Issue: https://crbug.com/1034973
Commit: [runtime] Properly handle constant fields with computed values
Date(Commit): Wed, 18 Dec 2019 16:47:20 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1974070
Regress : test\mjsunit\regress\regress-crbug-1034973.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let x = 0;
let a = {x, 0:({x:4e14,y:4}), x};
Commit: [turbofan] Remove a strong value assumption in the heap broker
Date(Commit): Wed, 18 Dec 2019 14:00:16 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1973733
Regress : test\mjsunit\regress\regress-crbug-1035331.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --expose-gc
const obj = new class C extends async function () {}.constructor {}();
delete obj.name;
Number.prototype.__proto__ = obj;
function foo() {
return obj.bind();
}
%PrepareFunctionForOptimization(foo);
foo();
obj[undefined] = Map, gc();
%OptimizeFunctionOnNextCall(foo);
foo();
Commit: [turbofan] Add a nesting limit for the child serializer
Date(Commit): Tue, 17 Dec 2019 18:28:55 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1969895
Regress : test\mjsunit\compiler\regress-1034768
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --max-serializer-nesting=4
function f1() {
return 1;
}
function f2() { return f1(); }
function f3() { return f2(); }
function f4() { return f3(); }
function f5() { return f4(); }
%PrepareFunctionForOptimization(f1);
%PrepareFunctionForOptimization(f2);
%PrepareFunctionForOptimization(f3);
%PrepareFunctionForOptimization(f4);
%PrepareFunctionForOptimization(f5);
f5();
f5();
%OptimizeFunctionOnNextCall(f5);
f5();
Issue: https://crbug.com/1034203
Commit: [turbofan] Improve error reporting in call reducer
Date(Commit): Tue, 17 Dec 2019 13:54:50 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1969898
Regress : test\mjsunit\regress\regress-crbug-1034203.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(optimized) {
class C {
['h']() {}
}
let h = C.prototype.h;
h.bind();
}
%PrepareFunctionForOptimization(foo);
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/1029077
Commit: [json] Update feedback maps since they might be deprecated
Date(Commit): Tue, 17 Dec 2019 10:51:44 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1970211
Regress : test\mjsunit\regress\regress-crbug-1029077.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
JSON.parse('[{"a": 2.1, "b": 1, "c": "hello"}, {"a": null, "b": 2, "c": {"a": 2.1, "b": 1.1, "c": "hello"}}]')
Issue: https://crbug.com/1029530
Commit: [turbofan] Fixes rematerialization of truncated BigInts
Date(Commit): Thu, 12 Dec 2019 10:06:19 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1962278
Regress : test\mjsunit\regress\regress-1029530.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --interrupt-budget=1024
{
function f() {
const b = BigInt.asUintN(4,3n);
let i = 0;
while(i < 1) {
i + 1;
i = b;
}
}
%PrepareFunctionForOptimization(f);
f();
f();
%OptimizeFunctionOnNextCall(f);
f();
}
{
function f() {
const b = BigInt.asUintN(4,10n);
let i = 0.1;
while(i < 1.8) {
i + 1;
i = b;
}
}
%PrepareFunctionForOptimization(f);
f();
f();
%OptimizeFunctionOnNextCall(f);
f();
}
Issue: https://crbug.com/1031479
Commit: Check if a function has feedback vector before OSRing.
Date(Commit): Thu, 12 Dec 2019 11:37:25 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1962850
Regress : test\mjsunit\regress\regress-crbug-1031479.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --interrupt-budget=200 --stack-size=200 --budget-for-feedback-vector-allocation=100 --expose-gc --stress-flush-bytecode
var i = 0;
function main() {
function v0() {
function v10(a) {
i++;
var cur_i = i;
try {
// This triggers the use of old closure that was installed in the
// earlier invocation of v10 and causes an infinite recursion. At
// some point we throw from here.
[].e = 1;
// Throw when the new closure is on the stack to trigger a OSR on
// the new closure
if (cur_i == 2) throw 1;
} catch(v22) {
// This loop triggers OSR.
for (const v24 in "c19rXGEC2E") {
}
}
}
const v25 = v10(1);
// We install v10's closure here. The bytecode for v10 gets flushed on gc()
const v21 = Object.defineProperty([].__proto__,"e",{set:v10});
}
const v26 = v0();
// With --stress-flush-bytecode GC flushes the bytecode for v0 and v10
gc();
assertThrows(v0, TypeError);
}
main();
Issue: https://crbug.com/1029642
Commit: [regalloc] Missing FP register conflict check
Date(Commit): Mon, 9 Dec 2019 19:11:33 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1958054
Regress : test\mjsunit\regress\wasm\regress-1029642.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js')
const builder = new WasmModuleBuilder();
builder.addMemory(0, 0, false);
builder.addType(makeSig([kWasmF32, kWasmF32, kWasmF64], [kWasmF64]));
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: d_ffdl
// body:
kExprLoop, kWasmF64, // @15 f64
kExprLoop, kWasmF64, // @17 f64
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
kExprI32Const, 0,
kExprIf, kWasmF64, // @251 f64
kExprLoop, kWasmF64, // @253 f64
kExprI32Const, 0,
kExprIf, kWasmI32, // @267 i32
kExprMemorySize, 0x00,
kExprMemoryGrow, 0x00,
kExprElse, // @273
kExprF32Const, 0x00, 0x00, 0x00, 0x00,
kExprI32SConvertF32,
kExprEnd, // @282
kExprDrop,
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
kExprI32Const, 0x00,
kExprBrIf, 0x01, // depth=1
kExprI32SConvertF64,
kExprF64SConvertI32,
kExprEnd, // @311
kExprElse, // @312
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
kExprEnd, // @322
kExprF64Max,
kExprF64Max,
kExprF32Const, 0x00, 0x00, 0x00, 0x00,
kExprF32Const, 0x00, 0x00, 0x00, 0x00,
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
kExprCallFunction, 0x00, // function #0: d_ffdl
kExprF64Max,
kExprF64Max,
kExprF64Max,
kExprI32Const, 0x00,
kExprF64SConvertI32,
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
kExprF64Max,
kExprF64Max,
kExprEnd, // @1374
kExprEnd, // @1375
kExprEnd, // @1376
]);
builder.addExport('main', 0);
builder.toModule();
Issue: https://crbug.com/1030103
Commit: [wasm] Fix logging for imports with names
Date(Commit): Tue, 3 Dec 2019 14:27:37 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1948705
Regress : test\mjsunit\regress\wasm\regress-1030103.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --log-code
(function(foo, foreign) {
'use asm';
var fn = foreign.fn;
function f() { }
return f;
})(this, {fn: x => x});
Issue: https://crbug.com/1029576
Commit: [Turbofan] Fixes crash on missing BigInt.asUintN argument
Date(Commit): Tue, 3 Dec 2019 15:52:17 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1948711
Regress : test\mjsunit\regress\regress-1029576.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f() {
try {
return BigInt.asUintN(8);
} catch(_) {
return 42n;
}
}
%PrepareFunctionForOptimization(f);
assertEquals(42n, f());
assertEquals(42n, f());
%OptimizeFunctionOnNextCall(f);
assertEquals(42n, f());
Issue: https://crbug.com/1029658
Commit: [builtins] Fix assertion failure in TypedArray.from()
Date(Commit): Tue, 3 Dec 2019 12:15:18 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1946335
Regress : test\mjsunit\regress\regress-crbug-1029658.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
delete Float64Array.prototype.__proto__[Symbol.iterator];
let ar = new Float64Array();
Object.defineProperty(ar, "length", {
get: function () { return 121567939849373; }
});
try { Float64Array.from(ar); } catch (e) {}
Issue: https://crbug.com/1028863
Commit: [TurboFan] Loop variable analysis requires more sensitivity
Date(Commit): Mon, 2 Dec 2019 15:30:47 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1946352
Regress : test\mjsunit\regress\regress-crbug-1028863.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function write(begin, end, step) {
for (var i = begin; i >= end; i += step) {
step = end - begin;
begin >>>= 805306382;
}
}
function bar() {
for (let i = 0; i < 10000; i++) {
write(Infinity, 1, 1);
}
}
%PrepareFunctionForOptimization(write);
%PrepareFunctionForOptimization(bar);
bar();
%OptimizeFunctionOnNextCall(bar);
bar();
Issue: https://crbug.com/1028208
Commit: Don't try to optimize an already-optimized function
Date(Commit): Mon, 2 Dec 2019 11:56:32 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1946351
Regress : test\mjsunit\compiler\regress-1028208.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-use-ic --interrupt-budget=100 --always-osr
const num_iterations = 1000;
let i = 0;
const re = /foo.bar/;
const RegExpPrototypeExec = RegExp.prototype.exec;
re.exec = function gaga(str) {
return (i++ < num_iterations) ? RegExpPrototypeExec.call(re, str) : null;
};
re.__defineGetter__("global", () => true);
"foo*bar".match(re);
Issue: https://crbug.com/1028593
Commit: [turbofan] Fix bigint-to-word64 constant folding
Date(Commit): Thu, 28 Nov 2019 12:22:01 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1940263
Regress : test\mjsunit\regress\regress-crbug-1028593.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo() {
try {
return "number".charCodeAt(0n);
} catch(e) {}
}
%PrepareFunctionForOptimization(foo);
for (let i = 0; i < 3; i++) {
foo();
}
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/1028862
Commit: [turbofan] Fix simplified lowering of SpeculativeNumberModulus
Date(Commit): Fri, 29 Nov 2019 11:08:11 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1943150
Regress : test\mjsunit\compiler\regress-1028862.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo() {
for (let i = 0; i < 5; i++) {
// Only allocate feedback vector after the first round so that we get Smi
// feedback for the modulus operation.
if (i == 1) %PrepareFunctionForOptimization(foo);
1 == new Date(42).getMilliseconds() % i;
}
}
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/109362
Commit: [debug] Revert to old line number behavior for new Function()
Date(Commit): Thu, 28 Nov 2019 11:21:01 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1940259
Regress : test\mjsunit\regress\regress-crbug-109362.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function test(expectation, f) {
var stack;
try {
f();
} catch (e) {
stack = e.stack;
}
assertTrue(stack.indexOf("at eval (evaltest:" + expectation + ")") > 0);
}
/*
(function(
) {
1 + reference_error //@ sourceURL=evaltest
})
*/
test("3:5", new Function(
'1 + reference_error //@ sourceURL=evaltest'));
/*
(function(x
) {
1 + reference_error //@ sourceURL=evaltest
})
*/
test("4:6", new Function(
'x', '\n 1 + reference_error //@ sourceURL=evaltest'));
/*
(function(x
,z//
,y
) {
1 + reference_error //@ sourceURL=evaltest
})
*/
test("7:6", new Function(
'x\n\n', "z//\n", "y", '\n 1 + reference_error //@ sourceURL=evaltest'));
/*
(function(x/\*,z//
,y*\/
) {
1 + reference_error //@ sourceURL=evaltest
})
*/
test("4:5", new Function(
'x/*', "z//\n", "y*/", '1 + reference_error //@ sourceURL=evaltest'));
/*
(function () {
1 + reference_error //@ sourceURL=evaltest5
})
*/
test("2:6", eval(
'(function () {\n 1 + reference_error //@ sourceURL=evaltest\n})'));
Issue: https://crbug.com/1028191
Commit: [turbofan] Fixes crash caused by truncated bigint
Date(Commit): Tue, 26 Nov 2019 13:17:45 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1936468
Regress : test\mjsunit\regress\regress-1028191.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
"use strict";
function f(a, b, c) {
let x = BigInt.asUintN(64, a + b);
try {
x + c;
} catch(_) {
eval();
}
return x;
}
%PrepareFunctionForOptimization(f);
assertEquals(f(3n, 5n), 8n);
assertEquals(f(8n, 12n), 20n);
%OptimizeFunctionOnNextCall(f);
assertEquals(f(2n, 3n), 5n);
Commit: [turbofan] Remove unused --inline-accessors flag
Date(Commit): Mon, 25 Nov 2019 16:28:15 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1934333
Regress : test\mjsunit\regress\regress-crbug-134609.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --allow-natives-syntax
var forceDeopt = {x: 0};
var objectWithGetterProperty = function(value) {
var obj = {};
Object.defineProperty(obj, 'getterProperty', {
get: function foo() {
forceDeopt.x;
return value;
}
});
return obj;
}('bad');
function test() {
var iAmContextAllocated = "good";
objectWithGetterProperty.getterProperty;
return iAmContextAllocated;
// Make sure that the local variable is context allocated.
function unused() {
iAmContextAllocated;
}
};
%PrepareFunctionForOptimization(test);
assertEquals("good", test());
assertEquals("good", test());
%OptimizeFunctionOnNextCall(test);
assertEquals("good", test());
// At this point, foo should have been inlined into test. Let's deopt...
delete forceDeopt.x;
assertEquals("good", test());
Issue: https://crbug.com/1018611
Commit: [parser] Don't verify arrow declaration positions if we're going to fail
Date(Commit): Tue, 26 Nov 2019 13:01:56 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1936470
Regress : test\mjsunit\regress\regress-crbug-1018611-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("({a, b: ([c])}) => { }", SyntaxError);
Issue: https://crbug.com/1025468
Commit: Fix too restrictive check in Map::MapVerify
Date(Commit): Tue, 26 Nov 2019 11:22:52 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1936467
Regress : test\mjsunit\regress\regress-crbug-1028396.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
(function () {
var GeneratorFunction = function* () {}.constructor;
class MyFunc extends GeneratorFunction {
constructor(...args) {
super(...args);
this.o = {};
this.o = {};
}
}
var f = new MyFunc("'use strict'; yield 153;");
gc();
var f = new MyFunc("'use strict'; yield 153;");
})();
Commit: [asm.js] Fix load type of {Float32Array} and {Float64Array}.
Date(Commit): Mon, 25 Nov 2019 14:53:19 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1932374
Regress : test\mjsunit\asm\regress-1027595.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function TestF32StoreConvertsF64ToF32() {
function Module(stdlib, foreign, heap) {
'use asm';
var f32 = new stdlib.Float32Array(heap);
function f(a) {
a = +a;
f32[0] = f32[1] = a;
}
return f;
}
var buffer = new ArrayBuffer(0x10000);
var f = Module(this, {}, buffer);
assertDoesNotThrow(() => f(23.42));
var view = new Float32Array(buffer);
assertEquals(Math.fround(23.42), view[0]);
assertEquals(Math.fround(23.42), view[1]);
assertTrue(%IsAsmWasmCode(Module));
})();
(function TestF64StoreConvertsF32ToF64() {
function Module(stdlib, foreign, heap) {
'use asm';
var fround = stdlib.Math.fround;
var f64 = new stdlib.Float64Array(heap);
function f(a) {
a = fround(a);
f64[0] = f64[1] = a;
}
return f;
}
var buffer = new ArrayBuffer(0x10000);
var f = Module(this, {}, buffer);
assertDoesNotThrow(() => f(23.42));
var view = new Float64Array(buffer);
assertEquals(Math.fround(23.42), view[0]);
assertEquals(Math.fround(23.42), view[1]);
assertTrue(%IsAsmWasmCode(Module));
})();
Issue: https://crbug.com/1024936
Commit: [turbofan] Guard call to ProcessReceiverMapForApiCall
Date(Commit): Mon, 25 Nov 2019 14:35:27 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1930905
Regress : test\mjsunit\compiler\regress-1024936.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
Object.defineProperty(Number.prototype, "v", { get: constructor });
function get_v(num) {
return num.v;
}
let n = new Number(42);
%PrepareFunctionForOptimization(get_v);
get_v(n);
get_v(n);
%OptimizeFunctionOnNextCall(get_v);
get_v(n);
Commit: [TurboFan] Fix bug in FunctionBlueprint::operator==()
Date(Commit): Fri, 22 Nov 2019 21:29:04 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1926151
Regress : test\mjsunit\regress\regress-crbug-1024282.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --expose-gc
assertThrows = function assertThrows(code) {};
%PrepareFunctionForOptimization(assertThrows);
function foo(val) {
var arr = [];
function bar() {
function m1() {}
%PrepareFunctionForOptimization(m1);
assertThrows(m1);
0 in arr;
}
%PrepareFunctionForOptimization(bar);
bar(); // virtual context distance of 1 from native_context
gc();
bar(true);
}
%PrepareFunctionForOptimization(foo);
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/1024758
Commit: [compiler] Fix RegExpPrototypeTest reduction
Date(Commit): Tue, 19 Nov 2019 13:36:21 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1924353
Regress : test\mjsunit\regress\regress-crbug-1024758.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
function f() {
return r.test("abc");
}
function to_dict(o) {
r.a = 42;
r.b = 42;
delete r.a;
}
function to_fast(o) {
const obj = {};
const obj2 = {};
delete o.a;
obj.__proto__ = o;
obj[0] = 1;
obj.__proto__ = obj2;
delete obj[0];
return o;
}
// Shrink the instance size by first transitioning to dictionary properties,
// then back to fast properties.
const r = /./;
to_dict(r);
to_fast(r);
%PrepareFunctionForOptimization(f);
assertTrue(f());
%OptimizeFunctionOnNextCall(f);
assertTrue(f());
Issue: https://crbug.com/v8/9945
Commit: [turbofan] Fix and reenable a test on no_harness configs
Date(Commit): Tue, 19 Nov 2019 12:01:19 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1924352
Regress : test\mjsunit\compiler\regress-9945-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --opt --no-always-opt
////////////////////////////////////////////////////////////////////////////////
// This is a variant of regress-99540-1.js that does not rely on concurrent
// recompilation.
////////////////////////////////////////////////////////////////////////////////
function mkbar() { return function(x) { x.p } }
var bar = mkbar();
function foo(x) { bar(x) }
%PrepareFunctionForOptimization(foo);
%PrepareFunctionForOptimization(bar);
%PrepareFunctionForOptimization(mkbar);
// Create map transitions such that a's final map is not stable.
var dummy = [];
dummy.p = 0;
dummy.q = 0;
var a = [];
a.p = 42;
var b = [];
b.p = 42;
// Warm-up.
foo(a);
foo(a);
// Trigger optimization of bar, based on PACKED_SMI_ELEMENTS feedback.
%OptimizeFunctionOnNextCall(bar);
bar(a);
assertOptimized(bar);
%PrepareFunctionForOptimization(bar);
// Change a's map from PACKED_SMI_ELEMENTS to PACKED_ELEMENTS and run new
// instance of mkbar() in the interpreter s.t. bar's load feedback changes
// accordingly (thanks to feedback vector sharing).
a[0] = {};
mkbar()(a);
assertOptimized(bar);
// If we were to call the optimized bar now, it would deopt.
// Instead we trigger optimization of foo, which will inline bar (this time
// based on the new PACKED_ELEMENTS map.
assertOptimized(bar);
%OptimizeFunctionOnNextCall(foo);
assertOptimized(bar);
foo(a);
assertOptimized(bar);
assertOptimized(foo);
%PrepareFunctionForOptimization(foo);
// Now call the optimized foo on an object that has the old PACKED_SMI_ELEMENTS
// map. This will lead to an eager deopt of foo when the inlined bar sees that
// old map.
foo(b);
assertUnoptimized(foo);
assertOptimized(bar);
// Now ensure there is no deopt-loop. There used to be a deopt-loop because, as
// a result of over-eager checkpoint elimination, we used to deopt into foo
// (right before the call to bar) rather than into bar (right before the load).
%OptimizeFunctionOnNextCall(foo);
foo(b);
assertOptimized(foo);
Issue: https://crbug.com/v8/9945
Commit: [turbofan] Fix a deopt loop
Date(Commit): Mon, 18 Nov 2019 20:11:06 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1906208
Regress : test\mjsunit\compiler\regress-9945-1.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt --no-always-opt
// Flags: --concurrent-recompilation --block-concurrent-recompilation
function foo(x) { bar(x) }
function bar(x) { x.p }
%PrepareFunctionForOptimization(foo);
%PrepareFunctionForOptimization(bar);
// Create map transitions such that a's final map is not stable.
var dummy = [];
dummy.p = 0;
dummy.q = 0;
var a = [];
a.p = 42;
var b = [];
b.p = 42;
// Warm-up.
foo(a);
foo(a);
// Trigger optimization of bar but don't yet complete it.
%OptimizeFunctionOnNextCall(bar, "concurrent");
foo(a);
%PrepareFunctionForOptimization(bar);
// Change a's map from PACKED_SMI_ELEMENTS to PACKED_ELEMENTS and run bar in the
// interpreter (via foo) s.t. bar's load feedback changes accordingly.
a[0] = {};
foo(a);
assertUnoptimized(bar, "no sync");
// Now finish the optimization of bar, which was based on the old
// PACKED_SMI_ELEMENTS feedback.
%UnblockConcurrentRecompilation();
assertOptimized(bar);
// If we were to call the optimized bar now, it would deopt.
// Instead we trigger optimization of foo, which will inline bar (this time
// based on the new PACKED_ELEMENTS map.
%OptimizeFunctionOnNextCall(foo);
foo(a);
assertOptimized(foo);
%PrepareFunctionForOptimization(foo);
assertOptimized(bar);
// Now call the optimized foo on an object that has the old PACKED_SMI_ELEMENTS
// map. This will lead to an eager deopt of foo when the inlined bar sees that
// old map.
foo(b);
assertUnoptimized(foo);
assertOptimized(bar);
// Now ensure there is no deopt-loop. There used to be a deopt-loop because, as
// a result of over-eager checkpoint elimination, we used to deopt into foo
// (right before the call to bar) rather than into bar (right before the load).
%OptimizeFunctionOnNextCall(foo);
foo(b);
assertOptimized(foo);
Issue: https://crbug.com/1022695
Commit: [builtins] Put all JS linkage builtins in CODE_SPACE
Date(Commit): Mon, 18 Nov 2019 10:28:11 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1916600
Regress : test\mjsunit\regress\regress-crbug-1022695.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows(() => {
(function (foo, foreign) {
'use asm';
var f = foreign.toString;
function get() {
f();
}
return get;
})(this, new Error())();
});
Issue: https://crbug.com/1024099
Commit: [builtins] Fix sorting of huge shared TypedArrays
Date(Commit): Wed, 13 Nov 2019 22:49:07 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1914564
Regress : test\mjsunit\regress\regress-crbug-1024099.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let len = 0x20000;
let ar = new Int32Array(new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT * len));
ar[7] = -13;
ar[0x1673] = -42;
ar[0x1f875] = -153;
ar.sort();
assertEquals(ar[0], -153);
assertEquals(ar[1], -42);
assertEquals(ar[2], -13);
assertEquals(ar[3], 0);
Issue: https://crbug.com/1017159
Commit: [Turbofan]: Fix error in serializer try ranges with generators
Date(Commit): Tue, 12 Nov 2019 14:58:25 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1879247
Regress : test\mjsunit\regress\regress-crbug-1017159.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
function* foo() {
__v_1 = foo.x; // LdaNamedProperty
for (;;) {
try {
yield;
try {
__v_0 == "object";
__v_1[__getRandomProperty()]();
} catch(e) {
print();
}
} catch(e) {
"Caught: " + e;
}
break;
}
};
%PrepareFunctionForOptimization(foo);
%OptimizeFunctionOnNextCall(foo);
foo();
Commit: [test] Simplify test exceptions for force-slow-path
Date(Commit): Tue, 12 Nov 2019 13:13:15 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1910947
Regress : test\mjsunit\regress\regress-crbug-493779.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --enable-slow-asserts --no-force-slow-path
var s = "\u1234-------";
for (var i = 0; i < 17; i++) {
s += s;
}
s.replace(/[\u1234]/g, "");
Issue: https://crbug.com/v8/4153
Commit: [builtins] Allow 2Gb TypedArrays on 64-bit architectures
Date(Commit): Mon, 11 Nov 2019 19:39:17 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1905847
Regress : test\mjsunit\regress\regress-319722-TypedArrays.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --nostress-opt --allow-natives-syntax --mock-arraybuffer-allocator
let kArrayBufferByteLengthLimit = %ArrayBufferMaxByteLength() + 1;
let kTypedArrayLengthLimit = %TypedArrayMaxLength() + 1;
function TestArray(constr, elementSize) {
assertEquals(kArrayBufferByteLengthLimit % elementSize, 0);
let bufferSizeLength = kArrayBufferByteLengthLimit / elementSize;
let minUnallocatableSize =
kTypedArrayLengthLimit < bufferSizeLength
? kTypedArrayLengthLimit
: bufferSizeLength;
assertThrows(function() {
new constr(minUnallocatableSize);
}, RangeError);
// This one must succeed.
new constr(minUnallocatableSize - 1);
}
TestArray(Uint8Array, 1);
TestArray(Int8Array, 1);
TestArray(Uint16Array, 2);
TestArray(Int16Array, 2);
TestArray(Uint32Array, 4);
TestArray(Int32Array, 4);
TestArray(Float32Array, 4);
TestArray(Float64Array, 8);
TestArray(Uint8ClampedArray, 1);
Issue: https://crbug.com/1020031
Commit: [interpreter] Move function-entry stack check to start of bytecode array
Date(Commit): Mon, 11 Nov 2019 14:34:07 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1903440
Regress : test\mjsunit\regress\regress-1020031.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --expose-gc --allow-natives-syntax --predictable --stack-size=300
function* f() {
try {
g();
} catch {}
}
function g() {
try {
for (var i of f());
} catch {
gc();
}
}
%PrepareFunctionForOptimization(g);
g();
g();
g();
// Brittle repro: depends on exact placement of OptimizeFunctionOnNextCall and
// --stack-size.
%OptimizeFunctionOnNextCall(g);
g();
Issue: https://crbug.com/1021712
Commit: Fixes argument CHECKs in serializer that are too strict
Date(Commit): Thu, 7 Nov 2019 17:08:30 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1903442
Regress : test\mjsunit\regress\regress-1021712.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f() {
Promise.prototype.then.call()
}
%PrepareFunctionForOptimization(f);
try {
f();
} catch (e) {}
%OptimizeFunctionOnNextCall(f);
assertThrows(() => f(), TypeError);
Issue: https://crbug.com/v8/9192
Commit: Increase old space size for regress-678917.js
Date(Commit): Thu, 7 Nov 2019 09:20:04 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1890101
Regress : test\mjsunit\regress\regress-678917.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --max-old-space-size=2000 --nostress-incremental-marking
// This test uses a lot of memory and fails with flaky OOM when run
// with --stress-incremental-marking on TSAN.
s1 = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
s1 += s1;
s1 += s1;
s1 += s1;
s1 += s1;
s0 = 'a';
function g() {
for (var j = 0; j < 1000000; j++) {
s0 += s1;
}
}
try {
g();
} catch (e) {
}
assertEquals('x', s0[10]);
Issue: https://crbug.com/1016703
Commit: [heap]: Make addition of detached contexts robust for GC
Date(Commit): Mon, 4 Nov 2019 15:37:10 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1895573
Regress : test\mjsunit\regress\regress-1016703.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
let realms = [];
for (let i = 0; i < 4; i++) {
realms.push(Realm.createAllowCrossRealmAccess());
}
for (let i = 0; i < 4; i++) {
Realm.detachGlobal(realms[i]);
gc();
}
Issue: https://crbug.com/1020983
Commit: [compiler] Fallback to slow path for any unexpected opcode in TryGetScopeInfo
Date(Commit): Wed, 6 Nov 2019 09:44:59 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1899989
Regress : test\mjsunit\regress\regress-crbug-1020983.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --always-osr
function opt() {
for (let i = 0; i < 5000; i++) {
try {
try {
throw 1
} finally {
E
}
} catch {}
}
eval()
}
opt()
Issue: https://crbug.com/1016450
Commit: Regression test for word64-lowered BigInt accumulator
Date(Commit): Mon, 4 Nov 2019 13:13:51 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1876057
Regress : test\mjsunit\regress\regress-1016450.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt --no-always-opt
let g = 0;
function f(x) {
let y = BigInt.asUintN(64, 15n);
// Introduce a side effect to force the construction of a FrameState that
// captures the value of y.
g = 42;
try {
return x + y;
} catch(_) {
return y;
}
}
%PrepareFunctionForOptimization(f);
assertEquals(16n, f(1n));
assertEquals(17n, f(2n));
%OptimizeFunctionOnNextCall(f);
assertEquals(16n, f(1n));
assertOptimized(f);
assertEquals(15n, f(0));
assertUnoptimized(f);
Issue: https://crbug.com/1018871
Commit: Revert "[runtime] Correctly handle global stores when global object has proxies"
Date(Commit): Fri, 1 Nov 2019 18:25:31 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1889885
Regress : test\mjsunit\regress\regress-1018871.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var v_this = this;
function f() {
var obj = {y: 0};
var proxy = new Proxy(obj, {
has() { y; },
});
Object.setPrototypeOf(v_this, proxy);
x;
}
assertThrows(f, RangeError);
Issue: https://crbug.com/1018592
Commit: [regexp] Fix invalid DCHECK in named capture logic
Date(Commit): Tue, 29 Oct 2019 10:36:50 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1886810
Regress : test\mjsunit\regress\regress-1018592.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const re = /()()()()(?<aaaab>)1/;
"111a1a".replace(re, () => {}) ;
Issue: https://crbug.com/1010272
Commit: Reland "[wasm] Fix incorrect check for growing shared WebAssembly.memory"
Date(Commit): Mon, 28 Oct 2019 18:10:35 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1869077
Regress : test\mjsunit\regress\wasm\regress-1010272.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-grow-shared-memory --experimental-wasm-threads
const kNumWorkers = 100;
const kNumMessages = 50;
function AllocMemory(initial, maximum = initial) {
return new WebAssembly.Memory({initial : initial, maximum : maximum, shared : true});
}
(function RunTest() {
let worker = [];
for (let w = 0; w < kNumWorkers; w++) {
worker[w] = new Worker(
`onmessage =
function(msg) {
msg.memory.grow(1);
}`, {type : 'string'});
}
for (let i = 0; i < kNumMessages; i++) {
let memory = AllocMemory(1, 128);
for (let w = 0; w < kNumWorkers; w++) {
worker[w].postMessage({memory : memory});
}
}
})();
Issue: https://crbug.com/1018611
Commit: [parser] Add early return for declaration error in arrow head
Date(Commit): Mon, 28 Oct 2019 09:40:27 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1879906
Regress : test\mjsunit\regress\regress-crbug-1018611.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("(l-(c))=>", SyntaxError);
Issue: https://crbug.com/1018565
Commit: [turbofan] Fix memory corruption with VirtualBoundFunctions
Date(Commit): Mon, 28 Oct 2019 13:34:26 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1879904
Regress : test\mjsunit\compiler\regress-bound-functions.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo() {
return Array.prototype.sort.bind([]);
}
function bar() {
return foo();
}
%PrepareFunctionForOptimization(foo);
%PrepareFunctionForOptimization(bar);
bar();
bar();
%OptimizeFunctionOnNextCall(bar);
bar();
Commit: [ic] Correctly Handle global loads when global object has proxies
Date(Commit): Fri, 25 Oct 2019 16:55:25 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1876059
Regress : test\mjsunit\regress\regress-crbug-913212.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const globalThis = this;
Object.setPrototypeOf(this, new Proxy({}, {
has() { return true; },
getOwnPropertyDescriptor() {
assertUnreachable("getOwnPropertyDescriptor shouldn't be called."); },
get(target, prop, receiver) {
assertTrue(receiver === globalThis);
}
}));
undefined_name_access
Issue: https://crbug.com/v8/9894
Commit: Handle nonextensible obj in Map::GetInitalElements
Date(Commit): Thu, 24 Oct 2019 12:28:10 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1876994
Regress : test\mjsunit\regress\regress-9894.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function frozen() {
const ary = [1.1]
Object.defineProperty(ary, 0, {get:run_it} );
// v8::internal::Runtime_ArrayIncludes_Slow.
ary.includes();
function run_it(el) {
ary.length = 0;
ary[0] = 1.1;
Object.freeze(ary);
return 2.2;
}
})();
(function seal() {
const ary = [1.1]
Object.defineProperty(ary, 0, {get:run_it} );
// v8::internal::Runtime_ArrayIncludes_Slow.
ary.includes();
function run_it(el) {
ary.length = 0;
ary[0] = 1.1;
Object.seal(ary);
return 2.2;
}
})();
(function preventExtensions() {
const ary = [1.1]
Object.defineProperty(ary, 0, {get:run_it} );
// v8::internal::Runtime_ArrayIncludes_Slow.
ary.includes();
function run_it(el) {
ary.length = 0;
ary[0] = 1.1;
Object.preventExtensions(ary);
return 2.2;
}
})();
Issue: https://crbug.com/v8/9744
Commit: Reland x3 "[runtime] Remove extension slots from context objects"
Date(Commit): Tue, 22 Oct 2019 14:59:24 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1863191
Regress : test\mjsunit\regress\regress-crbug-1016056.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f(args) {
eval();
return arguments[0];
}
%PrepareFunctionForOptimization(f);
function g() {
return f(1);
}
%PrepareFunctionForOptimization(g);
assertEquals(1, g());
%OptimizeFunctionOnNextCall(g);
assertEquals(1, g());
Issue: https://crbug.com/1016515
Commit: [wasm] Initialize new jump table correct for lazy compilation
Date(Commit): Tue, 22 Oct 2019 13:01:21 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1873687
Regress : test\mjsunit\regress\wasm\regress-1016515.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-lazy-compilation
load('test/mjsunit/wasm/wasm-module-builder.js');
var builder = new WasmModuleBuilder();
var func = builder.addFunction('func', kSig_i_v).addBody([kExprI32Const, 1]);
var body = [];
for (let i = 0; i < 200; ++i) {
body.push(kExprCallFunction, func.index);
}
for (let i = 1; i < 200; ++i) {
body.push(kExprI32Add);
}
builder.addFunction('test', kSig_i_v).addBody(body).exportFunc();
var instance = builder.instantiate();
instance.exports.test();
Issue: https://crbug.com/1015372
Commit: [parser] Push variables of non-arrow parenthesized expression to parent
Date(Commit): Mon, 21 Oct 2019 17:37:55 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1872389
Regress : test\mjsunit\regress\regress-crbug-1015372.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function() {
function opt(flag) {
function inline() {
(function () {
flag()
})();
(flag) = 1;
}
inline();
}
assertThrows(opt, TypeError);
})();
(function() {
function opt(flag){
function inline() {
var f = (function() {
return flag;
});
function g(x) {
(flag) = x;
}
return [f,g];
}
return inline();
}
[f, g] = opt(1);
%PrepareFunctionForOptimization(f);
assertEquals(1, f());
assertEquals(1, f());
%OptimizeFunctionOnNextCall(f);
assertEquals(1, f());
g(2);
assertEquals(2, f());
})();
Issue: https://crbug.com/1015567
Commit: [parser] Accumulate even if we already thought we had an error
Date(Commit): Fri, 18 Oct 2019 15:48:32 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1869198
Regress : test\mjsunit\regress\regress-crbug-1015567.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows('a ( { b() {} } [ [ 1 , c.d = 1 ] = 1.1 ] )', SyntaxError);
Issue: https://crbug.com/v8/9800
Commit: [regexp] Modify matchAll to throw on non-globals.
Date(Commit): Tue, 15 Oct 2019 07:34:02 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1846067
Regress : test\mjsunit\regress\regress-crbug-899464.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
''.matchAll(/./ug);
Issue: https://crbug.com/1013920
Commit: [asmjs] Disallow AsmJs instantiation from a SharedArrayBuffer.
Date(Commit): Tue, 15 Oct 2019 13:17:00 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1862563
Regress : test\mjsunit\asm\regress-1013920.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function asm(stdlib, foreign, heap) {
"use asm";
var heap32 = new stdlib.Uint32Array(heap);
function f() { return 0; }
return {f : f};
}
var heap = Reflect.construct(
SharedArrayBuffer,
[1024 * 1024],
ArrayBuffer.prototype.constructor);
asm(this, {}, heap);
Issue: https://crbug.com/1012301
Commit: [runtime] Fix Object.assign for in-place repr changes
Date(Commit): Mon, 14 Oct 2019 16:07:31 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1859621
Regress : test\mjsunit\regress\regress-crbug-1012301-1.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function get() {
// Update the descriptor array now shared between the Foo map and the
// (Foo + c) map.
o1.c = 10;
// Change the type of the field on the new descriptor array in-place to
// Tagged. If Object.assign has a cached descriptor array, then it will point
// to the old Foo map's descriptors, which still have .b as Double.
o2.b = "string";
return 1;
}
function Foo() {
Object.defineProperty(this, "a", {get, enumerable: true});
// Initialise Foo.b to have Double representation.
this.b = 1.5;
}
var o1 = new Foo();
var o2 = new Foo();
var target = {};
Object.assign(target, o2);
// Make sure that target has the right representation after assignment.
assertEquals(target.b, "string");
Issue: https://crbug.com/v8/9754
Commit: [wasm-simd] Implement memory tracing for kSimd128 data types
Date(Commit): Thu, 10 Oct 2019 16:56:09 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1814885
Regress : test\mjsunit\regress\wasm\regress-702460.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load("test/mjsunit/wasm/wasm-module-builder.js");
(function() {
"use asm";
var builder = new WasmModuleBuilder();
builder.addFunction("regression_702460", kSig_i_v)
.addBody([
kExprI32Const, 0x52,
kExprI32Const, 0x41,
kExprI32Const, 0x3c,
kExprI32Const, 0xdc, 0x01,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprLocalSet, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprMemoryGrow, 0x00,
kExprS128LoadMem, 0x00, 0x40,
kExprUnreachable,
kExprMemoryGrow, 0x00
]).exportFunc();
assertThrows(() => builder.instantiate());
})();
Issue: https://crbug.com/1012301
Commit: [runtime] Fix CloneObject for all in-place repr changes
Date(Commit): Fri, 11 Oct 2019 17:21:06 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1856005
Regress : test\mjsunit\regress\regress-crbug-1012301.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
function f(o) {
// The spread after the CloneObject IC shouldn't crash when trying to write a
// double value to a field created by CloneObject.
return {...o, ...{a:1.4}};
}
%EnsureFeedbackVectorForFunction(f);
var o = {};
// Train the CloneObject IC with a Double field.
o.a = 1.5;
f(o);
f(o);
f(o);
// Change the source map to have a Tagged field.
o.a = undefined;
f(o);
Issue: https://crbug.com/v8/9825
Commit: [async] Fix bug with await in for 'next' position.
Date(Commit): Thu, 10 Oct 2019 10:22:06 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1849197
Regress : test\mjsunit\regress\regress-v8-9825.mjs
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
async function foo() {
for (;;await[]) {
break;
}
}
foo();
Issue: https://crbug.com/1011980
Commit: [ptr-compr] Remove ChangeTaggedSignedToCompressedSigned optimization
Date(Commit): Tue, 8 Oct 2019 20:19:05 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1847363
Regress : test\mjsunit\regress\regress-1011980.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
let hex_b = 0x0b;
let hex_d = 0x0d;
let hex_20 = 0x20;
let hex_52 = 0x52;
let hex_fe = 0xfe;
function f(a) {
let unused = [ a / 8, ...[ ...[ ...[], a / 8, ...[ 7, hex_fe, a, 0, 0, hex_20,
6, hex_52, hex_d, 0, hex_b], 0, hex_b], hex_b]];
}
%PrepareFunctionForOptimization(f)
f(64)
f(64);
%OptimizeFunctionOnNextCall(f);
f(64);
Issue: https://crbug.com/v8/9810
Commit: [wasm] Rename {Get,Set,Tee}Local to Local{Get,Set,Tee}
Date(Commit): Tue, 8 Oct 2019 14:38:48 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1847354
Regress : test\mjsunit\regress\wasm\regress-957405.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');
const memory = new WebAssembly.Memory({initial: 1});
let builder = new WasmModuleBuilder();
builder.addImportedMemory("imports", "mem");
builder.addFunction("fill", kSig_v_iii)
.addBody([kExprLocalGet, 0, // dst
kExprLocalGet, 1, // value
kExprLocalGet, 2, // size
kNumericPrefix, kExprMemoryFill, 0]).exportAs("fill");
let instance = builder.instantiate({imports: {mem: memory}});
memory.grow(1);
assertTraps(
kTrapMemOutOfBounds,
() => instance.exports.fill(kPageSize + 1, 123, kPageSize));
Issue: https://crbug.com/1003732
Commit: [runtime] Don't set sticky bit on empty_slow_element_dictionary
Date(Commit): Fri, 4 Oct 2019 13:52:08 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1833686
Regress : test\mjsunit\regress\regress-crbug-1003732.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f_1() {
var v = new Array();
v[0] = 10;
return v;
}
function test() {
var setter_called = false;
// Turn array to NumberDictionary
Array.prototype[123456789] = 42;
assertEquals(f_1().length, 1);
// Reset to empty_slow_dictionary
Array.prototype.length = 0;
// This should reset the prototype validity cell.
Array.prototype.__defineSetter__("0", function() {setter_called = true});
f_1();
assertEquals(setter_called, true);
}
test();
Issue: https://crbug.com/1011596
Commit: [parser] Fix preparsing of modules containing labels
Date(Commit): Mon, 7 Oct 2019 10:41:33 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1844777
Regress : test\mjsunit\regress\regress-crbug-1011596.mjs
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
import "./regress-crbug-1011596-module.mjs"
Issue: https://crbug.com/1009728
Commit: [parser] Delete unresolved variables created for labels
Date(Commit): Fri, 4 Oct 2019 10:48:19 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1836258
Regress : test\mjsunit\regress\regress-crbug-1009728.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --stress-lazy-source-positions
function foo(x) {
(function bar() {
{
x: 1
}
function f() {}
});
}
foo();
Issue: https://crbug.com/1006640
Commit: GCExtension: Properly support exceptions
Date(Commit): Wed, 2 Oct 2019 11:53:21 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1835531
Regress : test\mjsunit\regress\regress-1006640.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
function main() {
const v2 = [1337,1337,1337,1337,1337];
function v9() {
const v15 = {get:RegExp};
Object.defineProperty(v2,501,v15);
const v18 = RegExp();
const v19 = 1337 instanceof v18;
}
const v30 = {defineProperty:Function,get:v9,getPrototypeOf:Object};
const v32 = new Proxy(ArrayBuffer,v30);
const v34 = gc(v32);
}
assertThrows(() => main(), TypeError);
Issue: https://crbug.com/1008632
Commit: Modify the DCHECK in when computing KeyedAccessStoreMode.
Date(Commit): Fri, 27 Sep 2019 13:44:22 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1828480
Regress : test\mjsunit\regress\regress-crbug-1008632.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-lazy-feedback-allocation
var __v_9690 = function () {};
try {
(function () {
__f_1653();
})()
} catch (__v_9763) {
}
function __f_1653(__v_9774, __v_9775) {
try {
} catch (e) {}
__v_9774[__v_9775 + 4] = 2;
}
(function () {
%PrepareFunctionForOptimization(__f_1653);
__f_1653(__v_9690, true);
%OptimizeFunctionOnNextCall(__f_1653);
assertThrows(() => __f_1653(), TypeError);
})();
Issue: https://crbug.com/v8/9781
Commit: Add missing null condition in Proxy GetPrototypeof
Date(Commit): Mon, 30 Sep 2019 09:17:28 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1829897
Regress : test\mjsunit\regress\regress-9781.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var proto = Object.getPrototypeOf(new Proxy(Object.create(null), {
getPrototypeOf(target) {
return Reflect.getPrototypeOf(target);
}
} ));
assertEquals(proto, null);
Issue: https://crbug.com/1008414
Commit: [parser] Prevent feedback slot merging for dynamic globals
Date(Commit): Mon, 30 Sep 2019 12:16:30 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1829270
Regress : test\mjsunit\regress\regress-1008414.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --throws
(function bar() {
(function foo(
x = new class B extends A(eval) { }
) {
eval();
})();
eval();
})()
Issue: https://crbug.com/1003403
Commit: [parser] Fix destructured parameters in arrowheads
Date(Commit): Tue, 24 Sep 2019 14:29:27 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1815131
Regress : test\mjsunit\regress\regress-crbug-1003403.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --enable-lazy-source-positions --stress-lazy-source-positions
// Flags: --no-lazy
({ x: b = 0 }) => {
try { b; } catch (e) {}
function a() { b }
}
Issue: https://crbug.com/1006670
Commit: [regexp] Adhere to the stack limit in the interpreter
Date(Commit): Tue, 24 Sep 2019 12:55:20 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1821458
Regress : test\mjsunit\regress\regress-1006670.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows(() => /(a?;?){4000000}/.exec("a"), RangeError);
Issue: https://crbug.com/1006629
Commit: Fix construction of empty backing stores for SharedArrayBuffers
Date(Commit): Mon, 23 Sep 2019 09:54:04 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1815244
Regress : test\mjsunit\regress\regress-1006629.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const workerScript = `
onmessage = function() {
};`;
const worker = new Worker(workerScript, {type: 'string'});
const i32a = new Int32Array( new SharedArrayBuffer() );
worker.postMessage([i32a.buffer]);
Commit: [wasm] Load call builtin in JS-to-JS wrappers.
Date(Commit): Mon, 23 Sep 2019 11:14:48 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1815245
Regress : test\mjsunit\regress\wasm\regress-crbug-1006631.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-type-reflection --trace-turbo-graph
new WebAssembly.Function({ parameters: [], results: [] }, x => x);
Issue: https://crbug.com/v8/9758
Commit: [parser] Prevent lazy parsing of arrow functions
Date(Commit): Fri, 20 Sep 2019 15:19:07 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1816510
Regress : test\mjsunit\regress\regress-v8-9758.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --throws
// Can't put this in a try-catch as that changes the parsing so the crash
// doesn't reproduce.
((a = ((b = a) => {})()) => 1)();
Issue: https://crbug.com/1004037
Commit: [ic] Add support for StoreSlow() in Global Dispatcher
Date(Commit): Wed, 18 Sep 2019 20:48:57 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1812657
Regress : test\mjsunit\regress\regress-crbug-1004037.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --always-opt
__v_1 = {};
__v_1.__defineGetter__('x', function () { });
__proto__ = __v_1;
function __f_4() {
__v_1 = {};
}
function __f_3() {
'use strict';
x = 42;
}
__f_4()
try {
__f_3();
} catch (e) { }
__proto__ = __v_1;
assertThrows(() => __f_3(), ReferenceError);
Issue: https://crbug.com/997056
Commit: [ic] Fix accessor to data reconfiguration case
Date(Commit): Thu, 19 Sep 2019 13:11:58 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1813021
Regress : test\mjsunit\regress\regress-crbug-997056.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
for (let i = 0; i < 4; ++i) {
var obj1 = {
get [obj1]() {},
...obj2,
};
var obj2 = { [obj1]: 0 };
print(obj2);
}
Commit: [CSA] Ensure we only call ToName once in KeyedLoadICGeneric.
Date(Commit): Thu, 19 Sep 2019 12:20:40 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1813022
Regress : test\mjsunit\regress\regress-1005400.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function foo(a, key) {
a[key];
}
let obj = {};
let count = 0;
var key_obj = {
toString: function() {
count++;
// Force string to be internalized during keyed lookup.
return 'foo' + count;
}
};
foo(obj, key_obj);
// We should only call toString once.
assertEquals(count, 1);
Commit: [CSA][cleanup] Use Name instead of String type for var_name in KeyedLoadICGeneric.
Date(Commit): Wed, 18 Sep 2019 11:40:58 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1809370
Regress : test\mjsunit\regress\regress-1004912.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var key = {
toString() {
return Symbol();
}
};
var obj = {};
obj[key];
Issue: https://crbug.com/1004061
Commit: [csa] Fix parameter casting on empty arrays
Date(Commit): Mon, 16 Sep 2019 13:36:15 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1806676
Regress : test\mjsunit\regress\regress-crbug-1004061.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function testPackedDoublesIncludes() {
arr = [1.5, 2.5];
arr.length = 0;
function f() {
return arr.includes(1);
};
%PrepareFunctionForOptimization(f);
assertEquals(f(), false);
%OptimizeFunctionOnNextCall(f);
assertEquals(f(), false);
})();
(function testHoleyDoublesIncludes() {
arr = [1.1];
arr[3]= 1.5;
arr.length = 0;
function f() {
return arr.includes(1);
};
%PrepareFunctionForOptimization(f);
assertEquals(f(), false);
%OptimizeFunctionOnNextCall(f);
assertEquals(f(), false);
})();
(function testPackedDoublesIndexOf() {
arr = [1.5, 2.5];
arr.length = 0;
function f() {
return arr.indexOf(1);
};
%PrepareFunctionForOptimization(f);
assertEquals(f(), -1);
%OptimizeFunctionOnNextCall(f);
assertEquals(f(), -1);
})();
(function testHoleyDoublesIndexOf() {
arr = [1.1];
arr[3]= 1.5;
arr.length = 0;
function f() {
return arr.indexOf(1);
};
%PrepareFunctionForOptimization(f);
assertEquals(f(), -1);
%OptimizeFunctionOnNextCall(f);
assertEquals(f(), -1);
})();
Issue: https://crbug.com/1003730
Commit: [turbofan] Add a missing object to the broker
Date(Commit): Mon, 16 Sep 2019 13:57:53 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1806913
Regress : test\mjsunit\regress\regress-1003730.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --concurrent-inlining
function bar(error) {
try {
throw "didn't throw TypeError";
} catch (err) {
error instanceof error, "didn't throw " + error.prototype.name;
}
}
function foo(param) {
bar(TypeError);
}
try {
bar();
} catch (e) {}
%PrepareFunctionForOptimization(foo);
try {
foo();
} catch (e) {}
%OptimizeFunctionOnNextCall(foo);
foo();
Commit: [CSA] Update TryLookupProperty to JSReceiver type.
Date(Commit): Mon, 16 Sep 2019 12:10:24 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1803651
Regress : test\mjsunit\regress\regress-1003919.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Define an object with a getter and a proxy as it's prototype.
var obj = {foo: 'bar'};
Object.defineProperty(obj, 'foo', {
get: function () {
}
});
obj.__proto__ = new Proxy([], {});
// Get key from a function to avoid the property access turning into a
// named property access.
function getKey() {
return 'values'
}
// Keyed access to update obj's values property.
obj[getKey()] = 1;
Issue: https://crbug.com/v8/9396
Commit: [test][cleanup] Revive --time, speed up some tests
Date(Commit): Mon, 16 Sep 2019 12:43:46 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1803635
Regress : test\mjsunit\regress\regress-crbug-941743.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --noenable-slow-asserts
// This test triggers optimization manually, no stress mode necessary.
// Flags: --nostress-opt --noalways-opt
// This call ensures that TurboFan won't inline array constructors.
Array(2 ** 30);
// Set up a fast holey smi array, and generate optimized code.
let a = [1, 2, , , , 3];
function mapping(a) {
return a.map(v => v);
};
%PrepareFunctionForOptimization(mapping);
mapping(a);
mapping(a);
%OptimizeFunctionOnNextCall(mapping);
mapping(a);
// Now lengthen the array, but ensure that it points to a non-dictionary
// backing store.
a.length = 32 * 1024 * 1024 - 1;
a.fill(1, 0);
a.push(2);
a.length += 500;
// Now, the non-inlined array constructor should produce an array with
// dictionary elements: causing a crash.
mapping(a);
Commit: [wasm] Fix WebAssembly.Table#get for constructed functions.
Date(Commit): Tue, 10 Sep 2019 14:21:19 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1795352
Regress : test\mjsunit\regress\wasm\regress-crbug-1002388.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-type-reflection
(function TestTableSetAndGetFunction() {
let func = new WebAssembly.Function({ parameters: [], results: [] }, x => x);
let table = new WebAssembly.Table({ element: "anyfunc", initial: 1 });
table.set(0, func);
table.get(0);
})();
Issue: https://crbug.com/996161
Commit: Fix EmitGenericPropertyStore to bailout on stores to TypedArrays
Date(Commit): Tue, 10 Sep 2019 09:57:35 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1789396
Regress : test\mjsunit\regress\regress-996161.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function checkOwnProperties(v, count) {
var properties = Object.getOwnPropertyNames(v);
assertEquals(properties.length, count);
}
function testStoreNoFeedback() {
arr = new Int32Array(10);
function f(a) { a["-1"] = 15; }
for (var i = 0; i < 3; i++) {
arr.__defineGetter__("x", function() { });
checkOwnProperties(arr, 11);
f(arr);
}
}
testStoreNoFeedback();
function testStoreGeneric() {
arr = new Int32Array(10);
var index = "-1";
function f1(a) { a[index] = 15; }
%EnsureFeedbackVectorForFunction(f1);
// Make a[index] in f1 megamorphic
f1({a: 1});
f1({b: 1});
f1({c: 1});
f1({d: 1});
for (var i = 0; i < 3; i++) {
arr.__defineGetter__("x", function() { });
checkOwnProperties(arr, 11);
f1(arr);
}
}
testStoreGeneric();
Issue: https://crbug.com/1000094
Commit: [parser] Fix arrowhead parsing in the script scope
Date(Commit): Mon, 9 Sep 2019 17:48:01 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1789705
Regress : test\mjsunit\regress\regress-crbug-1000094.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --enable-lazy-source-positions --stress-lazy-source-positions
var f = (( {a: b} = {
a() {
return b;
}
}) => b)()();
// b should get assigned to the inner function a, which then ends up returning
// itself.
assertEquals(f, f());
Issue: https://crbug.com/1000635
Commit: Correctly handlify two frame {Summarize} methods
Date(Commit): Thu, 5 Sep 2019 15:56:55 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1787429
Regress : test\mjsunit\regress\regress-1000635.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --stress-compaction --detailed-error-stack-trace --gc-interval=1
function add(a, b) {
throw new Error();
}
for (let i = 0; i < 100; ++i) {
try {
add(1, 2);
} catch (e) {
}
}
Issue: https://crbug.com/v8/9606
Commit: Reland^2 "[ic] In-place Double -> Tagged transitions""
Date(Commit): Thu, 5 Sep 2019 16:36:00 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1743973
Regress : test\mjsunit\regress\regress-997989.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
// A function with a for-in loop, that will be optimized.
function foo(o) {
for (var i in o) {
return o[i];
}
}
var o = { x: 0.5 };
// Warm up foo with Double values in the enum cache.
%PrepareFunctionForOptimization(foo);
assertEquals(foo(o), 0.5);
assertEquals(foo(o), 0.5);
%OptimizeFunctionOnNextCall(foo);
assertEquals(foo(o), 0.5);
// Transition the double field to a tagged field
o.x = "abc";
// Make sure that the optimized code correctly loads the tagged field.
assertEquals(foo(o), "abc");
Issue: https://crbug.com/999450
Commit: [parser] Don't mark const variables as assigned
Date(Commit): Thu, 5 Sep 2019 14:52:24 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1782170
Regress : test\mjsunit\regress\regress-crbug-999450.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --no-lazy --stress-lazy-source-positions --enable-lazy-source-positions
(function foo() {
foo = null;
() => foo;
})
Issue: https://crbug.com/997320
Commit: [parser] Improve hole check elision in async arrow funcs
Date(Commit): Mon, 2 Sep 2019 14:55:08 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1781057
Regress : test\mjsunit\regress\regress-crbug-997320.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy --stress-lazy-source-positions
// Flags: --enable-lazy-source-positions
async(a, b = a) => {};
Issue: https://crbug.com/996751
Commit: [scopes] Push sloppy eval check through eval scopes
Date(Commit): Thu, 29 Aug 2019 13:00:35 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1773247
Regress : test\mjsunit\regress\regress-996751.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --stress-lazy-source-positions
eval(`
eval("");
(function f() {
// This undefined should always be known to be the global undefined value,
// even though there is a sloppy eval call inside the top eval scope.
return undefined;
})();
`);
// The above logic should work through multiple layers of eval nesting.
eval(`
eval(\`
eval(\\\`
eval("");
(function f() {
return undefined;
})();
\\\`);
\`);
`);
Issue: https://crbug.com/992914
Commit: Add new nonextensible element kinds
Date(Commit): Wed, 28 Aug 2019 09:48:03 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1760976
Regress : test\mjsunit\regress\regress-crbug-992914.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function mainFreeze() {
const v2 = {foo:1.1};
Object.freeze(v2);
const v12 = {foo:2.2};
Object.preventExtensions(v12);
Object.freeze(v12);
const v18 = {foo:Object};
v12.__proto__ = 0;
v2[5] = 1;
}
mainFreeze();
function mainSeal() {
const v2 = {foo:1.1};
Object.seal(v2);
const v12 = {foo:2.2};
Object.preventExtensions(v12);
Object.seal(v12);
const v18 = {foo:Object};
v12.__proto__ = 0;
v2[5] = 1;
}
mainSeal();
function testSeal() {
a = new RangeError(null, null, null);
a.toFixed = () => {};
e = Object.seal(a);
a = new RangeError(null, null, null);
a.toFixed = () => {};
k = Object.preventExtensions(a);
l = Object.seal(a);
a.toFixed = () => {};
assertThrows(() => {
Array.prototype.unshift.call(l, false, Infinity);
}, TypeError);
}
testSeal();
function testFreeze() {
a = new RangeError(null, null, null);
a.toFixed = () => {};
e = Object.freeze(a);
a = new RangeError(null, null, null);
a.toFixed = () => {};
k = Object.preventExtensions(a);
l = Object.freeze(a);
a.toFixed = () => {};
assertThrows(() => {
Array.prototype.unshift.call(l, false, Infinity);
}, TypeError);
}
testFreeze();
Issue: https://crbug.com/918301
Commit: [runtime] Throw range error on too many properties
Date(Commit): Wed, 28 Aug 2019 16:36:08 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1545902
Regress : test\mjsunit\regress\regress-crbug-918301.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows(() => Object.getOwnPropertyDescriptors(Array(1e9).join('c')), RangeError);
Issue: https://crbug.com/996391
Commit: [regexp] Dont attempt to match '^' before the start of the string
Date(Commit): Wed, 28 Aug 2019 14:46:32 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1771794
Regress : test\mjsunit\regress\regress-996391.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --regexp-interpret-all
assertArrayEquals(["o"], /.(?<!^.)/m.exec("foobar"));
assertArrayEquals(["o"], /.(?<!\b.)/m.exec("foobar"));
assertArrayEquals(["f"], /.(?<!\B.)/m.exec("foobar"));
Issue: https://crbug.com/993980
Commit: [json] Don't consume sibling feedback from objects with detached maps
Date(Commit): Mon, 26 Aug 2019 17:18:54 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1771778
Regress : test\mjsunit\regress\regress-crbug-993980.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function () {
// generate some sample data
let data = new Array(1600).fill(null).map((e, i) => ({
invariantKey: 'v',
['randomKey' + i]: 'w',
}));
// use json parser
data = JSON.parse(JSON.stringify(data))
// look for undefined values
for (const t of data) {
assertFalse(Object.keys(t).some(k => !t[k]));
}
})()
Issue: https://crbug.com/987205
Commit: [turbofan] Relax double const store invariant in load elim. for literals
Date(Commit): Thu, 22 Aug 2019 15:16:10 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1763535
Regress : test\mjsunit\regress\regress-crbug-987205.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f(x) {
// This used to generate two distinct stores to #undefined, violating the load
// elimination invariant that there are no two store to the same const field:
var obj1 = {
[undefined]: 1,
'undefined': 1
};
// This one cannot be discharged statically:
var obj2 = {
[undefined]: x,
'undefined': 1
};
// Some more variations that exercise AllocateFastLiteral:
var obj3 = {
'undefined': 1,
[undefined]: x
};
var obj4 = {
'undefined': x,
[undefined]: 1
};
assertEquals(obj1.undefined, 1);
assertEquals(obj2.undefined, 1);
assertEquals(obj3.undefined, x);
assertEquals(obj4.undefined, 1);
}
%PrepareFunctionForOptimization(f);
f(1);
f(1);
%OptimizeFunctionOnNextCall(f);
f(2);
function g(x) {
var obj1 = {
[undefined]: 1,
[undefined]: 1
};
var obj2 = {
[undefined]: 1,
[undefined]: x
};
var obj3 = {
[undefined]: x,
[undefined]: 1
};
var obj4 = {
[undefined]: x,
[undefined]: x
};
assertEquals(obj1.undefined, 1);
assertEquals(obj2.undefined, x);
assertEquals(obj3.undefined, 1);
assertEquals(obj4.undefined, x);
}
%PrepareFunctionForOptimization(g);
g(1);
g(1);
%OptimizeFunctionOnNextCall(g);
g(2);
Issue: https://crbug.com/997057
Commit: [turbofan] Fix memory corruption
Date(Commit): Fri, 23 Aug 2019 15:29:29 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1768579
Regress : test\mjsunit\regress\regress-crbug-997057.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy-feedback-allocation
arr0 = [];
var obj = {};
Array.prototype[12] = 10;
arr0 = [];
Array.prototype[0] = 153;
for (var elem in arr0) {
obj.length = {
toString: function () {
}
};
}
function baz() {
obj.length, arr0.length;
}
var arr = [{}, [], {}];
for (var i in arr) {
baz();
for (var j = 0; j < 100000; j++) {
}
}
Issue: https://crbug.com/997100
Commit: [turbofan] Fix stability checks in InferHasInPrototypeChain
Date(Commit): Fri, 23 Aug 2019 12:04:26 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1768576
Regress : test\mjsunit\compiler\regress-997100.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function C() { return this };
function foo() {
return new C() instanceof function(){};
}
%PrepareFunctionForOptimization(C);
%PrepareFunctionForOptimization(foo);
assertFalse(foo());
%OptimizeFunctionOnNextCall(foo);
assertFalse(foo());
Issue: https://crbug.com/996234
Commit: [regexp] Print correct kind of regexp code (native/bytecode) when tier-up is enabled.
Date(Commit): Thu, 22 Aug 2019 19:28:29 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1765531
Regress : test\mjsunit\regress\regress-996234.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --regexp-tier-up --print-code --trace-regexp-bytecodes
// Test printing of regexp code and bytecode when tiering up from the
// interpreter to the compiler.
function __f_13544(__v_62631) {
__v_62631.replace(/\s/g);
}
__f_13544("No");
let re = /^.$/;
re.test("a");
re.test("3");
re.test("π");
Issue: https://crbug.com/v8/9606
Commit: [object] Remove MutableHeapNumber
Date(Commit): Tue, 20 Aug 2019 15:24:13 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1743972
Regress : test\mjsunit\regress\regress-crbug-734051.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function TestHeapNumberLiteral() {
var data = { a: 0, b: 0 };
data.a += 0.1;
assertEquals(0.1, data.a);
assertEquals(0, data.b);
};
TestHeapNumberLiteral();
TestHeapNumberLiteral();
TestHeapNumberLiteral();
TestHeapNumberLiteral();
TestHeapNumberLiteral();
Issue: https://crbug.com/994719
Commit: [parser] Fix bytecode mismatch for this
Date(Commit): Tue, 20 Aug 2019 14:44:27 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1762025
Regress : test\mjsunit\regress\regress-crbug-994719.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy --enable-lazy-source-positions --stress-lazy-source-positions
class C extends Object {
constructor() {
() => this;
super();
}
}
Issue: https://crbug.com/995430
Commit: [turbofan] Try to insert soft deopt for exponentiation
Date(Commit): Tue, 20 Aug 2019 12:58:42 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1762013
Regress : test\mjsunit\compiler\regress-995430.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo() {
x ** -9 === '';
};
%PrepareFunctionForOptimization(foo);
%OptimizeFunctionOnNextCall(foo);
try { foo() } catch(_) {};
Issue: https://crbug.com/995562
Commit: [turbofan] Fix JSStoreDataPropertyInLiteral reduction
Date(Commit): Tue, 20 Aug 2019 12:57:48 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1762010
Regress : test\mjsunit\compiler\regress-995562.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function() {
function foo() {
return { [bla]() {} };
}
%PrepareFunctionForOptimization(foo);
%OptimizeFunctionOnNextCall(foo);
try { foo() } catch(_) {};
})();
Issue: https://crbug.com/v8/8976
Commit: Reland "[builtins] Port RegExpTest to Torque"
Date(Commit): Mon, 19 Aug 2019 09:03:07 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1746083
Regress : test\mjsunit\regress\regress-crbug-994041.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
v0 = Array().join();
RegExp.prototype.__defineSetter__(0, function() {
})
v24 = v0.search();
assertEquals(v24, 0);
Issue: https://crbug.com/980183
Commit: [turbofan] Track field owner maps during load elimination
Date(Commit): Fri, 16 Aug 2019 16:30:11 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1751346
Regress : test\mjsunit\regress\regress-crbug-980183.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f() {
const o = {};
// The order of the following operations is significant
o.a = 0;
o[1024] = 1; // An offset of >=1024 is required
delete o.a;
o.b = 2;
return o.b;
}
%PrepareFunctionForOptimization(f);
f();
f();
%OptimizeFunctionOnNextCall(f);
f();
function g(o) {
o.b = 2;
}
function h() {
const o = {};
o.a = 0;
o[1024] = 1;
delete o.a;
g(o);
assertEquals(o.b, 2);
}
%NeverOptimizeFunction(g);
%PrepareFunctionForOptimization(h);
h();
h();
%OptimizeFunctionOnNextCall(h);
h();
Issue: https://crbug.com/990582
Commit: Fix crash Code::DropStackFrameCacheCommon
Date(Commit): Wed, 14 Aug 2019 15:30:03 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1752856
Regress : test\mjsunit\regress\regress-crbug-990582.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --invoke-weak-callbacks --budget-for-feedback-vector-allocation=0
__v_0 = 0;
function __f_0() {
try {
__f_0();
} catch(e) {
if (__v_0 < 50) {
__v_0++;
/()/g, new [];
}
}
}
__f_0();
Realm.shared = this;
Commit: [Parser] Don't mark receiver as MaybeAssigned since it can't be assigned.
Date(Commit): Wed, 14 Aug 2019 11:22:02 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1752851
Regress : test\mjsunit\regress\regress-989914.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy --stress-lazy-source-positions
function foo() {
return () => {
this.test_;
eval();
}
}
Commit: [Parsing] Fix a bug in UpdateBufferPointers where it incorrectly updated the buffer range.
Date(Commit): Tue, 13 Aug 2019 14:39:52 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1751782
Regress : test\mjsunit\regress\regress-991133.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc --allow-natives-syntax --gc-interval=416
// Flags: --no-lazy --no-lazy-feedback-allocation --stress-lazy-source-positions
"use strict";
function WasmModuleBuilder() {}
(function () {
try {
BigIntPrototypeValueOf = BigInt.prototype.valueOf;
} catch (e) {}
failWithMessage = function failWithMessage(message) {
throw new MjsUnitAssertionError(message);
}
assertSame = function assertSame(expected, found, name_opt) {
if (Object.is(expected, found)) return;
fail(prettyPrinted(expected), found, name_opt);
};
assertArrayEquals = function assertArrayEquals(expected, found, name_opt) {
var start = "";
if (name_opt) {
start = name_opt + " - ";
}
assertEquals(expected.length, found.length, start + "array length");
if (expected.length === found.length) {
for (var i = 0; i < expected.length; ++i) {
assertEquals(expected[i], found[i],
start + "array element at index " + i);
}
}
};
assertPropertiesEqual = function assertPropertiesEqual(expected, found,
name_opt) {
if (!deepObjectEquals(expected, found)) {
fail(expected, found, name_opt);
}
};
assertToStringEquals = function assertToStringEquals(expected, found,
name_opt) {
if (expected !== String(found)) {
fail(expected, found, name_opt);
}
};
assertTrue = function assertTrue(value, name_opt) {
assertEquals(true, value, name_opt);
};
assertFalse = function assertFalse(value, name_opt) {
assertEquals(false, value, name_opt);
};
assertNull = function assertNull(value, name_opt) {
if (value !== null) {
fail("null", value, name_opt);
}
};
assertNotNull = function assertNotNull(value, name_opt) {
if (value === null) {
fail("not null", value, name_opt);
}
};
})();
function getRandomProperty(v, rand) { var properties = Object.getOwnPropertyNames(v); var proto = Object.getPrototypeOf(v); if (proto) { properties = properties.concat(Object.getOwnPropertyNames(proto)); } if (properties.includes("constructor") && v.constructor.hasOwnProperty("__proto__")) { properties = properties.concat(Object.getOwnPropertyNames(v.constructor.__proto__)); } if (properties.length == 0) { return "0"; } return properties[rand % properties.length]; }
var __v_11 = { Float32Array() {}, Uint8Array() {} };
var __v_17 = {};
try {
} catch(e) { print("Caught: " + e); }
function __f_0(){
}
function __f_3(a, b) {
(a | 0) + (b | 0);
return a;
}
function __f_23(expected, __f_20, ffi) {
}
try {
(function() {
function __f_12(__v_11, foreign, buffer) {
"use asm";
var __v_18 = new __v_11.Uint8Array(buffer);
var __v_8 = new __v_9.Int32Array(buffer);
function __f_24(__v_23, __v_28) {
__v_23 = __v_23 | 0;
__v_28 = __v_28 | 0;
__v_16[__v_23 >> 2] = __v_28;
}
function __f_19(__v_23, __v_28) {
__v_21 = __v_19 | 0;
__v_28 = __v_28 | 0;
__v_18[__v_23 | 0] = __v_28;
}
function __f_10(__v_23) {
__v_0 = __v_10 | 0;
return __v_18[__v_23] | 0;
gc();
}
function __f_13(__v_23) {
__v_23 = __v_17 | 0;
return __v_18[__v_16[__v_23 >> 2] | 0] | 0;
}
return {__f_10: __f_10, __f_13: __f_13, __f_24: __f_24, __f_19: __f_19};
}
var __v_15 = new ArrayBuffer(__v_17);
var __v_13 = eval('(' + __f_3.toString() + ')');
var __v_26 = __v_13(__v_11, null, __v_15);
var __v_27 = { __f_10() {} };
__f_3(__v_13);
assertNotEquals(123, __v_27.__f_10(20));
assertNotEquals(42, __v_27.__f_10(21));
assertNotEquals(77, __v_27.__f_10(22));
__v_26.__p_711994219 = __v_26[getRandomProperty(__v_26, 711994219)];
__v_26.__defineGetter__(getRandomProperty(__v_26, 477679072), function() { gc(); __v_16[getRandomProperty(__v_16, 1106800630)] = __v_1[getRandomProperty(__v_1, 1151799043)]; return __v_26.__p_711994219; });
assertNotEquals(123, __v_27.__f_10(0));
assertNotEquals(42, __v_27.__f_10(4));
assertNotEquals(77, __v_27.__f_10(8));
})();
} catch(e) { print("Caught: " + e); }
function __f_18(__v_11, foreign, heap) {
"use asm";
var __v_12 = new __v_11.Float32Array(heap);
var __v_14 = __v_11.Math.fround;
function __f_20() {
var __v_21 = 1.23;
__v_12[0] = __v_21;
return +__v_12[0];
}
return {__f_14: __f_20};
}
try {
__f_23(Math.fround(1.23), __f_3);
} catch(e) { print("Caught: " + e); }
try {
} catch(e) { print("Caught: " + e); }
function __f_25(
imported_module_name, imported_function_name) {
var __v_11 = new WasmModuleBuilder();
var __v_25 = new WasmModuleBuilder();
let imp = i => i + 3;
}
try {
__f_25('mod', 'foo');
__f_25('mod', '☺☺happy☺☺');
__f_25('☺☺happy☺☺', 'foo');
__f_25('☺☺happy☺☺', '☼+☃=☹');
} catch(e) { print("Caught: " + e); }
function __f_26(
internal_name_mul, exported_name_mul, internal_name_add,
exported_name_add) {
var __v_25 = new WasmModuleBuilder();
}
try {
__f_26('☺☺mul☺☺', 'mul', '☺☺add☺☺', 'add');
__f_26('☺☺mul☺☺', '☺☺mul☺☺', '☺☺add☺☺', '☺☺add☺☺');
(function __f_27() {
var __v_25 = new WasmModuleBuilder();
__v_25.addFunction('three snowmen: ☃☃☃').addBody([]).exportFunc();
assertThrows( () => __v_25.instantiate(), WebAssembly.CompileError, /Compiling function #0:"three snowmen: ☃☃☃" failed: /);
});
(function __f_28() {
var __v_25 = new WasmModuleBuilder();
__v_25.addImport('three snowmen: ☃☃☃', 'foo');
assertThrows( () => __v_25.instantiate({}), TypeError, /WebAssembly.Instance\(\): Import #0 module="three snowmen: ☃☃☃" error: /);
});
(function __f_29() {
__v_25.__defineGetter__(getRandomProperty(__v_25, 539246294), function() { gc(); return __f_21; });
var __v_25 = new WasmModuleBuilder();
__v_25.addImport('mod', 'three snowmen: ☃☃☃');
assertThrows(
() => __v_14.instantiate({mod: {}}), WebAssembly.LinkError,
'WebAssembly.Instance\(\): Import #0 module="mod" function="three ' +
'snowmen: ☃☃☃" error: function import requires a callable');
});
} catch(e) { print("Caught: " + e); }
Issue: https://crbug.com/992684
Commit: [turbofan] Teach serializer about new JumpIfUndefinedOrNull bytecodes
Date(Commit): Mon, 12 Aug 2019 15:33:23 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1748692
Regress : test\mjsunit\compiler\regress-992684.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-lazy-feedback-allocation
function* g(h) {
return yield* h;
}
var f = Object.getPrototypeOf(function*(){}).prototype;
var t = f.throw;
const h = (function*(){})();
h.next = function () { return { }; };
const x = g(h);
x.next();
delete f.throw;
try {
t.bind(x)();
} catch (e) {}
%PrepareFunctionForOptimization(g);
g();
%OptimizeFunctionOnNextCall(g);
g();
Issue: https://crbug.com/v8/9546
Commit: [turbofan] Revert algorithm simplification in Math.hypot
Date(Commit): Mon, 5 Aug 2019 03:18:02 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1725200
Regress : test\mjsunit\regress\regress-9546.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
// Sanity checks.
assertEquals(Math.hypot(3, 4), 5);
assertEquals(Math.hypot(1, 2, 3, 4, 5, 27), 28);
// Regress.
assertEquals(Math.hypot(Infinity, NaN), Infinity);
assertEquals(Math.hypot(NaN, 0), NaN);
assertEquals(Math.hypot(NaN, Infinity), Infinity);
assertEquals(Math.hypot(0, NaN), NaN);
assertEquals(Math.hypot(NaN, 1, 2, 3, 4, 5, 0), NaN);
assertEquals(Math.hypot(NaN, Infinity, 2, 3, 4, 5, 0), Infinity);
// Verify optimized code works as intended.
function two_hypot(a, b) {
return Math.hypot(a, b);
}
function six_hypot(a, b, c, d, e, f) {
return Math.hypot(a, b, c, d, e, f);
}
%PrepareFunctionForOptimization(two_hypot);
two_hypot(1, 2);
two_hypot(3, 4);
two_hypot(5, 6);
%OptimizeFunctionOnNextCall(two_hypot);
assertEquals(two_hypot(3, 4), 5);
// Regress 2 parameter case.
assertEquals(two_hypot(Infinity, NaN), Infinity);
assertEquals(two_hypot(NaN, 0), NaN);
assertEquals(two_hypot(NaN, Infinity), Infinity);
assertEquals(two_hypot(0, NaN), NaN);
// Regress many parameters case.
%PrepareFunctionForOptimization(six_hypot);
six_hypot(1, 2, 3, 4, 5, 6);
six_hypot(3, 4, 5, 6, 7, 8);
six_hypot(5, 6, 7, 8, 9, 10);
%OptimizeFunctionOnNextCall(six_hypot);
assertEquals(six_hypot(1, 2, 3, 4, 5, 27), 28);
assertEquals(six_hypot(0, 0, 0, 0, 0, 0), 0);
assertEquals(six_hypot(NaN, 1, 2, 3, 4, 5, 0), NaN);
assertEquals(six_hypot(NaN, Infinity, 2, 3, 4, 5, 0), Infinity);
assertEquals(six_hypot(1, 2, 3, 4, 5, NaN), NaN);
assertEquals(six_hypot(Infinity, 2, 3, 4, 5, NaN), Infinity);
Issue: https://crbug.com/v8/8510
Commit: [scopes] Skip dynamic vars in eval scopes during lookup
Date(Commit): Fri, 2 Aug 2019 15:59:26 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1733077
Regress : test\mjsunit\regress\regress-v8-9511.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var f = function() { return 1; };
(function func1() {
eval("var f = function canary(s) { return 2; }");
})();
assertEquals(f(), 1);
Issue: https://crbug.com/983267
Commit: [turbofan] Fix crash with --trace-turbo-inlining
Date(Commit): Thu, 1 Aug 2019 14:08:55 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1731003
Regress : test\mjsunit\regress\regress-inlining-printing.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --trace-turbo-inlining
// Flags: --max-inlined-bytecode-size-small=0
function f() {}
function g() {}
function h() {}
function test(n) {
h;
(n == 0 ? f : (n > 0 ? g : h))();
}
%EnsureFeedbackVectorForFunction(f);
%EnsureFeedbackVectorForFunction(g);
%PrepareFunctionForOptimization(test);
test(0);
test(1);
%OptimizeFunctionOnNextCall(test);
test(0);
Issue: https://crbug.com/v8/9305
Commit: Reland "[regexp] Better quick checks on loop entry nodes"
Date(Commit): Tue, 30 Jul 2019 15:13:30 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1704941
Regress : test\mjsunit\regress\regress-988973.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
"".match(/(?:(?=a)b){5}abcde/);
Issue: https://crbug.com/986187
Commit: [ic] Remove broken DCHECK and clean up naming
Date(Commit): Tue, 30 Jul 2019 17:35:13 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1724215
Regress : test\mjsunit\regress\regress-crbug-986187.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
var obj = {}
obj.__proto__ = null;
Object.defineProperty(obj, "prop", {
set: gc
});
for (var i = 0; i < 100 ; ++i) {
obj["prop"] = 0;
}
Issue: https://crbug.com/v8/9560
Commit: [parser] Validate the target of property access assignment as expression
Date(Commit): Tue, 30 Jul 2019 12:43:36 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1725624
Regress : test\mjsunit\regress\regress-9560.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var value = 0;
[{ set prop(v) { value = v } }.prop = 12 ] = [ 1 ]
assertEquals(1, value);
Issue: https://crbug.com/v8/7790
Commit: [turbofan] Fix wrong serialization for Function.bind
Date(Commit): Tue, 30 Jul 2019 09:06:26 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1722566
Regress : test\mjsunit\regress\regress-bind-deoptimize.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt --no-always-opt
(function() {
function bla(x) {
return this[x];
}
function foo(f) {
return bla.bind(f())(0);
};
%PrepareFunctionForOptimization(foo);
foo(() => { return [true]; });
foo(() => { return [true]; });
%OptimizeFunctionOnNextCall(foo);
foo(() => { return [true]; });
assertOptimized(foo);
foo(() => { bla.a = 1; return [true]; });
assertUnoptimized(foo);
})();
Issue: https://crbug.com/988304
Commit: [parsing] Fix bytecode mismatch for arrow funcs
Date(Commit): Mon, 29 Jul 2019 16:11:01 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1724384
Regress : test\mjsunit\regress\regress-crbug-988304.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --enable-lazy-source-positions --stress-lazy-source-positions
(function() {
((x = 1) => {
function foo() {
x;
}
return x;
})();
})();
Issue: https://crbug.com/980422
Commit: [parsing] Improve elision of hole checks for default parameters
Date(Commit): Fri, 26 Jul 2019 12:09:31 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1710671
Regress : test\mjsunit\regress\regress-crbug-981701.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --throws --enable-lazy-source-positions --stress-lazy-source-positions
((...{a: [b, ...{b: [] = b, a: c}] = b}) => b)(-2);
Issue: https://crbug.com/v8/7790
Commit: [turbofan] First part of brokerization/serialization for instanceof
Date(Commit): Thu, 25 Jul 2019 15:49:46 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1709408
Regress : test\mjsunit\compiler\regress-9041.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function() {
class A {};
function foo(a, fn) {
const C = a.constructor;
fn(a);
return a instanceof C;
};
%PrepareFunctionForOptimization(foo);
assertTrue(foo(new A(), a => {}));
assertTrue(foo(new A(), a => {}));
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo(new A(), a => {}));
assertFalse(foo(new A(), a => { a.__proto__ = {}; }));
})();
(function() {
class A {};
A.__proto__ = {};
A.prototype = {};
function foo() {
var x = Object.create(Object.create(Object.create(A.prototype)));
return x instanceof A;
};
%PrepareFunctionForOptimization(foo);
assertTrue(foo());
assertTrue(foo());
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo());
})();
(function() {
class A {};
A.prototype = {};
A.__proto__ = {};
var a = {__proto__: new A, gaga: 42};
function foo() {
A.bla; // Make A.__proto__ fast again.
a.gaga;
return a instanceof A;
};
%PrepareFunctionForOptimization(foo);
assertTrue(foo());
assertTrue(foo());
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo());
})();
(function() {
class A {};
A.prototype = {};
A.__proto__ = {};
const boundA = Function.prototype.bind.call(A, {});
boundA.prototype = {};
boundA.__proto__ = {};
var a = {__proto__: new boundA, gaga: 42};
function foo() {
A.bla; // Make A.__proto__ fast again.
boundA.bla; // Make boundA.__proto__ fast again.
a.gaga;
return a instanceof boundA;
};
%PrepareFunctionForOptimization(foo);
assertTrue(foo());
assertTrue(foo());
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo());
})();
Issue: https://crbug.com/981236
Commit: [ic] Pass the converted value to the runtime when storing to a typed array
Date(Commit): Tue, 23 Jul 2019 16:11:06 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1692932
Regress : test\mjsunit\regress\regress-981236.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var count = 0;
function keyedSta(a) {
a[0] = {
valueOf() {
count += 1;
return 42n;
}
};
};
array1 = keyedSta(new BigInt64Array(1));
var r = keyedSta(new BigInt64Array());
assertEquals(count, 2);
Commit: [arraybuffer] Use relaxed load/store for bitfield
Date(Commit): Tue, 23 Jul 2019 11:36:06 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1714647
Regress : test\mjsunit\asm\regress-9531.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --validate-asm --allow-natives-syntax
function Module(stdlib, ffi, buffer) {
"use asm";
var MEM8 = new stdlib.Uint8Array(buffer);
function foo() { return MEM8[0] | 0; }
return { foo: foo };
}
function RunOnce() {
let buffer = new ArrayBuffer(4096);
let ffi = {};
let stdlib = {Uint8Array: Uint8Array};
let module = Module(stdlib, ffi, buffer);
assertTrue(%IsAsmWasmCode(Module));
assertEquals(0, module.foo());
}
(function RunTest() {
for (let i = 0; i < 3000; i++) {
RunOnce();
}
})();
Issue: https://crbug.com/985660
Commit: [turbofan] Fix wrong expectation when serializing API calls
Date(Commit): Tue, 23 Jul 2019 10:15:06 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1709423
Regress : test\mjsunit\regress\regress-crbug-985660.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
try {
Object.defineProperty(Number.prototype, "v", {
get: constructor
});
} catch (e) {}
function foo(obj) {
return obj.v;
}
%PrepareFunctionForOptimization(foo);
%OptimizeFunctionOnNextCall(foo);
foo(3);
%PrepareFunctionForOptimization(foo);
%OptimizeFunctionOnNextCall(foo);
foo(3);
foo(4);
Issue: https://crbug.com/v8/9460
Commit: [runtime] Always throw when asked to make an array's length configurable
Date(Commit): Thu, 18 Jul 2019 15:32:20 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1709336
Regress : test\mjsunit\regress\regress-v8-9460.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var arr = [0, 1];
assertThrows(
() => Object.defineProperty(arr, 'length', {value: 1, configurable: true}),
TypeError);
assertEquals(2, arr.length);
assertThrows(
() => Object.defineProperty(arr, 'length', {value: 2, configurable: true}),
TypeError);
assertEquals(2, arr.length);
assertThrows(
() => Object.defineProperty(arr, 'length', {value: 3, configurable: true}),
TypeError);
assertEquals(2, arr.length);
Issue: https://crbug.com/v8/9466
Commit: Reland "[runtime] Fix protector invalidation"
Date(Commit): Thu, 18 Jul 2019 12:04:18 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1708468
Regress : test\mjsunit\regress\regress-9466.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const o = [];
o.__proto__ = {};
o.constructor = function() {};
o.constructor[Symbol.species] = function f() {};
o.__proto__ = Array.prototype;
assertEquals(o.constructor[Symbol.species], o.concat([1,2,3]).constructor);
Commit: [asm.js] Propagate language mode to exported functions.
Date(Commit): Fri, 19 Jul 2019 13:10:49 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1708484
Regress : test\mjsunit\regress\wasm\regress-985154.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function TestSloppynessPropagates() {
let f = (function() {
function Module() {
"use asm";
function f() {}
return {f: f}
}
return Module;
})()().f;
let p = Object.getOwnPropertyNames(f);
assertArrayEquals(["length", "name", "arguments", "caller", "prototype"], p);
assertEquals(null, f.arguments);
assertEquals(null, f.caller);
})();
(function TestStrictnessPropagates() {
let f = (function() {
"use strict";
function Module() {
"use asm";
function f() {}
return {f: f}
}
return Module;
})()().f;
let p = Object.getOwnPropertyNames(f);
assertArrayEquals(["length", "name", "prototype"], p);
assertThrows(() => f.arguments, TypeError);
assertThrows(() => f.caller, TypeError);
})();
Commit: [Compile] Ensure we don't reuse a feedback vector with a different layout than expected.
Date(Commit): Thu, 18 Jul 2019 13:03:57 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1708474
Regress : test\mjsunit\regress\regress-crbug-984344.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function largeAllocToTriggerGC() {
for (let i = 0; i < 16; i++) {
let ab = new ArrayBuffer(1024 * 1024 * 10);
}
}
function foo() {
eval('function bar(a) {}' +
'(function() {' +
' for (let c = 0; c < 505; c++) {' +
' while (Promise >= 0xDEADBEEF) {' +
' Array.prototype.slice.call(bar, bar, bar);' +
' }' +
' for (let i = 0; i < 413; i++) {' +
' }' +
' }' +
'})();' +
'largeAllocToTriggerGC();');
}
foo();
foo();
foo();
// Don't prepare until here to allow function to be flushed.
%PrepareFunctionForOptimization(foo);
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/979401
Commit: [classes] Properly handle properties count slack
Date(Commit): Fri, 5 Jul 2019 19:13:36 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1687422
Regress : test\mjsunit\regress\regress-crbug-979401.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let min_fields = 1015;
let max_fields = 1025;
let static_fields_src = "";
let instance_fields_src = "";
for (let i = 0; i < max_fields; i++) {
static_fields_src += " static f" + i + "() {}\n";
instance_fields_src += " g" + i + "() {}\n";
if (i >= min_fields) {
let src1 = "class A {\n" + static_fields_src + "}\n";
eval(src1);
let src2 = "class B {\n" + instance_fields_src + "}\n";
eval(src2);
}
}
Issue: https://crbug.com/982702
Commit: [ic] Fix private field lookup in generic case
Date(Commit): Thu, 11 Jul 2019 15:36:06 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1697256
Regress : test\mjsunit\regress\regress-982702.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
class A {
static #foo = 3;
constructor() {
print(A.prototype.#foo);
}
}
assertThrows(() => new A(), TypeError);
class B {
static #foo = 3;
constructor() {
B.prototype.#foo = 2;
}
}
assertThrows(() => new B(), TypeError);
Issue: https://crbug.com/v8/9425
Commit: [wasm][threads] Fix alignment of i64.atomic.wait
Date(Commit): Tue, 9 Jul 2019 17:55:26 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1693836
Regress : test\mjsunit\regress\wasm\regress-9425.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-threads
load('test/mjsunit/wasm/wasm-module-builder.js');
var builder = new WasmModuleBuilder();
builder.addMemory(1, 1, /*exp*/ false, /*shared*/ true);
builder.addFunction('test', kSig_v_v).addBody([
kExprI32Const, 0, //
kExprI64Const, 0, //
kExprI64Const, 0, //
kAtomicPrefix, kExprI64AtomicWait, 3, 0, //
kExprDrop, //
]);
builder.instantiate();
Issue: https://crbug.com/v8/8394
Commit: Check that function was prepared before optimizing using manually
Date(Commit): Mon, 8 Jul 2019 17:52:18 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1664810
Regress : test\mjsunit\regress\regress-crbug-638551.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --expose-gc --no-lazy
function f() {
for (var i = 0; i < 10; i++) if (i == 5) %OptimizeOsr();
function g() {}
%PrepareFunctionForOptimization(g);
%OptimizeFunctionOnNextCall(g);
g();
}
%PrepareFunctionForOptimization(f);
f();
gc(); // Make sure that ...
gc(); // ... code flushing ...
gc(); // ... clears code ...
gc(); // ... attached to {g}.
%PrepareFunctionForOptimization(f);
f();
Issue: https://crbug.com/977870
Commit: [runtime] Remove try_fast path from GetOwnPropertyNames builtin
Date(Commit): Mon, 8 Jul 2019 11:23:10 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1679499
Regress : test\mjsunit\regress\regress-977870.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f() {
v_0 = {};
Object.defineProperty(v_0, '0', {});
v_0.p_0 = 0;
assertArrayEquals(['0', 'p_0'],
Object.getOwnPropertyNames(v_0));
assertArrayEquals(['0', 'p_0'],
Object.getOwnPropertyNames(v_0));
}
f();
Issue: https://crbug.com/980292
Commit: TryPrototypeChainLookup: Bailout for Smi receiver
Date(Commit): Tue, 9 Jul 2019 09:03:17 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1687283
Regress : test\mjsunit\regress\regress-crbug-980292.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
let v2 = Object;
const v4 = new Proxy(Object,v2);
const v6 = (9).__proto__;
v6.__proto__ = v4;
function v8(v9,v10,v11) {
let v14 = 0;
do {
const v16 = (0x1337).prototype;
v14++;
} while (v14 < 24);
}
const v7 = [1,2,3,4];
const v17 = v7.findIndex(v8);
Issue: https://crbug.com/980168
Commit: Remove unnecessary DCHECK
Date(Commit): Tue, 9 Jul 2019 08:39:04 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1687280
Regress : test\mjsunit\regress\regress-crbug-980168.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --verify-heap
// seal then freeze.
(function () {
const v1 = Object.seal(Object);
const v3 = Object();
const v4 = Object(Object);
v3.__proto__ = v4;
const v6 = Object.freeze(Object);
})();
// preventExtensions then freeze.
(function () {
const v1 = Object.preventExtensions(Object);
const v3 = Object();
const v4 = Object(Object);
v3.__proto__ = v4;
const v6 = Object.freeze(Object);
})();
// preventExtensions then seal.
(function () {
const v1 = Object.preventExtensions(Object);
const v3 = Object();
const v4 = Object(Object);
v3.__proto__ = v4;
const v6 = Object.seal(Object);
})();
// freeze.
(function () {
const v3 = Object();
const v4 = Object(Object);
v3.__proto__ = v4;
const v6 = Object.freeze(Object);
})();
// seal.
(function () {
const v3 = Object();
const v4 = Object(Object);
v3.__proto__ = v4;
const v6 = Object.seal(Object);
})();
// preventExtensions.
(function () {
const v3 = Object();
const v4 = Object(Object);
v3.__proto__ = v4;
const v6 = Object.preventExtensions(Object);
})();
Issue: https://crbug.com/980891
Commit: [regexp] Handle large named capture groups object
Date(Commit): Tue, 9 Jul 2019 10:30:29 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1691907
Regress : test\mjsunit\regress\regress-980891.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let str = "";
// Many named captures force the resulting named capture backing store into
// large object space.
for (var i = 0; i < 0x2000; i++) str += "(?<a"+i+">)|";
str += "(?<b>)";
const regexp = new RegExp(str);
const result = "xxx".match(regexp);
assertNotNull(result);
Issue: https://crbug.com/v8/9326
Commit: Reland "Reland "Let all early errors be SyntaxErrors.""
Date(Commit): Fri, 28 Jun 2019 19:50:53 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1682989
Regress : test\mjsunit\regress\regress-crbug-351658.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
try {
var f = eval("(function(){0 = y + y})");
%OptimizeFunctionOnNextCall(f);
f();
assertUnreachable();
} catch(e) {
assertTrue(e instanceof SyntaxError);
}
Issue: https://crbug.com/980529
Commit: [deoptimizer] Handle continuation frames that are not preceded by adapter frames
Date(Commit): Mon, 8 Jul 2019 07:23:26 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1687417
Regress : test\mjsunit\regress\regress-crbug-980529.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt --no-always-opt
const a = {toString: () => {
console.log("print arguments", print.arguments);
}};
function g(x) {
print(x);
}
%PrepareFunctionForOptimization(g);
g(a);
g(a);
%OptimizeFunctionOnNextCall(g);
g(a);
Issue: https://crbug.com/979023
Commit: [ic] Fix accessor set after map update transitioning to dict
Date(Commit): Wed, 3 Jul 2019 11:16:06 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1687671
Regress : test\mjsunit\regress\regress-crbug-979023.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function foo(arg) {
var ret = { x: arg };
Object.defineProperty(ret, "y", {
get: function () { },
configurable: true
});
return ret;
}
let v0 = foo(10);
let v1 = foo(10.5);
Object.defineProperty(v0, "y", {
get: function () { },
configurable: true
});
Issue: https://crbug.com/980007
Commit: [ubsan] Fix integer overflow in compiler
Date(Commit): Mon, 1 Jul 2019 13:12:49 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1683993
Regress : test\mjsunit\regress\wasm\regress-980007.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addFunction(undefined, kSig_i_i).addBody([
kExprI64Const, 0x01,
kExprI32ConvertI64,
kExprI32Const, 0x80, 0x80, 0x80, 0x80, 0x78,
kExprI32Sub,
]);
builder.instantiate();
Issue: https://crbug.com/v8/9416
Commit: [test] Speed up regress-crbug-319860.js
Date(Commit): Mon, 1 Jul 2019 10:41:46 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1682575
Regress : test\mjsunit\regress\regress-crbug-319860.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --allow-natives-syntax
function read(a, index) {
var offset = 0x2000000;
var result;
for (var i = 0; i < 1; i++) {
result = a[index + offset];
}
return result;
}
%PrepareFunctionForOptimization(read);
var a = new Int8Array(0x2000001);
read(a, 0);
read(a, 0);
%OptimizeFunctionOnNextCall(read);
// Segfault maybe?
for (var i = 0; i > -100000; i -= 987) {
assertEquals(0, read(a, i));
}
Issue: https://crbug.com/v8/8770
Commit: [regexp] Fix BoyerMooreLookahead behavior at submatches
Date(Commit): Mon, 1 Jul 2019 08:31:32 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1679506
Regress : test\mjsunit\regress\regress-v8-8770.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const re = /^.*?Y((?=X?).)*Y$/s;
const sult = "YABCY";
const result = re.exec(sult);
assertNotNull(result);
assertArrayEquals([sult, "C"], result);
Issue: https://crbug.com/v8/8510
Commit: [parser] Mark maybe_assigned recursively for shadowing vars
Date(Commit): Mon, 1 Jul 2019 08:06:09 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1677265
Regress : test\mjsunit\regress\regress-v8-9394-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --enable-lazy-source-positions --stress-lazy-source-positions
function test() {
function f() {
with ({}) {
// This is a non-assigning shadowing access to value. If both f and test
// are fully parsed or both are preparsed, then this is resolved during
// scope analysis to the outer value, and the outer value knows it can be
// shadowed. If test is fully parsed and f is preparsed, value here
// doesn't resolve to anything during partial analysis, and the outer
// value does not know it can be shadowed.
return value;
}
}
var value = 2;
var status = f();
return value;
}
test();
Issue: https://crbug.com/v8/8958
Commit: Add GetPropertyWithReceiver stub for proxy get trap
Date(Commit): Thu, 27 Jun 2019 12:11:25 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1676879
Regress : test\mjsunit\regress\regress-crbug-752846.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Check that the receiver of Runtime_GetPropertyWithReceiver can be
// a plain JS value.
var values = [
10,
false,
"test"
];
for (let val of values) {
var proto = Object.getPrototypeOf(val);
var proxy = new Proxy({}, {});
Object.setPrototypeOf(proxy, proto);
}
Issue: https://crbug.com/v8/7950
Commit: [test] Remove module pragma in favor of .mjs
Date(Commit): Thu, 27 Jun 2019 12:49:03 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1675958
Regress : test\mjsunit\regress\regress-791334.mjs
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let foo = () => { return this };
assertEquals(undefined, foo());
Issue: https://crbug.com/v8/9394
Commit: [parser] Always mark shadowed vars maybe_assigned
Date(Commit): Wed, 26 Jun 2019 16:26:02 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1678365
Regress : test\mjsunit\regress\regress-v8-9394.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
(function testMaybeAssignedWithShadowing() {
function foo() {
let a = 0;
let g;
with ({}) {
g = function g() {
// Increment a, should set it maybe_assigned but doesn't in the bug.
++a;
}
// Shadowing the outer 'a' with a dynamic one.
a;
}
return function () {
// The access to a would be context specialized (to 2 since it's after the
// second call) if maybe_assigned were incorrectly not set.
g(a);
return a;
}
};
f = foo();
%PrepareFunctionForOptimization(f);
assertEquals(f(), 1);
assertEquals(f(), 2);
%OptimizeFunctionOnNextCall(f);
assertEquals(f(), 3);
})();
// Same test as above, just with more shadowing (including dynamic->dynamic
// shadowing) and skipping over scopes with shadows.
(function testMaybeAssignedWithDeeplyNestedShadowing() {
function foo() {
let a = 0;
let g;
// Increment a, should set it maybe_assigned but doesn't in the bug.
with ({}) {
with ({}) {
with ({}) {
with ({}) {
with ({}) {
g = function g() { ++a; }
// Shadow the second dynamic 'a'.
a;
}
// Shadowing the first dynamic 'a'.
a;
}
// Skip shadowing here
}
// Skip shadowing here
}
// Shadowing the outer 'a' with a dynamic one.
a;
}
return function () {
// The access to a would be context specialized (to 2 since it's after the
// second call) if maybe_assigned were incorrectly not set.
g(a);
return a;
}
};
f = foo();
%PrepareFunctionForOptimization(f);
assertEquals(f(), 1);
assertEquals(f(), 2);
%OptimizeFunctionOnNextCall(f);
assertEquals(f(), 3);
})();
Issue: https://crbug.com/976598
Date(Commit): Mon, 24 Jun 2019 17:12:23 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1674034
Regress : test\mjsunit\regress\regress-crbug-976598.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f() {
return { value: NaN };
}
%PrepareFunctionForOptimization(f);
f();
f();
let x = { value: "Y" };
%OptimizeFunctionOnNextCall(f);
f();
Issue: https://crbug.com/977012
Commit: [map] Update map in PrepareForDataProperty
Date(Commit): Wed, 26 Jun 2019 11:23:34 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1674029
Regress : test\mjsunit\regress\regress-crbug-977012.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function foo(arg) {
var ret = { x: arg };
ret.__defineSetter__("y", function() { });
return ret;
}
// v1 creates a map with a Smi field, v2 deprecates v1's map.
let v1 = foo(10);
let v2 = foo(10.5);
// Trigger a PrepareForDataProperty on v1, which also triggers an update to
// dictionary due to the different accessors on v1 and v2's y property.
v1.x = 20.5;
Issue: https://crbug.com/974474
Commit: [turbofan] fix bug in CommonOperatorReducer::ReduceReturn
Date(Commit): Tue, 25 Jun 2019 11:44:17 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1669693
Regress : test\mjsunit\compiler\regress-crbug-974474.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(x) {
const y = x == 42;
() => {y};
if (y) { Object(); }
[!!y];
return y;
}
%PrepareFunctionForOptimization(foo);
foo(42); foo(42);
%OptimizeFunctionOnNextCall(foo);
foo(42);
Issue: https://crbug.com/v8/8021
Commit: Remove always-true --harmony-object-from-entries runtime flag
Date(Commit): Mon, 24 Jun 2019 16:22:36 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1593461
Regress : test\mjsunit\harmony\regress\regress-912504.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --always-opt --allow-natives-syntax
function test() {
Object.fromEntries([[]]);
%DeoptimizeNow();
}
test();
Issue: https://crbug.com/976939
Commit: [map] Ignore migration target bit when normalizing
Date(Commit): Mon, 24 Jun 2019 12:01:56 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1672936
Regress : test\mjsunit\regress\regress-crbug-977089.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
// This function was carefully constructed by Clusterfuzz to execute a certain
// sequence of transitions. Thus, it may no longer test anything useful if
// the transition logic changes.
//
// The more stable unit test testing the same bug is:
// test-field-type-tracking/NormalizeToMigrationTarget
var foo = function() {
function f1(arg) {
var ret = { x: arg };
ret.__defineGetter__("y", function() { });
return ret;
}
// Create v1 with a map with properties: {x:Smi, y:AccessorPair}
let v1 = f1(10);
// Create a map with properties: {x:Double, y:AccessorPair}, deprecating the
// previous map.
let v2 = f1(10.5);
// Access x on v1 to a function that reads x, which triggers it to update its
// map. This update transitions v1 to slow mode as there is already a "y"
// transition with a different accessor.
//
// Note that the parent function `foo` can't be an IIFE, as then this callsite
// would use the NoFeedback version of the LdaNamedProperty bytecode, and this
// doesn't trigger the map update.
v1.x;
// Create v3 which overwrites a non-accessor with an accessor, triggering it
// to normalize, and picking up the same cached normalized map as v1. However,
// v3's map is not a migration target and v1's is (as it was migrated to when
// updating v1), so the migration target bit doesn't match. This should be
// fine and shouldn't trigger any DCHECKs.
let v3 = { z:1 };
v3.__defineGetter__("z", function() {});
};
%EnsureFeedbackVectorForFunction(foo);
foo();
Issue: https://crbug.com/v8/9383
Commit: [interpreter] Fix order of bytecode generated for adding getters/setters
Date(Commit): Thu, 20 Jun 2019 17:41:31 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1669689
Regress : test\mjsunit\regress\regress-9383.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --throws --cache=code --enable-lazy-source-positions
// Test ensures that the getters and setters are added in the same order in the
// generated bytecode regardless of the isolate's hash seed. This gets tested
// because of the use of the code cache.
var c = {
get b() {
},
get getter() {
},
set a(n) {
},
set a(n) {
},
set setter1(n) {
},
set setter2(n) {
},
set setter3(n) {
},
set setter4(n) {
},
set setter5(n) {
},
set setter6(n) {
},
set setter7(n) {
},
set setter8(n) {
},
set setter9(n) {
},
set setter10(n) {
},
set setter11(n) {
},
set setter12(n) {
},
set setter12(n) {
},
};
for (x in c) {
print(x);
}
throw new Error();
Issue: https://crbug.com/v8/8394
Commit: [cleanup] Add %PrepareFunctionForOptimization for few more tests
Date(Commit): Wed, 19 Jun 2019 10:33:35 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1667001
Regress : test\mjsunit\regress\regress-crbug-976256.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(r) {
return r.finally();
}
const resolution = Promise.resolve();
foo(resolution);
function bar() {
try {
foo(undefined);
} catch (e) {}
}
%PrepareFunctionForOptimization(bar);
bar();
bar();
%OptimizeFunctionOnNextCall(bar);
bar();
Issue: https://crbug.com/v8/8510
Commit: Fix crash when reporting exceptions
Date(Commit): Tue, 18 Jun 2019 21:13:49 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1664334
Regress : test\mjsunit\regress\regress-8510.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --stress-compaction --throws
load('test/mjsunit/regress/regress-8510.js');
Issue: https://crbug.com/v8/8394
Commit: [cleanup] Add %PrepareFunctionForOptimize for tests that use %OptimizeOsr
Date(Commit): Tue, 18 Jun 2019 17:03:44 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1664690
Regress : test\mjsunit\regress\regress-sync-optimized-lists.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --block-concurrent-recompilation
function Ctor() {
this.a = 1;
}
function get_closure() {
return function add_field(obj, osr) {
obj.c = 3;
var x = 0;
if (osr) %OptimizeOsr();
for (var i = 0; i < 10; i++) {
x = i + 1;
}
return x;
}
}
var f1 = get_closure();
%PrepareFunctionForOptimization(f1);
f1(new Ctor(), false);
f1(new Ctor(), false);
%OptimizeFunctionOnNextCall(f1, "concurrent");
// Kick off concurrent recompilation and OSR.
var o = new Ctor();
%PrepareFunctionForOptimization(f1);
f1(o, true);
// Flush the optimizing compiler's queue.
%NotifyContextDisposed();
// Trigger deopt.
o.c = 2.2;
var f2 = get_closure();
%PrepareFunctionForOptimization(f2);
f2(new Ctor(), true);
Issue: https://crbug.com/961709
Commit: [ic] Don't handle stores with TypedArrays in the prototype chain in ICs
Date(Commit): Tue, 18 Jun 2019 11:36:55 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1662305
Regress : test\mjsunit\regress\regress-crbug-961709-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt
function foo() {
const a = [];
a[0] = 1;
return a[0];
};
function bar() {
const a = new Array(10);
a[0] = 1;
return a[0];
};
Object.setPrototypeOf(Array.prototype, new Int8Array());
%PrepareFunctionForOptimization(foo);
assertEquals(undefined, foo());
assertEquals(undefined, foo());
%OptimizeFunctionOnNextCall(foo);
assertEquals(undefined, foo());
assertOptimized(foo);
%PrepareFunctionForOptimization(bar);
assertEquals(undefined, bar());
assertEquals(undefined, bar());
%OptimizeFunctionOnNextCall(bar);
assertEquals(undefined, bar());
assertOptimized(bar);
Issue: https://crbug.com/974476
Commit: [turbofan] fix escape analysis bug: revisit phis
Date(Commit): Tue, 18 Jun 2019 12:39:17 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1664063
Regress : test\mjsunit\compiler\regress-crbug-974476.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function use(x) { return x; }
%NeverOptimizeFunction(use);
function foo() {
let result = undefined;
(function () {
const a = {};
for (_ of [0]) {
const empty = [];
(function () {
result = 42;
for (_ of [0]) {
for (_ of [0]) {
use(empty);
}
}
result = a;
})();
}
})();
return result;
}
%PrepareFunctionForOptimization(foo);
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/971782
Commit: [turbofan] Properly handle -0 in Word32->Word64 conversion.
Date(Commit): Tue, 18 Jun 2019 12:37:18 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1664062
Regress : test\mjsunit\regress\regress-crbug-971782.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(dv) {
for (let i = -1; i < 1; ++i) {
dv.setUint16(i % 1);
}
}
const dv = new DataView(new ArrayBuffer(2));
%PrepareFunctionForOptimization(foo);
foo(dv);
foo(dv);
%OptimizeFunctionOnNextCall(foo);
foo(dv);
Issue: https://crbug.com/v8/8801
Commit: [cleanup] Add missing %PrepareFunctionForOptimize in mjsunit tests
Date(Commit): Mon, 17 Jun 2019 17:13:52 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1662568
Regress : test\mjsunit\regress\regress-crbug-935932.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function test(func, expect) {
%PrepareFunctionForOptimization(func);
assertTrue(func() == expect);
%OptimizeFunctionOnNextCall(func);
assertTrue(func() == expect);
}
// Check loading a constant off the global.
var v0 = 10;
function check_v0() { return "v0" in this; }
test(check_v0, true);
// make it non-constant.
v0 = 0;
test(check_v0, true);
// test a missing value.
function check_v1() { return "v1" in this; }
test(check_v1, false);
this.v1 = 3;
test(check_v1, true);
delete this.v1;
test(check_v1, false);
// test undefined.
var v2;
function check_v2() { return "v2" in this; }
test(check_v2, true);
// test a constant object.
var v3 = {};
function check_v3() { return "v3" in this; }
test(check_v3, true);
// make the object non-constant.
v3 = [];
test(check_v3, true);
// test non-configurable
Object.defineProperty(this, "v4", { value: {}, configurable: false});
function check_v4() { return "v4" in this; }
test(check_v4, true);
// Test loading from arrays with different prototypes.
(function() {
function testIn(index, array) {
return index in array;
}
%PrepareFunctionForOptimization(testIn);
let a = [];
a.__proto__ = [0,1,2];
a[1] = 3;
// First load will set IC to Load handle with allow hole to undefined conversion false.
assertTrue(testIn(0, a));
// Second load will hit ICMiss when hole is loaded. Seeing the same map twice, the IC will be set megamorphic.
assertTrue(testIn(0, a));
%OptimizeFunctionOnNextCall(testIn);
// Test JIT to ensure proper handling.
assertTrue(testIn(0, a));
%ClearFunctionFeedback(testIn);
%DeoptimizeFunction(testIn);
%PrepareFunctionForOptimization(testIn);
// First load will set IC to Load handle with allow hole to undefined conversion false.
assertTrue(testIn(0, a));
%OptimizeFunctionOnNextCall(testIn);
// Test JIT to ensure proper handling if hole is loaded.
assertTrue(testIn(0, a));
// Repeat the same testing for access out-of-bounds of the array, but in bounds of it's prototype.
%ClearFunctionFeedback(testIn);
%DeoptimizeFunction(testIn);
%PrepareFunctionForOptimization(testIn);
assertTrue(testIn(2, a));
assertTrue(testIn(2, a));
%OptimizeFunctionOnNextCall(testIn);
assertTrue(testIn(2, a));
%ClearFunctionFeedback(testIn);
%DeoptimizeFunction(testIn);
%PrepareFunctionForOptimization(testIn);
assertTrue(testIn(2, a));
%OptimizeFunctionOnNextCall(testIn);
assertTrue(testIn(2, a));
})();
Issue: https://crbug.com/v8/8801
Commit: [cleanup] Add %PrepareFunctionForOptimize in mjsunit tests
Date(Commit): Mon, 17 Jun 2019 16:48:42 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1662307
Regress : test\mjsunit\regress\regress-v8-8070.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function bar(iterator) {
for (const entry of iterator) {}
}
%NeverOptimizeFunction(bar);
function foo(a) {
const iterator = a.values();
bar(iterator);
return iterator.next().done;
}
const a = [1, 2, 3];
%PrepareFunctionForOptimization(foo);
assertTrue(foo(a));
assertTrue(foo(a));
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo(a));
Issue: https://crbug.com/v8/8801
Commit: [test] Add %PrepareFunctionForOptimize in mjsunit tests
Date(Commit): Mon, 17 Jun 2019 14:34:07 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1662299
Regress : test\mjsunit\regress\regress-330046.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --use-osr --allow-natives-syntax --opt
var o1 = {a : 10};
var o2 = { };
o2.__proto__ = o1;
var o3 = { };
o3.__proto__ = o2;
function f(n, x, b) {
var sum = x.a;
for (var i = 0; i < n; i++) {
sum = 1.0 / i;
}
return sum;
}
%PrepareFunctionForOptimization(f);
f(10, o3);
f(20, o3);
f(30, o3);
%OptimizeFunctionOnNextCall(f, "concurrent");
f(100000, o3);
// At this point OSR replaces already optimized code.
// Check that it evicts old code from cache.
// This causes all code for f to be lazily deopted.
o2.a = 5;
%PrepareFunctionForOptimization(f);
// If OSR did not evict the old code, it will be installed in f here.
%OptimizeFunctionOnNextCall(f);
f(10, o3);
// The old code is already deoptimized, but f still points to it.
// Disassembling it will crash.
%DisassembleFunction(f);
Issue: https://crbug.com/v8/8801
Commit: [cleanup] Add missing %PrepareFunctionForOptimize in mjsunit tests
Date(Commit): Mon, 17 Jun 2019 12:48:08 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1662292
Regress : test\mjsunit\regress\regress-crbug-357330.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f(foo) {
var g;
true ? (g = foo + 0) : g = null;
if (null != g) {}
};
%PrepareFunctionForOptimization(f);
f(1.4);
f(1.4);
%OptimizeFunctionOnNextCall(f);
f(1.4);
Issue: https://crbug.com/v8/6515
Commit: [regexp] Rewrite certain Assertion sequences
Date(Commit): Mon, 17 Jun 2019 10:45:41 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1657925
Regress : test\mjsunit\regress\regress-v8-6515.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// These patterns shouldn't generate code of excessive size.
assertNull(/\b\B\b\B\b\B\b\B\b\B\b\B\b\B\b\B\b\B/.exec(" aa "));
assertNull(/\b\b\b\b\b\b\b\b\b\B\B\B\B\B\B\B\B\B/.exec(" aa "));
assertNull(/\b\B$\b\B$\b\B$\b\B$\b\B$\b\B$\b\B$/.exec(" aa "));
Issue: https://crbug.com/v8/8801
Commit: [cleanup] Add missing %PrepareFunctionForOptimize in mjsunit tests
Date(Commit): Fri, 14 Jun 2019 17:27:09 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1660617
Regress : test\mjsunit\regress\regress-5636-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f(n) {
"use asm";
var a = [];
function g() {
return x;
};
for (var i = 0; i < n; ++i) {
var x = i;
a[i] = g;
%PrepareFunctionForOptimization(g);
%OptimizeFunctionOnNextCall(g);
g();
}
return a;
}
var a = f(3);
assertEquals(3, a.length);
assertEquals(2, a[0]());
assertEquals(2, a[1]());
assertEquals(2, a[2]());
Issue: https://crbug.com/v8/8801
Commit: [cleanup] Add missing %PrepareFunctionForOptimize in mjsunit tests
Date(Commit): Fri, 14 Jun 2019 14:05:18 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1660608
Regress : test\mjsunit\regress\regress-352982.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --allow-natives-syntax --expose-gc
function __f_4(i1) {
return __v_3[i1] * __v_3[0];
};
%PrepareFunctionForOptimization(__f_4);
function __f_3(i1) {
%PrepareFunctionForOptimization(__f_4);
__f_4(i1);
__f_4(i1 + 16);
__f_4(i1 + 32);
%OptimizeFunctionOnNextCall(__f_4);
var x = __f_4(i1 + 993);
return x;
}
function __f_5() {
__v_3[0] = +__v_3[0];
gc();
__f_3(0) | 0;
__v_3 = /\u23a1|x/;
return 0;
}
var __v_3 = new Float32Array(1000);
__f_5();
__f_5();
__f_5();
Issue: https://crbug.com/v8/8801
Commit: [cleanup] Add %PrepareForOptimization to some more mjsunit tests.
Date(Commit): Fri, 14 Jun 2019 13:54:11 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1660486
Regress : test\mjsunit\regress\regress-4525.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function receiver() {
return this;
}
function construct(f) {
"use strict";
class B {}
class C extends B {
bar() { return super.foo() }
}
B.prototype.foo = f;
return new C();
}
function check(x, value, type) {
assertEquals("object", typeof x);
assertInstanceof(x, type);
assertEquals(value, x);
}
var o = construct(receiver);
%PrepareFunctionForOptimization(o.bar);
check(o.bar.call(123), Object(123), Number);
check(o.bar.call("a"), Object("a"), String);
check(o.bar.call(undefined), this, Object);
check(o.bar.call(null), this, Object);
%OptimizeFunctionOnNextCall(o.bar);
check(o.bar.call(456), Object(456), Number);
check(o.bar.call("b"), Object("b"), String);
check(o.bar.call(undefined), this, Object);
check(o.bar.call(null), this, Object);
Commit: [cleanup] Add %PrepareForOptimization to some more mjsunit tests.
Date(Commit): Fri, 14 Jun 2019 11:59:02 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1660476
Regress : test\mjsunit\compiler\regress-966560-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function* get() {
for (let x of [1,2,3]) {
yield;
get = [];
}
}
%PrepareFunctionForOptimization(get);
%OptimizeFunctionOnNextCall(get);
get();
Issue: https://crbug.com/v8/9183
Commit: [cleanup] Add PrepareFunctionForOptimization to regression tests
Date(Commit): Fri, 14 Jun 2019 11:18:58 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1660469
Regress : test\mjsunit\regress\regress-4521.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
"use strict";
class B {
foo() { return 23 }
}
class C extends B {
bar() { return super[%DeoptimizeFunction(C.prototype.bar), "foo"]() }
}
%PrepareFunctionForOptimization(C.prototype.bar);
assertEquals(23, new C().bar());
assertEquals(23, new C().bar());
%OptimizeFunctionOnNextCall(C.prototype.bar);
assertEquals(23, new C().bar());
Issue: https://crbug.com/973363
Commit: [runtime] Throw RangeError if we try to get too many values or entries
Date(Commit): Thu, 13 Jun 2019 13:51:48 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1657914
Regress : test\mjsunit\regress\regress-crbug-397662.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --mock-arraybuffer-allocator --allow-natives-syntax
var a = new Uint8Array(%MaxSmi() >> 1);
a.x = 1;
assertThrows(()=>Object.entries(a), RangeError);
Issue: https://crbug.com/v8/8801
Commit: [test] Add %PrepareForOptimization to even more tests
Date(Commit): Wed, 12 Jun 2019 16:00:50 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1648255
Regress : test\mjsunit\regress\regress-v8-9233.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
let o1 = { x: 999 };
o1.y = 999;
// o2 will share map with o1 in its initial state
var o2 = { x: 1 };
function f() {
return o2.x;
};
%PrepareFunctionForOptimization(f);
assertEquals(1, f());
assertEquals(1, f());
%OptimizeFunctionOnNextCall(f);
assertEquals(1, f());
delete o2.x;
o2.x = 2;
assertEquals(2, f());
Issue: https://crbug.com/v8/7848
Commit: [error] Use prepareStackTrace from error's realm
Date(Commit): Tue, 11 Jun 2019 14:08:58 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1113438
Regress : test\mjsunit\regress\regress-v8-7848.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Should never be called in this test.
Error.prepareStackTrace = () => 299792458;
{
const that_realm = Realm.create();
const result = Realm.eval(that_realm,
"() => { Error.prepareStackTrace = () => 42; return new Error(); }")();
assertEquals(42, result.stack);
}
{
const that_realm = Realm.create();
const result = Realm.eval(that_realm,
"() => { Error.prepareStackTrace = () => 42; " +
"class MyError extends Error {}; return new MyError(); }")();
assertEquals(42, result.stack);
}
{
const that_realm = Realm.create();
const result = Realm.eval(that_realm,
"() => { Error.prepareStackTrace = () => 42; return {}; }")();
assertFalse("stack" in result);
}
Issue: https://crbug.com/943636
Commit: Add quotes around unexpected token SyntaxError
Date(Commit): Thu, 6 Jun 2019 19:35:53 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1593307
Regress : test\mjsunit\regress\regress-797581.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --harmony-dynamic-import
// Resources: test/mjsunit/regress/modules-skip-regress-797581-1.js
// Resources: test/mjsunit/regress/modules-skip-regress-797581-2.js
// Resources: test/mjsunit/regress/modules-skip-regress-797581-3.js
// Resources: test/mjsunit/regress/modules-skip-regress-797581-4.js
// Resources: test/mjsunit/regress/modules-skip-regress-797581-5.js
function TryToLoadModule(filename, expect_error, token) {
let caught_error;
function SetError(e) {
caught_error = e;
}
import(filename).catch(SetError);
%PerformMicrotaskCheckpoint();
if (expect_error) {
assertTrue(caught_error instanceof SyntaxError);
assertEquals("Unexpected token '" + token + "'", caught_error.message);
} else {
assertEquals(undefined, caught_error);
}
}
TryToLoadModule("modules-skip-regress-797581-1.js", true, ")");
TryToLoadModule("modules-skip-regress-797581-2.js", true, ")");
TryToLoadModule("modules-skip-regress-797581-3.js", true, "...");
TryToLoadModule("modules-skip-regress-797581-4.js", true, ",");
TryToLoadModule("modules-skip-regress-797581-5.js", false);
Issue: https://crbug.com/967101
Commit: Handle IC store with sealed elements
Date(Commit): Mon, 10 Jun 2019 12:17:23 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1632830
Regress : test\mjsunit\regress\regress-crbug-967101.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// For packed sealed object.
function packedStore() {
let a = Object.seal([""]);
a[0] = 0;
assertEquals(a[0], 0);
}
packedStore();
packedStore();
// For holey sealed object.
function holeyStore() {
let a = Object.seal([, ""]);
a[0] = 0;
assertEquals(a[0], undefined);
}
holeyStore();
holeyStore();
// Make sure IC store for holey is consistent.
let a = Object.seal([, ""]);
function foo() {
a[1] = 0;
}
foo();
foo();
function bar() {
a[0] = 1;
}
assertEquals(a, [, 0]);
bar();
assertEquals(a, [, 0]);
bar();
assertEquals(a, [, 0]);
function baz() {
a[2] = 2;
}
assertEquals(a, [, 0]);
baz();
assertEquals(a, [, 0]);
baz();
assertEquals(a, [, 0]);
Issue: https://crbug.com/971383
Commit: Fix character ranges in case insensitive regexp
Date(Commit): Thu, 6 Jun 2019 15:35:48 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1648098
Regress : test\mjsunit\regress\regress-crbug-971383.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --icu-locale=tr
assertEquals(["HIJK"], "HIJK".match(/[a-z]+/gi));
Issue: https://crbug.com/v8/8801
Commit: [test] Add %PrepareForOptimization to more tests
Date(Commit): Tue, 4 Jun 2019 09:08:55 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1643167
Regress : test\mjsunit\regress\regress-488398.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var __v_10 = 4294967295;
__v_0 = [];
__v_0.__proto__ = [];
__v_16 = __v_0;
function __f_17(__v_16, base) {
__v_16[base + 1] = 1;
__v_16[base + 4] = base + 4;
}
%PrepareFunctionForOptimization(__f_17);
__f_17(__v_16, true);
__f_17(__v_16, 14);
%OptimizeFunctionOnNextCall(__f_17);
__f_17(__v_16, 2048);
Issue: https://crbug.com/966450
Commit: Fix correctness issue in proxy set trap
Date(Commit): Tue, 28 May 2019 17:44:18 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1632238
Regress : test\mjsunit\regress\regress-crbug-966450.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let prop = "someName";
function foo(a, b, v) { return a[b] = 0 }
try {
foo("", prop);
} catch(e) {}
var target = {};
var traps = { set() {return 42} };
var proxy = new Proxy(target, traps);
Object.defineProperty(target, prop, { value: 0 });
try {
foo(proxy, prop);
} catch (e) { }
foo(proxy, prop, 0);
Issue: https://crbug.com/951196
Commit: Reland "[typedarray] Move external/data pointer to JSTypedArray."
Date(Commit): Mon, 27 May 2019 19:01:01 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1627535
Regress : test\mjsunit\regress\regress-v8-4153-1.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --verify-heap
// Create tiny (on-heap) instances of TypedArrays to make sure
// that the ByteArrays are properly sized (in new space).
var arrays = [
Int8Array, Uint8Array, Int16Array, Uint16Array, Int32Array, Uint32Array,
Float32Array, Float64Array, Uint8ClampedArray, BigInt64Array, BigUint64Array
].map(C => {
new C(1)
});
Issue: https://crbug.com/967151
Commit: [json] Strings can lie to us about representation, so check what's underneath
Date(Commit): Mon, 27 May 2019 12:10:56 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1630683
Regress : test\mjsunit\regress\regress-crbug-967151.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-externalize-string
__v_3 = "100 external string turned into two byte";
__v_2 = __v_3.substring(0, 28);
try {
externalizeString(__v_3, true);
} catch (e) {}
assertEquals(100, JSON.parse(__v_2));
Issue: https://crbug.com/967065
Commit: [array] Prevent negative work array capacity when sorting
Date(Commit): Mon, 27 May 2019 07:56:18 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1630672
Regress : test\mjsunit\regress\regress-crbug-967065.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Tests that the receiver {length} property conversion works on 32-bit
// systems (i.e. it should not crash).
function ThrowingSort() {
const __v_3 = new Array(2147549152);
Object.defineProperty(__v_3, 0, {
get: () => { throw new Error("Do not actually sort!"); }
});
__v_3.sort();
}
assertThrows(() => ThrowingSort());
Issue: https://crbug.com/967254
Commit: [array] Properly handle COW arrays in Array#sort
Date(Commit): Mon, 27 May 2019 09:06:02 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1630675
Regress : test\mjsunit\regress\regress-crbug-967254.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Test that fast COW arrays are properly handled by Array#sort.
function COWSort() {
const array = ["cc", "c", "aa", "bb", "b", "ab", "ac"];
array.sort();
return array;
}
assertArrayEquals(["aa", "ab", "ac", "b", "bb", "c", "cc"], COWSort());
Array.prototype.sort = () => {};
assertArrayEquals(["cc", "c", "aa", "bb", "b", "ab", "ac"], COWSort());
Issue: https://crbug.com/v8/8714
Commit: Reland "[array] Move Array#sort pre-processing to Torque"
Date(Commit): Fri, 24 May 2019 07:38:09 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1619756
Regress : test\mjsunit\regress\regress-v8-7682.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const impl = Symbol();
class MyArrayLike {
constructor() {
this[impl] = [2, 1];
Object.freeze(this);
}
get 0() { return this[impl][0]; }
set 0(value) { this[impl][0] = value; }
get 1() { return this[impl][1]; }
set 1(value) { this[impl][1] = value; }
get length() { return 2; }
}
const xs = new MyArrayLike();
Array.prototype.sort.call(xs);
// Sort-order is implementation-defined as we actually hit two conditions from
// the spec:
// - "xs" is sparse and IsExtensible(xs) is false (its frozen).
// - "xs" is sparse and the prototype has properties in the sort range.
assertEquals(1, xs[0]);
assertEquals(2, xs[1]);
Issue: https://crbug.com/v8/9183
Commit: [cleanup] Stop using the now-unused deopt_count from feedback vector.
Date(Commit): Thu, 23 May 2019 14:42:51 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1624791
Regress : test\mjsunit\regress\regress-crbug-937734.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt
function foo()
{
return 1 in [0];
}
%PrepareFunctionForOptimization(foo);
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
assertOptimized(foo);
Issue: https://crbug.com/963411
Commit: [test] Make tests pass with the GC fuzzer.
Date(Commit): Thu, 23 May 2019 10:28:48 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1627333
Regress : test\mjsunit\regress\regress-v8-9267-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function bar(a) {
return Object.defineProperty(a, 'x', {get() { return 1; }});
}
function foo() {
return {};
}
%NeverOptimizeFunction(bar);
%PrepareFunctionForOptimization(foo);
const o = foo(); // Keep a reference so the GC doesn't kill the map.
bar(o);
const a = bar(foo());
%OptimizeFunctionOnNextCall(foo);
const b = bar(foo());
assertTrue(%HaveSameMap(a, b));
Issue: https://crbug.com/964869
Commit: [runtime] Make sure we don't inplace update None to Double
Date(Commit): Tue, 21 May 2019 15:34:25 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1622114
Regress : test\mjsunit\regress\regress-crbug-964869.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const o = {x: JSON.parse('{"x":1.1}').x};
Issue: https://crbug.com/940274
Commit: [Torque] Array.prototype.shift correctness fix
Date(Commit): Fri, 17 May 2019 16:00:58 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1617255
Regress : test\mjsunit\regress\regress-crbug-940274.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function foo() {
var a = new Array({});
a.shift();
assertFalse(a.hasOwnProperty(0));
}
foo();
Issue: https://crbug.com/963568
Commit: [json] Use correct index to read details
Date(Commit): Thu, 16 May 2019 12:13:41 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1615179
Regress : test\mjsunit\regress\regress-crbug-963568.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
JSON.parse('{"0":true,"1":true,"2":true,"3":true,"4":true,"9":true," ":true,"D":true,"B":true,"-1":true,"A":true,"C":true}');
JSON.parse('{"0":true,"1":true,"2":true,"3":true,"4":true,"9":true," ":true,"D":true,"B":true,"-1":true,"A":true,"C":true}');
Commit: [json] Preallocate mutable heap numbers so object verification doesn't fail
Date(Commit): Wed, 15 May 2019 18:00:06 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1613251
Regress : test\mjsunit\regress\regress-3976.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --max-old-space-size=60 --check-handle-count
table = [];
for (var i = 0; i < 32; i++) {
table[i] = String.fromCharCode(i + 0x410);
}
var random = (function() {
var seed = 10;
return function() {
seed = (seed * 1009) % 8831;
return seed;
};
})();
function key(length) {
var s = "";
for (var i = 0; i < length; i++) {
s += table[random() % 32];
}
return '"' + s + '"';
}
function value() {
return '[{' + '"field1" : ' + random() + ', "field2" : ' + random() + '}]';
}
function generate(n) {
var s = '{';
for (var i = 0; i < n; i++) {
if (i > 0) s += ', ';
s += key(random() % 10 + 7);
s += ':';
s += value();
}
s += '}';
return s;
}
print("generating");
var str = generate(10000);
print("parsing " + str.length);
JSON.parse(str);
print("done");
Issue: https://crbug.com/v8/6664
Commit: Reland of Port Proxy SetProperty trap builtin to Torque
Date(Commit): Tue, 14 May 2019 04:46:12 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1604071
Regress : test\mjsunit\es6\regress\regress-9234.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function returnFalsishStrict() {
"use strict";
function trySet(o) {
o["bla"] = 0;
}
var proxy = new Proxy({}, {});
var proxy2 = new Proxy({}, { set() { return ""; } });
trySet(proxy);
trySet(proxy);
assertThrows(() => trySet(proxy2), TypeError);
})();
(function privateSymbolStrict() {
"use strict";
var proxy = new Proxy({}, {});
var proxy2 = new Proxy({a: 1}, { set() { return true; } });
function trySet(o) {
var symbol = o == proxy2 ? %CreatePrivateSymbol("private"): 1;
o[symbol] = 0;
}
trySet(proxy);
trySet(proxy);
assertThrows(() => trySet(proxy2), TypeError);
})();
Issue: https://crbug.com/v8/9114
Commit: [map] Properly share the map for builtin iterator result objects.
Date(Commit): Tue, 14 May 2019 15:17:42 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1609794
Regress : test\mjsunit\regress\regress-v8-9243.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// The special IterResultObject map that builtins use should be the same
// as the one produced by the `{value, done}` object literal.
const user = {value:undefined, done:true};
// Array iterator.
const arrayResult = (new Array())[Symbol.iterator]().next();
assertTrue(%HaveSameMap(user, arrayResult));
// Map iterator.
const mapResult = (new Map())[Symbol.iterator]().next();
assertTrue(%HaveSameMap(user, mapResult));
// Set iterator.
const setResult = (new Set())[Symbol.iterator]().next();
assertTrue(%HaveSameMap(user, setResult));
// Generator.
function* generator() {}
const generatorResult = generator().next();
assertTrue(%HaveSameMap(user, setResult));
Issue: https://crbug.com/961507
Commit: Reland "[class] implement private method declarations"
Date(Commit): Tue, 14 May 2019 03:39:54 +0800
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1568708
Regress : test\mjsunit\regress\regress-961508.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --print-ast
const foo = new class bar extends async function () {}.constructor {}();
Issue: https://crbug.com/961237
Commit: [turbofan] Fix handling of null in -0 == null comparison
Date(Commit): Mon, 13 May 2019 14:55:29 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1609538
Regress : test\mjsunit\regress\regress-961237.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
const a = 1.1;
const b = null;
function f(x) { return -0 == (x ? a : b); }
%PrepareFunctionForOptimization(f);
assertEquals(false, f(true));
assertEquals(false, f(true));
%OptimizeFunctionOnNextCall(f);
assertEquals(false, f(false));
Issue: https://crbug.com/961129
Commit: [wasm][gc] Fix NativeModule::GetCode for nonexisting code
Date(Commit): Fri, 10 May 2019 11:05:06 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1602700
Regress : test\mjsunit\regress\wasm\regress-961129.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
%EnableCodeLoggingForTesting();
function module() {
"use asm";
function f() {
var i = 4;
return i | 0;
}
return {f: f};
}
module().f();
Issue: https://crbug.com/959727
Commit: Fix a DCHECK failure on an exception message
Date(Commit): Thu, 9 May 2019 09:43:34 +0900
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1597372
Regress : test\mjsunit\regress\regress-crbug-959727.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
'use strict';
let r = Realm.createAllowCrossRealmAccess();
Realm.detachGlobal(r);
try {
Realm.global(r)[1] = 0;
} catch (e) {
}
Issue: https://crbug.com/959747
Commit: Sealed array should handle store out of bounds in optimized code
Date(Commit): Mon, 6 May 2019 11:29:36 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1597116
Regress : test\mjsunit\compiler\regress-sealedarray-store-outofbounds.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt --no-always-opt
const v3 = [0,"symbol"];
const v5 = 0 - 1;
const v6 = Object.seal(v3);
let v9 = 0;
function f1() {
v6[119090556] = v5;
}
%PrepareFunctionForOptimization(f1);
f1();
%OptimizeFunctionOnNextCall(f1);
f1();
assertOptimized(f1);
assertEquals(v6.length, 2);
Issue: https://crbug.com/941703
Commit: [parser] Clear is_parenthesized on ThisExpression when accessing it
Date(Commit): Wed, 8 May 2019 17:01:21 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1601260
Regress : test\mjsunit\regress\regress-crbug-941703.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("(this) , this =>", SyntaxError);
Issue: https://crbug.com/v8/8394
Commit: Reland "[Test] Update tests to work with lazy feedback allocation."
Date(Commit): Fri, 3 May 2019 15:32:12 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1593303
Regress : test\mjsunit\regress\regress-trap-allocation-memento.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --noalways-opt
var elements_kind = {
fast_smi_only : 'fast smi only elements',
fast : 'fast elements',
fast_double : 'fast double elements',
dictionary : 'dictionary elements',
}
function getKind(obj) {
if (%HasSmiElements(obj)) return elements_kind.fast_smi_only;
if (%HasObjectElements(obj)) return elements_kind.fast;
if (%HasDoubleElements(obj)) return elements_kind.fast_double;
if (%HasDictionaryElements(obj)) return elements_kind.dictionary;
}
function assertKind(expected, obj, name_opt) {
assertEquals(expected, getKind(obj), name_opt);
}
(function() {
function make1() { return new Array(); }
function make2() { return new Array(); }
function make3() { return new Array(); }
function foo(a, i) { a[0] = i; }
%EnsureFeedbackVectorForFunction(make1);
%EnsureFeedbackVectorForFunction(make2);
%EnsureFeedbackVectorForFunction(make3);
%EnsureFeedbackVectorForFunction(foo);
function run_test(maker_function) {
var one = maker_function();
assertKind(elements_kind.fast_smi_only, one);
// Use memento to pre-transition allocation site to DOUBLE elements.
foo(one, 1.5);
// Newly created arrays should now have DOUBLE elements right away.
var two = maker_function();
assertKind(elements_kind.fast_double, two);
}
%EnsureFeedbackVectorForFunction(run_test);
// Initialize the KeyedStoreIC in foo; the actual operation will be done
// in the runtime.
run_test(make1);
// Run again; the IC optimistically assumed to only see the transitioned
// (double-elements) map again, so this will make it polymorphic.
// The actual operation will again be done in the runtime.
run_test(make2);
// Finally, check if the initialized IC honors the allocation memento.
run_test(make3);
})();
Issue: https://crbug.com/959645
Commit: [map] Make field representation updates work with elements kind transitions.
Date(Commit): Tue, 7 May 2019 14:19:46 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1598756
Regress : test\mjsunit\regress\regress-crbug-959645-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --modify-field-representations-inplace
function f(array, x) {
array.x = x;
array[0] = undefined;
return array;
}
f([1.1], 1);
f([2.2], 1);
%HeapObjectVerify(f([3.3], undefined));
Issue: https://crbug.com/v8/4153
Commit: Reland "[typedarray] Make JSTypedArray::length authoritative."
Date(Commit): Tue, 7 May 2019 12:54:45 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1543729
Regress : test\mjsunit\regress\regress-9105.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let array = new Uint32Array(32);
array[10] = 10; array[20] = 20;
Array.prototype.sort.call(array);
assertEquals(32, array.length);
assertEquals(10, array[30]);
assertEquals(20, array[31]);
Issue: https://crbug.com/v8/8394
Commit: Reland [ic] Remove the check for fast prototypes in LoadIC_Uninitialized
Date(Commit): Wed, 1 May 2019 14:05:49 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1591772
Regress : test\mjsunit\regress\regress-crbug-827013.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function Test() {
var f = () => 42;
function modify_f() {
delete f.length;
delete f.name;
var g = Object.create(f);
for (var i = 0; i < 5; i++) {
g.dummy;
}
}
%EnsureFeedbackVectorForFunction(f);
assertTrue(%HasFastProperties(f));
var h = f.bind(this);
})();
Issue: https://crbug.com/v8/9184
Commit: [wasm] Fix Streaming API Error Messages
Date(Commit): Tue, 30 Apr 2019 16:04:56 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1588468
Regress : test\mjsunit\regress\wasm\regress-956771b.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-lazy-compilation --wasm-test-streaming
load('test/mjsunit/wasm/wasm-module-builder.js');
(function testLazyModuleStreamingCompilation() {
print(arguments.callee.name);
let builder = new WasmModuleBuilder();
builder.addFunction("some", kSig_i_ii);
let bytes = builder.toBuffer();
assertPromiseResult(WebAssembly.compileStreaming(Promise.resolve(bytes))
.then(assertUnreachable,
error => assertEquals("WebAssembly.compileStreaming(): function " +
"body must end with \"end\" opcode @+26",
error.message)));
})();
Issue: https://crbug.com/v8/8801
Commit: [Test] Add PrepareForOptimization to some mjsunit tests.
Date(Commit): Fri, 3 May 2019 13:48:33 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1594558
Regress : test\mjsunit\harmony\regress\regress-crbug-347528.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --allow-natives-syntax --harmony
"use strict";
let unused_var = 1;
function __f_12() { new Array(); }
%PrepareFunctionForOptimization(__f_12);
__f_12();
__f_12();
%OptimizeFunctionOnNextCall(__f_12);
__f_12();
Issue: https://crbug.com/v8/9017
Commit: Touch guard pages when allocating stack frames
Date(Commit): Thu, 2 May 2019 10:02:14 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1570666
Regress : test\mjsunit\regress\regress-9017.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Call a recursive function that uses large numbers of bound arguments. If we
// are failing to touch consecutive guard pages on Windows when extending the
// stack for bound arguments, then this would crash.
const frameSize = 4096 * 5;
const numValues = frameSize / 4;
const arr = new Array(numValues);
let counter = 10;
function f() { --counter; return 1 + (counter > 0 ? bound() : 0); }
const bound = f.bind.apply(f, arr);
bound();
Issue: https://crbug.com/v8/5367
Commit: [class] Remove flags for class fields
Date(Commit): Tue, 30 Apr 2019 11:47:05 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1590164
Regress : test\mjsunit\harmony\regress\regress-8808.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows(() => eval(`
class Foo {
#x = 1;
destructureX() {
const { #x: x } = this;
return x;
}
}
`), SyntaxError);
Issue: https://crbug.com/v8/8801
Commit: [Test] Add %PrepareForOptimization in tests
Date(Commit): Tue, 30 Apr 2019 14:39:53 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1588415
Regress : test\mjsunit\es6\regress\regress-inlined-new-target.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function g() { return { val: new.target }; }
function f() { return (new g()).val; }
%PrepareFunctionForOptimization(f);
assertEquals(g, f());
assertEquals(g, f());
%OptimizeFunctionOnNextCall(f);
assertEquals(g, f());
Issue: https://crbug.com/956771
Commit: [wasm] Fix Wasm Lazy Compilation
Date(Commit): Tue, 30 Apr 2019 13:23:27 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1585843
Regress : test\mjsunit\regress\wasm\regress-956771.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-lazy-compilation
load('test/mjsunit/wasm/wasm-module-builder.js');
(function testLazyModuleAsyncCompilation() {
print(arguments.callee.name);
let builder = new WasmModuleBuilder();
builder.addFunction("some", kSig_i_ii)
assertPromiseResult(WebAssembly.compile(builder.toBuffer())
.then(assertUnreachable,
error => assertEquals("WebAssembly.compile(): function body must " +
"end with \"end\" opcode @+26",
error.message)));
})();
(function testLazyModuleSyncCompilation() {
print(arguments.callee.name);
let builder = new WasmModuleBuilder();
builder.addFunction("some", kSig_i_ii)
assertThrows(() => builder.toModule(),
WebAssembly.CompileError,
"WebAssembly.Module(): Compiling function #0:\"some\" failed: " +
"function body must end with \"end\" opcode @+26");
})();
Commit: [test] Prevent Unintentionally Undefined Error Types
Date(Commit): Mon, 29 Apr 2019 19:06:02 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1585855
Regress : test\mjsunit\regress\regress-852765.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// The actual regression test
assertThrows("(import(foo)) =>", SyntaxError, "Invalid destructuring assignment target");
// Other related tests
assertThrows("import(foo) =>", SyntaxError, "Malformed arrow function parameter list");
assertThrows("(a, import(foo)) =>", SyntaxError, "Invalid destructuring assignment target");
assertThrows("(1, import(foo)) =>", SyntaxError, "Invalid destructuring assignment target");
assertThrows("(super(foo)) =>", SyntaxError, "'super' keyword unexpected here");
assertThrows("(bar(foo)) =>", SyntaxError, "Invalid destructuring assignment target");
// No syntax errors
assertThrows("[import(foo).then] = [1];", ReferenceError, "foo is not defined");
assertThrows("[[import(foo).then]] = [[1]];", ReferenceError, "foo is not defined");
Issue: https://crbug.com/v8/9161
Commit: Reland "[typedarray] Fix crash when sorting SharedArrayBuffers"
Date(Commit): Thu, 25 Apr 2019 13:40:40 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1581641
Regress : test\mjsunit\regress\regress-crbug-9161.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// This test is a reproduction of a crash that happens when a TypedArray
// backed by a SharedArrayBuffer is concurrently modified while sorting.
// Segfaults would need a long time to trigger in normal builds, so this
// reproduction is tailored to trigger on ASAN builds. On ASAN builds,
// out-of-bounds accesses while sorting would result in an immediate failure.
const lock = new Int32Array(new SharedArrayBuffer(4));
const kIterations = 5000;
const kLength = 2000;
const kStageIndex = 0;
const kStageInit = 0;
const kStageRunning = 1;
const kStageDone = 2;
Atomics.store(lock, kStageIndex, kStageInit);
function WaitUntil(expected) {
while (true) {
const value = Atomics.load(lock, kStageIndex);
if (value === expected) break;
}
}
const workerScript = `
onmessage = function([sab, lock]) {
const i32a = new Int32Array(sab);
Atomics.store(lock, ${kStageIndex}, ${kStageRunning});
for (let j = 1; j < ${kIterations}; ++j) {
for (let i = 0; i < i32a.length; ++i) {
i32a[i] = j;
}
}
postMessage("done");
Atomics.store(lock, ${kStageIndex}, ${kStageDone});
};`;
const worker = new Worker(workerScript, {type: 'string'});
const i32a = new Int32Array(
new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT * kLength)
);
worker.postMessage([i32a.buffer, lock]);
WaitUntil(kStageRunning);
for (let i = 0; i < kIterations; ++i) {
i32a.sort();
}
WaitUntil(kStageDone);
assertEquals(worker.getMessage(), "done");
Commit: [asm.js] Exported functions diverge from wasm js-api spec.
Date(Commit): Tue, 23 Apr 2019 13:22:38 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1578499
Regress : test\mjsunit\regress\regress-crbug-935800.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function foo() {
"use asm";
function bar() {}
return {bar: bar};
}
var module = foo();
assertTrue(Object.getOwnPropertyNames(module.bar).includes("prototype"));
assertInstanceof(new module.bar(), module.bar);
Issue: https://crbug.com/v8/9139
Commit: [turbofan] Use the right comparison for constant field store.
Date(Commit): Thu, 18 Apr 2019 11:56:16 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1569438
Regress : test\mjsunit\compiler\regress-v8-9139.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt --no-always-opt
let dummy = { x : {} };
let o = { x : 0.1 };
function f(o, a, b) {
o.x = a + b;
}
%PrepareFunctionForOptimization(f);
f(o, 0.05, 0.05);
f(o, 0.05, 0.05);
%OptimizeFunctionOnNextCall(f);
f(o, 0.05, 0.05);
assertOptimized(f);
Issue: https://crbug.com/952722
Commit: [ast] simplify ClassScope::ResolvePrivateNamesPartially
Date(Commit): Mon, 15 Apr 2019 23:01:53 +0800
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1567709
Regress : test\mjsunit\harmony\regress\regress-952722.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy
class A {
static #a = 1;
static b = class {
static get_A() { return val.#a; }
}
}
Issue: https://crbug.com/950747
Commit: [ic] Fix handling of +0/-0 when constant field tracking is enabled
Date(Commit): Wed, 10 Apr 2019 17:49:01 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1561319
Regress : test\mjsunit\regress\regress-crbug-950747.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let o = {};
Reflect.set(o, "a", 0.1);
let o1 = {};
o1.a = {};
Reflect.set(o, "a", 0.1);
Issue: https://crbug.com/947822
Commit: [regexp] Ensure ToString(replaceValue) is called once in @@replace
Date(Commit): Tue, 9 Apr 2019 12:12:46 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1559739
Regress : test\mjsunit\regress\regress-947822.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let cnt = 0;
const re = /x/y;
const replacement = {
toString: () => {
cnt++;
if (cnt == 2) {
re.lastIndex = { valueOf: () => { re.x = -1073741825; return 7; }};
}
return 'y$';
}
};
const str = re[Symbol.replace]("x", replacement);
assertEquals(str, "y$");
Issue: https://crbug.com/v8/7790
Commit: [turbofan] Brokerize JSInliningHeuristic
Date(Commit): Mon, 8 Apr 2019 15:09:37 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1528437
Regress : test\mjsunit\regress\regress-9002.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt --no-always-opt
function f() {
return 42;
}
function g() {
return 52;
}
%NeverOptimizeFunction(f);
function foo(cond) {
let func;
if (cond) {
func = f;
} else {
func = g;
}
func();
}
%PrepareFunctionForOptimization(foo);
foo(true);
foo(false);
%OptimizeFunctionOnNextCall(foo);
foo(true);
foo(false);
// Just a sanitary check, we have a DCHECK in js-inlining.cc to make sure
// f is not inlined into foo.
assertUnoptimized(f);
Issue: https://crbug.com/948307
Commit: [heap] Do not {RecordEphemeronKeyWrite} if key is in old-space
Date(Commit): Tue, 2 Apr 2019 14:29:12 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1547858
Regress : test\mjsunit\regress\regress-948307.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
const set = new WeakSet()
const obj = {};
// Two GCs to promote {set} and {obj} to old-space.
gc();
gc();
// Allocate a large array so {obj} will become an evacuation candidate.
const foo = new Int8Array(0x0F000000);
// Trigger ephemeron key write barrier.
set.add(obj);
Issue: https://crbug.com/948248
Commit: [parser] Fail early for two-byte intrinsic calls
Date(Commit): Tue, 2 Apr 2019 11:23:28 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1547857
Regress : test\mjsunit\regress\regress-948248.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Non-ascii intrinsic calls shouldn't crash V8.
assertThrows("%ಠ_ಠ()", SyntaxError);
Commit: [asmjs] Check function body size limit
Date(Commit): Wed, 27 Mar 2019 16:28:41 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1541479
Regress : test\mjsunit\regress\regress-944945.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const E = '"use asm";\nfunction f() { LOCALS }\nreturn f;';
const PI = new Function(E.replace('LOCALS', Array(999995).fill('0.9')));
Issue: https://crbug.com/944971
Commit: [regexp] Refactor Regexp.prototype[@@replace]
Date(Commit): Wed, 27 Mar 2019 13:41:29 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1541477
Regress : test\mjsunit\regress\regress-crbug-944971.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let re = /x/y;
let cnt = 0;
let str = re[Symbol.replace]("x", {
toString: () => {
cnt++;
if (cnt == 2) {
re.lastIndex = {valueOf: () => {
re.x = 42;
return 0;
}};
}
return 'y$';
}
});
assertEquals("y$", str);
Issue: https://crbug.com/839919
Commit: [wasm] Fix missing GC visit of instance elements
Date(Commit): Wed, 27 Mar 2019 11:47:30 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1541237
Regress : test\mjsunit\regress\wasm\regress-946350.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
load('test/mjsunit/wasm/wasm-module-builder.js');
var builder = new WasmModuleBuilder();
var instance = builder.instantiate();
instance[1] = undefined;
gc();
Object.getOwnPropertyNames(instance);
Issue: https://crbug.com/v8/9036
Commit: [csa] Fix instanceof for LHS with proxy in prototype chain
Date(Commit): Tue, 26 Mar 2019 19:07:49 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1539497
Regress : test\mjsunit\regress\regress-9036-3.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function C() {};
const p = new Proxy({}, { getPrototypeOf() { return C.prototype } });
const o = Object.create(p);
assertTrue(o instanceof C);
assertTrue(o instanceof C);
Issue: https://crbug.com/944435
Commit: [Builtins] Make it harder to store signalling NaNs in Torque/CSA
Date(Commit): Tue, 26 Mar 2019 10:27:09 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1538517
Regress : test\mjsunit\regress\regress-crbug-944435.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --verify-heap --expose-gc
function foo( ) {
return [
0,
1,
2,
3,
4,
5,
6,
7,
8,
9,
10,
0x1000000,
0x40000000,
12,
60,
100,
1000 * 60 * 60 * 24].map(Math.asin);
}
let b = [];
b.constructor = {};
b.constructor[Symbol.species] = function() {};
let a = [];
for (let i = 0; i < 10; i++) {
a.push(foo());
gc();
gc();
gc();
}
Issue: https://crbug.com/940722
Commit: [regexp] Allow heap allocation on stack overflows
Date(Commit): Tue, 12 Mar 2019 15:18:40 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1518174
Regress : test\mjsunit\regress\regress-940722.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --stack-size=100
var __v_27278 = "x";
for (var __v_27279 = 0; __v_27279 != 13; __v_27279++) {
try { __v_27278 += __v_27278; } catch (e) {}
}
// Can throw or not, but should not crash.
try { /(xx|x)*/.exec(__v_27278); } catch (e) {}
Issue: https://crbug.com/940296
Commit: [wasm] Fix insufficient bounds check in WebAssembly.get
Date(Commit): Tue, 12 Mar 2019 11:01:41 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1514496
Regress : test\mjsunit\regress\wasm\regress-940296.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let table = new WebAssembly.Table({element: "anyfunc", initial: 1});
assertThrows(() => table.get(3612882876), RangeError);
Issue: https://crbug.com/937681
Commit: [regexp] Fix sticky callable replace with OOB lastIndex
Date(Commit): Mon, 11 Mar 2019 15:08:27 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1514679
Regress : test\mjsunit\regress\regress-937681.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const str = 'aaaa';
const re0 = /./y;
// Twice to go through both runtime and the builtin.
re0.lastIndex = 9;
assertEquals(str, re0[Symbol.replace](str, () => 42));
re0.lastIndex = 9;
assertEquals(str, re0[Symbol.replace](str, () => 42));
re0.lastIndex = 9;
assertEquals(str, re0[Symbol.replace](str, "42"));
re0.lastIndex = 9;
assertEquals(str, re0[Symbol.replace](str, "42"));
Commit: [asm.js] Fix undefined behavior with float32 constants.
Date(Commit): Wed, 6 Mar 2019 15:38:09 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1505458
Regress : test\mjsunit\asm\regress-937650.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function Module(stdlib) {
"use asm";
var fround = stdlib.Math.fround;
// The below constant is outside the range of representable {float} values.
const infinity = fround(1.7976931348623157e+308);
function f() {
return infinity;
}
return { f: f };
}
var m = Module(this);
assertEquals(Infinity, m.f());
assertTrue(%IsAsmWasmCode(Module));
Issue: https://crbug.com/927894
Commit: [ubsan] Fix various ClusterFuzz-found issues
Date(Commit): Tue, 5 Mar 2019 17:52:26 -0800
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1495911
Regress : test\mjsunit\regress\wasm\regress-ubsan.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');
// crbug.com/933134
(function() {
var builder = new WasmModuleBuilder();
builder.addImportedGlobal("mod", "i32", kWasmI32);
builder.addImportedGlobal("mod", "f32", kWasmF32);
var module = new WebAssembly.Module(builder.toBuffer());
return new WebAssembly.Instance(module, {
mod: {
i32: 1e12,
f32: 1e300,
}
});
})();
Commit: [Test] Avoid relying on flag implications for --flush-bytecode in tests.
Date(Commit): Wed, 6 Mar 2019 13:02:49 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1505796
Regress : test\mjsunit\regress\regress-v8-8799.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc --flush-bytecode --stress-flush-bytecode
// Ensure tagged template objects are cached even after bytecode flushing.
var f = (x) => eval`a${x}b`;
var a = f();
gc();
assertSame(a, f());
Commit: [Test] Add PrepareForOptimization to mjsunit/compiler
Date(Commit): Fri, 1 Mar 2019 10:19:54 +0000
Code Review : https://chromium-review.googlesource.com/c/1495555
Regress : test\mjsunit\compiler\regress-variable-liveness.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(x) {
%DeoptimizeFunction(run);
return x;
}
function run() {
var line = new Array(2);
for (var n = 3; n > 0; n = n - 1) {
if (n < foo(line.length)) line = new Array(n);
line[0] = n;
}
}
%PrepareFunctionForOptimization(run);
assertEquals(void 0, run());
%OptimizeFunctionOnNextCall(run);
assertEquals(void 0, run());
Commit: [Compile] Avoid flushing code that's marked for optimization in tests.
Date(Commit): Wed, 27 Feb 2019 15:51:57 +0000
Code Review : https://chromium-review.googlesource.com/c/1463525
Regress : test\mjsunit\regress\regress-7254.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt
function foo(a) {
a[0];
a[1] = "";
}
%PrepareFunctionForOptimization(foo);
foo([0,0].map(x => x));
foo([0,0].map(x => x));
%OptimizeFunctionOnNextCall(foo);
foo([0,0].map(x => x));
assertOptimized(foo);
Issue: https://crbug.com/913222
Commit: [parser] Fix stackoverflow on function expressions
Date(Commit): Thu, 21 Feb 2019 17:37:39 +0100
Code Review : https://chromium-review.googlesource.com/c/1480379
Regress : test\mjsunit\regress\regress-crbug-913222.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --stack-size=100
__v_0 = '(function() {\n';
for (var __v_1 = 0; __v_1 < 10000; __v_1++) {
__v_0 += ' return function() {\n';
}
assertThrows(()=>eval(__v_0), RangeError);
Issue: https://crbug.com/933214
Commit: [parser] Always return a valid var from DeclareVariableName
Date(Commit): Thu, 21 Feb 2019 17:24:43 +0100
Code Review : https://chromium-review.googlesource.com/c/1481219
Regress : test\mjsunit\regress\regress-crbug-933214.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows(`
function __v_0() {
function __v_2() {
try {
function* __v_0() {}
function __v_0() {}
}
}
}`, SyntaxError);
Issue: https://crbug.com/933776
Commit: Remove invalid DCHECK in ReplacementStringBuilder
Date(Commit): Thu, 21 Feb 2019 09:09:43 +0100
Code Review : https://chromium-review.googlesource.com/c/1479955
Regress : test\mjsunit\regress\regress-933776.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
__v_51351 = /[^]$/gm;
"a\nb\rc\n\rd\r\ne".replace(__v_51351, "*$1");
Issue: https://crbug.com/v8/7161
Commit: Reland "[builtins]: Optimize CreateTypedArray to use element size log 2 for calculations."
Date(Commit): Tue, 12 Feb 2019 06:57:31 -0600
Code Review : https://chromium-review.googlesource.com/c/1456299
Regress : test\mjsunit\regress\regress-crbug-932034.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --mock-arraybuffer-allocator
// Verify on 32-bit architectures, a byte length overflow is handled gracefully.
try {
new BigInt64Array(%MaxSmi());
} catch(e) {
assertInstanceof(e, RangeError);
}
Issue: https://crbug.com/933179
Commit: Remove incorrect dcheck from map updater.
Date(Commit): Tue, 19 Feb 2019 06:21:36 +0100
Code Review : https://chromium-review.googlesource.com/c/1477275
Regress : test\mjsunit\regress\regress-933179.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var o = { ...{ length : 1 } };
o.x = 1;
delete o.x;
o.length = 2;
Commit: [wasm] Fix section order checking in {StreamingDecoder}.
Date(Commit): Tue, 19 Feb 2019 17:11:51 +0100
Code Review : https://chromium-review.googlesource.com/c/1477211
Regress : test\mjsunit\regress\wasm\regress-8846.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-eh --wasm-test-streaming
load("test/mjsunit/wasm/wasm-module-builder.js");
(function TestAsyncCompileExceptionSection() {
print(arguments.callee.name);
let builder = new WasmModuleBuilder();
let except = builder.addException(kSig_v_v);
builder.addFunction("thrw", kSig_v_v)
.addBody([
kExprThrow, except,
]).exportFunc();
function step1(buffer) {
assertPromiseResult(WebAssembly.compile(buffer), module => step2(module));
}
function step2(module) {
assertPromiseResult(WebAssembly.instantiate(module), inst => step3(inst));
}
function step3(instance) {
assertThrows(() => instance.exports.thrw(), WebAssembly.RuntimeError);
}
step1(builder.toBuffer());
})();
Commit: [ast] Always visit all AST nodes, even dead nodes
Date(Commit): Wed, 13 Feb 2019 15:43:15 +0100
Code Review : https://chromium-review.googlesource.com/c/1470108
Regress : test\mjsunit\regress\regress-crbug-926651.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var asdf = false;
const f =
(v1 = (function g() {
if (asdf) { return; } else { return; }
(function h() {});
})()) => 1;
f();
Issue: https://crbug.com/930948
Commit: [array] Fix Array#map storing signaling NaNs
Date(Commit): Tue, 12 Feb 2019 15:48:55 +0100
Code Review : https://chromium-review.googlesource.com/c/1466503
Regress : test\mjsunit\regress\regress-crbug-930948-base.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --verify-heap --allow-natives-syntax
function foo() {
return [undefined].map(Math.asin);
}
foo();
Issue: https://crbug.com/930486
Commit: Fix map equivalence check.
Date(Commit): Mon, 11 Feb 2019 06:04:17 +0100
Code Review : https://chromium-review.googlesource.com/c/1462004
Regress : test\mjsunit\regress\regress-930486.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var __v_49026 = function () {};
__v_49026.prototype = undefined;
__v_49026.x = 23;
__v_49026.prototype = new ArrayBuffer();
__v_49026.x = 2147483649;
Issue: https://crbug.com/930580
Commit: [parser] Reset expression_scope_ stack to nullptr when parsing a function body
Date(Commit): Mon, 11 Feb 2019 09:45:51 +0100
Code Review : https://chromium-review.googlesource.com/c/1462005
Regress : test\mjsunit\regress\regress-crbug-930580.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function outer() {
(arg = (function inner() {
return this
})()) => 0;
})();
Issue: https://crbug.com/v8/5848
Commit: Reland^2 "[builtins] [turbofan] Refactor Float64Pow to use single implementation"
Date(Commit): Thu, 7 Feb 2019 18:32:59 -0600
Code Review : https://chromium-review.googlesource.com/c/1403018
Regress : test\mjsunit\regress\regress-v8-5848.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const inlineFromParser = 50 ** 50;
const i = 50;
const fromRuntimePowOp = i ** i;
const fromRuntimeMath = Math.pow(i, i);
// inlineFromParser === fromRuntimeOp === fromRuntimeMath
assertEquals(inlineFromParser, fromRuntimePowOp);
assertEquals(inlineFromParser - fromRuntimePowOp, 0);
assertEquals(inlineFromParser, fromRuntimeMath);
assertEquals(inlineFromParser - fromRuntimeMath, 0);
Issue: https://crbug.com/912162
Commit: Constant field tracking for arrays.
Date(Commit): Wed, 6 Feb 2019 15:09:36 +0100
Code Review : https://chromium-review.googlesource.com/c/1454606
Regress : test\mjsunit\regress\regress-912162.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var a = new Array();
a.prototype = a;
function f() {
a.length = 0x2000001;
a.push();
}
({}).__proto__ = a;
f()
f()
a.length = 1;
a.fill(-255);
%HeapObjectVerify(a);
Issue: https://crbug.com/v8/8562
Commit: Reland "[test] Check for illegal uses of mjsunit methods"
Date(Commit): Mon, 4 Feb 2019 10:02:58 +0100
Code Review : https://chromium-review.googlesource.com/c/1439238
Regress : test\mjsunit\regress\regress-687.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// This regression includes a number of cases where we did not correctly
// update a accessor property to a data property using Object.defineProperty.
var obj = { get value() {}, set value (v) { throw "Error";} };
Object.defineProperty(obj, "value",
{ value: 5, writable:true, configurable: true });
var desc = Object.getOwnPropertyDescriptor(obj, "value");
assertEquals(obj.value, 5);
assertTrue(desc.configurable);
assertTrue(desc.enumerable);
assertTrue(desc.writable);
assertEquals(desc.get, undefined);
assertEquals(desc.set, undefined);
var proto = {
get value() {},
set value(v) { Object.defineProperty(this, "value", {value: v}); }
};
var create = Object.create(proto);
assertEquals(create.value, undefined);
create.value = 4;
assertEquals(create.value, 4);
// These tests where provided in bug 959, but are all related to the this issue.
var obj1 = {};
Object.defineProperty(obj1, 'p', {get: undefined, set: undefined});
assertTrue("p" in obj1);
desc = Object.getOwnPropertyDescriptor(obj1, "p");
assertFalse(desc.configurable);
assertFalse(desc.enumerable);
assertEquals(desc.value, undefined);
assertEquals(desc.get, undefined);
assertEquals(desc.set, undefined);
var obj2 = { get p() {}};
Object.defineProperty(obj2, 'p', {get: undefined})
assertTrue("p" in obj2);
desc = Object.getOwnPropertyDescriptor(obj2, "p");
assertTrue(desc.configurable);
assertTrue(desc.enumerable);
assertEquals(desc.value, undefined);
assertEquals(desc.get, undefined);
assertEquals(desc.set, undefined);
Commit: [Builtins]: Array.prototype.map out of memory error
Date(Commit): Fri, 1 Feb 2019 10:04:22 +0100
Code Review : https://chromium-review.googlesource.com/c/1449531
Regress : test\mjsunit\regress\regress-crbug-926856.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Need a fast array with enough elements to surpass
// kMaxRegularHeapObjectSize.
var size = 63392;
var a = [];
function build() {
for (let i = 0; i < size; i++) {
a.push(i);
}
}
build();
function c(v) { return v + 0.5; }
a.map(c);
Issue: https://crbug.com/v8/8726
Commit: [wasm] merge js constants file in module-builder
Date(Commit): Wed, 30 Jan 2019 16:39:14 +0100
Code Review : https://chromium-review.googlesource.com/c/1446452
Regress : test\mjsunit\regress\wasm\regress-925671.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-tier-mask-for-testing=1
load('test/mjsunit/wasm/wasm-module-builder.js');
var builder = new WasmModuleBuilder();
builder.addFunction('f0', kSig_v_v).addBody([]);
builder.addFunction('f1', kSig_v_v).addBody([]);
builder.instantiate();
Issue: https://crbug.com/926819
Commit: [parser] Don't hoist sloppy block functions on error
Date(Commit): Wed, 30 Jan 2019 11:50:13 +0100
Code Review : https://chromium-review.googlesource.com/c/1445891
Regress : test\mjsunit\regress\regress-crbug-926819.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("a(function(){{let f;function f}})", SyntaxError);
Issue: https://crbug.com/926036
Commit: [parser] Make pattern DCHECK dependent on !has_error
Date(Commit): Tue, 29 Jan 2019 11:06:45 +0100
Code Review : https://chromium-review.googlesource.com/c/1442635
Regress : test\mjsunit\regress\regress-926036.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("async() => { for await (var a ;;) {} }", SyntaxError);
Commit: [parser] Use Token::INIT for hoisted sloppy block functions when possible
Date(Commit): Fri, 25 Jan 2019 12:45:28 +0100
Code Review : https://chromium-review.googlesource.com/c/1433772
Regress : test\mjsunit\regress\regress-917755.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows(`
{
function a() {}
}
{
// Duplicate lexical declarations are only allowed if they are both sloppy
// block functions (see bug 4693). In this case the sloppy block function
// conflicts with the lexical variable declaration, causing a syntax error.
let a;
function a() {};
}
`, SyntaxError)
Issue: https://crbug.com/v8/8580
Commit: Cleanup after removing language mode parameter from SetProperty
Date(Commit): Wed, 23 Jan 2019 16:59:42 +0000
Code Review : https://chromium-review.googlesource.com/c/1421840
Regress : test\mjsunit\regress\regress-3255.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --enable-slow-asserts
var arr = [];
var str = new String('x');
function f(a,b) {
a[b] = 1;
}
f(arr, 0);
f(str, 0);
f(str, 0);
// This is just to trigger elements validation, object already broken.
%SetKeyedProperty(str, 1, 'y');
Issue: https://crbug.com/v8/8319
Commit: [wasm] fix js-api memory/grow
Date(Commit): Wed, 28 Nov 2018 18:39:02 +0100
Code Review : https://chromium-review.googlesource.com/c/1351028
Regress : test\mjsunit\regress\wasm\regress-825087b.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
PAGES = 10;
memory = new WebAssembly.Memory({initial: PAGES});
buffer = memory.buffer;
buffer = new Uint8Array(buffer);
memory.grow(0);
WebAssembly.validate(buffer);
Commit: Check for "SuperNotCalled" on "delete this" in a constructor
Date(Commit): Fri, 18 Jan 2019 15:47:54 -0800
Code Review : https://chromium-review.googlesource.com/c/1419084
Regress : test\mjsunit\regress\regress-6711.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// ensure `delete this` throws before `super` is called.
assertThrows(()=>{
new class extends Object {
constructor() {
delete this;
super();
}
}
}, ReferenceError);
// ensure `delete this` doesn't throw after `super` is called.
new class extends Object {
constructor() {
super();
delete this;
}
}
Issue: https://crbug.com/336820
Commit: [test] Fix flaky OOM regression test
Date(Commit): Tue, 22 Jan 2019 17:03:25 +0100
Code Review : https://chromium-review.googlesource.com/c/1426839
Regress : test\mjsunit\regress\regress-336820.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --max-old-space-size=1600
assertThrows((function() {
let str = "a".repeat(1e7);
let arr = new Array(2000);
for (let i = 0; i < 200; ++i) {
arr[i*10] = str;
}
let res = arr.join(':');
}), RangeError);
Issue: https://crbug.com/923705
Commit: [parser] Fix storing has_data bit for inner function preparse data
Date(Commit): Mon, 21 Jan 2019 18:30:28 +0100
Code Review : https://chromium-review.googlesource.com/c/1425201
Regress : test\mjsunit\regress\regress-crbug-923705.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --verify-heap
function __f_5() {
function __f_1() {
function __f_0() {
({y = eval()}) => assertEquals()();
}
}
}
__f_5();
Issue: https://crbug.com/923264
Commit: [heap] Allow PreparseData in large object space
Date(Commit): Fri, 18 Jan 2019 15:04:53 +0100
Code Review : https://chromium-review.googlesource.com/c/1421321
Regress : test\mjsunit\regress\regress-crbug-923264.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --verify-heap --expose-gc
let paramName = '';
for (let i=0; i < 2**10; i++) {
paramName += 'a';
}
let params = '';
for (let i = 0; i < 2**10; i++) {
params += paramName + i + ',';
}
let fn = eval(`(
class A {
constructor (${params}) {
function lazy() {
return function lazier() { return ${paramName+1} }
};
return lazy;
}
})`);
gc()
Issue: https://crbug.com/v8/8708
Commit: [array] Add stack overflow check for Array#flat
Date(Commit): Mon, 21 Jan 2019 10:55:43 +0100
Code Review : https://chromium-review.googlesource.com/c/1424858
Regress : test\mjsunit\regress\regress-8708.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --stack-size=100
let array = new Array(1);
array.splice(1, 0, array);
assertThrows(() => array.flat(Infinity), RangeError);
Issue: https://crbug.com/923265
Commit: [array] Remove CHECK_LE from RemoveArrayHolesGeneric
Date(Commit): Fri, 18 Jan 2019 09:34:29 +0100
Code Review : https://chromium-review.googlesource.com/c/1420679
Regress : test\mjsunit\regress\regress-crbug-923265.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let a = {0: 5, 1: 4, 2: 3, length: 2};
Object.freeze(a);
assertThrows(() => Array.prototype.sort.call(a));
assertPropertiesEqual({0: 5, 1: 4, 2: 3, length: 2}, a);
Issue: https://crbug.com/897512
Commit: [array] Fix prototype chain interaction in sort pre-processing
Date(Commit): Thu, 17 Jan 2019 11:57:23 +0100
Code Review : https://chromium-review.googlesource.com/c/1417171
Regress : test\mjsunit\regress\regress-897512.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Fill up the Array prototype's elements.
for (let i = 0; i < 100; i++) Array.prototype.unshift(3.14);
// Create a holey double elements array.
const o31 = [1.1];
o31[37] = 2.2;
// Concat converts to dictionary elements.
const o51 = o31.concat(false);
// Set one element to undefined to trigger the movement bug.
o51[0] = undefined;
assertEquals(o51.length, 39);
// Sort triggers the bug.
o51.sort();
assertEquals(o51.length, 39);
Issue: https://crbug.com/v8/5112
Commit: [parser] Use cached kDynamic variable for eval-introduced vars
Date(Commit): Wed, 16 Jan 2019 14:34:05 +0100
Code Review : https://chromium-review.googlesource.com/c/1408890
Regress : test\mjsunit\regress\regress-sloppy-block-function-hoisting-dynamic.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
with({}) { eval("{function f(){f}}") };
f()
Issue: https://crbug.com/921382
Commit: [parser] Clear parenthesized flag on collapsing nary expressions
Date(Commit): Tue, 15 Jan 2019 13:46:53 +0100
Code Review : https://chromium-review.googlesource.com/c/1412172
Regress : test\mjsunit\regress\regress-921382.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("(d * f * g) * e => 0", SyntaxError)
Commit: [mjsunit] Dont generate dumps from regression test
Date(Commit): Mon, 14 Jan 2019 15:47:59 +0100
Code Review : https://chromium-review.googlesource.com/c/1409363
Regress : test\mjsunit\regress\regress-913844.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --disable-in-process-stack-traces --perf-prof-unwinding-info --turbo-loop-rotation
for (var x = 0; x < 1000000; x++)
;
Issue: https://crbug.com/917215
Commit: [parser] Allow same-named labelled blocks in if/else statements
Date(Commit): Thu, 10 Jan 2019 14:53:48 -0800
Code Review : https://chromium-review.googlesource.com/c/1404176
Regress : test\mjsunit\regress\regress-917215.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
a: if (true) b: { break a; break b; }
else b: { break a; break b; }
Issue: https://crbug.com/920184
Commit: [Builtins] Array.prototype.filter species creation error
Date(Commit): Thu, 10 Jan 2019 16:04:00 +0100
Code Review : https://chromium-review.googlesource.com/c/1405035
Regress : test\mjsunit\regress\regress-crbug-920184.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --verify-heap --enable-slow-asserts
var Ctor = function() {
return [];
};
var a = ["one", "two", "three"];
a.constructor = {};
a.constructor[Symbol.species] = Ctor;
a.filter(function() { return true; });
Commit: [asm.js] Fix semicolon insertion in presence of Unicode.
Date(Commit): Wed, 9 Jan 2019 12:41:51 +0100
Code Review : https://chromium-review.googlesource.com/c/1402778
Regress : test\mjsunit\asm\regress-920076.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function Module() {
"use asm";
function f() {}
return f
}
eval("(" + Module.toString().replace(/;/, String.fromCharCode(8233)) + ")();");
assertFalse(%IsAsmWasmCode(Module)); // Valid asm.js, but we reject Unicode.
Issue: https://crbug.com/v8/8659
Commit: [parser] Parenthesized identifiers are invalid as part of a declaration
Date(Commit): Wed, 9 Jan 2019 11:20:00 +0100
Code Review : https://chromium-review.googlesource.com/c/1402547
Regress : test\mjsunit\regress\regress-8659.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("const [(x)] = []", SyntaxError);
Issue: https://crbug.com/919710
Commit: [parser] Reparse arrow functions with unidentified syntax errors in the correct scope
Date(Commit): Tue, 8 Jan 2019 14:53:02 +0100
Code Review : https://chromium-review.googlesource.com/c/1400419
Regress : test\mjsunit\regress\regress-919710.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("( let ) => { 'use strict'; let }", SyntaxError)
Date(Commit): Mon, 24 Dec 2018 01:35:20 -0800
Code Review : https://chromium-review.googlesource.com/c/1390203
Regress : test\mjsunit\regress\regress-crbug-860788.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-async-hooks
try {
Object.prototype.__defineGetter__(0, function(){});
assertThrows("x");
} catch(e) { print("Caught: " + e); }
try {
(function() {
let asyncIds = [], triggerIds = [];
let ah = async_hooks.createHook({
init(asyncId, type, triggerAsyncId, resource) {
if (type !== 'PROMISE') { return; }
assertThrows("asyncIds.push(asyncId);");
assertThrows("triggerIds.push(triggerAsyncId)");
},
});
ah.enable();
async function foo() {}
foo();
})();
} catch(e) { print("Caught: " + e); }
try {
var obj = {prop: 7};
assertThrows("nonexistent(obj)");
} catch(e) { print("Caught: " + e); }
Issue: https://crbug.com/917076
Commit: [async] The Promise.all() fast-path must check @@species protector.
Date(Commit): Mon, 7 Jan 2019 08:48:13 +0100
Code Review : https://chromium-review.googlesource.com/c/1396426
Regress : test\mjsunit\regress\regress-crbug-917076.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
let speciesCounter = 0;
Object.defineProperty(Promise, Symbol.species, {
value: function(...args) {
speciesCounter++;
return new Promise(...args);
}
});
async function foo() { }
assertPromiseResult(Promise.all([foo()]), () => {
assertEquals(3, speciesCounter);
});
Issue: https://crbug.com/917988
Commit: Set the correct scope when initializing parameters.
Date(Commit): Wed, 2 Jan 2019 15:44:55 +0000
Code Review : https://chromium-review.googlesource.com/c/1392240
Regress : test\mjsunit\regress\regress-917988.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Tests if class declarations in parameter list are correctly handled.
function v_2(
v_3 = class v_4 {
get [[] = ';']() { }
}
) { }
v_2();
// Test object inside a class in a parameter list
(function f(
v_3 = class v_4 {
get [{} = ';']() { }
}
) { })();
// Test destructuring of class in parameters
(function f( {p, q} = class C { get [[] = ';']() {} } ) {})();
// Test array destructuring of class in parameters
class C {};
C[Symbol.iterator] = function() {
return {
next: function() { return { done: true }; },
_first: true
};
};
(function f1([p, q] = class D extends C { get [[]]() {} }) { })();
Issue: https://crbug.com/917980
Commit: [typedarray] Check for a detached buffer before each iteration of TypedArray.p.join.
Date(Commit): Mon, 31 Dec 2018 11:40:40 -0600
Code Review : https://chromium-review.googlesource.com/c/1392070
Regress : test\mjsunit\regress\regress-crbug-917980.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
const constructors = [
[Uint8Array, [0, 1]],
[Int8Array, [0, 1]],
[Uint16Array, [0, 1]],
[Int16Array, [0, 1]],
[Uint32Array, [0, 1]],
[Int32Array, [0, 1]],
[Float32Array, [0, 1]],
[Float64Array, [0, 1]],
[Uint8ClampedArray, [0, 1]],
[BigInt64Array, [0n, 1n]],
[BigUint64Array, [0n, 1n]]
];
let typedArray;
const separator = {
toString() {
%ArrayBufferDetach(typedArray.buffer);
return '*';
}
};
constructors.forEach(([constructor, arr]) => {
typedArray = new constructor(arr);
assertSame(typedArray.join(separator), '*');
});