    var x59 = array[59];
    var x60 = array[60];
    var x61 = array[61];
    var x62 = array[62];
    var x63 = array[63];

    // Make a call that will throw, when we ask it to.
    // The argument is irrelevant to the callees in this file; what matters is that this is a real
    // call that sits between the 64 loads and the 64 uses below.
    callee("hello");

    // Use all of those crazy values.
    // Returning every xN keeps each of them live across the call, so none can be dead-code-eliminated.
    return [x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28, x29, x30, x31, x32, x33, x34, x35, x36, x37, x38, x39, x40, x41, x42, x43, x44, x45, x46, x47, x48, x49, x50, x51, x52, x53, x54, x55, x56, x57, x58, x59, x60, x61, x62, x63]
}

// Keep ftlFunction out of line so the driver loops below never inline it; it must be compiled (and
// eventually FTL-compiled) as its own code block for the test to mean anything. `noInline` is a
// JSC shell builtin.
noInline(ftlFunction);
79
// Create some callees that are too crazy to get inlined or devirtualized, but that don't have effects.
//
// Each one is a distinct, side-effect-free function returning its own index. The warm-up loop
// rotates ftlFunction's `callee` argument through all 64 of them, so the call site sees many
// different targets; the comment above says that is what keeps it from being inlined or
// devirtualized. Their return values are never checked.

function happyCallee0() { return 0 };
function happyCallee1() { return 1 };
function happyCallee2() { return 2 };
function happyCallee3() { return 3 };
function happyCallee4() { return 4 };
function happyCallee5() { return 5 };
function happyCallee6() { return 6 };
function happyCallee7() { return 7 };
function happyCallee8() { return 8 };
function happyCallee9() { return 9 };
function happyCallee10() { return 10 };
function happyCallee11() { return 11 };
function happyCallee12() { return 12 };
function happyCallee13() { return 13 };
function happyCallee14() { return 14 };
function happyCallee15() { return 15 };
function happyCallee16() { return 16 };
function happyCallee17() { return 17 };
function happyCallee18() { return 18 };
function happyCallee19() { return 19 };
function happyCallee20() { return 20 };
function happyCallee21() { return 21 };
function happyCallee22() { return 22 };
function happyCallee23() { return 23 };
function happyCallee24() { return 24 };
function happyCallee25() { return 25 };
function happyCallee26() { return 26 };
function happyCallee27() { return 27 };
function happyCallee28() { return 28 };
function happyCallee29() { return 29 };
function happyCallee30() { return 30 };
function happyCallee31() { return 31 };
function happyCallee32() { return 32 };
function happyCallee33() { return 33 };
function happyCallee34() { return 34 };
function happyCallee35() { return 35 };
function happyCallee36() { return 36 };
function happyCallee37() { return 37 };
function happyCallee38() { return 38 };
function happyCallee39() { return 39 };
function happyCallee40() { return 40 };
function happyCallee41() { return 41 };
function happyCallee42() { return 42 };
function happyCallee43() { return 43 };
function happyCallee44() { return 44 };
function happyCallee45() { return 45 };
function happyCallee46() { return 46 };
function happyCallee47() { return 47 };
function happyCallee48() { return 48 };
function happyCallee49() { return 49 };
function happyCallee50() { return 50 };
function happyCallee51() { return 51 };
function happyCallee52() { return 52 };
function happyCallee53() { return 53 };
function happyCallee54() { return 54 };
function happyCallee55() { return 55 };
function happyCallee56() { return 56 };
function happyCallee57() { return 57 };
function happyCallee58() { return 58 };
function happyCallee59() { return 59 };
function happyCallee60() { return 60 };
function happyCallee61() { return 61 };
function happyCallee62() { return 62 };
function happyCallee63() { return 63 };
146
// The full set of benign callees, in index order, so the warm-up loop can rotate through them
// with `i % happyCallees.length`.
var happyCallees = [
    happyCallee0, happyCallee1, happyCallee2, happyCallee3, happyCallee4, happyCallee5, happyCallee6, happyCallee7,
    happyCallee8, happyCallee9, happyCallee10, happyCallee11, happyCallee12, happyCallee13, happyCallee14, happyCallee15,
    happyCallee16, happyCallee17, happyCallee18, happyCallee19, happyCallee20, happyCallee21, happyCallee22, happyCallee23,
    happyCallee24, happyCallee25, happyCallee26, happyCallee27, happyCallee28, happyCallee29, happyCallee30, happyCallee31,
    happyCallee32, happyCallee33, happyCallee34, happyCallee35, happyCallee36, happyCallee37, happyCallee38, happyCallee39,
    happyCallee40, happyCallee41, happyCallee42, happyCallee43, happyCallee44, happyCallee45, happyCallee46, happyCallee47,
    happyCallee48, happyCallee49, happyCallee50, happyCallee51, happyCallee52, happyCallee53, happyCallee54, happyCallee55,
    happyCallee56, happyCallee57, happyCallee58, happyCallee59, happyCallee60, happyCallee61, happyCallee62, happyCallee63
];

// Mark every callee non-inlinable (JSC shell builtin) so the call inside ftlFunction stays a real
// call to each of them.
var i = 0;
while (i < happyCallees.length) {
    noInline(happyCallees[i]);
    i++;
}
151
// We want the input array to have an easy-to-deal-with type that isn't exactly the same as the type that
// ftlFunction will return: an Int32Array holding 0..63, whereas ftlFunction hands back a plain Array.
var array = new Int32Array(64);
var i = 0;
while (i < array.length) {
    array[i] = i;
    i++;
}
157
// Now, do some warming up: call ftlFunction 100000 times so it tiers up, rotating through the
// happy callees so the call site sees many targets, and verify on every iteration that the returned
// Array is an element-for-element copy of the input.
var i = 0;
while (i < 100000) {
    var result = ftlFunction(array, happyCallees[i % happyCallees.length]);
    if (result.length != array.length)
        throw "Error: bad length: " + result;
    var j = 0;
    while (j < result.length) {
        if (result[j] != array[j])
            throw "Error: bad entry at j = " + j + ": " + result;
        j++;
    }
    i++;
}
168
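// Finally, attempt to trigger the bug.
//
// Int8Array is handed in as the callee; the test expects the engine to reject calling it with a
// "... not a function" TypeError, thrown from inside the (by now FTL-compiled) ftlFunction. After
// catching it we perform a property access and an addition on `notACell`, a plain number rather
// than a heap object. Per the header comment, the bug under test leaves the tag registers
// clobbered after such a throw, and if that happens these trivial operations are where it is
// expected to show up (wrong property-access result, or wrong arithmetic on a value the compiler
// can no longer tell apart from a cell).
var notACell = 42;
for (var i = 0; i < 100; ++i) {
    // Track whether the call actually threw. Without this, an engine that lets the call through
    // would make the loop body a no-op and the test would pass without exercising anything.
    var threw = false;
    try {
        ftlFunction(array, Int8Array);
    } catch (e) {
        threw = true;
        // A non-Error value (e.g. one of this script's own string throws) has no .message; report
        // it as-is instead of dying on `undefined.indexOf` with an unrelated TypeError.
        var message = (e instanceof Error) ? e.message : String(e);
        if (message.indexOf("not a function") < 0)
            throw "Error: bad exception message: " + message;
        // `f` is never defined on a number, so this must come back undefined.
        var result = notACell.f;
        if (result !== void 0) {
            print("Bad outcome of accessing f on notACell.");
            print("Here's notACell:", notACell, describe(notACell));
            print("Here's the result:", result, describe(result));
            throw "Error: bad outcome of accessing f on " + notACell + ": " + result;
        }
        // undefined + 5 is NaN; 42 + 5 is 47. Both are checked via the same JIT'd arithmetic.
        var result2 = result + 5;
        var result3 = notACell + 5;
        if ("" + result2 != "NaN")
            throw "Error: bad outcome of adding 5 to result: " + result2;
        if (result3 != 47)
            throw "Error: bad outcome of adding 5 to 42: " + result3;
    }
    if (!threw)
        throw "Error: ftlFunction did not throw when called with a non-callable callee";
}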
192