Issue: https://crbug.com/v8/7624
Commit: [runtime] Remove %AddNamedProperty and %AddElement
Date(Commit): Thu, 20 Dec 2018 15:45:00 -0800
Code Review : https://chromium-review.googlesource.com/c/1387990
Regress : test\mjsunit\regress\regress-cntl-descriptors-enum.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --allow-natives-syntax --expose-gc
var o = {};
Object.defineProperty(o, "a", {
value: 0, configurable: true, writable: true, enumerable: false
});
var o2 = {};
Object.defineProperty(o2, "a", {
value: 0, configurable: true, writable: true, enumerable: false
});
assertTrue(%HaveSameMap(o, o2));
o.y = 2;
for (var v in o) { print(v); }
o = {};
gc();
for (var v in o2) { print(v); }
Issue: https://crbug.com/916288
Commit: [parser] Eagerly throw pattern error even if we lazily throw lhs error for calls
Date(Commit): Wed, 19 Dec 2018 11:21:17 +0100
Code Review : https://chromium-review.googlesource.com/c/1384084
Regress : test\mjsunit\regress\regress-crbug-916288.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("(a()=0)=>0", SyntaxError)
Issue: https://crbug.com/v8/8607
Commit: [parser] Fix late-checked destructuring pattern followed by property (2)
Date(Commit): Tue, 18 Dec 2018 20:22:32 +0100
Code Review : https://chromium-review.googlesource.com/c/1382749
Regress : test\mjsunit\regress\regress-8607.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("[({ p: this }), [][0]] = x", SyntaxError);
assertThrows("[...a, [][0]] = []", SyntaxError);
assertThrows("[...o=1,[][0]] = []", SyntaxError);
assertThrows("({x(){},y:[][0]} = {})", SyntaxError);
Issue: https://crbug.com/v8/7706
Commit: Fix ObjectToString builtin to work for subclasses
Date(Commit): Tue, 18 Dec 2018 11:02:13 +0000
Code Review : https://chromium-review.googlesource.com/c/1378176
Regress : test\mjsunit\es6\regress\regress-7706.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function toString(o) {
%ToFastProperties(o.__proto__);
return Object.prototype.toString.call(o);
}
class TestNumber extends Number {}
TestNumber.prototype[Symbol.toStringTag] = "TestNumber";
assertEquals("[object TestNumber]", toString(new TestNumber), "Try #1");
assertEquals("[object TestNumber]", toString(new TestNumber), "Try #2");
class TestBoolean extends Boolean {}
TestBoolean.prototype[Symbol.toStringTag] = "TestBoolean";
assertEquals("[object TestBoolean]", toString(new TestBoolean), "Try #1");
assertEquals("[object TestBoolean]", toString(new TestBoolean), "Try #2");
class TestString extends String {}
TestString.prototype[Symbol.toStringTag] = "TestString";
assertEquals("[object TestString]", toString(new TestString), "Try #1");
assertEquals("[object TestString]", toString(new TestString), "Try #2");
class base {}
class TestBigInt extends base {}
TestBigInt.prototype[Symbol.toStringTag] = 'TestBigInt';
var b = new TestBigInt();
b.__proto__.__proto__ = BigInt.prototype;
assertEquals("[object TestBigInt]", toString(b), "Try #1");
assertEquals("[object TestBigInt]", toString(b), "Try #2");
class TestSymbol extends base {}
TestSymbol.prototype[Symbol.toStringTag] = 'TestSymbol';
var sym = new TestSymbol();
sym.__proto__.__proto__ = Symbol.prototype;
assertEquals("[object TestSymbol]", toString(sym), "Try #1");
assertEquals("[object TestSymbol]", toString(sym), "Try #2");
Issue: https://crbug.com/v8/7980
Commit: Reland "Use CopyElements (which uses memcpy) to copy FixedDoubleArray."
Date(Commit): Tue, 18 Dec 2018 16:56:56 +0100
Code Review : https://chromium-review.googlesource.com/c/1280308
Regress : test\mjsunit\regress\regress-907479.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
'use strict';
{
const x = [42];
x.splice(0, 0, 23);
assertEquals([23, 42], x);
x.length++;
assertEquals([23, 42, ,], x);
assertFalse(x.hasOwnProperty(2));
}
{
const x = [4.2];
x.splice(0, 0, 23);
assertEquals([23, 4.2], x);
x.length++;
assertEquals([23, 4.2, ,], x);
assertFalse(x.hasOwnProperty(2));
}
Issue: https://crbug.com/v8/2728
Commit: [parser] Detect duplciate lexical declarations in preparser
Date(Commit): Tue, 18 Dec 2018 16:54:28 +0100
Code Review : https://chromium-review.googlesource.com/c/1382736
Regress : test\mjsunit\regress\regress-crbug-806388.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --enable-slow-asserts --expose-gc
class Derived extends Array {
constructor(a) { throw "error" }
}
// Derived is not a subclass of RegExp
let o = Reflect.construct(RegExp, [], Derived);
o.lastIndex = 0x1234;
%HeapObjectVerify(o);
gc();
%HeapObjectVerify(o);
Issue: https://crbug.com/915783
Commit: [typedarray] Add TA.p.toLocaleString check for a detached buffer.
Date(Commit): Tue, 18 Dec 2018 08:10:55 -0600
Code Review : https://chromium-review.googlesource.com/c/1382553
Regress : test\mjsunit\regress\regress-crbug-915783.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
const constructors = [
[Uint8Array, [0, 1]],
[Int8Array, [0, 1]],
[Uint16Array, [0, 1]],
[Int16Array, [0, 1]],
[Uint32Array, [0, 1]],
[Int32Array, [0, 1]],
[Float32Array, [0, 1]],
[Float64Array, [0, 1]],
[Uint8ClampedArray, [0, 1]],
[BigInt64Array, [0n, 1n]],
[BigUint64Array, [0n, 1n]]
];
let typedArray;
function detachBuffer() {
%ArrayBufferDetach(typedArray.buffer);
return 'a';
}
Number.prototype.toString = detachBuffer;
BigInt.prototype.toString = detachBuffer;
Number.prototype.toLocaleString = detachBuffer;
BigInt.prototype.toLocaleString = detachBuffer;
constructors.forEach(([constructor, arr]) => {
typedArray = new constructor(arr);
assertSame(typedArray.join(), '0,1');
assertSame(typedArray.toLocaleString(), 'a,');
});
Commit: [parser] Replacing ExpressionClassifier with ExpressionScope that knows what it's tracking
Date(Commit): Mon, 17 Dec 2018 10:28:27 +0100
Code Review : https://chromium-review.googlesource.com/c/1367809
Regress : test\mjsunit\regress\regress-903874.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var code = "function f(" + ("{o(".repeat(10000));
assertThrows(code, SyntaxError);
Commit: [asm.js] Fix semicolon insertion in presence of comments.
Date(Commit): Wed, 12 Dec 2018 10:57:29 +0100
Code Review : https://chromium-review.googlesource.com/c/1373551
Regress : test\mjsunit\asm\regress-913822.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function TestNewlineInCPPComment() {
function Module() {
"use asm" // Crash by comment!
function f() {}
return f
}
Module();
assertTrue(%IsAsmWasmCode(Module));
})();
(function TestNewlineInCComment() {
function Module() {
"use asm" /* Crash by
comment! */ function f() {}
return f
}
Module();
assertTrue(%IsAsmWasmCode(Module));
})();
Commit: [typedarrays] Use Detach instead of Neuter
Date(Commit): Tue, 11 Dec 2018 11:22:02 +0100
Code Review : https://chromium-review.googlesource.com/c/1370036
Regress : test\mjsunit\regress\regress-crbug-867776.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --expose-gc
for (var i = 0; i < 3; i++) {
var array = new BigInt64Array(200);
function evil_callback() {
%ArrayBufferDetach(array.buffer);
gc();
return 1094795585n;
}
var evil_object = {valueOf: evil_callback};
var root;
try {
root = BigInt64Array.of.call(function() { return array }, evil_object);
} catch(e) {}
gc();
}
Issue: https://crbug.com/v8/8319
Commit: [wasm] fix js-api Memory and Table constructor
Date(Commit): Sat, 8 Dec 2018 10:58:18 +0100
Code Review : https://chromium-review.googlesource.com/c/1354043
Regress : test\mjsunit\regress\wasm\regress-816226.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(new Int8Array((new WebAssembly.Memory({initial: 0})).buffer)).buffer;
Issue: https://crbug.com/911416
Commit: Add test case for RO-space string used as property key.
Date(Commit): Fri, 7 Dec 2018 15:57:54 +0100
Code Review : https://chromium-review.googlesource.com/c/1362952
Regress : test\mjsunit\regress\regress-crbug-911416.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertEquals(7, ({[Symbol.hasInstance.description]:7})["Symbol.hasInstance"]);
Commit: Replace %RunMicrotasks with %PerformMicrotaskCheckpoint
Date(Commit): Tue, 4 Dec 2018 15:12:49 +0900
Code Review : https://chromium-review.googlesource.com/c/1360095
Regress : test\mjsunit\regress\regress-800651.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
var list = [];
function log(item) { list.push(item); }
async function f() {
try {
let namespace = await import(/a/);
} catch(e) {
log(1);
}
}
f();
async function importUndefined() {
try {
await import({ get toString() { return undefined; }})
} catch(e) {
log(2);
}
}
function g() {
let namespace = Promise.resolve().then(importUndefined);
}
g();
%PerformMicrotaskCheckpoint();
assertEquals(list, [1,2]);
Issue: https://crbug.com/909614
Commit: [bigint] Make kMaxLength platform-independent.
Date(Commit): Thu, 29 Nov 2018 17:32:13 -0800
Code Review : https://chromium-review.googlesource.com/c/1355625
Regress : test\mjsunit\regress\regress-crbug-909614.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let just_under = 2n ** 30n - 1n;
let just_above = 2n ** 30n;
assertDoesNotThrow(() => { var dummy = 2n ** just_under; });
assertThrows(() => { var dummy = 2n ** just_above; });
Issue: https://crbug.com/906043
Commit: Revert "[runtime] Reduce spread/apply call max arguments"
Date(Commit): Fri, 30 Nov 2018 09:12:21 +0000
Code Review : https://chromium-review.googlesource.com/c/1346115
Regress : test\mjsunit\regress\regress-v8-6716.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f() {}
var a = Array(2 ** 16); // Elements in large-object-space.
f.bind(...a);
Commit: aix: prevent stack overflow in RegExp test by increasing available stack size
Date(Commit): Wed, 28 Nov 2018 16:51:18 -0500
Code Review : https://chromium-review.googlesource.com/c/1351766
Regress : test\mjsunit\regress\regress-crbug-178790.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Flags: --stack-size=1200
// Create a regexp in the form of a?a?...a? so that fully
// traversing the entire graph would be prohibitively expensive.
// This should not cause time out.
var r1 = "";
for (var i = 0; i < 1000; i++) {
r1 += "a?";
}
"test".match(RegExp(r1));
var r2 = "";
for (var i = 0; i < 100; i++) {
r2 += "(a?|b?|c?|d?|e?|f?|g?)";
}
"test".match(RegExp(r2));
// Create a regexp in the form of ((..(a)a..)a.
// Compiling it causes EatsAtLeast to reach the maximum
// recursion depth possible with a given budget.
// This should not cause a stack overflow.
var r3 = "a";
for (var i = 0; i < 1000; i++) {
r3 = "(" + r3 + ")a";
}
"test".match(RegExp(r3));
Issue: https://crbug.com/v8/8516
Commit: Speed up two tests by skipping slow asserts
Date(Commit): Wed, 28 Nov 2018 00:42:49 -0800
Code Review : https://chromium-review.googlesource.com/c/1352794
Regress : test\mjsunit\regress\regress-748069.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// This test gets very slow with slow asserts.
// Flags: --noenable-slow-asserts
try {
var a = 'a'.repeat(1 << 28);
} catch (e) {
// If the allocation fails, we don't care, because we can't cause the
// overflow.
}
// Cause an overflow in worst-case calculation for string replacement.
JSON.stringify(a);
Issue: https://crbug.com/908975
Commit: [parser] Set rewritable_length to the correct length rather than 0
Date(Commit): Wed, 28 Nov 2018 09:14:54 +0100
Code Review : https://chromium-review.googlesource.com/c/1352286
Regress : test\mjsunit\regress\regress-908975.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
[] = [];
a => 0
Issue: https://crbug.com/907714
Commit: Fix Reflect.construct with constructors without a prototype slot
Date(Commit): Tue, 27 Nov 2018 11:30:15 +0100
Code Review : https://chromium-review.googlesource.com/c/1351023
Regress : test\mjsunit\regress\regress-crbug-90771.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function target() {};
for (let key of Object.getOwnPropertyNames(this)) {
try {
let newTarget = this[key];
let arg = target;
Reflect.construct(target, arg, newTarget);
} catch {}
}
Issue: https://crbug.com/908231
Commit: [parser] Relax DCHECK in has_error() case
Date(Commit): Mon, 26 Nov 2018 09:55:02 +0100
Code Review : https://chromium-review.googlesource.com/c/1350116
Regress : test\mjsunit\regress\regress-908231.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows(`
class C {
get [(function() { function lazy() { Syntax Error } })()]() {}
}`, SyntaxError)
Issue: https://crbug.com/908250
Commit: [parser] Don't rewrite parameters if has_error()
Date(Commit): Mon, 26 Nov 2018 09:41:37 +0100
Code Review : https://chromium-review.googlesource.com/c/1350117
Regress : test\mjsunit\regress\regress-908250.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("(al,al,e={}=e)=>l", SyntaxError);
Issue: https://crbug.com/907575
Commit: [parser] Drop ExpressionClassifier::ArrowFormalsParameterProduction and BP_to_AFP
Date(Commit): Thu, 22 Nov 2018 15:27:04 +0100
Code Review : https://chromium-review.googlesource.com/c/1348078
Regress : test\mjsunit\regress\regress-907575.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("0 || () =>", SyntaxError);
assertThrows("++(a) =>", SyntaxError);
Issue: https://crbug.com/907669
Commit: [parser] Don't re-preparse when trying to find an unidentifiable error
Date(Commit): Thu, 22 Nov 2018 13:20:38 +0100
Code Review : https://chromium-review.googlesource.com/c/1347486
Regress : test\mjsunit\regress\regress-907669.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("function f() { function g() { (); ", SyntaxError);
Issue: https://crbug.com/906406
Commit: [turbofan] Apply duct-tape to load elimination
Date(Commit): Wed, 21 Nov 2018 15:49:06 +0100
Code Review : https://chromium-review.googlesource.com/c/1346491
Regress : test\mjsunit\regress\regress-906406.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
for (x = 0; x < 10000; ++x) {
[(x) => x, [, 4294967295].find((x) => x), , 2].includes('x', -0);
}
Issue: https://crbug.com/905587
Commit: [scanner] Reset invalid_template_escape_message during Bookmark::Apply
Date(Commit): Fri, 16 Nov 2018 11:07:22 +0100
Code Review : https://chromium-review.googlesource.com/c/1340040
Regress : test\mjsunit\regress\regress-905587.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("function test() { '\\u`''\\u' }", SyntaxError)
Issue: https://crbug.com/905907
Commit: [parser] Declare scope-info deserialized function var on the cache scope
Date(Commit): Fri, 16 Nov 2018 10:33:45 +0100
Code Review : https://chromium-review.googlesource.com/c/1339862
Regress : test\mjsunit\regress\regress-905907.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var g = function f(a = 3) {
var context_allocated = undefined;
function inner() { f(); f(context_allocated) };
inner();
};
assertThrows("g()", RangeError);
Issue: https://crbug.com/v8/8449
Commit: Fix ArrayIteratorPrototypeNext for holes.
Date(Commit): Tue, 13 Nov 2018 10:32:01 +0100
Code Review : https://chromium-review.googlesource.com/c/1332232
Regress : test\mjsunit\regress\regress-8449.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
{
const x = [, 1];
x.__proto__ = [42];
const y = [...x];
assertEquals([42, 1], y);
assertTrue(y.hasOwnProperty(0));
}
{
const x = [, 1];
x.__proto__ = [42];
assertEquals(42, x[Symbol.iterator]().next().value);
}
{
const array_prototype = [].__proto__;
array_prototype[0] = 42;
const x = [, 1];
assertEquals(42, x[Symbol.iterator]().next().value);
delete array_prototype[0];
}
Issue: https://crbug.com/902672
Commit: [builtin] Array.p.join throws on invalid Array lengths.
Date(Commit): Tue, 13 Nov 2018 02:58:09 -0600
Code Review : https://chromium-review.googlesource.com/c/1330921
Regress : test\mjsunit\regress\regress-crbug-902672.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var a = this;
var b = {};
a.length = 4294967296; // 2 ^ 32 (max array length + 1)
assertThrows(() => Array.prototype.join.call(a,b), TypeError);
Issue: https://crbug.com/904255
Commit: [parser] Restore reparenting of temporaries
Date(Commit): Mon, 12 Nov 2018 08:49:22 +0100
Code Review : https://chromium-review.googlesource.com/c/1329685
Regress : test\mjsunit\regress\regress-904255.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("((__v_0 = __v_0.replace(...new Array(), '0').slice(...new Int32Array(), '0')) => print())()", ReferenceError);
Issue: https://crbug.com/903527
Commit: [parser] Cook invalid template literals if we've thrown
Date(Commit): Mon, 12 Nov 2018 09:58:47 +0100
Code Review : https://chromium-review.googlesource.com/c/1329691
Regress : test\mjsunit\regress\regress-903527.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("e*!`\\2`", SyntaxError)
Issue: https://crbug.com/904275
Commit: [parser] Don't reindex function literals if there's a parser error
Date(Commit): Mon, 12 Nov 2018 09:06:22 +0100
Code Review : https://chromium-review.googlesource.com/c/1329686
Regress : test\mjsunit\regress\regress-904275.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function __isPropertyOfType(obj, name) {
Object.getOwnPropertyDescriptor(obj, name)
}
function __getProperties(obj, type) {
for (let name of Object.getOwnPropertyNames(obj)) {
__isPropertyOfType(obj, name);
}
}
function __getRandomProperty(obj) {
let properties = __getProperties(obj);
}
function __f_6776(__v_33890, __v_33891) {
var __v_33896 = __v_33891();
__getRandomProperty([])
}
(function __f_6777() {
var __v_33906 = async () => { };
__f_6776(1, () => __v_33906())
})();
(function __f_6822() {
try {
__f_6776(1, () => __f_6822());
} catch (e) {}
var __v_34059 = async (__v_34079 = () => eval()) => { };
delete __v_34059[__getRandomProperty(__v_34059)];
})();
Commit: [wasm][test] Remove default --wasm-async-compilation flag
Date(Commit): Thu, 8 Nov 2018 09:40:06 +0100
Code Review : https://chromium-review.googlesource.com/c/1325961
Regress : test\mjsunit\regress\wasm\regress-734108.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
__v_0 = new Uint8Array([
0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x05, 0x01,
0x60, 0x00, 0x01, 0x7f, 0x03, 0x02, 0x01, 0x00, 0x05, 0x03, 0x01,
0x00, 0x01, 0x07, 0x11, 0x02, 0x04, 0x67, 0x72, 0x6f, 0x77, 0x00,
0x00, 0x06, 0x6d, 0x65, 0x6d, 0x6f, 0x72, 0x79, 0x02, 0x00, 0x0a,
0x08, 0x01, 0x06, 0x00, 0x41, 0x01, 0x40, 0x00, 0x0b
]);
assertPromiseResult(
WebAssembly.compile(__v_0)
);
Commit: [CloneObjectIC] clone MutableHeapNumbers only if !FLAG_unbox_double_fields
Date(Commit): Thu, 8 Nov 2018 12:39:59 -0500
Code Review : https://chromium-review.googlesource.com/c/1323911
Regress : test\mjsunit\es9\regress\regress-903070.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function clone(src) {
return { ...src };
}
function inobjectDoubles() {
"use strict";
this.p0 = -6400510997704731;
}
// Check that unboxed double is not treated as tagged
assertEquals({ p0: -6400510997704731 }, clone(new inobjectDoubles()));
Issue: https://crbug.com/902610
Commit: [parser] Fix off-by-one in parameter count check
Date(Commit): Thu, 8 Nov 2018 13:47:54 +0100
Code Review : https://chromium-review.googlesource.com/c/1326029
Regress : test\mjsunit\regress\regress-crbug-902610.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows(() => {
// Make a function with 65535 args. This should throw a SyntaxError because -1
// is reserved for the "don't adapt arguments" sentinel.
var f_with_65535_args =
eval("(function(" + Array(65535).fill("x").join(",") + "){})");
f_with_65535_args();
}, SyntaxError);
Issue: https://crbug.com/902810
Commit: [parser] Fix cover-grammar initializer positions
Date(Commit): Thu, 8 Nov 2018 11:07:42 +0100
Code Review : https://chromium-review.googlesource.com/c/1326022
Regress : test\mjsunit\regress\regress-902810.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("((__v_4 = __v_4, __v_0) => eval(__v_4))()", ReferenceError)
Issue: https://crbug.com/901633
Commit: [array] Weaken bounds checks in Array.p.sort
Date(Commit): Tue, 6 Nov 2018 14:27:42 +0100
Code Review : https://chromium-review.googlesource.com/c/1317814
Regress : test\mjsunit\regress\regress-901633.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const magic0 = 2396;
const magic1 = 1972;
// Fill xs with float arrays.
const xs = [];
for (let j = 0; j < magic0; ++j) {
xs[j] = [j + 0.1];
}
// Sort, but trim the array at some point.
let cmp_calls = 0;
xs.sort((lhs, rhs) => {
lhs = lhs || [0];
rhs = rhs || [0];
if (cmp_calls++ == magic1) xs.length = 1;
return lhs[0] - rhs[0];
});
// The final shape of the array is unspecified since the comparison function is
// inconsistent.
Issue: https://crbug.com/901250
Commit: Reland "[parser] Optimize directive parsing especially for preparser"
Date(Commit): Fri, 2 Nov 2018 17:55:28 +0100
Code Review : https://chromium-review.googlesource.com/c/1314570
Regress : test\mjsunit\regress\regress-directive.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f() {
'use strict'
in Number
}
f.arguments
Issue: https://crbug.com/900786
Commit: [parser] Simplify Scope::DeclareVariable
Date(Commit): Fri, 2 Nov 2018 10:08:57 +0100
Code Review : https://chromium-review.googlesource.com/c/1314331
Regress : test\mjsunit\regress\regress-900786.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("{function g(){}function g(){+", SyntaxError);
Issue: https://crbug.com/898785
Commit: [builtins] Fix out-of-bounds in Array#lastIndexOf().
Date(Commit): Fri, 2 Nov 2018 08:00:28 +0100
Code Review : https://chromium-review.googlesource.com/c/1314329
Regress : test\mjsunit\regress\regress-crbug-898785.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var a = [0, 1];
var o = { [Symbol.toPrimitive]() { a.length = 1; return 2; } };
a.push(2);
a.lastIndexOf(5, o);
Issue: https://crbug.com/899537
Commit: [class] Rewrite destructuring assignment in class field initializers
Date(Commit): Tue, 30 Oct 2018 10:06:03 +0000
Code Review : https://chromium-review.googlesource.com/c/1304538
Regress : test\mjsunit\regress\regress-899537.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
[ class { c = [ c ] = c } ]
Issue: https://crbug.com/898677
Commit: [wasm] Fix memory limit checks
Date(Commit): Tue, 30 Oct 2018 13:32:17 +0100
Code Review : https://chromium-review.googlesource.com/c/1305274
Regress : test\mjsunit\regress\wasm\regress-898932.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-max-mem-pages=49152
let mem = new WebAssembly.Memory({initial: 1});
try {
mem.grow(49151);
} catch (e) {
// This can fail on 32-bit systems if we cannot make such a big reservation.
if (!(e instanceof RangeError)) throw e;
}
Issue: https://crbug.com/900085
Commit: [parser] Restore RETURN_IF_PARSE_ERROR in for/await
Date(Commit): Tue, 30 Oct 2018 09:44:30 +0100
Code Review : https://chromium-review.googlesource.com/c/1306438
Regress : test\mjsunit\regress\regress-900085.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows(
"async function f() { let v = 1; for await (var v of {}) { }",
SyntaxError);
Issue: https://crbug.com/899535
Commit: [elements] fix wrong cast of empty FixedArray in Array.prototype.includes
Date(Commit): Mon, 29 Oct 2018 17:09:20 +0100
Code Review : https://chromium-review.googlesource.com/c/1304296
Regress : test\mjsunit\regress\regress-crbug-899535.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let a = [1.1, 2.2, 3.3];
a.includes(4.4, { toString: () => a.length = 0 });
Issue: https://crbug.com/897404
Commit: [builtins] Cap and grow Array.p.join's internal buffer.
Date(Commit): Mon, 29 Oct 2018 18:29:49 +0800
Code Review : https://chromium-review.googlesource.com/c/1303538
Regress : test\mjsunit\regress\regress-crbug-897404.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function TestError() {}
const a = new Array(2**32 - 1);
// Force early exit to avoid an unreasonably long test.
a[0] = {
toString() { throw new TestError(); }
};
// Verify join throws test error and does not fail due to asserts (Negative
// length fixed array allocation).
assertThrows(() => a.join(), TestError);
Issue: https://crbug.com/899474
Commit: [parser] Only throw spread class property error if it's the first error
Date(Commit): Mon, 29 Oct 2018 09:22:29 +0100
Code Review : https://chromium-review.googlesource.com/c/1304314
Regress : test\mjsunit\regress\regress-899474.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("class A {...", SyntaxError);
Issue: https://crbug.com/899133
Commit: [parser] Temporarily restore RETURN_IF_PARSE_ERROR guarding DCHECK
Date(Commit): Fri, 26 Oct 2018 16:26:24 +0200
Code Review : https://chromium-review.googlesource.com/c/1301482
Regress : test\mjsunit\regress\regress-899133.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("let fun = ({a} = {a: 30}) => {", SyntaxError);
Issue: https://crbug.com/v8/8357
Commit: [string] Remove invalid optimization in MaybeCallFunctionAtSymbol
Date(Commit): Fri, 26 Oct 2018 15:58:40 +0200
Code Review : https://chromium-review.googlesource.com/c/1301498
Regress : test\mjsunit\regress\regress-v8-8357.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
const s = "Umbridge has been reading your mail, Harry."
{
let monkey_called = false;
s.__proto__.__proto__[Symbol.replace] =
() => { monkey_called = true; };
s.replace(s);
assertTrue(monkey_called);
}
{
let monkey_called = false;
s.__proto__.__proto__[Symbol.search] =
() => { monkey_called = true; };
s.search(s);
assertTrue(monkey_called);
}
{
let monkey_called = false;
s.__proto__.__proto__[Symbol.match] =
() => { monkey_called = true; };
s.match(s);
assertTrue(monkey_called);
}
Issue: https://crbug.com/898936
Commit: [parser] Only validate async params of valid arrow functions
Date(Commit): Thu, 25 Oct 2018 22:44:10 +0200
Code Review : https://chromium-review.googlesource.com/c/1300133
Regress : test\mjsunit\regress\regress-898936.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("async(...x=e)()=>");
Issue: https://crbug.com/898812
Commit: [parser] Only parse async parenthesized arrow if current_token == ASYNC
Date(Commit): Thu, 25 Oct 2018 23:02:37 +0200
Code Review : https://chromium-review.googlesource.com/c/1300134
Regress : test\mjsunit\regress\regress-898812.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("(async)(a)=>{}", SyntaxError);
Commit: [async-await] remove CSA_SLOW_ASSERT in AsyncGeneratorResolve
Date(Commit): Tue, 23 Oct 2018 11:36:20 -0400
Code Review : https://chromium-review.googlesource.com/c/1296909
Regress : test\mjsunit\harmony\regress\regress-897436.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --enable-slow-asserts
async function* gen() {
const alwaysPending = new Promise(() => {});
alwaysPending.then = "non-callable then";
yield alwaysPending;
}
gen().next();
Issue: https://crbug.com/897366
Commit: [array] Fix left-trimming in Array.p.sort
Date(Commit): Mon, 22 Oct 2018 14:49:12 +0200
Code Review : https://chromium-review.googlesource.com/c/1292066
Regress : test\mjsunit\regress\regress-897366.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --gc-interval=100
let xs = [];
for (let i = 0; i < 205; ++i) {
xs.push(i);
}
xs.sort((a, b) => {
xs.shift();
xs[xs.length] = -246;
return a - b;
});
Issue: https://crbug.com/v8/8241
Commit: [parser] Validate destructuring assignment pattern in correct classifier
Date(Commit): Tue, 23 Oct 2018 10:45:34 +0200
Code Review : https://chromium-review.googlesource.com/c/1296229
Regress : test\mjsunit\regress\regress-8241.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f(x) { }
f(x=>x, [x,y] = [1,2]);
Issue: https://crbug.com/897098
Commit: [elements] handle OOB-holes in Array.prototype.includes fast-path
Date(Commit): Mon, 22 Oct 2018 15:48:42 +0200
Code Review : https://chromium-review.googlesource.com/c/1293571
Regress : test\mjsunit\regress\regress-crbug-897098.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const arr = [1.1,2.2,3.3];
arr.pop();
const start = {toString: function() {arr.pop();}}
arr.includes(0, start);
Issue: https://crbug.com/897514
Commit: [ic] Respect PropertyDetails::KindField when following transitions
Date(Commit): Mon, 22 Oct 2018 20:08:07 +0200
Code Review : https://chromium-review.googlesource.com/c/1293955
Regress : test\mjsunit\regress\regress-crbug-897514.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Create transtion => 'get a'.
let o = {};
Object.defineProperty(o, 'a', {
enumerable: true,
configurable: true,
get: function() { return 7 }
});
function spread(o) {
let result = { ...o };
%HeapObjectVerify(result);
return result;
}
for (let i = 0; i<3; i++) {
spread([]);
// Use different transition => 'a'.
spread({ a:0 });
spread("abc");
}
Issue: https://crbug.com/897406
Commit: [async] Gracefully handle suspended generators.
Date(Commit): Mon, 22 Oct 2018 07:28:55 +0200
Code Review : https://chromium-review.googlesource.com/c/1292057
Regress : test\mjsunit\regress\regress-crbug-897406.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --async-stack-traces --expose-async-hooks
async_hooks.createHook({
after() { throw new Error(); }
}).enable();
(async function() {
await 1;
await 1;
})();
Commit: Reland: [builtins] Implement Array.prototype.slice in Torque
Date(Commit): Fri, 19 Oct 2018 18:00:14 +0200
Code Review : https://chromium-review.googlesource.com/c/1291375
Regress : test\mjsunit\regress\regress-778668.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function () {
function f() {
arguments.length = -5;
Array.prototype.slice.call(arguments);
}
f('a')
})();
(function () {
function f() {
arguments.length = 2.3;
Array.prototype.slice.call(arguments);
}
f('a')
})();
(function () {
function f( __v_59960) {
arguments.length = -5;
Array.prototype.slice.call(arguments);
}
f('a')
})();
(function () {
function f( __v_59960) {
arguments.length = 2.3;
Array.prototype.slice.call(arguments);
}
f('a')
})();
Issue: https://crbug.com/881247
Commit: [CloneObjectIC] Avoid FieldType confusions
Date(Commit): Thu, 18 Oct 2018 18:40:40 +0200
Code Review : https://chromium-review.googlesource.com/c/1288637
Regress : test\mjsunit\regress\regress-crbug-881247.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
const resolvedPromise = Promise.resolve();
function spread() {
const result = { ...resolvedPromise };
%HeapObjectVerify(result);
return result;
}
resolvedPromise[undefined] = {a:1};
%HeapObjectVerify(resolvedPromise);
spread();
resolvedPromise[undefined] = undefined;
%HeapObjectVerify(resolvedPromise);
spread();
%HeapObjectVerify(resolvedPromise);
Issue: https://crbug.com/896700
Commit: [async] Gracefully handle exceptions in async_hooks.
Date(Commit): Fri, 19 Oct 2018 07:42:38 +0200
Code Review : https://chromium-review.googlesource.com/c/1290550
Regress : test\mjsunit\regress\regress-crbug-896700.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --async-stack-traces --expose-async-hooks
async_hooks.createHook({
after() { throw new Error(); }
}).enable();
Promise.resolve().then();
Issue: https://crbug.com/896181
Commit: [builtins] Fix Array.p.join handling of an index getter with side effects
Date(Commit): Wed, 17 Oct 2018 22:11:47 -0500
Code Review : https://chromium-review.googlesource.com/c/1286957
Regress : test\mjsunit\regress\regress-crbug-896181.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var a = new Array();
a[0] = 0.1;
a[2] = 0.2;
Object.defineProperty(a, 1, {
get: function() {
a[4] = 0.3;
},
});
assertSame('0.1,,0.2', a.join());
Issue: https://crbug.com/895860
Commit: Use slow path in IterableToList for big input strings.
Date(Commit): Wed, 17 Oct 2018 12:43:54 +0200
Code Review : https://chromium-review.googlesource.com/c/1286337
Regress : test\mjsunit\es6\regress\regress-cr895860.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function() {
var s = "f";
// 2^18 length, enough to ensure an array (of pointers) bigger than 500KB.
for (var i = 0; i < 18; i++) {
s += s;
}
var ss = [...s];
})();
Commit: [test] Remove dead flags from some tests.
Date(Commit): Mon, 15 Oct 2018 11:01:33 +0200
Code Review : https://chromium-review.googlesource.com/c/1280322
Regress : test\mjsunit\type-profile\regress-707223.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let e;
eval("e");
Commit: [parser] Rewrite duplicate formal detection
Date(Commit): Tue, 9 Oct 2018 10:35:05 +0200
Code Review : https://chromium-review.googlesource.com/c/1270578
Regress : test\mjsunit\regress\regress-preparse-inner-arrow-duplicate-parameter.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("()=>{ (x,x)=>1 }", SyntaxError)
Commit: [parser] Fix single-expression arrow function scoping
Date(Commit): Mon, 8 Oct 2018 14:56:17 +0200
Code Review : https://chromium-review.googlesource.com/c/1268236
Regress : test\mjsunit\regress\regress-arrow-single-expression-eval.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
((x=1) => eval("var x = 10"))();
Issue: https://crbug.com/892858
Commit: [async-await] Fix global-buffer-overflow issue when loading flag
Date(Commit): Mon, 8 Oct 2018 11:13:14 +0200
Code Review : https://chromium-review.googlesource.com/c/1267936
Regress : test\mjsunit\regress\regress-892858.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
async function foo() {
await Promise.resolve(42);
}
foo();
Issue: https://crbug.com/892472
Commit: [async] Only try to peak into async functions/generators.
Date(Commit): Fri, 5 Oct 2018 07:50:36 +0200
Code Review : https://chromium-review.googlesource.com/c/1264276
Regress : test\mjsunit\regress\regress-crbug-892472-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --async-stack-traces
assertThrows(_ => '' + {toString: Object.prototype.toLocaleString});
Issue: https://crbug.com/v8/4958
Commit: Remove always-true --harmony-function-tostring runtime flag
Date(Commit): Wed, 3 Oct 2018 11:28:25 +0200
Code Review : https://chromium-review.googlesource.com/c/1254123
Regress : test\mjsunit\regress\regress-707066.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// There was a bug in CreateDynamicFunction where a stack overflow
// situation caused an assertion failure.
function test(api) {
function f() {
try {
// induce a stack overflow
f();
} catch(e) {
// this might result in even more stack overflows
api();
}
}
f();
}
test(( function (){}).constructor); // Function
test(( function*(){}).constructor); // GeneratorFunction
test((async function (){}).constructor); // AsyncFunction
Issue: https://crbug.com/890553
Commit: [parser] Fix function name variable tracking
Date(Commit): Mon, 1 Oct 2018 14:21:41 +0200
Code Review : https://chromium-review.googlesource.com/1254061
Regress : test\mjsunit\regress\regress-890553.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
"use strict";
var s = "function __f_9(func, testName) {" +
"var __v_0 = function __f_10(__v_14, __v_14) {" +
" return __v_16;" +
"}; " +
"}"
assertThrows(function() { eval(s); });
Issue: https://crbug.com/890057
Commit: [turbofan] Fail slack tracking dependency if initial map disappears.
Date(Commit): Fri, 28 Sep 2018 06:53:48 +0200
Code Review : https://chromium-review.googlesource.com/1250481
Regress : test\mjsunit\compiler\regress-890057.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f() {}
function g() {
f.prototype = undefined;
f();
new f();
}
// Do not use %OptimizeFunctionOnNextCall here, this particular bug needs
// to trigger truly concurrent compilation.
for (let i = 0; i < 10000; i++) g();
Issue: https://crbug.com/889722
Commit: [turbofan] Prepare broker for the next steps.
Date(Commit): Thu, 27 Sep 2018 11:41:34 +0200
Code Review : https://chromium-review.googlesource.com/1245425
Regress : test\mjsunit\regress\regress-889722.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function getRandomProperty(v, rand) {
var properties = Object.getOwnPropertyNames(v);
return properties[rand % properties.length];
}
r = Realm.create();
o = Realm.eval(r, "() => { return Realm.global(-10) instanceof Object }");
o.__p_211203344 = o[getRandomProperty(o, 211203344)];
Issue: https://crbug.com/888825
Commit: [parser] Don't resolve preparser variables for arrow functions
Date(Commit): Tue, 25 Sep 2018 16:49:39 +0200
Code Review : https://chromium-review.googlesource.com/1243383
Regress : test\mjsunit\regress\regress-crbug-888825.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
eval("((a=function g() { function g() {}}) => {})();");
Issue: https://crbug.com/887891
Commit: [es2015] Setup JSTypedArray after allocating the JSArrayBuffer.
Date(Commit): Fri, 21 Sep 2018 13:07:24 +0200
Code Review : https://chromium-review.googlesource.com/1238494
Regress : test\mjsunit\regress\regress-crbug-887891.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --verify-heap
const l = 1000000000;
const a = [];
function foo() { var x = new Int32Array(l); }
try { foo(); } catch (e) { }
Issue: https://crbug.com/v8/8020
Commit: [d8] Update new Worker
API to match the Web API
Date(Commit): Wed, 19 Sep 2018 16:30:04 -0700
Code Review : https://chromium-review.googlesource.com/1185980
Regress : test\mjsunit\regress\regress-crbug-522496.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
if (this.Worker) {
var worker = new Worker("onmessage = function(){}", {type: 'string'});
var buf = new ArrayBuffer();
worker.postMessage(buf, [buf]);
}
Issue: https://crbug.com/885404
Commit: [es2015] Clear JSTypedArray raw fields in the constructor.
Date(Commit): Wed, 19 Sep 2018 10:37:04 +0200
Code Review : https://chromium-review.googlesource.com/1233257
Regress : test\mjsunit\regress\regress-crbug-885404.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --verify-heap --expose-gc
var ab = new ArrayBuffer(2);
try { new Int32Array(ab); } catch (e) { }
assertEquals(2, ab.byteLength);
gc();
assertEquals(2, ab.byteLength);
Commit: [wasm] Nerf regression test size
Date(Commit): Thu, 13 Sep 2018 14:03:35 +0200
Code Review : https://chromium-review.googlesource.com/1224057
Regress : test\mjsunit\regress\wasm\regress-810973b.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function module() {
"use asm";
function foo(
a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11,
a12, a13, a14, a15, a16, a17, a18, a19, a20, a21,
a22, a23, a24, a25, a26, a27, a28, a29, a30, a31,
a32, a33, a34, a35, a36, a37, a38, a39, a40, a41,
a42, a43, a44, a45, a46, a47, a48, a49, a50, a51,
a52, a53, a54, a55, a56, a57, a58, a59, a60, a61,
a62, a63, a64, a65, a66, a67, a68, a69, a70, a71,
a72, a73, a74, a75, a76, a77, a78, a79, a80, a81,
a82, a83, a84, a85, a86, a87, a88, a89, a90, a91,
a92, a93, a94, a95, a96, a97, a98, a99, a100, a101,
a102, a103, a104, a105, a106, a107, a108, a109, a110,
a111, a112, a113, a114, a115, a116, a117, a118, a119,
a120, a121, a122, a123, a124, a125, a126, a127, a128,
a129, a130, a131, a132, a133, a134, a135, a136, a137,
a138, a139, a140, a141, a142, a143, a144, a145, a146,
a147, a148, a149, a150, a151, a152, a153, a154, a155,
a156, a157, a158, a159, a160, a161, a162, a163, a164,
a165, a166, a167, a168, a169, a170, a171, a172, a173,
a174, a175, a176, a177, a178, a179, a180, a181, a182,
a183, a184, a185, a186, a187, a188, a189, a190, a191,
a192, a193, a194, a195, a196, a197, a198, a199, a200,
a201, a202, a203, a204, a205, a206, a207, a208, a209,
a210, a211, a212, a213, a214, a215, a216, a217, a218,
a219, a220, a221, a222, a223, a224, a225, a226, a227,
a228, a229, a230, a231, a232, a233, a234, a235, a236,
a237, a238, a239, a240, a241, a242, a243, a244, a245,
a246, a247, a248, a249, a250, a251, a252, a253, a254,
a255, a256, a257, a258, a259, a260, a261, a262, a263,
a264, a265, a266, a267, a268, a269, a270, a271, a272,
a273, a274, a275, a276, a277, a278, a279, a280, a281,
a282, a283, a284, a285, a286, a287, a288, a289, a290,
a291, a292, a293, a294, a295, a296, a297, a298, a299,
a300, a301, a302, a303, a304, a305, a306, a307, a308,
a309, a310, a311, a312, a313, a314, a315, a316, a317,
a318, a319, a320, a321, a322, a323, a324, a325, a326,
a327, a328, a329, a330, a331, a332, a333, a334, a335,
a336, a337, a338, a339, a340, a341, a342, a343, a344,
a345, a346, a347, a348, a349, a350, a351, a352, a353,
a354, a355, a356, a357, a358, a359, a360, a361, a362,
a363, a364, a365, a366, a367, a368, a369, a370, a371,
a372, a373, a374, a375, a376, a377, a378, a379, a380,
a381, a382, a383, a384, a385, a386, a387, a388, a389,
a390, a391, a392, a393, a394, a395, a396, a397, a398,
a399, a400, a401, a402, a403, a404, a405, a406, a407,
a408, a409, a410, a411, a412, a413, a414, a415, a416,
a417, a418, a419, a420, a421, a422, a423, a424, a425,
a426, a427, a428, a429, a430, a431, a432, a433, a434,
a435, a436, a437, a438, a439, a440, a441, a442, a443,
a444, a445, a446, a447, a448, a449, a450, a451, a452,
a453, a454, a455, a456, a457, a458, a459, a460, a461,
a462, a463, a464, a465, a466, a467, a468, a469, a470,
a471, a472, a473, a474, a475, a476, a477, a478, a479,
a480, a481, a482, a483, a484, a485, a486, a487, a488,
a489, a490, a491, a492, a493, a494, a495, a496, a497,
a498, a499, a500, a501, a502, a503, a504, a505, a506,
a507, a508, a509, a510, a511, a512, a513, a514, a515,
a516, a517, a518, a519, a520, a521, a522, a523, a524,
a525, a526, a527, a528, a529, a530, a531, a532, a533,
a534, a535, a536, a537, a538, a539, a540, a541, a542,
a543, a544, a545, a546, a547, a548, a549, a550, a551,
a552, a553, a554, a555, a556, a557, a558, a559, a560,
a561, a562, a563, a564, a565, a566, a567, a568, a569,
a570, a571, a572, a573, a574, a575, a576, a577, a578,
a579, a580, a581, a582, a583, a584, a585, a586, a587,
a588, a589, a590, a591, a592, a593, a594, a595, a596,
a597, a598, a599, a600, a601, a602, a603, a604, a605,
a606, a607, a608, a609, a610, a611, a612, a613, a614,
a615, a616, a617, a618, a619, a620, a621, a622, a623,
a624, a625, a626, a627, a628, a629, a630, a631, a632,
a633, a634, a635, a636, a637, a638, a639, a640, a641,
a642, a643, a644, a645, a646, a647, a648, a649, a650,
a651, a652, a653, a654, a655, a656, a657, a658, a659,
a660, a661, a662, a663, a664, a665, a666, a667, a668,
a669, a670, a671, a672, a673, a674, a675, a676, a677,
a678, a679, a680, a681, a682, a683, a684, a685, a686,
a687, a688, a689, a690, a691, a692, a693, a694, a695,
a696, a697, a698, a699, a700, a701, a702, a703, a704,
a705, a706, a707, a708, a709, a710, a711, a712, a713,
a714, a715, a716, a717, a718, a719, a720, a721, a722,
a723, a724, a725, a726, a727, a728, a729, a730, a731,
a732, a733, a734, a735, a736, a737, a738, a739, a740,
a741, a742, a743, a744, a745, a746, a747, a748, a749,
a750, a751, a752, a753, a754, a755, a756, a757, a758,
a759, a760, a761, a762, a763, a764, a765, a766, a767,
a768, a769, a770, a771, a772, a773, a774, a775, a776,
a777, a778, a779, a780, a781, a782, a783, a784, a785,
a786, a787, a788, a789, a790, a791, a792, a793, a794,
a795, a796, a797, a798, a799, a800, a801, a802, a803,
a804, a805, a806, a807, a808, a809, a810, a811, a812,
a813, a814, a815, a816, a817, a818, a819, a820, a821,
a822, a823, a824, a825, a826, a827, a828, a829, a830,
a831, a832, a833, a834, a835, a836, a837, a838, a839,
a840, a841, a842, a843, a844, a845, a846, a847, a848,
a849, a850, a851, a852, a853, a854, a855, a856, a857,
a858, a859, a860, a861, a862, a863, a864, a865, a866,
a867, a868, a869, a870, a871, a872, a873, a874, a875,
a876, a877, a878, a879, a880, a881, a882, a883, a884,
a885, a886, a887, a888, a889, a890, a891, a892, a893,
a894, a895, a896, a897, a898, a899, a900, a901, a902,
a903, a904, a905, a906, a907, a908, a909, a910, a911,
a912, a913, a914, a915, a916, a917, a918, a919, a920,
a921, a922, a923, a924, a925, a926, a927, a928, a929,
a930, a931, a932, a933, a934, a935, a936, a937, a938,
a939, a940, a941, a942, a943, a944, a945, a946, a947,
a948, a949, a950, a951, a952, a953, a954, a955, a956,
a957, a958, a959, a960, a961, a962, a963, a964, a965,
a966, a967, a968, a969, a970, a971, a972, a973, a974,
a975, a976, a977, a978, a979, a980, a981, a982, a983,
a984, a985, a986, a987, a988, a989, a990, a991, a992,
a993, a994, a995, a996, a997, a998, a999, a1000, a1001,
a1002, a1003, a1004, a1005) {
a0 = +a0;
a1 = +a1;
a2 = +a2;
a3 = +a3;
a4 = +a4;
a5 = +a5;
a6 = +a6;
a7 = +a7;
a8 = +a8;
a9 = +a9;
a10 = +a10;
a11 = +a11;
a12 = +a12;
a13 = +a13;
a14 = +a14;
a15 = +a15;
a16 = +a16;
a17 = +a17;
a18 = +a18;
a19 = +a19;
a20 = +a20;
a21 = +a21;
a22 = +a22;
a23 = +a23;
a24 = +a24;
a25 = +a25;
a26 = +a26;
a27 = +a27;
a28 = +a28;
a29 = +a29;
a30 = +a30;
a31 = +a31;
a32 = +a32;
a33 = +a33;
a34 = +a34;
a35 = +a35;
a36 = +a36;
a37 = +a37;
a38 = +a38;
a39 = +a39;
a40 = +a40;
a41 = +a41;
a42 = +a42;
a43 = +a43;
a44 = +a44;
a45 = +a45;
a46 = +a46;
a47 = +a47;
a48 = +a48;
a49 = +a49;
a50 = +a50;
a51 = +a51;
a52 = +a52;
a53 = +a53;
a54 = +a54;
a55 = +a55;
a56 = +a56;
a57 = +a57;
a58 = +a58;
a59 = +a59;
a60 = +a60;
a61 = +a61;
a62 = +a62;
a63 = +a63;
a64 = +a64;
a65 = +a65;
a66 = +a66;
a67 = +a67;
a68 = +a68;
a69 = +a69;
a70 = +a70;
a71 = +a71;
a72 = +a72;
a73 = +a73;
a74 = +a74;
a75 = +a75;
a76 = +a76;
a77 = +a77;
a78 = +a78;
a79 = +a79;
a80 = +a80;
a81 = +a81;
a82 = +a82;
a83 = +a83;
a84 = +a84;
a85 = +a85;
a86 = +a86;
a87 = +a87;
a88 = +a88;
a89 = +a89;
a90 = +a90;
a91 = +a91;
a92 = +a92;
a93 = +a93;
a94 = +a94;
a95 = +a95;
a96 = +a96;
a97 = +a97;
a98 = +a98;
a99 = +a99;
a100 = +a100;
a101 = +a101;
a102 = +a102;
a103 = +a103;
a104 = +a104;
a105 = +a105;
a106 = +a106;
a107 = +a107;
a108 = +a108;
a109 = +a109;
a110 = +a110;
a111 = +a111;
a112 = +a112;
a113 = +a113;
a114 = +a114;
a115 = +a115;
a116 = +a116;
a117 = +a117;
a118 = +a118;
a119 = +a119;
a120 = +a120;
a121 = +a121;
a122 = +a122;
a123 = +a123;
a124 = +a124;
a125 = +a125;
a126 = +a126;
a127 = +a127;
a128 = +a128;
a129 = +a129;
a130 = +a130;
a131 = +a131;
a132 = +a132;
a133 = +a133;
a134 = +a134;
a135 = +a135;
a136 = +a136;
a137 = +a137;
a138 = +a138;
a139 = +a139;
a140 = +a140;
a141 = +a141;
a142 = +a142;
a143 = +a143;
a144 = +a144;
a145 = +a145;
a146 = +a146;
a147 = +a147;
a148 = +a148;
a149 = +a149;
a150 = +a150;
a151 = +a151;
a152 = +a152;
a153 = +a153;
a154 = +a154;
a155 = +a155;
a156 = +a156;
a157 = +a157;
a158 = +a158;
a159 = +a159;
a160 = +a160;
a161 = +a161;
a162 = +a162;
a163 = +a163;
a164 = +a164;
a165 = +a165;
a166 = +a166;
a167 = +a167;
a168 = +a168;
a169 = +a169;
a170 = +a170;
a171 = +a171;
a172 = +a172;
a173 = +a173;
a174 = +a174;
a175 = +a175;
a176 = +a176;
a177 = +a177;
a178 = +a178;
a179 = +a179;
a180 = +a180;
a181 = +a181;
a182 = +a182;
a183 = +a183;
a184 = +a184;
a185 = +a185;
a186 = +a186;
a187 = +a187;
a188 = +a188;
a189 = +a189;
a190 = +a190;
a191 = +a191;
a192 = +a192;
a193 = +a193;
a194 = +a194;
a195 = +a195;
a196 = +a196;
a197 = +a197;
a198 = +a198;
a199 = +a199;
a200 = +a200;
a201 = +a201;
a202 = +a202;
a203 = +a203;
a204 = +a204;
a205 = +a205;
a206 = +a206;
a207 = +a207;
a208 = +a208;
a209 = +a209;
a210 = +a210;
a211 = +a211;
a212 = +a212;
a213 = +a213;
a214 = +a214;
a215 = +a215;
a216 = +a216;
a217 = +a217;
a218 = +a218;
a219 = +a219;
a220 = +a220;
a221 = +a221;
a222 = +a222;
a223 = +a223;
a224 = +a224;
a225 = +a225;
a226 = +a226;
a227 = +a227;
a228 = +a228;
a229 = +a229;
a230 = +a230;
a231 = +a231;
a232 = +a232;
a233 = +a233;
a234 = +a234;
a235 = +a235;
a236 = +a236;
a237 = +a237;
a238 = +a238;
a239 = +a239;
a240 = +a240;
a241 = +a241;
a242 = +a242;
a243 = +a243;
a244 = +a244;
a245 = +a245;
a246 = +a246;
a247 = +a247;
a248 = +a248;
a249 = +a249;
a250 = +a250;
a251 = +a251;
a252 = +a252;
a253 = +a253;
a254 = +a254;
a255 = +a255;
a256 = +a256;
a257 = +a257;
a258 = +a258;
a259 = +a259;
a260 = +a260;
a261 = +a261;
a262 = +a262;
a263 = +a263;
a264 = +a264;
a265 = +a265;
a266 = +a266;
a267 = +a267;
a268 = +a268;
a269 = +a269;
a270 = +a270;
a271 = +a271;
a272 = +a272;
a273 = +a273;
a274 = +a274;
a275 = +a275;
a276 = +a276;
a277 = +a277;
a278 = +a278;
a279 = +a279;
a280 = +a280;
a281 = +a281;
a282 = +a282;
a283 = +a283;
a284 = +a284;
a285 = +a285;
a286 = +a286;
a287 = +a287;
a288 = +a288;
a289 = +a289;
a290 = +a290;
a291 = +a291;
a292 = +a292;
a293 = +a293;
a294 = +a294;
a295 = +a295;
a296 = +a296;
a297 = +a297;
a298 = +a298;
a299 = +a299;
a300 = +a300;
a301 = +a301;
a302 = +a302;
a303 = +a303;
a304 = +a304;
a305 = +a305;
a306 = +a306;
a307 = +a307;
a308 = +a308;
a309 = +a309;
a310 = +a310;
a311 = +a311;
a312 = +a312;
a313 = +a313;
a314 = +a314;
a315 = +a315;
a316 = +a316;
a317 = +a317;
a318 = +a318;
a319 = +a319;
a320 = +a320;
a321 = +a321;
a322 = +a322;
a323 = +a323;
a324 = +a324;
a325 = +a325;
a326 = +a326;
a327 = +a327;
a328 = +a328;
a329 = +a329;
a330 = +a330;
a331 = +a331;
a332 = +a332;
a333 = +a333;
a334 = +a334;
a335 = +a335;
a336 = +a336;
a337 = +a337;
a338 = +a338;
a339 = +a339;
a340 = +a340;
a341 = +a341;
a342 = +a342;
a343 = +a343;
a344 = +a344;
a345 = +a345;
a346 = +a346;
a347 = +a347;
a348 = +a348;
a349 = +a349;
a350 = +a350;
a351 = +a351;
a352 = +a352;
a353 = +a353;
a354 = +a354;
a355 = +a355;
a356 = +a356;
a357 = +a357;
a358 = +a358;
a359 = +a359;
a360 = +a360;
a361 = +a361;
a362 = +a362;
a363 = +a363;
a364 = +a364;
a365 = +a365;
a366 = +a366;
a367 = +a367;
a368 = +a368;
a369 = +a369;
a370 = +a370;
a371 = +a371;
a372 = +a372;
a373 = +a373;
a374 = +a374;
a375 = +a375;
a376 = +a376;
a377 = +a377;
a378 = +a378;
a379 = +a379;
a380 = +a380;
a381 = +a381;
a382 = +a382;
a383 = +a383;
a384 = +a384;
a385 = +a385;
a386 = +a386;
a387 = +a387;
a388 = +a388;
a389 = +a389;
a390 = +a390;
a391 = +a391;
a392 = +a392;
a393 = +a393;
a394 = +a394;
a395 = +a395;
a396 = +a396;
a397 = +a397;
a398 = +a398;
a399 = +a399;
a400 = +a400;
a401 = +a401;
a402 = +a402;
a403 = +a403;
a404 = +a404;
a405 = +a405;
a406 = +a406;
a407 = +a407;
a408 = +a408;
a409 = +a409;
a410 = +a410;
a411 = +a411;
a412 = +a412;
a413 = +a413;
a414 = +a414;
a415 = +a415;
a416 = +a416;
a417 = +a417;
a418 = +a418;
a419 = +a419;
a420 = +a420;
a421 = +a421;
a422 = +a422;
a423 = +a423;
a424 = +a424;
a425 = +a425;
a426 = +a426;
a427 = +a427;
a428 = +a428;
a429 = +a429;
a430 = +a430;
a431 = +a431;
a432 = +a432;
a433 = +a433;
a434 = +a434;
a435 = +a435;
a436 = +a436;
a437 = +a437;
a438 = +a438;
a439 = +a439;
a440 = +a440;
a441 = +a441;
a442 = +a442;
a443 = +a443;
a444 = +a444;
a445 = +a445;
a446 = +a446;
a447 = +a447;
a448 = +a448;
a449 = +a449;
a450 = +a450;
a451 = +a451;
a452 = +a452;
a453 = +a453;
a454 = +a454;
a455 = +a455;
a456 = +a456;
a457 = +a457;
a458 = +a458;
a459 = +a459;
a460 = +a460;
a461 = +a461;
a462 = +a462;
a463 = +a463;
a464 = +a464;
a465 = +a465;
a466 = +a466;
a467 = +a467;
a468 = +a468;
a469 = +a469;
a470 = +a470;
a471 = +a471;
a472 = +a472;
a473 = +a473;
a474 = +a474;
a475 = +a475;
a476 = +a476;
a477 = +a477;
a478 = +a478;
a479 = +a479;
a480 = +a480;
a481 = +a481;
a482 = +a482;
a483 = +a483;
a484 = +a484;
a485 = +a485;
a486 = +a486;
a487 = +a487;
a488 = +a488;
a489 = +a489;
a490 = +a490;
a491 = +a491;
a492 = +a492;
a493 = +a493;
a494 = +a494;
a495 = +a495;
a496 = +a496;
a497 = +a497;
a498 = +a498;
a499 = +a499;
a500 = +a500;
a501 = +a501;
a502 = +a502;
a503 = +a503;
a504 = +a504;
a505 = +a505;
a506 = +a506;
a507 = +a507;
a508 = +a508;
a509 = +a509;
a510 = +a510;
a511 = +a511;
a512 = +a512;
a513 = +a513;
a514 = +a514;
a515 = +a515;
a516 = +a516;
a517 = +a517;
a518 = +a518;
a519 = +a519;
a520 = +a520;
a521 = +a521;
a522 = +a522;
a523 = +a523;
a524 = +a524;
a525 = +a525;
a526 = +a526;
a527 = +a527;
a528 = +a528;
a529 = +a529;
a530 = +a530;
a531 = +a531;
a532 = +a532;
a533 = +a533;
a534 = +a534;
a535 = +a535;
a536 = +a536;
a537 = +a537;
a538 = +a538;
a539 = +a539;
a540 = +a540;
a541 = +a541;
a542 = +a542;
a543 = +a543;
a544 = +a544;
a545 = +a545;
a546 = +a546;
a547 = +a547;
a548 = +a548;
a549 = +a549;
a550 = +a550;
a551 = +a551;
a552 = +a552;
a553 = +a553;
a554 = +a554;
a555 = +a555;
a556 = +a556;
a557 = +a557;
a558 = +a558;
a559 = +a559;
a560 = +a560;
a561 = +a561;
a562 = +a562;
a563 = +a563;
a564 = +a564;
a565 = +a565;
a566 = +a566;
a567 = +a567;
a568 = +a568;
a569 = +a569;
a570 = +a570;
a571 = +a571;
a572 = +a572;
a573 = +a573;
a574 = +a574;
a575 = +a575;
a576 = +a576;
a577 = +a577;
a578 = +a578;
a579 = +a579;
a580 = +a580;
a581 = +a581;
a582 = +a582;
a583 = +a583;
a584 = +a584;
a585 = +a585;
a586 = +a586;
a587 = +a587;
a588 = +a588;
a589 = +a589;
a590 = +a590;
a591 = +a591;
a592 = +a592;
a593 = +a593;
a594 = +a594;
a595 = +a595;
a596 = +a596;
a597 = +a597;
a598 = +a598;
a599 = +a599;
a600 = +a600;
a601 = +a601;
a602 = +a602;
a603 = +a603;
a604 = +a604;
a605 = +a605;
a606 = +a606;
a607 = +a607;
a608 = +a608;
a609 = +a609;
a610 = +a610;
a611 = +a611;
a612 = +a612;
a613 = +a613;
a614 = +a614;
a615 = +a615;
a616 = +a616;
a617 = +a617;
a618 = +a618;
a619 = +a619;
a620 = +a620;
a621 = +a621;
a622 = +a622;
a623 = +a623;
a624 = +a624;
a625 = +a625;
a626 = +a626;
a627 = +a627;
a628 = +a628;
a629 = +a629;
a630 = +a630;
a631 = +a631;
a632 = +a632;
a633 = +a633;
a634 = +a634;
a635 = +a635;
a636 = +a636;
a637 = +a637;
a638 = +a638;
a639 = +a639;
a640 = +a640;
a641 = +a641;
a642 = +a642;
a643 = +a643;
a644 = +a644;
a645 = +a645;
a646 = +a646;
a647 = +a647;
a648 = +a648;
a649 = +a649;
a650 = +a650;
a651 = +a651;
a652 = +a652;
a653 = +a653;
a654 = +a654;
a655 = +a655;
a656 = +a656;
a657 = +a657;
a658 = +a658;
a659 = +a659;
a660 = +a660;
a661 = +a661;
a662 = +a662;
a663 = +a663;
a664 = +a664;
a665 = +a665;
a666 = +a666;
a667 = +a667;
a668 = +a668;
a669 = +a669;
a670 = +a670;
a671 = +a671;
a672 = +a672;
a673 = +a673;
a674 = +a674;
a675 = +a675;
a676 = +a676;
a677 = +a677;
a678 = +a678;
a679 = +a679;
a680 = +a680;
a681 = +a681;
a682 = +a682;
a683 = +a683;
a684 = +a684;
a685 = +a685;
a686 = +a686;
a687 = +a687;
a688 = +a688;
a689 = +a689;
a690 = +a690;
a691 = +a691;
a692 = +a692;
a693 = +a693;
a694 = +a694;
a695 = +a695;
a696 = +a696;
a697 = +a697;
a698 = +a698;
a699 = +a699;
a700 = +a700;
a701 = +a701;
a702 = +a702;
a703 = +a703;
a704 = +a704;
a705 = +a705;
a706 = +a706;
a707 = +a707;
a708 = +a708;
a709 = +a709;
a710 = +a710;
a711 = +a711;
a712 = +a712;
a713 = +a713;
a714 = +a714;
a715 = +a715;
a716 = +a716;
a717 = +a717;
a718 = +a718;
a719 = +a719;
a720 = +a720;
a721 = +a721;
a722 = +a722;
a723 = +a723;
a724 = +a724;
a725 = +a725;
a726 = +a726;
a727 = +a727;
a728 = +a728;
a729 = +a729;
a730 = +a730;
a731 = +a731;
a732 = +a732;
a733 = +a733;
a734 = +a734;
a735 = +a735;
a736 = +a736;
a737 = +a737;
a738 = +a738;
a739 = +a739;
a740 = +a740;
a741 = +a741;
a742 = +a742;
a743 = +a743;
a744 = +a744;
a745 = +a745;
a746 = +a746;
a747 = +a747;
a748 = +a748;
a749 = +a749;
a750 = +a750;
a751 = +a751;
a752 = +a752;
a753 = +a753;
a754 = +a754;
a755 = +a755;
a756 = +a756;
a757 = +a757;
a758 = +a758;
a759 = +a759;
a760 = +a760;
a761 = +a761;
a762 = +a762;
a763 = +a763;
a764 = +a764;
a765 = +a765;
a766 = +a766;
a767 = +a767;
a768 = +a768;
a769 = +a769;
a770 = +a770;
a771 = +a771;
a772 = +a772;
a773 = +a773;
a774 = +a774;
a775 = +a775;
a776 = +a776;
a777 = +a777;
a778 = +a778;
a779 = +a779;
a780 = +a780;
a781 = +a781;
a782 = +a782;
a783 = +a783;
a784 = +a784;
a785 = +a785;
a786 = +a786;
a787 = +a787;
a788 = +a788;
a789 = +a789;
a790 = +a790;
a791 = +a791;
a792 = +a792;
a793 = +a793;
a794 = +a794;
a795 = +a795;
a796 = +a796;
a797 = +a797;
a798 = +a798;
a799 = +a799;
a800 = +a800;
a801 = +a801;
a802 = +a802;
a803 = +a803;
a804 = +a804;
a805 = +a805;
a806 = +a806;
a807 = +a807;
a808 = +a808;
a809 = +a809;
a810 = +a810;
a811 = +a811;
a812 = +a812;
a813 = +a813;
a814 = +a814;
a815 = +a815;
a816 = +a816;
a817 = +a817;
a818 = +a818;
a819 = +a819;
a820 = +a820;
a821 = +a821;
a822 = +a822;
a823 = +a823;
a824 = +a824;
a825 = +a825;
a826 = +a826;
a827 = +a827;
a828 = +a828;
a829 = +a829;
a830 = +a830;
a831 = +a831;
a832 = +a832;
a833 = +a833;
a834 = +a834;
a835 = +a835;
a836 = +a836;
a837 = +a837;
a838 = +a838;
a839 = +a839;
a840 = +a840;
a841 = +a841;
a842 = +a842;
a843 = +a843;
a844 = +a844;
a845 = +a845;
a846 = +a846;
a847 = +a847;
a848 = +a848;
a849 = +a849;
a850 = +a850;
a851 = +a851;
a852 = +a852;
a853 = +a853;
a854 = +a854;
a855 = +a855;
a856 = +a856;
a857 = +a857;
a858 = +a858;
a859 = +a859;
a860 = +a860;
a861 = +a861;
a862 = +a862;
a863 = +a863;
a864 = +a864;
a865 = +a865;
a866 = +a866;
a867 = +a867;
a868 = +a868;
a869 = +a869;
a870 = +a870;
a871 = +a871;
a872 = +a872;
a873 = +a873;
a874 = +a874;
a875 = +a875;
a876 = +a876;
a877 = +a877;
a878 = +a878;
a879 = +a879;
a880 = +a880;
a881 = +a881;
a882 = +a882;
a883 = +a883;
a884 = +a884;
a885 = +a885;
a886 = +a886;
a887 = +a887;
a888 = +a888;
a889 = +a889;
a890 = +a890;
a891 = +a891;
a892 = +a892;
a893 = +a893;
a894 = +a894;
a895 = +a895;
a896 = +a896;
a897 = +a897;
a898 = +a898;
a899 = +a899;
a900 = +a900;
a901 = +a901;
a902 = +a902;
a903 = +a903;
a904 = +a904;
a905 = +a905;
a906 = +a906;
a907 = +a907;
a908 = +a908;
a909 = +a909;
a910 = +a910;
a911 = +a911;
a912 = +a912;
a913 = +a913;
a914 = +a914;
a915 = +a915;
a916 = +a916;
a917 = +a917;
a918 = +a918;
a919 = +a919;
a920 = +a920;
a921 = +a921;
a922 = +a922;
a923 = +a923;
a924 = +a924;
a925 = +a925;
a926 = +a926;
a927 = +a927;
a928 = +a928;
a929 = +a929;
a930 = +a930;
a931 = +a931;
a932 = +a932;
a933 = +a933;
a934 = +a934;
a935 = +a935;
a936 = +a936;
a937 = +a937;
a938 = +a938;
a939 = +a939;
a940 = +a940;
a941 = +a941;
a942 = +a942;
a943 = +a943;
a944 = +a944;
a945 = +a945;
a946 = +a946;
a947 = +a947;
a948 = +a948;
a949 = +a949;
a950 = +a950;
a951 = +a951;
a952 = +a952;
a953 = +a953;
a954 = +a954;
a955 = +a955;
a956 = +a956;
a957 = +a957;
a958 = +a958;
a959 = +a959;
a960 = +a960;
a961 = +a961;
a962 = +a962;
a963 = +a963;
a964 = +a964;
a965 = +a965;
a966 = +a966;
a967 = +a967;
a968 = +a968;
a969 = +a969;
a970 = +a970;
a971 = +a971;
a972 = +a972;
a973 = +a973;
a974 = +a974;
a975 = +a975;
a976 = +a976;
a977 = +a977;
a978 = +a978;
a979 = +a979;
a980 = +a980;
a981 = +a981;
a982 = +a982;
a983 = +a983;
a984 = +a984;
a985 = +a985;
a986 = +a986;
a987 = +a987;
a988 = +a988;
a989 = +a989;
a990 = +a990;
a991 = +a991;
a992 = +a992;
a993 = +a993;
a994 = +a994;
a995 = +a995;
a996 = +a996;
a997 = +a997;
a998 = +a998;
a999 = +a999;
a1000 = +a1000;
a1001 = +a1001;
a1002 = +a1002;
a1003 = +a1003;
a1004 = +a1004;
a1005 = +a1005;
return 10;
}
function bar() {
return foo(0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
0.0, 0.0, 0.0, 0.0, 1.0) |
0;
}
return bar
})()();
Issue: https://crbug.com/v8/8133
Commit: Reland "[typedarray] Properly convert hole to undefined in TypedArray.from"
Date(Commit): Fri, 7 Sep 2018 14:19:18 +0200
Code Review : https://chromium-review.googlesource.com/1213204
Regress : test\mjsunit\regress\regress-8133-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const arr = [1, , 3];
function mapper(x) {
Array.prototype[1] = 2;
return x + 1;
}
// We force a direct iteration (using the array length, not the iterator
// protocol). The mapper function gets called during this iteration, not in a
// separate one. Hence when index 1 is read, 2 is retrieved from the prototype
// and incremented to 3.
Array.prototype[Symbol.iterator] = undefined;
assertArrayEquals([2, 3, 4], Uint16Array.from(arr, mapper));
Issue: https://crbug.com/882233
Commit: [array] Consistently throw TypeError for zero-length arrays
Date(Commit): Mon, 10 Sep 2018 09:40:09 +0200
Code Review : https://chromium-review.googlesource.com/1215164
Regress : test\mjsunit\regress\regress-crbug-882233-1.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Intended to test bug [882233] on CSA fast-path.
let array = [];
Object.defineProperty(array, 'length', {writable: false});
assertEquals(array.length, 0);
assertThrows(() => array.shift(), TypeError);
let object = { length: 0 };
Object.defineProperty(object, 'length', {writable: false});
assertEquals(object.length, 0);
assertThrows(() => Array.prototype.shift.call(object));
Commit: [builtins] Enable Torque Array.prototype.splice
Date(Commit): Tue, 4 Sep 2018 14:30:33 +0200
Code Review : https://chromium-review.googlesource.com/1201783
Regress : test\mjsunit\regress\regress-crbug-876443.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags:
var a = [5.65];
a.splice(0);
var b = a.splice(-4, 9, 10);
Issue: https://crbug.com/878845
Commit: [array] Fix side-effect for 'from' argument in Array.p.lastIndexOf
Date(Commit): Thu, 30 Aug 2018 14:50:18 +0200
Code Review : https://chromium-review.googlesource.com/1196507
Regress : test\mjsunit\regress\regress-crbug-878845.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let arr = [, 0.1];
Array.prototype.lastIndexOf.call(arr, 100, {
valueOf() {
arr.length = 0;
}
});
Commit: [test] Remove %SetFlags runtime test method.
Date(Commit): Thu, 23 Aug 2018 16:13:19 +0200
Code Review : https://chromium-review.googlesource.com/1186731
Regress : test\mjsunit\regress\regress-set-flags-stress-compact.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --gc-interval=164 --stress-compaction
var a = [];
for (var i = 0; i < 10000; i++) { a[i * 100] = 0; }
Commit: [Tests] Fix regress/regress-599414-array-concat-fast-path on Android.
Date(Commit): Tue, 21 Aug 2018 11:22:20 +0100
Code Review : https://chromium-review.googlesource.com/1181429
Regress : test\mjsunit\regress\regress-599414-array-concat-fast-path.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var largeArray = 'x'.repeat(999).split('');
var a = largeArray;
assertThrows(() => {
for (;;) {
a = a.concat(a, a, a, a, a);
}}, RangeError);
Issue: https://crbug.com/873600
Commit: Reland "[asmjs] Properly validate asm.js heap sizes"
Date(Commit): Fri, 17 Aug 2018 14:05:25 +0200
Code Review : https://chromium-review.googlesource.com/1174411
Regress : test\mjsunit\regress\wasm\regress-873600.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function DoTest() {
var stdlib = this;
try {
var buffer = new ArrayBuffer((2097120) * 1024);
} catch (e) {
// Out of memory: soft pass because 2GiB is actually a lot!
print("OOM: soft pass");
return;
}
var foreign = {}
var m = (function Module(stdlib, foreign, heap) {
"use asm";
var MEM16 = new stdlib.Int16Array(heap);
function load(i) {
i = i|0;
i = MEM16[i >> 1]|0;
return i | 0;
}
function store(i, v) {
i = i|0;
v = v|0;
MEM16[i >> 1] = v;
}
function load8(i) {
i = i|0;
i = MEM16[i + 8 >> 1]|0;
return i | 0;
}
function store8(i, v) {
i = i|0;
v = v|0;
MEM16[i + 8 >> 1] = v;
}
return { load: load, store: store, load8: load8, store8: store8 };
})(stdlib, foreign, buffer);
assertEquals(0, m.load(-8));
assertEquals(0, m.load8(-16));
m.store(2014, 2, 30, 1, 0);
assertEquals(0, m.load8(-8));
m.store8(-8, 99);
assertEquals(99, m.load(0));
assertEquals(99, m.load8(-8));
})();
Issue: https://crbug.com/875493
Commit: [regexp] Fix invalid lastIndex handling in RegExp.p[@@replace]
Date(Commit): Mon, 20 Aug 2018 11:44:10 +0200
Code Review : https://chromium-review.googlesource.com/1180889
Regress : test\mjsunit\regress\regress-875493.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function test() {
const re = /./y;
re.lastIndex = 3;
const str = 'fg';
return re[Symbol.replace](str, '$');
}
%SetForceSlowPath(false);
const fast = test();
%SetForceSlowPath(true);
const slow = test();
%SetForceSlowPath(false);
assertEquals(slow, fast);
Issue: https://crbug.com/v8/8033
Commit: [parsing] Fix detection of invalid continue targets.
Date(Commit): Mon, 13 Aug 2018 11:32:19 +0200
Code Review : https://chromium-review.googlesource.com/1172292
Regress : test\mjsunit\regress\regress-8033.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows("foo: if (true) do { continue foo } while (false)", SyntaxError);
assertThrows("foo: if (true) while (false) { continue foo }", SyntaxError);
assertThrows("foo: if (true) for (; false; ) { continue foo }", SyntaxError);
assertThrows("foo: if (true) for (let x of []) { continue foo }", SyntaxError);
assertThrows("foo: if (true) for (let x in []) { continue foo }", SyntaxError);
assertThrows("foo: if (true) { do { continue foo } while (false) }", SyntaxError);
assertThrows("foo: if (true) { while (false) { continue foo } }", SyntaxError);
assertThrows("foo: if (true) { for (; false; ) { continue foo } }", SyntaxError);
assertThrows("foo: if (true) { for (let x of []) { continue foo } }", SyntaxError);
assertThrows("foo: if (true) { for (let x in []) { continue foo } }", SyntaxError);
assertThrows("foo: goo: if (true) do { continue foo } while (false)", SyntaxError);
assertThrows("foo: goo: if (true) while (false) { continue foo }", SyntaxError);
assertThrows("foo: goo: if (true) for (; false; ) { continue foo }", SyntaxError);
assertThrows("foo: goo: if (true) for (let x of []) { continue foo }", SyntaxError);
assertThrows("foo: goo: if (true) for (let x in []) { continue foo }", SyntaxError);
assertThrows("foo: goo: if (true) { do { continue foo } while (false) }", SyntaxError);
assertThrows("foo: goo: if (true) { while (false) { continue foo } }", SyntaxError);
assertThrows("foo: goo: if (true) { for (; false; ) { continue foo } }", SyntaxError);
assertThrows("foo: goo: if (true) { for (let x of []) { continue foo } }", SyntaxError);
assertThrows("foo: goo: if (true) { for (let x in []) { continue foo } }", SyntaxError);
assertDoesNotThrow("if (true) foo: goo: do { continue foo } while (false)");
assertDoesNotThrow("if (true) foo: goo: while (false) { continue foo }");
assertDoesNotThrow("if (true) foo: goo: for (; false; ) { continue foo }");
assertDoesNotThrow("if (true) foo: goo: for (let x of []) { continue foo }");
assertDoesNotThrow("if (true) foo: goo: for (let x in []) { continue foo }");
assertThrows("if (true) foo: goo: { do { continue foo } while (false) }", SyntaxError);
assertThrows("if (true) foo: goo: { while (false) { continue foo } }", SyntaxError);
assertThrows("if (true) foo: goo: { for (; false; ) { continue foo } }", SyntaxError);
assertThrows("if (true) foo: goo: { for (let x of []) { continue foo } }", SyntaxError);
assertThrows("if (true) foo: goo: { for (let x in []) { continue foo } }", SyntaxError);
assertDoesNotThrow("if (true) { foo: goo: do { continue foo } while (false) }");
assertDoesNotThrow("if (true) { foo: goo: while (false) { continue foo } }");
assertDoesNotThrow("if (true) { foo: goo: for (; false; ) { continue foo } }");
assertDoesNotThrow("if (true) { foo: goo: for (let x of []) { continue foo } }");
assertDoesNotThrow("if (true) { foo: goo: for (let x in []) { continue foo } }");
Issue: https://crbug.com/871886
Commit: [csa] avoid FixedDoubleArray CAST on empty FixedArray
Date(Commit): Thu, 9 Aug 2018 11:09:25 +0200
Code Review : https://chromium-review.googlesource.com/1166906
Regress : test\mjsunit\regress\regress-crbug-871886.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let arr = [1.5, 2.5];
arr.slice(0,
{ valueOf: function () {
arr.length = 0;
return 2;
}
});
Commit: [CloneObjectIC] copy may_have_interesting_symbols bit to fast result map
Date(Commit): Fri, 3 Aug 2018 12:01:30 -0400
Code Review : https://chromium-review.googlesource.com/1162278
Regress : test\mjsunit\es9\regress\regress-866229.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var obj = { length: 1, 0: "spread" };
obj[Symbol.toStringTag] = "foo";
obj[Symbol.hasInstance] = function() { return true; }
obj[Symbol.isConcatSpreadable] = true;
var obj2 = { ...obj };
// Crash if fast result map bitfield is not set correctly, if verifying heap
%HeapObjectVerify(obj2);
// Ensure correct result for some well-known symbols
assertEquals("[object foo]", Object.prototype.toString.call(obj2));
assertTrue(Uint8Array instanceof obj2);
assertEquals(["spread"], [].concat(obj2));
Issue: https://crbug.com/869313
Commit: [dataview] Fix too tight TNode type in DataView getters
Date(Commit): Thu, 2 Aug 2018 16:41:58 +0200
Code Review : https://chromium-review.googlesource.com/1158582
Regress : test\mjsunit\regress\regress-crbug-869313.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f() {
try {
var a = new ArrayBuffer(1073741824);
var d = new DataView(a);
return d.getUint8() === 0;
} catch(e) {
return true;
}
}
!f();
Commit: Refactor unreliable Proxy tests
Date(Commit): Thu, 2 Aug 2018 12:01:36 -0700
Code Review : https://chromium-review.googlesource.com/1159356
Regress : test\mjsunit\regress\regress-7716.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Deeply nested target.
let proxy = new Proxy(function(){}, {});
for (let i = 0; i < 100000; i++) {
proxy = new Proxy(proxy, {});
}
// Ensure these nested calls don't segfault. They may not all throw exceptions
// depending on whether the compiler is able to perform tail call optimization
// on the affected routines.
try { Reflect.apply(proxy, {}, []) } catch(_) {}
try { Reflect.construct(proxy, []) } catch(_) {}
try { Reflect.defineProperty(proxy, "x", {}) } catch(_) {}
try { Reflect.deleteProperty(proxy, "x") } catch(_) {}
try { Reflect.get(proxy, "x") } catch(_) {}
try { Reflect.getOwnPropertyDescriptor(proxy, "x") } catch(_) {}
try { Reflect.getPrototypeOf(proxy) } catch(_) {}
try { Reflect.has(proxy, "x") } catch(_) {}
try { Reflect.isExtensible(proxy) } catch(_) {}
try { Reflect.ownKeys(proxy) } catch(_) {}
try { Reflect.preventExtensions(proxy) } catch(_) {}
try { Reflect.setPrototypeOf(proxy, {}) } catch(_) {}
try { Reflect.set(proxy, "x", {}) } catch(_) {}
// Recursive handler.
function run(trap, ...args) {
let handler = {};
const proxy = new Proxy(function(){}, handler);
handler[trap] = (target, ...args) => Reflect[trap](proxy, ...args);
return Reflect[trap](proxy, ...args);
}
assertThrows(() => run("apply", {}, []), RangeError);
assertThrows(() => run("construct", []), RangeError);
assertThrows(() => run("defineProperty", "x", {}), RangeError);
assertThrows(() => run("deleteProperty", "x"), RangeError);
assertThrows(() => run("get", "x"), RangeError);
assertThrows(() => run("getOwnPropertyDescriptor", "x"), RangeError);
assertThrows(() => run("has", "x"), RangeError);
assertThrows(() => run("isExtensible"), RangeError);
assertThrows(() => run("ownKeys"), RangeError);
assertThrows(() => run("preventExtensions"), RangeError);
assertThrows(() => run("setPrototypeOf", {}), RangeError);
assertThrows(() => run("set", "x", {}), RangeError);
Issue: https://crbug.com/774841
Commit: [mjsunit] Move the implementation of testAsync into a separate file
Date(Commit): Tue, 31 Jul 2018 16:16:40 +0200
Code Review : https://chromium-review.googlesource.com/1156598
Regress : test\mjsunit\regress\regress-crbug-830565.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
load('test/mjsunit/test-async.js');
testAsync(assert => {
assert.plan(1);
const error = new TypeError('Throwing');
Promise.resolve({ then(resolve, reject) {
throw error;
}}).then(v => {
assert.unreachable();
}, e => {
assert.equals(error, e);
});
});
Commit: Reland "Reland [CloneObjectIC] overwrite monomorphic/polymorphic feedback if deprecated"
Date(Commit): Tue, 31 Jul 2018 17:01:09 -0400
Code Review : https://chromium-review.googlesource.com/1154143
Regress : test\mjsunit\es9\regress\regress-869342.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
function spread(o) { return { ...o }; }
(function setupPolymorphicFeedback() {
function C1() { this.p0 = 1; }
function C2() { this.p1 = 2; this.p2 = 3; }
assertEquals({ p0: 1 }, spread(new C1));
assertEquals({ p1: 2, p2: 3 }, spread(new C2));
})();
gc(); // Clobber cached map in feedback[0], and check that we don't crash
function C3() { this.p0 = 3; }
assertEquals({ p0: 3 }, spread(new C3));
Commit: [runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject
Date(Commit): Wed, 25 Jul 2018 16:32:58 -0400
Code Review : https://chromium-review.googlesource.com/1146297
Regress : test\mjsunit\es9\regress\regress-866861.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Check that property constness for out-of-object fields is valid
var o = {};
var toString = o.toString = function() {};
try {
assertEquals({ toString }, o = { ...o });
} catch (e) {}
o.toString = [];
Issue: https://crbug.com/866315
Commit: [async] Fix a crash when AsyncHooks is used in the proto of an object
Date(Commit): Mon, 23 Jul 2018 15:50:39 +0200
Code Review : https://chromium-review.googlesource.com/1146645
Regress : test\mjsunit\regress\regress-crbug-866315.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-async-hooks
let num = 42;
let ah = async_hooks.createHook({});
num.__proto__.__proto__ = ah;
assertThrows('num.enable()');
assertThrows('num.disable()');
Issue: https://crbug.com/865892
Commit: [async] Improve error handling when running async hooks
Date(Commit): Mon, 23 Jul 2018 11:04:08 +0200
Code Review : https://chromium-review.googlesource.com/1146561
Regress : test\mjsunit\regress\regress-crbug-865892.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-async-hooks
let ah = async_hooks.createHook(
{
init(asyncId, type) {
if (type !== 'PROMISE') { return; }
assertThrows('asyncIds.push(asyncId);');
}
});
ah.enable();
async function foo() {
let x = { toString() { return 'modules-skip-1.js' } };
assertThrows('await import(x);');
}
foo();
Issue: https://crbug.com/865312
Commit: [array] Only use fast-path in Array.p.fill for JSArrays
Date(Commit): Thu, 19 Jul 2018 11:01:07 +0200
Code Review : https://chromium-review.googlesource.com/1142772
Regress : test\mjsunit\regress\regress-crbug-865312.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const intArrayConstructors = [
Uint8Array,
Int8Array,
Uint16Array,
Int16Array,
Uint32Array,
Int32Array,
Uint8ClampedArray
];
const floatArrayConstructors = [
Float32Array,
Float64Array
];
const typedArrayConstructors = [...intArrayConstructors,
...floatArrayConstructors];
for (let constructor of typedArrayConstructors) {
// Shadowing the length of a TypedArray should work for Array.p.fill,
// but not crash it.
let array = new constructor([2, 2]);
assertEquals(2, array.length);
Object.defineProperty(array, 'length', {value: 5});
Array.prototype.fill.call(array, 5);
assertArrayEquals([5, 5], [array[0], array[1]]);
assertEquals(undefined, array[2]);
}
Issue: https://crbug.com/863155
Commit: [turbofan] Add a few missing AllowHandleAllocation scopes.
Date(Commit): Fri, 13 Jul 2018 14:07:47 +0200
Code Review : https://chromium-review.googlesource.com/1136444
Regress : test\mjsunit\regress\regress-863155.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --always-opt
for (let i = 0; i < 5; i++) {
try { typeof x } catch (e) {};
let x;
}
Issue: https://crbug.com/862433
Commit: [runtime] Allow FeedbackMetadata objects in old space for verification
Date(Commit): Thu, 12 Jul 2018 14:10:53 +0200
Code Review : https://chromium-review.googlesource.com/1134995
Regress : test\mjsunit\regress\regress-862433.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var arr = [];
for (var i = 1; i != 390000; ++i) {
arr.push("f()");
}
new Function(arr.join());
Issue: https://crbug.com/862538
Commit: [scanner] Fix scanner stream creation: Sliced strings can have an underlying thin string.
Date(Commit): Wed, 11 Jul 2018 22:38:34 +0200
Code Review : https://chromium-review.googlesource.com/1133980
Regress : test\mjsunit\regress\regress-crbug-862538.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var uvwxyzundefined;
function __f_5778(__v_29973) {
var __v_29975 = __v_29973 + undefined;
var __v_29976 = __v_29975.substring( 20);
({})[__v_29975];
return eval(__v_29976);
}
__f_5778("abcdefghijklmnopqrstuvwxyz");
Issue: https://crbug.com/v8/5530
Commit: [debug] retire ScriptWrapper
Date(Commit): Thu, 5 Jul 2018 13:34:14 -0700
Code Review : https://chromium-review.googlesource.com/1112851
Regress : test\mjsunit\regress\regress-crbug-491062.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --stack-size=100
function g() {}
var count = 0;
function f() {
try {
f();
} catch(e) {
print(e.stack);
}
if (count < 100) {
count++;
%DebugGetLoadedScriptIds();
}
}
f();
g();
Issue: https://crbug.com/849024
Commit: [builtins] Add reference error for global object property access
Date(Commit): Thu, 5 Jul 2018 11:06:51 +0200
Code Review : https://chromium-review.googlesource.com/1124446
Regress : test\mjsunit\regress\regress-crbug-849024.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
this.__proto__ = new Proxy({}, {});
function test1() {
eval("bla");
}
assertThrows(test1, ReferenceError);
assertThrows(test1, ReferenceError);
assertThrows(test1, ReferenceError);
function test2() {
gc();
eval("bla");
}
assertThrows(test2, ReferenceError);
assertThrows(test2, ReferenceError);
assertThrows(test2, ReferenceError);
function foo() {
try {
eval("bla");
} catch(e) {
return;
}
throw 1337;
}
function test3() {
gc();
foo();
foo();
}
assertDoesNotThrow(test3);
assertDoesNotThrow(test3);
assertDoesNotThrow(test3);
Issue: https://crbug.com/859809
Commit: [array] Add regression test that causes left trimming while sorting
Date(Commit): Tue, 3 Jul 2018 15:33:32 +0200
Code Review : https://chromium-review.googlesource.com/1124475
Regress : test\mjsunit\regress\regress-crbug-859809.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
let xs = [];
const kSize = 200;
for (let i = 0; i < kSize; ++i) {
xs.push(i);
}
let counter = 0;
xs.sort((a, b) => {
if (counter++ % 10 == 0) {
xs.shift();
gc();
}
return a - b;
});
Issue: https://crbug.com/v8/7382
Commit: [array] Throw TypeError for read-only properties on fast-path
Date(Commit): Mon, 2 Jul 2018 16:56:52 +0200
Code Review : https://chromium-review.googlesource.com/1122120
Regress : test\mjsunit\regress\regress-crbug-7907.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let arr = new Array(10);
Object.defineProperty(arr, 0, {value: 10, writable: false});
Object.defineProperty(arr, 9, {value: 1, writable: false});
assertThrows(() => arr.sort(), TypeError);
Issue: https://crbug.com/856095
Commit: Fix overzealous assert in CallOrConstructVarArgs
Date(Commit): Thu, 28 Jun 2018 10:37:52 -0700
Code Review : https://chromium-review.googlesource.com/1117922
Regress : test\mjsunit\regress\regress-crbug-856095.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f(a, b, c) { }
function a() {
let o1;
o1 = new Array();
f(...o1);
o1[1000] = Infinity;
}
a();
a();
Issue: https://crbug.com/853453
Commit: [wasm] Catch invalid flags correctly
Date(Commit): Thu, 21 Jun 2018 14:32:20 -0700
Code Review : https://chromium-review.googlesource.com/1104976
Regress : test\mjsunit\regress\wasm\regress-853453.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-threads
assertThrows(() => new WebAssembly.Module(
new Uint8Array([
0x00, 0x61, 0x73, 0x6d, // wasm magic
0x01, 0x00, 0x00, 0x00, // wasm version
0x04, // section code
0x04, // section length
/* Section: Table */
0x01, // table count
0x70, // table type
0x03, // resizable limits flags
0x00])),
WebAssembly.CompileError);
Commit: [typedarray] Use slow case more aggressively in CopyElementsHandleImpl
Date(Commit): Thu, 21 Jun 2018 13:30:15 +0200
Code Review : https://chromium-review.googlesource.com/1108203
Regress : test\mjsunit\regress\regress-854066.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
oobArray = [];
for (let i = 0; i < 1e5; ++i) {
oobArray[i] = 1.1;
}
floatArray = new Float64Array(oobArray.length);
Float64Array.from.call(function(length) {
oobArray.length = 0;
return floatArray;
}, oobArray);
Issue: https://crbug.com/854299
Commit: [array] Change Array.p.sort bailout behavior from fast- to slow-path
Date(Commit): Wed, 20 Jun 2018 16:53:34 +0200
Code Review : https://chromium-review.googlesource.com/1107702
Regress : test\mjsunit\regress\regress-crbug-854299.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
let rand = n => Math.floor(Math.random() * n);
for (let i = 0; i < 1000; ++i) {
array = [];
let len = rand(30);
for(let i = 0; i < len; ++i) {
array[i] = [i + 0.1];
}
let counter = 0;
array.sort((a, b) => {
a = a || [0];
b = b || [0];
if (counter++ == rand(30)) {
array.length = 1;
gc();
}
return a[0] - b[0];
});
}
Issue: https://crbug.com/852592
Commit: [array] Fix OOB load/stores when underlying FixedArray changed
Date(Commit): Mon, 18 Jun 2018 15:49:34 +0200
Code Review : https://chromium-review.googlesource.com/1104158
Regress : test\mjsunit\regress\regress-crbug-852592.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const kArraySize = 1024;
let array = [];
for (let i = 1; i < kArraySize; ++i) {
array[i] = i + 0.1;
}
assertEquals(array.length, kArraySize);
let executed = false;
compareFn = _ => {
if (!executed) {
executed = true;
array.length = 1; // shrink
array.length = 0; // replace
array.length = kArraySize; // restore the original length
}
}
array.sort(compareFn);
Issue: https://crbug.com/851393
Commit: [builtins] Relax type check in a slow path of Object.assign.
Date(Commit): Mon, 18 Jun 2018 14:09:28 +0200
Code Review : https://chromium-review.googlesource.com/1104317
Regress : test\mjsunit\regress\regress-crbug-851393.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var proxy = new Proxy({}, {});
Object.assign(proxy, { b: "boom", 060: "ah", o: "ouch" });
Issue: https://crbug.com/848165
Commit: Properly set enumeration order for accessor properties in class literals.
Date(Commit): Mon, 18 Jun 2018 13:40:25 +0200
Code Review : https://chromium-review.googlesource.com/1104175
Regress : test\mjsunit\regress\regress-crbug-848165.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
class cls0 {
static get length(){ return 42; };
static get [1](){ return 21; };
};
Object.defineProperty(cls0, "length", {value:'1'});
Issue: https://crbug.com/852258
Commit: [typedarray] Fix incorrect access to typed array byte offset.
Date(Commit): Thu, 14 Jun 2018 15:40:16 +0200
Code Review : https://chromium-review.googlesource.com/1100886
Regress : test\mjsunit\regress\regress-852258.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
try {
let ta0 = new Int16Array(0x24924925);
let ta2 = ta0.slice(1);
let ta1 = ta0.slice(0x24924924);
} catch (e) {
// Allocation failed, that's fine.
}
Issue: https://crbug.com/v8/7726
Commit: [js-perf-test] Remove flaky perf test from mjsunittest...
Date(Commit): Mon, 11 Jun 2018 11:10:45 +0200
Code Review : https://chromium-review.googlesource.com/1094637
Regress : test\mjsunit\regress\regress-165637.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Make sure that packed and unpacked array slices are still properly handled
var holey_array = [1, 2, 3, 4, 5,,,,,,];
assertEquals([undefined], holey_array.slice(6, 7));
assertEquals(undefined, holey_array.slice(6, 7)[0]);
assertEquals([], holey_array.slice(2, 1));
assertEquals(3, holey_array.slice(2, 3)[0]);
Issue: https://crbug.com/850005
Commit: [CSA] Fix assertion in CallOrConstructDoubleVarargs with empty FixedArray
Date(Commit): Wed, 6 Jun 2018 11:42:25 +0200
Code Review : https://chromium-review.googlesource.com/1088608
Regress : test\mjsunit\regress\regress-crbug-850005.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let args = [3.34, ];
function f(a, b, c) {};
f(...args);
args = args.splice();
f(...args);
args = [];
f(...args);
Issue: https://crbug.com/849663
Commit: [date] Fix double-to-int conversion in MakeDay
Date(Commit): Tue, 5 Jun 2018 17:34:19 +0200
Code Review : https://chromium-review.googlesource.com/1087063
Regress : test\mjsunit\regress\regress-849663.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const v1 = 0xFFFFFFFF;
const v3 = new Float64Array();
new Date(v3, v3, 0xFFFFFFFF,);
Issue: https://crbug.com/v8/4743
Commit: Remove always-true --harmony-regexp-property runtime flag
Date(Commit): Tue, 5 Jun 2018 10:37:49 +0200
Code Review : https://chromium-review.googlesource.com/1086799
Regress : test\mjsunit\regress\regress-793793.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows(() => new RegExp("\\1(\\P{P\0[}()/", "u"), SyntaxError);
Issue: https://crbug.com/v8/5437
Commit: Remove always-true --harmony-regexp-named-captures runtime flag
Date(Commit): Tue, 5 Jun 2018 09:37:23 +0200
Code Review : https://chromium-review.googlesource.com/1086790
Regress : test\mjsunit\regress\regress-705934.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --stack-size=100
function call_replace_close_to_stack_overflow() {
try {
call_replace_close_to_stack_overflow();
} catch {
"b".replace(/(b)/g);
}
}
call_replace_close_to_stack_overflow();
Commit: [wasm] Add missing WebAssembly.instantiate regression test.
Date(Commit): Tue, 29 May 2018 10:42:37 +0200
Code Review : https://chromium-review.googlesource.com/1075967
Regress : test\mjsunit\regress\wasm\regress-799952.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var sentinel = {};
Object.defineProperty(Promise, Symbol.species, {
value: function(f) {
f(function() {}, function() {})
return sentinel;
}
});
// According to the WebAssembly JavaScript API spec, WebAssembly.instantiate is
// using the initial value of the Promise constructor. Specifically it ignores
// the Promise species constructor installed above.
var promise = WebAssembly.instantiate(new ArrayBuffer());
assertInstanceof(promise, Promise);
assertNotSame(promise, sentinel);
// All further uses of the returned Promise, like using Promise.prototype.then,
// will respect the Promise species constructor installed above however.
var monkey = promise.then(r => { print(r) }, e => { print(e) });
assertSame(monkey, sentinel);
Issue: https://crbug.com/v8/7791
Commit: Fix bug in object literals with redeclarations.
Date(Commit): Mon, 28 May 2018 14:24:46 +0200
Code Review : https://chromium-review.googlesource.com/1075054
Regress : test\mjsunit\regress\regress-7791.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
"use strict";
// Data property last.
{
const o = {
get foo() { return 666 },
foo: 42,
};
assertEquals(42, Object.getOwnPropertyDescriptor(o, 'foo').value);
}
{
const o = {
set foo(_) { },
foo: 42,
};
assertEquals(42, Object.getOwnPropertyDescriptor(o, 'foo').value);
}
{
const o = {
get foo() { return 666 },
set foo(_) { },
foo: 42,
};
assertEquals(42, Object.getOwnPropertyDescriptor(o, 'foo').value);
}
{
const o = {
get foo() { return 666 },
set ['foo'.slice()](_) { },
foo: 42,
};
assertEquals(42, Object.getOwnPropertyDescriptor(o, 'foo').value);
}
{
const o = {
get ['foo'.slice()]() { return 666 },
set ['foo'.slice()](_) { },
foo: 42,
};
assertEquals(42, Object.getOwnPropertyDescriptor(o, 'foo').value);
}
// Data property first.
{
const o = {
foo: 666,
get foo() { return 42 },
};
assertEquals(42, Object.getOwnPropertyDescriptor(o, 'foo').get());
}
{
const o = {
foo: 666,
set foo(_) { },
};
assertEquals(undefined, Object.getOwnPropertyDescriptor(o, 'foo').get);
assertEquals(undefined, Object.getOwnPropertyDescriptor(o, 'foo').value);
}
{
const o = {
foo: 666,
get foo() { return 42 },
set foo(_) { },
};
assertEquals(42, Object.getOwnPropertyDescriptor(o, 'foo').get());
}
{
const o = {
foo: 666,
get ['foo'.slice()]() { return 42 },
set foo(_) { },
};
assertEquals(42, Object.getOwnPropertyDescriptor(o, 'foo').get());
}
{
const o = {
foo: 666,
get ['foo'.slice()]() { return 42 },
set ['foo'](_) { },
};
assertEquals(42, Object.getOwnPropertyDescriptor(o, 'foo').get());
}
// Data property in the middle.
{
const o = {
get foo() { return 42 },
foo: 666,
set foo(_) { },
};
assertEquals(undefined, Object.getOwnPropertyDescriptor(o, 'foo').get);
assertEquals(undefined, Object.getOwnPropertyDescriptor(o, 'foo').set());
}
{
const o = {
set foo(_) { },
foo: 666,
get foo() { return 42 },
};
assertEquals(42, Object.getOwnPropertyDescriptor(o, 'foo').get());
}
Issue: https://crbug.com/843062
Commit: [runtime] Do not shrink fixed arrays to length 0.
Date(Commit): Thu, 24 May 2018 10:49:32 +0200
Code Review : https://chromium-review.googlesource.com/1064052
Regress : test\mjsunit\regress\regress-843062-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
class C {
[1]() { return 'B'; }
}
Object.keys(C.prototype);
Issue: https://crbug.com/843022
Commit: [regexp] Do not assume fast regexp results are non-empty
Date(Commit): Wed, 16 May 2018 13:57:10 +0200
Code Review : https://chromium-review.googlesource.com/1061455
Regress : test\mjsunit\regress\regress-crbug-843022.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Produce an fast, but empty result.
const fast_regexp_result = /./g.exec("a");
fast_regexp_result.length = 0;
class RegExpWithFastResult extends RegExp {
constructor() { super(".", "g"); this.number_of_runs = 0; }
exec(str) { return (this.number_of_runs++ == 0) ? fast_regexp_result : null; }
}
// A slow empty result.
const slow_regexp_result = [];
class RegExpWithSlowResult extends RegExp {
constructor() { super(".", "g"); this.number_of_runs = 0; }
exec(str) { return (this.number_of_runs++ == 0) ? slow_regexp_result : null; }
}
assertEquals(["undefined"], "a".match(new RegExpWithFastResult()));
assertEquals(["undefined"], "a".match(new RegExpWithSlowResult()));
Issue: https://crbug.com/842078
Commit: [objects] Disallow externalizing RO_SPACE 2-byte strings
Date(Commit): Fri, 11 May 2018 10:53:36 +0100
Code Review : https://chromium-review.googlesource.com/1054290
Regress : test\mjsunit\regress\regress-842078.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-externalize-string
// Attempt to externalize a string that's in RO_SPACE, which is not allowed as
// the string's map would need to be writable.
assertThrows(() => {
externalizeString("1", false)
});
assertThrows(() => {
externalizeString("1", true)
});
Issue: https://crbug.com/v8/841592
Commit: [elements] Avoid NOP operation when shrinking HashTables
Date(Commit): Thu, 10 May 2018 10:57:55 +0100
Code Review : https://chromium-review.googlesource.com/1052693
Regress : test\mjsunit\regress\regress-crbug-841592.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// a has packed SMI elements
a = [];
// a has dictionary elements
a.length = 0xFFFFFFF;
// a has dictionary elements and the backing array is
// empty_slow_element_dictionary (length 0)
a.length = 0;
// a has dictionary elements and the backing array is
// empty_slow_element_dictionary (length 0xFFFFFFF)
a.length = 0xFFFFFFF;
// This will crash if V8 attempts to remove 0 elements from
// empty_slow_element_dictionary as it is in RO_SPACE.
a.length = 1;
Issue: https://crbug.com/v8/7725
Commit: [builtins] Properly handle non-simple target in Object.assign.
Date(Commit): Wed, 9 May 2018 13:18:39 +0200
Code Review : https://chromium-review.googlesource.com/1051653
Regress : test\mjsunit\regress\regress-v8-7725.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var proxy = new Proxy({}, {});
Object.assign(proxy, { b: "boom", a: "ah", o: "ouch" });
assertEquals(["b", "a", "o"], Object.getOwnPropertyNames(proxy));
assertEquals("boom", proxy.b);
assertEquals("ah", proxy.a);
assertEquals("ouch", proxy.o);
Commit: Remove --use-allocation-folding relict from tests.
Date(Commit): Wed, 9 May 2018 10:06:57 +0200
Code Review : https://chromium-review.googlesource.com/1051237
Regress : test\mjsunit\regress\regress-484544.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --stress-compaction --predictable
function f() {
return [[], [], [[], [], []]];
}
for (var i=0; i<10000; i++) {
f();
}
Issue: https://crbug.com/v8/7382
Commit: [array] Move SafeRemoveArrayHoles to runtime
Date(Commit): Tue, 8 May 2018 07:50:28 +0200
Code Review : https://chromium-review.googlesource.com/1041950
Regress : test\mjsunit\regress\regress-crbug-743154.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Object.prototype[1] = 1.5;
var v = { length: 12, [1073741824]: 0 };
assertEquals(['1073741824', 'length'], Object.keys(v));
assertEquals(undefined, v[0]);
assertEquals(1.5, v[1]);
assertEquals(0, v[1073741824]);
// Properly handle out of range HeapNumber keys on 32bit platforms.
Array.prototype.sort.call(v);
assertEquals(['0', '1073741824', 'length'], Object.keys(v));
assertTrue(v.hasOwnProperty(0));
assertEquals(1.5, v[0]);
assertFalse(v.hasOwnProperty(1));
assertEquals(1.5, v[1]);
assertEquals(0, v[1073741824]);
Issue: https://crbug.com/v8/7716
Commit: [proxies] Add missing stack overflow check.
Date(Commit): Mon, 7 May 2018 20:10:50 +0200
Code Review : https://chromium-review.googlesource.com/1047612
Regress : test\mjsunit\regress\regress-crbug-779344.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var o = {};
var proxy = new Proxy(() => {}, o);
o.apply = proxy;
assertThrows(proxy);
Issue: https://crbug.com/840220
Commit: [CSA] Remove overzealous type check
Date(Commit): Mon, 7 May 2018 10:19:21 +0200
Code Review : https://chromium-review.googlesource.com/1046066
Regress : test\mjsunit\regress\regress-crbug-840220.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var boundFunction = (function(){}).bind();
var instance = new Uint8Array()
instance.constructor = {
[Symbol.species]: boundFunction
};
assertThrows(() => instance.map(each => each * 2), TypeError);
Issue: https://crbug.com/823130
Commit: Fix "x is not iterable" error message consistency
Date(Commit): Thu, 3 May 2018 12:59:07 -0700
Code Review : https://chromium-review.googlesource.com/1042951
Regress : test\mjsunit\regress\regress-crbug-823130.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
var __v_1 = new Array();
var __v_2 = 0x30;
var __v_4 = "abc";
var __v_3 = "def";
function __f_2(b) {
[...b];
}
__f_2([1]);
__f_2([3.3]);
__f_2([{}]);
var vars = [__v_1, __v_2, __v_3, __v_4];
for (var j = 0; j < vars.length && j < 7; j++) {
for (var k = j; k < vars.length && k < 7 + j; k++) {
var v1 = vars[j];
var e1, e2;
try {
__f_2(v1);
__f_2();
} catch (e) {
e1 = "" + e;
}
gc();
try {
__f_2(v1);
__f_2();
} catch (e) {
e2 = "" + e;
}
assertEquals(e1, e2);
}
}
Issue: https://crbug.com/837939
Commit: Do not throw if the array is empty in Map constructor
Date(Commit): Wed, 2 May 2018 19:58:45 +0900
Code Review : https://chromium-review.googlesource.com/1034043
Regress : test\mjsunit\es6\regress\regress-crbug-837939.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Create a double elements array.
const iterable = [123.123];
assertTrue(%HasDoubleElements(iterable))
iterable.length = 0;
assertTrue(%HasDoubleElements(iterable))
// Should not throw here.
let map = new Map(iterable);
assertEquals(0, map.size);
new WeakMap(iterable); // WeakMap does not have a size
Issue: https://crbug.com/v8/7677
Commit: Remove incorrect receiver checks from some array methods.
Date(Commit): Mon, 23 Apr 2018 10:13:39 +0200
Code Review : https://chromium-review.googlesource.com/1021870
Regress : test\mjsunit\regress\regress-7677.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
"use strict";
// Generate a frozen or sealed array-like object.
function arraylike(freeze) {
let x;
const obj = {length: 42};
Object.defineProperty(obj, 5, {get() {return x}, set(y) {x = y}});
return freeze ? Object.freeze(obj) : Object.seal(obj);
}
// Array.prototype.fill
{
const sealed = arraylike(false);
Array.prototype.fill.call(sealed, "foo", 5, 6);
assertEquals("foo", sealed[5]);
assertThrows(() => Array.prototype.fill.call(sealed, "foo"), TypeError);
}{
const frozen = arraylike(true);
Array.prototype.fill.call(frozen, "foo", 5, 6);
assertEquals("foo", frozen[5]);
assertThrows(() => Array.prototype.fill.call(frozen, "foo"), TypeError);
}
// Array.prototype.shift
{
const sealed = Object.seal({length: 0});
assertEquals(undefined, Array.prototype.shift.call(sealed));
}{
const sealed = Object.seal({length: 42});
assertEquals(undefined, Array.prototype.shift.call(sealed));
}{
let x;
let obj = {length: 42, [1]: "foo"};
Object.defineProperty(obj, 0, {get() {return x}, set(y) {x = y}});
const sealed = Object.seal(obj);
assertThrows(() => Array.prototype.shift.call(sealed), TypeError);
assertEquals("foo", sealed[0]);
}{
const frozen = Object.freeze({length: 0});
assertThrows(() => Array.prototype.shift.call(frozen), TypeError);
}
// Array.prototype.splice
{
const sealed = arraylike(false);
assertEquals([undefined], Array.prototype.splice.call(sealed, 5, 1, "foo"));
assertEquals("foo", sealed[5]);
assertThrows(() => Array.prototype.splice.call(sealed, 5, 0, "bar"),
TypeError);
assertEquals("foo", sealed[5]);
}{
const frozen = arraylike(true);
assertThrows(() => Array.prototype.splice.call(frozen, 5, 1, "foo"),
TypeError);
assertEquals("foo", frozen[5]);
assertThrows(() => Array.prototype.splice.call(frozen, 5, 0, "bar"),
TypeError);
assertEquals("foo", frozen[5]);
}
Issue: https://crbug.com/v8/7652
Commit: Check length in Array.prototype.concat.
Date(Commit): Tue, 17 Apr 2018 14:01:32 +0200
Code Review : https://chromium-review.googlesource.com/1013714
Regress : test\mjsunit\regress\regress-7652.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const splice = Array.prototype.splice;
const unshift = Array.prototype.unshift;
{
let a = {length: 2**53 - 1};
assertThrows(() => unshift.call(a, 42), TypeError);
assertEquals(unshift.call(a), 2**53 - 1);
}
{
let a = {length: 2**53 - 1};
assertThrows(() => splice.call(a, 0, 0, 42), TypeError);
assertEquals(splice.call(a, 0, 1, 42).length, 1);
assertEquals(a[0], 42);
}
{
let a = {length: 2**53 - 1, [Symbol.isConcatSpreadable]: true};
assertThrows(() => [42].concat(a), TypeError);
assertThrows(() => [, ].concat(a), TypeError);
assertThrows(() => [].concat(42, a), TypeError);
}
Issue: https://crbug.com/831984
Commit: [keys] Don't keep chain of OrderedHashSets in KeyAccumulator
Date(Commit): Mon, 16 Apr 2018 11:24:20 -0700
Code Review : https://chromium-review.googlesource.com/1012874
Regress : test\mjsunit\regress\regress-crbug-831984.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let arr = [...Array(9000)];
for (let j = 0; j < 40; j++) {
Reflect.ownKeys(arr).shift();
Array(64386);
}
Issue: https://crbug.com/v8/7642
Commit: [interpreter] Move desugaring of spread super call to bytecode generator
Date(Commit): Fri, 13 Apr 2018 15:14:27 +0200
Code Review : https://chromium-review.googlesource.com/1009907
Regress : test\mjsunit\regress\regress-7642.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-public-fields
const a = [2];
const b = [4];
let log;
class C {
constructor(...args) {
log = args;
}
}
class D extends C {
field = 42;
constructor() { super(1) };
}
assertEquals(42, (new D).field);
assertEquals([1], log);
class E extends C {
field = 42;
constructor() { super(...a) };
}
assertEquals(42, (new E).field);
assertEquals([2], log);
class F extends C {
field = 42;
constructor() { super(1, ...a) };
}
assertEquals(42, (new F).field);
assertEquals([1, 2], log);
class G extends C {
field = 42;
constructor() { super(1, ...a, 3) };
}
assertEquals(42, (new G).field);
assertEquals([1, 2, 3], log);
class H extends C {
field = 42;
constructor() { super(1, ...a, 3, ...b) };
}
assertEquals(42, (new H).field);
assertEquals([1, 2, 3, 4], log);
class I extends C {
field = 42;
constructor() { super(1, ...a, 3, ...b, 5) };
}
assertEquals(42, (new I).field);
assertEquals([1, 2, 3, 4, 5], log);
Issue: https://crbug.com/831943
Commit: [builtins] Fix missing ToString in RegExp.p.match
Date(Commit): Wed, 11 Apr 2018 20:59:25 -0700
Code Review : https://chromium-review.googlesource.com/1009325
Regress : test\mjsunit\regress\regress-crbug-831943.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
class MyRegExp extends RegExp {
exec(str) {
const r = super.exec.call(this, str);
if (r) r[0] = 0;
return r;
}
}
const result = 'a'.match(new MyRegExp('.', 'g'));
assertArrayEquals(result, ['0']);
Issue: https://crbug.com/823069
Commit: [builtins] Throw on pop()/shift() when JSArray's length is not writable.
Date(Commit): Mon, 9 Apr 2018 13:34:41 +0200
Code Review : https://chromium-review.googlesource.com/1002560
Regress : test\mjsunit\regress\regress-crbug-823069.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var v = [];
Object.defineProperty(v, "length", {value: 3, writable: false});
assertThrows(()=>{v.pop();});
assertThrows(()=>{v.shift();});
Issue: https://crbug.com/v8/5988
Commit: [ic] Use Map as transition handlers instead of StoreHandler objects.
Date(Commit): Wed, 21 Mar 2018 10:51:18 +0100
Code Review : https://chromium-review.googlesource.com/931701
Regress : test\mjsunit\regress\regress-store-transition-dict.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function() {
function SetX(o, v) {
o.x = v;
}
function SetY(o, v) {
o.y = v;
}
var p = {};
function Create() {
var o = {__proto__:p, b:1, a:2};
delete o.b;
assertFalse(%HasFastProperties(o));
return o;
}
for (var i = 0; i < 10; i++) {
var o = Create();
SetX(o, 13);
SetY(o, 13);
}
Object.defineProperty(p, "x", {value:42, configurable: true, writable: false});
for (var i = 0; i < 10; i++) {
var o = Create();
SetY(o, 13);
}
var o = Create();
assertEquals(42, o.x);
SetX(o, 13);
assertEquals(42, o.x);
})();
(function() {
var p1 = {a:10};
Object.defineProperty(p1, "x", {value:42, configurable: true, writable: false});
var p2 = {__proto__: p1, x:153};
for (var i = 0; i < 2000; i++) {
p1["p" + i] = 0;
p2["p" + i] = 0;
}
assertFalse(%HasFastProperties(p1));
assertFalse(%HasFastProperties(p2));
function GetX(o) {
return o.x;
}
function SetX(o, v) {
o.x = v;
}
function Create() {
var o = {__proto__:p2, b:1, a:2};
return o;
}
for (var i = 0; i < 10; i++) {
var o = Create();
assertEquals(153, GetX(o));
SetX(o, 13);
assertEquals(13, GetX(o));
}
delete p2.x;
assertFalse(%HasFastProperties(p1));
assertFalse(%HasFastProperties(p2));
var o = Create();
assertEquals(42, GetX(o));
SetX(o, 13);
assertEquals(42, GetX(o));
})();
Commit: [parser] Fix aborting preparsing of a function with a rest param.
Date(Commit): Wed, 21 Mar 2018 09:19:27 +0100
Code Review : https://chromium-review.googlesource.com/972901
Regress : test\mjsunit\regress\regress-crbug-813630.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Regression test for a bug where aborting a function which has a rest
// parameter didn't work correctly.
function g(...args) {
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;x;
}
Commit: Reland "[esnext] re-implement template strings"
Date(Commit): Sat, 10 Mar 2018 12:27:18 -0500
Code Review : https://chromium-review.googlesource.com/958408
Regress : test\mjsunit\es6\regress\regress-crbug-820596.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --print-ast
var x;
`Crashes if OOB read with --print-ast ${x}`;
Issue: https://crbug.com/821137
Commit: [builtins] Fix OOB read/write using Array.from
Date(Commit): Wed, 14 Mar 2018 10:02:08 +0000
Code Review : https://chromium-review.googlesource.com/962222
Regress : test\mjsunit\regress\regress-821137.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Tests that creating an iterator that shrinks the array populated by
// Array.from does not lead to out of bounds writes.
let oobArray = [];
let maxSize = 1028 * 8;
Array.from.call(function() { return oobArray }, {[Symbol.iterator] : _ => (
{
counter : 0,
next() {
let result = this.counter++;
if (this.counter > maxSize) {
oobArray.length = 0;
return {done: true};
} else {
return {value: result, done: false};
}
}
}
) });
assertEquals(oobArray.length, maxSize);
// iterator reset the length to 0 just before returning done, so this will crash
// if the backing store was not resized correctly.
oobArray[oobArray.length - 1] = 0x41414141;
Issue: https://crbug.com/821159
Commit: [es2015] Properly deal with fast-path results from IterableToList.
Date(Commit): Tue, 13 Mar 2018 07:44:51 +0100
Code Review : https://chromium-review.googlesource.com/959323
Regress : test\mjsunit\regress\regress-crbug-821159-4.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
Object.prototype[0] = 0;
Math.max(...[3.1]);
Issue: https://crbug.com/820312
Commit: [builtins] Properly handle DICTIONARY_ELEMENTS in Promise.all closures.
Date(Commit): Fri, 9 Mar 2018 13:47:35 +0100
Code Review : https://chromium-review.googlesource.com/957090
Regress : test\mjsunit\regress\regress-crbug-820312.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
let arr = new Array(0x10000);
let resolve_element_closures = new Array(0x10000);
for (let i = 0; i < arr.length; i++) {
arr[i] = new Promise(() => {});
arr[i].then = ((idx, resolve) => {
resolve_element_closures[idx] = resolve;
}).bind(null, i);
}
Promise.all(arr);
// 0xffff is too large, transitions to DICTIONARY_ELEMENTS
resolve_element_closures[0xffff]();
// grows the capacity, the elements kind of the result array is still DICTIONARY_ELEMENTS, but the elements object of it is no more a dictionary.
resolve_element_closures[100]();
// You can observe that V8 crashes here in debug mode.
resolve_element_closures[0xfffe]();
Issue: https://crbug.com/818438
Date(Commit): Mon, 5 Mar 2018 10:29:42 +0100
Code Review : https://chromium-review.googlesource.com/947950
Regress : test\mjsunit\regress\regress-818438.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function foo(b) {
[,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
...b];
}
Array.prototype.__defineSetter__("0", () => {});
foo([3.3, 3.3, 3.3]);
foo([{}, 3.3]);
Issue: https://crbug.com/815392
Commit: [turbofan] Bailout from optimizations for large bytecode sizes (>128kB).
Date(Commit): Mon, 26 Feb 2018 22:06:46 +0100
Code Review : https://chromium-review.googlesource.com/938421
Regress : test\mjsunit\compiler\regress-815392.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const __f_1 = eval(`(function __f_1() {
class Derived extends Object {
constructor() {
${"this.a=1;".repeat(0x3fffe-8)}
}
}
return Derived;
})`);
assertThrows(() => new (__f_1())());
Issue: https://crbug.com/816289
Commit: [typedarray] Extend ElementsAccessor::CopyElements to all Object types
Date(Commit): Mon, 26 Feb 2018 16:14:56 +0100
Code Review : https://chromium-review.googlesource.com/937461
Regress : test\mjsunit\regress\regress-816289.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
delete String.prototype[Symbol.iterator];
Int8Array.from("anything");
Issue: https://crbug.com/816317
Commit: [typedarray] Fix failing DCHECK for TA.from with a length getter.
Date(Commit): Mon, 26 Feb 2018 12:08:06 +0100
Code Review : https://chromium-review.googlesource.com/937209
Regress : test\mjsunit\regress\regress-816317.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let a = new Float64Array(15);
Object.defineProperty(a, "length", {
get: function () {
return 6;
}
});
delete a.__proto__.__proto__[Symbol.iterator];
Float64Array.from(a);
Issue: https://crbug.com/814643
Commit: [typedarray] Fix IterableToList when Number has an iterator
Date(Commit): Thu, 22 Feb 2018 10:48:50 +0100
Code Review : https://chromium-review.googlesource.com/930962
Regress : test\mjsunit\regress\regress-814643.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Number.prototype.__proto__ = String.prototype;
Uint8Array.from(1);
Issue: https://crbug.com/808472
Commit: [turbofan] simplified lowering: process DeadValue input
Date(Commit): Tue, 20 Feb 2018 15:39:55 +0100
Code Review : https://chromium-review.googlesource.com/919362
Regress : test\mjsunit\compiler\regress-808472.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function opt() {
let opt, arr = [...[...[...[...new Uint8Array(0x10000)]]]];
while (arr--) {
opt = ((typeof opt) === 'undefined') ? /a/ : arr;
}
}
opt();
opt();
Issue: https://crbug.com/813427
Commit: [runtime] Fix overzealous check for derived constructor instance size
Date(Commit): Tue, 20 Feb 2018 13:09:04 +0100
Code Review : https://chromium-review.googlesource.com/926003
Regress : test\mjsunit\regress\regress-crbug-813427.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Create {count} property assignments.
function createPropertiesAssignment(count) {
let result = "";
for (let i = 0; i < count; i++) {
result += "this.p"+i+" = undefined;";
}
return result;
}
function testSubclassProtoProperties(count) {
const MyClass = eval(`(class MyClass {
constructor() {
${createPropertiesAssignment(count)}
}
});`);
class BaseClass {};
class SubClass extends BaseClass {
constructor() {
super()
}
};
const boundMyClass = MyClass.bind();
%HeapObjectVerify(boundMyClass);
SubClass.__proto__ = boundMyClass;
var instance = new SubClass();
%HeapObjectVerify(instance);
// Create some more instances to complete in-object slack tracking.
let results = [];
for (let i = 0; i < 4000; i++) {
results.push(new SubClass());
}
var instance = new SubClass();
%HeapObjectVerify(instance);
}
for (let count = 0; count < 10; count++) {
testSubclassProtoProperties(count);
}
Issue: https://crbug.com/v8/7447
Commit: Reland "[ic] EmitElementStore: don't miss when hitting new space limit."
Date(Commit): Thu, 15 Feb 2018 12:48:15 +0100
Code Review : https://chromium-review.googlesource.com/918723
Regress : test\mjsunit\regress\regress-812451.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
var x = [];
function foo(x, p) {
x[p] = 5.3;
}
foo(x, 1);
foo(x, 2);
foo(x, -1);
gc();
Commit: Remove %_ClassOf and SharedFunctionInfo::instance_class_name
Date(Commit): Thu, 15 Feb 2018 06:26:29 +0100
Code Review : https://chromium-review.googlesource.com/776683
Regress : test\mjsunit\regress\regress-995.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
// A number of hydrogen instructions did not correctly compare its
// data during GVN.
//
// Flags: --allow-natives-syntax
// HHasInstance.
function f(value) {
if (%_IsJSReceiver(value)) {
if ((%_IsArray(value))) assertTrue(false);
}
}
f(new String("bar"));
// HIsNull.
function h(value) {
if (value == null) {
if (value === null) assertTrue(false);
}
}
h(undefined);
Issue: https://crbug.com/v8/6703
Commit: Reland "[regexp] fix Latin1 ignore-case bug."
Date(Commit): Mon, 5 Feb 2018 15:29:59 +0100
Code Review : https://chromium-review.googlesource.com/901522
Regress : test\mjsunit\regress\regress-6703.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertTrue(/(\u039C)/i.test("\xB5"));
assertTrue(/(\u039C)+/i.test("\xB5"));
assertTrue(/(\u039C)/ui.test("\xB5"));
assertTrue(/(\u039C)+/ui.test("\xB5"));
assertTrue(/(\u03BC)/i.test("\xB5"));
assertTrue(/(\u03BC)+/i.test("\xB5"));
assertTrue(/(\u03BC)/ui.test("\xB5"));
assertTrue(/(\u03BC)+/ui.test("\xB5"));
assertTrue(/(\u03BC)/i.test("\u039C"));
assertTrue(/(\u03BC)+/i.test("\u039C"));
assertTrue(/(\u03BC)/ui.test("\u039C"));
assertTrue(/(\u03BC)+/ui.test("\u039C"));
assertTrue(/(\u0178)/i.test("\xFF"));
assertTrue(/(\u0178)+/i.test("\xFF"));
assertTrue(/(\u0178)/ui.test("\xFF"));
assertTrue(/(\u0178)+/ui.test("\xFF"));
Issue: https://crbug.com/805729
Commit: Fix bug in async generators.
Date(Commit): Mon, 29 Jan 2018 15:31:04 +0100
Code Review : https://chromium-review.googlesource.com/891231
Regress : test\mjsunit\regress\regress-805729.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
async function* asyncGenerator() {};
let gen = asyncGenerator();
gen.return({ get then() { delete this.then; gen.next(); } });
Issue: https://crbug.com/805765
Commit: [ignition] Fix wide suspends to also return
Date(Commit): Fri, 26 Jan 2018 16:34:27 +0000
Code Review : https://chromium-review.googlesource.com/887082
Regress : test\mjsunit\regress\regress-crbug-805765.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var code = "(function* gen() {"
for (var i = 0; i < 256; ++i) {
code += `var v_${i} = 0;`
}
code += `yield; })`
var gen = eval(code);
var g = gen();
g.next();
Issue: https://crbug.com/806200
Commit: [parser] Throw syntax error for %Foo(...spread)
Date(Commit): Fri, 26 Jan 2018 14:52:35 +0000
Code Review : https://chromium-review.googlesource.com/888922
Regress : test\mjsunit\regress\regress-crbug-806200.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
assertThrows("%Foo(...spread)", SyntaxError);
Issue: https://crbug.com/v8/7369
Commit: Fix parseInt fast-path to return -0 when needed
Date(Commit): Fri, 26 Jan 2018 09:39:41 -0800
Code Review : https://chromium-review.googlesource.com/887428
Regress : test\mjsunit\regress\regress-7369.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertEquals(-Infinity, 1/parseInt(-0.9));
assertEquals(-Infinity, 1/parseInt("-0.9"));
assertEquals(-Infinity, 1/parseInt(-0.09));
assertEquals(-Infinity, 1/parseInt(-0.009));
Issue: https://crbug.com/804176
Commit: [builtins] Fix Collection constructor when entries have custom iteration.
Date(Commit): Thu, 25 Jan 2018 17:27:45 +0700
Code Review : https://chromium-review.googlesource.com/883065
Regress : test\mjsunit\regress\regress-804188.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Object.defineProperty(Array.prototype, Symbol.iterator, {
value: function* () {}
});
const arrayIteratorProto = Object.getPrototypeOf([][Symbol.iterator]());
arrayIteratorProto.next = function() {};
assertThrows(() => new Map([[{}, 1], [{}, 2]]), TypeError);
assertThrows(() => new WeakMap([[{}, 1], [{}, 2]]), TypeError);
assertThrows(() => new Set([{}]), TypeError);
assertThrows(() => new WeakSet([{}]), TypeError);
Issue: https://crbug.com/804801
Commit: [builtins] Allow bound function / proxy add
in collection ctors
Date(Commit): Wed, 24 Jan 2018 10:06:28 +0100
Code Review : https://chromium-review.googlesource.com/883121
Regress : test\mjsunit\regress\regress-804801.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f() { return 42; }
const bound_function = f.bind();
const callable_proxy = new Proxy(function(){}.__proto__, {});
function testSet(ctor) {
new ctor([]);
new ctor([{},{}]);
}
function testMap(ctor) {
new ctor([]);
new ctor([[{},{}],[{},{}]]);
}
function testAllVariants(set_or_add_function) {
Set.prototype.add = set_or_add_function;
testSet(Set);
WeakSet.prototype.add = set_or_add_function;
testSet(WeakSet);
Map.prototype.set = set_or_add_function;
testMap(Map);
WeakMap.prototype.set = set_or_add_function;
testMap(WeakMap);
}
testAllVariants(bound_function);
testAllVariants(callable_proxy);
Issue: https://crbug.com/804177
Commit: [builtins] Fix Array.of crashes by setting length correctly
Date(Commit): Tue, 23 Jan 2018 21:26:34 +0000
Code Review : https://chromium-review.googlesource.com/880922
Regress : test\mjsunit\regress\regress-804177.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Tests that insertion at the beginning via unshift won't crash when using a
// constructor that creates an array larger than normal. (Also values inserted
// by original constructor past the end should not survive into the result of
// unshift).
(function testUnshift() {
a = [1];
function f() {
return a;
}
b = Array.of.call(f);
b.unshift(2);
assertEquals(b, [2]);
})();
// Tests that insertion past the end won't expose values previously put into the
// backing store by using a constructor that creates an array larger than normal.
(function testInsertionPastEnd() {
a = [9,9,9,9];
function f() {
return a;
}
b = Array.of.call(f,1,2);
b[4] = 1;
assertEquals(b, [1, 2, undefined, undefined, 1]);
})();
// Tests that using Array.of with a constructor returning an object with an
// unwriteable length throws a TypeError.
(function testFrozenArrayThrows() {
function f() {
return Object.freeze([1,2,3]);
}
assertThrows(function() { Array.of.call(f); }, TypeError);
})();
Issue: https://crbug.com/804288
Commit: [typedarray] Use native context in elements accessor.
Date(Commit): Mon, 22 Jan 2018 14:53:04 +0100
Code Review : https://chromium-review.googlesource.com/878324
Regress : test\mjsunit\regress\regress-804288.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var arr = [{}];
Object.setPrototypeOf(arr, {});
var ta = new Uint8Array(arr);
let kDeclNoLocals = 0;
Issue: https://crbug.com/804096
Commit: [turbofan] Fix deoptimization framestate in A.p.reduce[Right]
Date(Commit): Mon, 22 Jan 2018 12:34:05 +0100
Code Review : https://chromium-review.googlesource.com/878120
Regress : test\mjsunit\regress\regress-804096.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --opt
for (let i = 0; i < 5000; i++) {
try {
[].reduce(function() {});
} catch (x) {
}
}
Commit: [parser] Fix declaration order of "arguments" and func name.
Date(Commit): Mon, 15 Jan 2018 10:09:46 +0100
Code Review : https://chromium-review.googlesource.com/865900
Regress : test\mjsunit\regress\regress-801772.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function foo(f) { f(); }
foo(function arguments() {
function skippable() { }
});
Issue: https://crbug.com/v8/5855
Commit: Remove always-true --harmony-async-iteration runtime flag
Date(Commit): Fri, 12 Jan 2018 11:33:13 -0800
Code Review : https://chromium-review.googlesource.com/858381
Regress : test\mjsunit\harmony\regress\regress-6322.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Crash with --verify-heap
(async function() { for await (let { a = class b { } } of [{}]) { } })();
(async function() { var a; for await ({ a = class b { } } of [{}]) { } })();
Issue: https://crbug.com/800810
Commit: [elements] Fix overzealous DCHECK in Array.prototype.includes
Date(Commit): Fri, 12 Jan 2018 11:54:45 +0100
Code Review : https://chromium-review.googlesource.com/860927
Regress : test\mjsunit\regress\regress-crbug-800810.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var array = [];
Object.defineProperty(array , 506519, {});
Object.defineProperty(array , 3, {
get: function () {
Object.defineProperty(array , undefined, {
})
}
});
array.includes(61301);
Issue: https://crbug.com/800538
Commit: [regexp] Fix fast/slow-path dispatch in RegExp.p.get flags
Date(Commit): Wed, 10 Jan 2018 14:52:14 +0100
Code Review : https://chromium-review.googlesource.com/859767
Regress : test\mjsunit\regress\regress-800538.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
RegExp.prototype.__defineGetter__("global", () => true);
assertEquals("/()/g", /()/.toString());
Issue: https://crbug.com/801171
Commit: [regexp] Fix spec ordering issue in @@split
Date(Commit): Fri, 12 Jan 2018 11:26:51 +0100
Code Review : https://chromium-review.googlesource.com/863644
Regress : test\mjsunit\regress\regress-801171.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let called_custom_unicode_getter = false;
const re = /./;
function f() {
re.__defineGetter__("unicode", function() {
called_custom_unicode_getter = true;
});
return 2;
}
assertEquals(["","",], re[Symbol.split]("abc", { valueOf: f }));
// The spec mandates retrieving the regexp instance's flags before
// ToUint(limit), i.e. the unicode getter must still be unmodified when
// flags are retrieved.
assertFalse(called_custom_unicode_getter);
Issue: https://crbug.com/797481
Commit: [regexp] Add stack check to RegExpExec
Date(Commit): Tue, 9 Jan 2018 11:58:05 +0100
Code Review : https://chromium-review.googlesource.com/856777
Regress : test\mjsunit\regress\regress-797481.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --stack-size=100
const a = /x/;
a.exec = RegExp.prototype.test;
assertThrows(() => RegExp.prototype.test.call(a), RangeError);
Issue: https://crbug.com/v8/4958
Commit: Reland: Enable --harmony-function-tostring by default
Date(Commit): Tue, 19 Dec 2017 12:14:44 -0700
Code Review : https://chromium-review.googlesource.com/834458
Regress : test\mjsunit\regress\regress-crbug-663410.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function alert(x) {};
assertThrows(
'Function("a=`","`,xss=1){alert(xss)")'
);
Issue: https://crbug.com/798644
Commit: [elements] Fix Object.entries/values with changing elements
Date(Commit): Wed, 10 Jan 2018 14:00:20 +0100
Code Review : https://chromium-review.googlesource.com/856816
Regress : test\mjsunit\regress\regress-crbug-798644.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
let arr = [];
// Make the array large enough to trigger re-checking for compaction.
arr[1000] = 0x1234;
arr.__defineGetter__(256, function () {
// Remove the getter so we can compact the array.
delete arr[256];
// Trigger compaction.
arr.unshift(1.1);
});
let results = Object.entries(arr);
%HeapObjectVerify(results);
%HeapObjectVerify(arr);
let str = results.toString();
Issue: https://crbug.com/799690
Commit: [asm] Store source position for all loops
Date(Commit): Tue, 9 Jan 2018 13:46:34 +0100
Code Review : https://chromium-review.googlesource.com/856338
Regress : test\mjsunit\regress\regress-799690.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --stack-size=500
function asm() {
"use asm";
function f(a) {
a = a | 0;
while (1) return 1;
return 0;
}
return { f: f};
}
const mod = asm();
function call_f() {
mod.f();
call_f();
}
assertThrows(call_f, RangeError);
Issue: https://crbug.com/800077
Commit: [csa] Fix type casing in GetProperty
Date(Commit): Tue, 9 Jan 2018 07:33:29 +0900
Code Review : https://chromium-review.googlesource.com/855138
Regress : test\mjsunit\regress\regress-crbug-800077.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var sample = new Float64Array(1);
Reflect.has(sample, undefined);
Issue: https://crbug.com/799813
Commit: [regexp] Properly handle large values in AdvanceStringIndex
Date(Commit): Tue, 9 Jan 2018 10:36:45 +0100
Code Review : https://chromium-review.googlesource.com/854272
Regress : test\mjsunit\regress\regress-799813.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function testAdvanceLastIndex(initial_last_index_value,
expected_final_last_index_value) {
let exec_call_count = 0;
let last_index_setter_call_count = 0;
let final_last_index_value;
var customRegexp = {
get global() { return true; },
get unicode() { return true; },
get lastIndex() {
return initial_last_index_value;
},
set lastIndex(v) {
last_index_setter_call_count++;
final_last_index_value = v;
},
exec() {
return (exec_call_count++ == 0) ? [""] : null;
}
};
RegExp.prototype[Symbol.replace].call(customRegexp);
assertEquals(2, exec_call_count);
assertEquals(2, last_index_setter_call_count);
assertEquals(expected_final_last_index_value, final_last_index_value);
}
testAdvanceLastIndex(-1, 1);
testAdvanceLastIndex( 0, 1);
testAdvanceLastIndex(2**31 - 2, 2**31 - 1);
testAdvanceLastIndex(2**31 - 1, 2**31 - 0);
testAdvanceLastIndex(2**32 - 3, 2**32 - 2);
testAdvanceLastIndex(2**32 - 2, 2**32 - 1);
testAdvanceLastIndex(2**32 - 1, 2**32 - 0);
testAdvanceLastIndex(2**53 - 2, 2**53 - 1);
testAdvanceLastIndex(2**53 - 1, 2**53 - 0);
testAdvanceLastIndex(2**53 - 0, 2**53 - 0);
Issue: https://crbug.com/v8/7245
Commit: [builtins] Port Proxy.revocable() to CSA
Date(Commit): Fri, 5 Jan 2018 22:40:40 +0800
Code Review : https://chromium-review.googlesource.com/844065
Regress : test\mjsunit\regress\regress-v8-7245.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const { revoke } = Proxy.revocable({}, {});
assertEquals("", revoke.name);
Issue: https://crbug.com/798026
Commit: [Builtins] Eliminate the fast path in constructor entries
Date(Commit): Thu, 4 Jan 2018 15:57:29 +0100
Code Review : https://chromium-review.googlesource.com/850356
Regress : test\mjsunit\regress\regress-crbug-798026.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --expose-gc
array = new Array(4 * 1024 * 1024);
Set.prototype.add = value => {
if (array.length != 1) {
array.length = 1;
gc();
}
}
new Set(array);