Simpler repro for bug 2989.

We do not correctly handle accesses to f.arguments after one
of the argument has changed (where f is crankshafted).

R=machenbach@chromium.org
BUG=v8:2989
LOG=n

Review URL: https://codereview.chromium.org/151403003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18999 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
index 7d5d452..2c8fe1b 100644 (file)
--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -114,6 +114,9 @@
 
   # BUG(336820). TODO(bmeurer): Investigate.
   'regress/regress-336820': [PASS, FAIL],
+
+  # BUG(v8:2989).
+  'regress/regress-2989': [FAIL, NO_VARIANTS],
 }],  # ALWAYS
 
 ##############################################################################

diff --git a/test/mjsunit/regress/regress-2989.js b/test/mjsunit/regress/regress-2989.js
new file mode 100644 (file)
index 0000000..49c4a1c
--- /dev/null
+++ b/test/mjsunit/regress/regress-2989.js
@@ -0,0 +1,35 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Copyright (C) 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+// 1.  Redistributions of source code must retain the above copyright
+//     notice, this list of conditions and the following disclaimer.
+// 2.  Redistributions in binary form must reproduce the above copyright
+//     notice, this list of conditions and the following disclaimer in the
+//     documentation and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+// WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+// DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+// ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+(function ArgumentsObjectChange() {
+  function f(x) {
+      x = 42;
+      return f.arguments[0];
+  }
+
+  f(0);
+  %OptimizeFunctionOnNextCall(f);
+  assertEquals(42, f(0));
+})();

diff --git a/test/webkit/webkit.status b/test/webkit/webkit.status
index ce2bd7a..8400ba7 100644 (file)
--- a/test/webkit/webkit.status
+++ b/test/webkit/webkit.status
@@ -33,10 +33,10 @@
   ##############################################################################
   # Flaky tests.
   # BUG(v8:2989).
-  'dfg-inline-arguments-become-double': [PASS, FLAKY],
-  'dfg-inline-arguments-become-int32': [PASS, FLAKY],
-  'dfg-inline-arguments-reset': [PASS, FLAKY],
-  'dfg-inline-arguments-reset-changetype': [PASS, FLAKY],
+  'dfg-inline-arguments-become-double': [PASS, FAIL],
+  'dfg-inline-arguments-become-int32': [PASS, FAIL],
+  'dfg-inline-arguments-reset': [PASS, FAIL],
+  'dfg-inline-arguments-reset-changetype': [PASS, FAIL],
 }],  # ALWAYS
 ['mode == debug', {
   # Too slow in debug mode.