X-Git-Url: https://git.saurik.com/apple/javascriptcore.git/blobdiff_plain/2d39b0e377c0896910ee49ae70082ba665faf986..ed1e77d3adeb83d26fd1dfb16dd84cabdcefd250:/tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js
diff --git a/tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js b/tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js
new file mode 100644
index 0000000..374b3b0
--- /dev/null
+++ b/tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+// Regression test for https://bugs.webkit.org/show_bug.cgi?id=144020.
+// This test should not crash.
+
+// What happened in the bug:
+function foo(p) {
+ var b = {};
+ b.a = {};
+ if (p)
+ b.a.C = p.q;
+ return b.a.C;
+}
+noInline(foo);
+
+for (var i = 0; i < 10000; i++)
+ foo(true);
+
+// A reduced version:
+function foo2(p) {
+ var o = {};
+ if (p)
+ o.f = {};
+ return o.f;
+}
+noInline(foo2);
+
+for (var i = 0; i < 10000; i++)
+ foo2(true);
+
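Review bot: The two loops at the end of the hunk discard the return values of `foo(true)` and `foo2(true)`, so the test only catches a crash and would pass silently if the compiled code returned the wrong value for the property that is stored on just one path. The usual stress-test shape also checks the result, e.g. in the first loop `var result = foo(true); if (result !== undefined) throw "Error: bad result: " + result;` (since `true.q` is `undefined`), and in the second loop a matching check that `foo2(true)` returns an object. The comment `// What happened in the bug:` names no behaviour; a one-line restatement such as `// b.a.C is stored only when p is truthy but read unconditionally.` would make the repro self-describing, and the same applies to `// A reduced version:` for `o.f`. Both top-level loops redeclare `var i`, which is legal but reads as an oversight; a single declaration or two distinct names would be cleaner.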