chromium/third_party/blink/web_tests/fast/js/pic/cached-prototype-then-immediate.html

<p>This page tests whether a cached [[put]] consults setters in the prototype chain.
If the test passes, you'll see two PASS messages below.</p>

<pre id="console"></pre>

<script>
if (window.testRunner)
    testRunner.dumpAsText();

function log(s)
{
    document.getElementById("console").appendChild(document.createTextNode(s));
}

(function() {
    function callToString(arg)
    {
        return arg.toString();
    }
    
    // toString() will hit the direct prototype of this object.
    var victim = {};
    
    callToString(victim);
    callToString(victim);
    callToString(victim);
    callToString(1);
    
    log("PASS: I didn't segfault.\n");
})();

(function() {
    function callToString(arg)
    {
        return arg.toString();
    }

    // toString() will have to walk a prototype chain for this object.
    function MyObject() {}
    MyObject.prototype = { someStuff: {} };
    var victim = new MyObject();

    var xSetterCalled = false;

    callToString(victim);
    callToString(victim);
    callToString(victim);
    callToString(1);

    log("PASS: I didn't segfault.\n");
})();
</script>