Bug 1574119 - Add a test for bug 1568029 r=jandem
authorJon Coppeard <jcoppeard@mozilla.com>
Thu, 15 Aug 2019 16:23:30 +0000
changeset 488263 0f32ec38b8ff3c28ab0312d5503f3668105dfbeb
parent 488262 31f858085f7cbfccf75359c3a583f5b27a33e50a
child 488264 e7ff4966b99e57346c8bff748b0dc06c074cfb00
push id36440
push userncsoregi@mozilla.com
push dateFri, 16 Aug 2019 03:57:48 +0000
treeherdermozilla-central@a58b7dc85887 [default view] [failures only]
reviewersjandem
bugs1574119, 1568029
milestone70.0a1
Bug 1574119 - Add a test for bug 1568029 r=jandem This adds a testcase for the fix in bug 1568029. This adds a testing function markObjectPropertiesUnknown() which will hopefully be useful for fuzzing. Differential Revision: https://phabricator.services.mozilla.com/D42093
js/src/builtin/TestingFunctions.cpp
js/src/jit-test/tests/basic/bug1568029.js
--- a/js/src/builtin/TestingFunctions.cpp
+++ b/js/src/builtin/TestingFunctions.cpp
@@ -5683,16 +5683,38 @@ static bool MonitorType(JSContext* cx, u
   } else {
     typeSet->addType(sweep, cx, TypeSet::GetValueType(val));
   }
 
   args.rval().setUndefined();
   return true;
 }
 
+static bool MarkObjectPropertiesUnknown(JSContext* cx, unsigned argc,
+                                        Value* vp) {
+  CallArgs args = CallArgsFromVp(argc, vp);
+  RootedObject callee(cx, &args.callee());
+
+  if (!args.get(0).isObject()) {
+    ReportUsageErrorASCII(cx, callee, "Argument must be an object");
+    return false;
+  }
+
+  RootedObject obj(cx, &args[0].toObject());
+  RootedObjectGroup group(cx, JSObject::getGroup(cx, obj));
+  if (!group) {
+    return false;
+  }
+
+  MarkObjectGroupUnknownProperties(cx, group);
+
+  args.rval().setUndefined();
+  return true;
+}
+
 JSScript* js::TestingFunctionArgumentToScript(
     JSContext* cx, HandleValue v, JSFunction** funp /* = nullptr */) {
   if (v.isString()) {
     // To convert a string to a script, compile it. Parse it as an ES6 Program.
     RootedLinearString linearStr(cx, StringToLinearString(cx, v.toString()));
     if (!linearStr) {
       return nullptr;
     }
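Review bot: MarkObjectPropertiesUnknown has no comment saying that its effect is per-group rather than per-object, and the commit message says it is meant for fuzzers, so it will be called with arbitrary objects. The call `MarkObjectGroupUnknownProperties(cx, group)` acts on whatever `JSObject::getGroup(cx, obj)` returns for `args[0]`; for a proxy or cross-compartment wrapper that is presumably the wrapper's own group and not the target's, which is worth confirming and writing down. I would add above the function something like `// Testing hook: marks obj's ObjectGroup as having unknown properties. Affects every object sharing the group; wrappers are not unwrapped.` The trailing context lines belong to TestingFunctionArgumentToScript, whose body continues outside the hunk.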
@@ -6696,16 +6718,20 @@ gc::ZealModeHelpText),
 "  Baseline-compiles the given JS function or script.\n"
 "  Without arguments, baseline-compiles the caller's script; but note\n"
 "  that extra boilerplate is needed afterwards to cause the VM to start\n"
 "  running the jitcode rather than staying in the interpreter:\n"
 "    baselineCompile();  for (var i=0; i<1; i++) {} ...\n"
 "  The interpreter will enter the new jitcode at the loop header unless\n"
 "  baselineCompile returned a string or threw an error.\n"),
 
+    JS_FN_HELP("markObjectPropertiesUnknown", MarkObjectPropertiesUnknown, 1, 0,
+"markObjectPropertiesUnknown(obj)",
+"  Mark all objects in obj's object group as having unknown properties.\n"),
+
     JS_FS_HELP_END
 };
 // clang-format on
 
 // clang-format off
 static const JSFunctionSpecWithHelp FuzzingUnsafeTestingFunctions[] = {
 #ifdef DEBUG
     JS_FN_HELP("parseRegExp", ParseRegExp, 3, 0,
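Review bot: The help string for `markObjectPropertiesUnknown` does not say that a non-object argument raises a usage error, nor whether the group stays marked afterwards, and both matter to someone writing a fuzzer grammar or a jit-test around it. The entry is added to the table that ends just before `FuzzingUnsafeTestingFunctions`, so it is presumably reachable in fuzzing-safe mode; the start of that table is outside the hunk, so confirm it is the intended list. If the marking is permanent, as it appears to be, a second help line such as `"  The group stays marked; throws if obj is not an object.\n"` would cover it.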
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1568029.js
@@ -0,0 +1,22 @@
+function TestObject(a) {
+    this.a = 1;
+    if (a >= 0) {
+        this.b = 2;
+    }
+
+    if (a > 0) {
+        new TestObject(a - 1);
+    }
+    if (a == 0) {
+        markObjectPropertiesUnknown(this);
+    }
+}
+
+// Force analysis. There may be a better way.
+for (let i = 0; i < 1000; i++) {
+    new TestObject(-1);
+}
+
+let x = new TestObject(1);
+assertEq(x.a, 1);
+assertEq(x.b, 2);
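Review bot: The warm-up loop relies on the bare constant `1000` to trigger analysis of `TestObject`, and nothing in the test checks that the analysis actually ran. If the threshold or the analysis strategy changes, the test would keep passing without exercising the path fixed in bug 1568029. The existing comment `// Force analysis. There may be a better way.` admits this; I would extend it to name which analysis is meant and why 1000 iterations is enough. A one-line header at the top of the file saying what went wrong in bug 1568029 would also help, since the recursive `new TestObject(a - 1)` call followed by `markObjectPropertiesUnknown(this)` is not self-explanatory.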