X-Git-Url: https://git.saurik.com/apple/javascriptcore.git/blobdiff_plain/2d39b0e377c0896910ee49ae70082ba665faf986..ed1e77d3adeb83d26fd1dfb16dd84cabdcefd250:/tests/stress/load-varargs-elimination-bounds-check-barely.js

diff --git a/tests/stress/load-varargs-elimination-bounds-check-barely.js b/tests/stress/load-varargs-elimination-bounds-check-barely.js
new file mode 100644
index 0000000..83c1328
--- /dev/null
+++ b/tests/stress/load-varargs-elimination-bounds-check-barely.js
@@ -0,0 +1,35 @@
+function foo() {
+    var result = 0;
+    for (var i = 0; i < arguments.length; ++i)
+        result += arguments[i];
+    return result;
+}
+
+function bar() {
+    return foo.apply(this, arguments);
+}
+
+function baz(p) {
+    if (p)
+        return bar(1, 42);
+    return 0;
+}
+
+noInline(baz);
+
+// Execute baz() once with p set, so that the call has a valid prediction.
+baz(true);
+
+// Warm up profiling in bar and foo. Convince this profiling that bar()'s varargs call will tend to
+// pass a small number of arguments;
+for (var i = 0; i < 1000; ++i)
+    bar(1);
+
+// Now compile baz(), but don't run the bad code yet.
+for (var i = 0; i < 10000; ++i)
+    baz(false);
+
+// Finally, trigger the bug.
+var result = baz(true);
+if (result != 43)
+    throw "Error: bad result: " + result;