nodejs/deps/v8/test/mjsunit/regress/regress-crbug-1451644.js

// Copyright 2023 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --maglev --allow-natives-syntax

function f(a, b) {
  // This access site has seen PACKED_DOUBLE_ELEMENTS (transition to
  // HOLEY_DOUBLE_ELEMENTS).
  b[13] = 0;

  // This access site has seen HOLEY_DOUBLE_ELEMENTS and HOLEY_ELEMENTS.
  // HOLEY_DOUBLE_ELEMENTS can transition to HOLEY_ELEMENTS.
  a[0] = 0;

  // This access site has seen only HOLEY_DOUBLE_ELEMENTS.
  b[0] = 9.431092e-317;
}
%PrepareFunctionForOptimization(f);

// Call 1
let o1a = new Array(1);
o1a[0] = 'a'; // HOLEY_ELEMENTS

let o1b = [2147483648]; // PACKED_DOUBLE_ELEMENTS

// Before:
// HOLEY_ELEMENTS, PACKED_DOUBLE_ELEMENTS
f(o1a, o1b);
// After:
// HOLEY_ELEMENTS, HOLEY_DOUBLE_ELEMENTS

// Call 2
let o2a = [0.1]; // PACKED_DOUBLE_ELEMENTS

// Before:
// PACKED_DOUBLE_ELEMENTS, PACKED_DOUBLE_ELEMENTS
f(o2a, o2a);
// After:
// HOLEY_DOUBLE_ELEMENTS, HOLEY_DOUBLE_ELEMENTS

// Call 3
let o3 = [, 0.2];

%OptimizeMaglevOnNextCall(f);

// Before: HOLEY_DOUBLE_ELEMENTS, HOLEY_DOUBLE_ELEMENTS.
f(o3, o3);

// The bug was: after the first store (b[13] = 0) we know what b has the map
// HOLEY_DOUBLE_ELEMENTS. However, we failed to track that that map is
// unstable. For the second store (a[0] = 0), we create a transition from
// HOLEY_DOUBLE_ELEMENTS to HOLEY_ELEMENTS. This will also transition b because
// they're the same object. And since we failed to track that the
// HOLEY_DOUBLE_ELEMENTS map is unstable, we didn't take into account that b
// might change maps while the code is executing.
deps: update V8 to 11.8.172.13 PR-URL: https://github.com/nodejs/node/pull/49639 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> 2023-10-05 08:46:07 +02:00			`// Copyright 2023 the V8 project authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`

			`// Flags: --maglev --allow-natives-syntax`

			`function f(a, b) {`
			`// This access site has seen PACKED_DOUBLE_ELEMENTS (transition to`
			`// HOLEY_DOUBLE_ELEMENTS).`
			`b[13] = 0;`

			`// This access site has seen HOLEY_DOUBLE_ELEMENTS and HOLEY_ELEMENTS.`
			`// HOLEY_DOUBLE_ELEMENTS can transition to HOLEY_ELEMENTS.`
			`a[0] = 0;`

			`// This access site has seen only HOLEY_DOUBLE_ELEMENTS.`
			`b[0] = 9.431092e-317;`
			`}`
			`%PrepareFunctionForOptimization(f);`

			`// Call 1`
			`let o1a = new Array(1);`
			`o1a[0] = 'a'; // HOLEY_ELEMENTS`

			`let o1b = [2147483648]; // PACKED_DOUBLE_ELEMENTS`

			`// Before:`
			`// HOLEY_ELEMENTS, PACKED_DOUBLE_ELEMENTS`
			`f(o1a, o1b);`
			`// After:`
			`// HOLEY_ELEMENTS, HOLEY_DOUBLE_ELEMENTS`

			`// Call 2`
			`let o2a = [0.1]; // PACKED_DOUBLE_ELEMENTS`

			`// Before:`
			`// PACKED_DOUBLE_ELEMENTS, PACKED_DOUBLE_ELEMENTS`
			`f(o2a, o2a);`
			`// After:`
			`// HOLEY_DOUBLE_ELEMENTS, HOLEY_DOUBLE_ELEMENTS`

			`// Call 3`
			`let o3 = [, 0.2];`

			`%OptimizeMaglevOnNextCall(f);`

			`// Before: HOLEY_DOUBLE_ELEMENTS, HOLEY_DOUBLE_ELEMENTS.`
			`f(o3, o3);`

			`// The bug was: after the first store (b[13] = 0) we know what b has the map`
			`// HOLEY_DOUBLE_ELEMENTS. However, we failed to track that that map is`
			`// unstable. For the second store (a[0] = 0), we create a transition from`
			`// HOLEY_DOUBLE_ELEMENTS to HOLEY_ELEMENTS. This will also transition b because`
			`// they're the same object. And since we failed to track that the`
			`// HOLEY_DOUBLE_ELEMENTS map is unstable, we didn't take into account that b`
			`// might change maps while the code is executing.`