Skip to content

Latest commit

 

History

History
6609 lines (4615 loc) · 210 KB

2020.md

File metadata and controls

6609 lines (4615 loc) · 210 KB

test\mjsunit\regress\regress-1158124.js

Issue: https://crbug.com/1158124

Commit: [api] Its sufficient for the holder in api call to be a JSReceier

Date(Commit): Wed, 16 Dec 2020 22:31:04 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2596336

Regress : test\mjsunit\regress\regress-1158124.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --log-code

o = new Proxy(this, {});
o.printErr();

test\mjsunit\regress\regress-11274.js

Issue: https://crbug.com/v8/11274

Commit: [runtime] Fix TypedArrayPrototype protector cell checks

Date(Commit): Wed, 16 Dec 2020 15:41:50 +0000

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2594776

Regress : test\mjsunit\regress\regress-11274.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

var typedArrayProto = Uint8Array.prototype.__proto__;
var typedArrayConstructor = Uint8Array.prototype.constructor[Symbol.species];
var called = false;

Uint8Array.prototype.__proto__ = {};
Uint8Array.prototype.constructor = {
    get [Symbol.species]() {
        called = true;
        return typedArrayConstructor;
    }
}

Uint8Array.prototype.__proto__ = typedArrayProto;
var arr = new Uint8Array(8);
arr.slice(1, 5);
assertTrue(called);

test\mjsunit\compiler\regress-1158049.js

Issue:

Commit: [turbofan] Update Node type in JSTypedLowering::ReduceJSToNumeric

Date(Commit): Tue, 15 Dec 2020 17:42:40 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2593336

Regress : test\mjsunit\compiler\regress-1158049.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

const v2 = Symbol.unscopables;

function v6(v7,v8,v9,v10) {
  try {
    let v11 = eval && v2;
    const v12 = v11++;
  } catch(v13) {}
}

for (let v17 = 1; v17 < 10000; v17++) {
  const v18 = v6();
}

test\mjsunit\regress\regress-v8-11261.js

Issue: https://crbug.com/v8/11261

Commit: [parser] Fix parsing "new super.x"

Date(Commit): Tue, 15 Dec 2020 12:51:07 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2593248

Regress : test\mjsunit\regress\regress-v8-11261.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

let obj = ({ __proto__: { x: class {} }, y() { return new super.x; } });
obj.y();

class A { static a = class {} }
class B extends A { static b() { return new super.a(); } }
B.b();

test\mjsunit\regress\regress-1152231.js

Issue: https://crbug.com/1152231

Commit: Update next_enumeration_index_ correctly in ObjectDescriptor

Date(Commit): Fri, 11 Dec 2020 09:46:11 +0000

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2577463

Regress : test\mjsunit\regress\regress-1152231.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.


function ID(x) {
  return x;
}

function f2(v) {
  var p = v.prototype;
  Object.defineProperty(p, undefined, { });
  assertArrayEquals(['constructor', 'a', 'b', 'c', 'd', 'undefined'],
                    Object.getOwnPropertyNames(p));
}

function f22() {
  class class1 {
    a() {
    }
    get [ID('b')]() {
    }
    c() {
    }
    d() {
    }
  }
  f2(class1);
};

f22();

test\mjsunit\regress\regress-1154961.js

Issue:

Commit: [TurboProp] Fix dynamic check maps register saving on x64

Date(Commit): Fri, 4 Dec 2020 17:02:37 +0000

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2574697

Regress : test\mjsunit\regress\regress-1154961.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --turboprop --stack-size=100

function runNearStackLimit(f) {
  function t() {
    try {
      return t();
    } catch (e) {
      return f();
    }
  }
  return t();
}

function baz(f) {
  return [[f(1)], 1, 2, 3, 4, 5, 6, 7, 8];
}

function foo(__v_3) {
  try {
    var arr = baz(__v_3);
  } catch (e) {}
  try {
    for (var i = 0; i < arr.length; i++) {
      function bar() {
        return arr[i];
      }
      try {
        throw e;
      } catch (e) {}
    }
  } catch (e) {}
}

%PrepareFunctionForOptimization(foo);
foo(a => a);
foo(a => a);
%OptimizeFunctionOnNextCall(foo);
runNearStackLimit(() => { foo(a => a); });

test\mjsunit\regress\wasm\regress-11206.js

Issue: https://crbug.com/v8/11206

Commit: [turbofan] Adjust spill slot range for multi-value return

Date(Commit): Thu, 3 Dec 2020 10:15:40 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2569762

Regress : test\mjsunit\regress\wasm\regress-11206.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --experimental-wasm-mv --expose-gc --stress-compaction
// Flags: --stress-scavenge=16

load('test/mjsunit/wasm/wasm-module-builder.js');

(function TestReturnOddNumberOfReturns() {
  let builder = new WasmModuleBuilder();
  let void_sig = builder.addType(kSig_v_v);
  let mv_sig = builder.addType(
      makeSig([], [kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmI32]));

  let gc_index = builder.addImport('q', 'gc', void_sig);
  builder.addFunction('main', mv_sig)
      .addBodyWithEnd([
        kExprCallFunction, gc_index,
        kExprI32Const, 1,
        kExprI32Const, 2,
        kExprI32Const, 3,
        kExprI32Const, 4,
        kExprI32Const, 5,
        kExprEnd
      ])
      .exportFunc();

  let instance = builder.instantiate({q: {gc: gc}});

  instance.exports.main();
})();

(function TestReturnEvenNumberOfReturns() {
  let builder = new WasmModuleBuilder();
  let void_sig = builder.addType(kSig_v_v);
  let mv_sig =
      builder.addType(makeSig([], [kWasmI32, kWasmI32, kWasmI32, kWasmI32]));

  let gc_index = builder.addImport('q', 'gc', void_sig);
  builder.addFunction('main', mv_sig)
      .addBodyWithEnd([
        kExprCallFunction, gc_index,
        kExprI32Const, 1,
        kExprI32Const, 2,
        kExprI32Const, 3,
        kExprI32Const, 4,
        kExprEnd
      ])
      .exportFunc();

  let instance = builder.instantiate({q: {gc: gc}});

  instance.exports.main();
})();

test\mjsunit\regress\regress-unlink-closures-on-deopt.js

Issue:

Commit: [cleanup][TurboProp] Unify DynamicMapChecks names.

Date(Commit): Wed, 2 Dec 2020 09:34:53 +0000

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2567952

Regress : test\mjsunit\regress\regress-unlink-closures-on-deopt.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --noalways-opt

function foo() {
  function g(o) {
    return o.f;
  }
  return g;
}

let g1 = foo();
let g2 = foo();
%PrepareFunctionForOptimization(g1);

g1({ f : 1});
g1({ f : 2});
g2({ f : 2});
g2({ f : 2});

%OptimizeFunctionOnNextCall(g1);
g1({ f : 1});

%PrepareFunctionForOptimization(g2);
%OptimizeFunctionOnNextCall(g2);
g2({ f : 2});
g1({});
if (%DynamicCheckMapsEnabled()) {
  // One more call to ensure a deopt even if dynamic map checks is enabled.
  g1({});
}

assertUnoptimized(g1);

// Deoptimization of g1 should also deoptimize g2 because they should share
// the optimized code object.  (Unfortunately, this test bakes in various
// other assumptions about dealing with optimized code, and thus might break
// in future.)
assertUnoptimized(g2);

g2({});

test\mjsunit\regress\wasm\regress-1152937.js

Issue: https://crbug.com/1152937

Commit: [wasm] Interface should only be called for 'br' if ok()

Date(Commit): Thu, 26 Nov 2020 14:07:32 +0000

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2562239

Regress : test\mjsunit\regress\wasm\regress-1152937.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Test that decoding of 'br' exits early and does not invoke the codegen
// interface when reading the LEB128 branch target fails.

load('test/mjsunit/wasm/wasm-module-builder.js');

const builder = new WasmModuleBuilder();
builder.addFunction(undefined, kSig_v_v)
  .addBodyWithEnd([kExprBr, 0xFF]);

assertThrows(() => builder.instantiate(), WebAssembly.CompileError);

test\mjsunit\regress\regress-crbug-1151890.js

Issue:

Commit: [bigint] Fix possibly-uninitialized leading digit on right shift

Date(Commit): Wed, 25 Nov 2020 23:09:27 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2561618

Regress : test\mjsunit\regress\regress-crbug-1151890.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

for (let i = 0, j = 0; i < 10; ++i) {
  let x = (-0xffffffffffffffff_ffffffffffffffffn >> 0x40n);
  assertEquals(-0x10000000000000000n, x);
  %SimulateNewspaceFull();
}

test\mjsunit\compiler\regress-1150649.js

Issue: https://crbug.com/1150649

Commit: [compiler] Fix a bug in SimplifiedLowering

Date(Commit): Tue, 24 Nov 2020 09:41:10 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2557498

Regress : test\mjsunit\compiler\regress-1150649.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo(a) {
  var y = 0x7fffffff;  // 2^31 - 1

  // Widen the static type of y (this condition never holds).
  if (a == NaN) y = NaN;

  // The next condition holds only in the warmup run. It leads to Smi
  // (SignedSmall) feedback being collected for the addition below.
  if (a) y = -1;

  const z = (y + 1)|0;
  return z < 0;
}

%PrepareFunctionForOptimization(foo);
assertFalse(foo(true));
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo(false));

test\mjsunit\regress\regress-1145990.js

Issue: https://crbug.com/1145990

Commit: [nci] Fix arguments order in call of ConstructWithSpread_WithFeedback

Date(Commit): Mon, 23 Nov 2020 15:19:06 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2549952

Regress : test\mjsunit\regress\regress-1145990.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

class B { }

class C extends B {
  #field = 'test';
}

for (let i = 0; i < 10000; i++) {
  new C();
}

test\mjsunit\regress\regress-11115.js

Issue: https://crbug.com/v8/11115

Commit: Fix rare stack overflow in instanceof

Date(Commit): Tue, 17 Nov 2020 23:36:22 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2545624

Regress : test\mjsunit\regress\regress-11115.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --stack-size=100

var f = function() {}

for (var i = 0; i < 1000; ++i) {
  f = f.bind();
  Object.defineProperty(f, Symbol.hasInstance, {value: undefined});
}

try {
  ({}) instanceof f;  // Don't overflow the stack!
} catch (e) {
  // Throwing a RangeError is okay.
}

test\mjsunit\compiler\regress-crbug-1148758.js

Issue: https://crbug.com/1148758

Commit: [super] Fix: receiver can be null / undefined

Date(Commit): Thu, 19 Nov 2020 15:11:09 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2549941

Regress : test\mjsunit\compiler\regress-crbug-1148758.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --interrupt-budget=100

var caught = 0;

function runManyTimes(f) {
  for (let i = 0; i < 1000; ++i) {
    try {
      // Seems to be important that this is inside a try catch.
      f();
    } catch (e) {
      assertUnreachable();
    }
  }
}

let A = {
  get foo() {
    return 0;
  }
};

let B = {
  __proto__: A,

  aa() {
    "use strict";
    super.foo;
  }
};

var superAccessingFunc = B.aa;

runManyTimes(function () {
  try {
    superAccessingFunc();
  } catch (e) {
    caught++;
  }
});

assertEquals(0, caught);

test\mjsunit\regress\regress-1141502.js

Issue: https://crbug.com/v8/8888

Commit: [compiler] Rename --turboprop-dynamic-map-checks

Date(Commit): Wed, 18 Nov 2020 12:51:57 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2546693

Regress : test\mjsunit\regress\regress-1141502.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --no-lazy-feedback-allocation
// Flags: --turbo-dynamic-map-checks

function bar(a) {
  return a.x;
}

function foo(a) {
  return 1 * bar(a);
}

var obj = {x: 2};

%PrepareFunctionForOptimization(foo);
foo(obj, obj);
%OptimizeFunctionOnNextCall(foo);
assertThrows(() => foo());

test\mjsunit\regress\regress-1146013.js

Issue: https://crbug.com/1146013

Commit: [nci] Fix DCHECK(function->is_compiled()) in CompileOptimized

Date(Commit): Thu, 12 Nov 2020 08:11:11 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2532297

Regress : test\mjsunit\regress\regress-1146013.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --no-use-ic --interrupt-budget=1000

try {
} catch (e) {}
class __c_0 extends class {} {
  constructor() {
    let __v_18 = () => {
      for (let __v_19 = 0; __v_19 < 10; __v_19++) {
        this.x;
      }
    };
    super();
    __v_18();
  }
}
for (let __v_21 = 0; __v_21 < 10000; __v_21++) {
  new __c_0();
}

test\mjsunit\regress-crbug-1078825.js

Issue: https://crbug.com/v8/9808

Commit: [flags] Remove --harmony-promise-any

Date(Commit): Wed, 11 Nov 2020 16:22:12 -0800

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2510869

Regress : test\mjsunit\regress-crbug-1078825.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax

load('test/mjsunit/test-async.js');

(function() {
  const p1 = Promise.reject(1);
  const p2 = Promise.resolve(1);
  Object.defineProperty(p2, "then", {});

  testAsync(assert => {
    assert.plan(1);
    Promise.any([p1, p2]).then(
      assert.unreachable,
      (e) => { assert.equals(true, e instanceof TypeError); });
    });
})();

test\mjsunit\regress\regress-1145988.js

Issue: https://crbug.com/1145988

Commit: [nci] Check Isolate::concurrent_recompilation_enabled

Date(Commit): Wed, 11 Nov 2020 13:31:04 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2531781

Regress : test\mjsunit\regress\regress-1145988.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

__f_1();
function __f_1() {
  for (var __v_3 = 0; __v_3 < 100000; __v_3++) {
  }
}
__f_1();

test\mjsunit\regress-1146106.js

Issue: https://crbug.com/v8/9237

Commit: [super] Optimize super property access in JSNativeContextSpecialization

Date(Commit): Tue, 10 Nov 2020 09:28:22 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2527092

Regress : test\mjsunit\regress-1146106.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --concurrent-inlining --no-use-ic --super-ic

class A {
  bar() { }
}
class B extends A {
  foo() {
    return super.bar();
  }
}
%PrepareFunctionForOptimization(B.prototype.foo);
new B().foo();
%OptimizeFunctionOnNextCall(B.prototype.foo);
new B().foo();

test\mjsunit\compiler\regress-1146652.js

Issue: https://crbug.com/1146652

Commit: [compiler] Fix use of HeapObjectMatcher

Date(Commit): Sat, 7 Nov 2020 12:22:59 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2524440

Regress : test\mjsunit\compiler\regress-1146652.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function IsDataView(obj) {
  return obj.getFloat64;
}
%NeverOptimizeFunction(IsDataView);

function bar(obj) {
  if (IsDataView(obj)) obj.getFloat64(0);
}

%PrepareFunctionForOptimization(bar);
bar(new DataView(new ArrayBuffer(42)));

const proxy = new Proxy({}, {});
function foo() { bar(proxy) }

%PrepareFunctionForOptimization(foo);
foo();

%OptimizeFunctionOnNextCall(foo);
foo();

test\mjsunit\regress\regress-1144672.js

Issue: https://crbug.com/1144672

Commit: [deoptimizer] Fix define typo and inlined frame base

Date(Commit): Tue, 3 Nov 2020 16:15:31 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2512923

Regress : test\mjsunit\regress\regress-1144672.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function g(b) {
  const _ = Object.getOwnPropertyDescriptors(g);
  // for (const _ of b) {}
}

function f(...a) {
  g(a);
}

%PrepareFunctionForOptimization(f);
%PrepareFunctionForOptimization(g);
f([]);
%OptimizeFunctionOnNextCall(f);
f([]);

test\mjsunit\regress\regress-1143772.js

Issue: https://crbug.com/1143772

Commit: [map] Try to in-place transition during map update

Date(Commit): Thu, 29 Oct 2020 21:47:46 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2507715

Regress : test\mjsunit\regress\regress-1143772.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax

(function() {
    // Only run this test if doubles are transitioned in-place to tagged.
    let x = {};
    x.a = 0.1;
    let y = {};
    y.a = {};
    if (!%HaveSameMap(x, y)) return;

    // m1: {}
    let m1 = {};

    // m2: {a:d}
    let m2 = {};
    assertTrue(%HaveSameMap(m2, m1));
    m2.a = 13.37;

    // m3: {a:d, b:s}
    let m3 = {};
    m3.a = 13.37;
    assertTrue(%HaveSameMap(m3, m2));
    m3.b = 1;

    // m4: {a:d, b:s, c:h}
    let m4 = {};
    m4.a = 13.37;
    m4.b = 1;
    assertTrue(%HaveSameMap(m4, m3));
    m4.c = {};

    // m4_2 == m4
    let m4_2 = {};
    m4_2.a = 13.37;
    m4_2.b = 1;
    m4_2.c = {};
    assertTrue(%HaveSameMap(m4_2, m4));

    // m5: {a:d, b:d}
    let m5 = {};
    m5.a = 13.37;
    assertTrue(%HaveSameMap(m5, m2));
    m5.b = 13.37;
    assertFalse(%HaveSameMap(m5, m3));

    // At this point, Map3 and Map4 are both deprecated. Map2 transitions to
    // Map5. Map5 is the migration target for Map3.
    assertFalse(%HaveSameMap(m5, m3));

    // m6: {a:d, b:d, c:d}
    let m6 = {};
    m6.a = 13.37;
    assertTrue(%HaveSameMap(m6, m2));
    m6.b = 13.37;
    assertTrue(%HaveSameMap(m6, m5));
    m6.c = 13.37

    // Make m7: {a:d, b:d, c:t}
    let m7 = m4_2;
    assertTrue(%HaveSameMap(m7, m4));
    // Map4 is deprecated, so this property access triggers a Map migration.
    // With in-place map updates and no double unboxing, this should end up
    // migrating to Map6, and updating it in-place.
    m7.c;
    assertFalse(%HaveSameMap(m7, m4));
    assertTrue(%HaveSameMap(m6, m7));
})();

test\mjsunit\regress\regress-crbug-696622.js

Issue: https://crbug.com/v8/10111

Commit: [class] Fix super call evaluation order

Date(Commit): Thu, 29 Oct 2020 08:26:02 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2493077

Regress : test\mjsunit\regress\regress-crbug-696622.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

class C {}
class D extends C { constructor() { super(...unresolved, 75) } }
D.__proto__ = null;

%PrepareFunctionForOptimization(D);
// ReferenceError because argument evaluation happens before calling the super
// constructor.
assertThrows(() => new D(), ReferenceError);
assertThrows(() => new D(), ReferenceError);
%OptimizeFunctionOnNextCall(D);
assertThrows(() => new D(), ReferenceError);

test\mjsunit\regress\regress-crbug-1137594.js

Issue: https://crbug.com/v8/7790

Commit: Reland x2 "[compiler] Replace Symbol with direct reads""

Date(Commit): Tue, 27 Oct 2020 14:33:47 +0000

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2400988

Regress : test\mjsunit\regress\regress-crbug-1137594.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

v = { symbol: Symbol() };
function f() {
  for (var i = 0; i < 1; ++i) {
    try { v.symbol(); } catch (e) {}
  }
}

%PrepareFunctionForOptimization(f);
f();
%OptimizeFunctionOnNextCall(f);
f();

test\mjsunit\regress\regress-542823.js

Issue:

Commit: [test] Fix mjsunit/regress/regress-542823 on PPC

Date(Commit): Tue, 27 Oct 2020 13:27:02 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2502330

Regress : test\mjsunit\regress\regress-542823.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax

(function() {
  // kPageSizeBits is 19 on PPC.
  const kPageSizeBits = 19;
  const kMaxHeapObjectSize = (1 << (kPageSizeBits - 1));

  const filler = "Large amount of text per element, so that the joined array is"
      + "large enough to be allocated in the large object space"
  const size = Math.ceil(kMaxHeapObjectSize / filler.length + 1);
  const arr = Array(size).fill(filler);

  for (let i = 0; i < 10; i++) {
    assertTrue(%InLargeObjectSpace(arr.join("")));
  }

})();

test\mjsunit\regress\regress-1142158.js

Issue: https://crbug.com/1142158

Commit: [arm] Correctly push and pop double registers on deopt entry

Date(Commit): Tue, 27 Oct 2020 11:46:00 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2498686

Regress : test\mjsunit\regress\regress-1142158.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax

var __v_0 = {};
var __v_13 = {};
var __v_14 = {};
var __v_15 = {};
var __v_16 = {};
var __v_17 = {};
var __v_18 = {};
function __f_6(x, deopt) {
  var __v_1 = x;
  var __v_2 = 2 * x;
  var __v_3 = 3 * x;
  var __v_4 = 4 * x;
  var __v_5 = 5 * x;
  var __v_6 = 6 * x;
  var __v_7 = 7 * x;
  var __v_9 = 9 * x;
  var __v_10 = 10 * x;
  var __v_11 = 11 * x;
  var __v_12 = 12 * x;
  var __v_20 = 18 * x;
  var __v_19 = 19 * x;
  var __v_8 = 20 * x;
  __v_0 = 1;
  deopt + -2147483648;
  return __v_1 + __v_2 + __v_3 + __v_4 + __v_5 + __v_6 + __v_7 + __v_8 + __v_9 + __v_10 + __v_11 + __v_12 + __v_13 +
      __v_14 + __v_15 + __v_16 + __v_17 + __v_18 + __v_19 + __v_20;
};
%PrepareFunctionForOptimization(__f_6);
__f_6();
%OptimizeFunctionOnNextCall(__f_6);
assertEquals("45[object Object][object Object][object Object][object Object][object Object][object Object]9.59", __f_6(0.5, ""));

test\mjsunit\regress\wasm\regress-11024.js

Issue: https://crbug.com/v8/11024

Commit: [wasm] Deserialized code is marked with top-tier-finished

Date(Commit): Fri, 23 Oct 2020 15:58:59 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2494930

Regress : test\mjsunit\regress\wasm\regress-11024.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// The test needs --wasm-tier-up because we can't serialize and deserialize
// Liftoff code.
// Flags: --expose-wasm --allow-natives-syntax --expose-gc --wasm-tier-up

load("test/mjsunit/wasm/wasm-module-builder.js");


const wire_bytes = new WasmModuleBuilder().toBuffer();

const serialized = (() => {
  return %SerializeWasmModule(new WebAssembly.Module(wire_bytes));
})();

// Collect the compiled module, to avoid sharing of the NativeModule.
gc();

const module = %DeserializeWasmModule(serialized, wire_bytes);
%SerializeWasmModule(module);

test\mjsunit\compiler\regress-1125145.js

Issue: https://crbug.com/1142240

Commit: [compiler] Fix bug in JSBoundFunction::Serialize

Date(Commit): Mon, 26 Oct 2020 10:19:12 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2497170

Regress : test\mjsunit\compiler\regress-1125145.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --opt

function foo() {}
for (let i = 0; i < 100000; ++i) {
  foo = foo.bind();
}

function main() {
  foo();
  foo();
}

%PrepareFunctionForOptimization(main);
main();
%OptimizeFunctionOnNextCall(main);
main();

test\mjsunit\regress\wasm\regress-1140549.js

Issue: https://crbug.com/1140549

Commit: [wasm][liftoff][ia32] Fix register allocation of CompareExchange

Date(Commit): Thu, 22 Oct 2020 11:38:50 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2491031

Regress : test\mjsunit\regress\wasm\regress-1140549.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --wasm-staging

load('test/mjsunit/wasm/wasm-module-builder.js');

const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false, true);
builder.addType(makeSig([], []));
builder.addFunction(undefined, 0 /* sig */)
  .addBodyWithEnd([
// signature: v_v
// body:
kExprI32Const, 0x00,
kExprI32Const, 0x00,
kExprI32Const, 0x00,
kAtomicPrefix, kExprI32AtomicCompareExchange8U, 0x00, 0xc3, 0x01,
kExprDrop,
kExprEnd,  // end @193
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
print(instance.exports.main(1, 2, 3));

test\mjsunit\regress\regress-1139782.js

Issue: https://crbug.com/1139782

Commit: [regexp] Add regression test for chromium:1139782

Date(Commit): Wed, 21 Oct 2020 12:06:57 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2488687

Regress : test\mjsunit\regress\regress-1139782.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

function main() {
    for (let v3 = 0; v3 < 120; v3++) {
        const v6 = [Int16Array,1111];
        let v12 = 577623200;
        const v14 = [2];
        const v18 = [1.7976931348623157e+308,1.7976931348623157e+308,1.7976931348623157e+308,1.7976931348623157e+308];
        const v20 = [1111,Uint8Array];
        const v21 = [v20,v20,v18,v20,1111,1111,1111,-1111];
        const v23 = [11.11,11.11,1.7976931348623157e+308,11.11,11.11];
        const v26 = -Infinity;
        const v27 = [v23,v26,1111,v18,Date,1111,-9007199254740992,v21];
        const v31 = [v14];
        const v32 = [v31,v12,"object",v21,1111,6.0,v18,v27,Int8Array];
        const v33 = ["65555",v26,v32];
        const v34 = v33.toLocaleString();
        let v35 = "659874589";
        v35 = v34;
        const v37 = [11.11,11.11,1111];
        const v38 = [v6];
        const v39 = [v38,v37,v38];
        v37[10000] = v23;
        v12 = v35;
        const v54 = [parseInt,v39];
        const v56 = String.fromCharCode();
        const v61 = [v12,1111,-9007199254740991,1111];
        const v63 = [11.11,v54,JSON,v61,11.11,v56,v61];
        const v64 = JSON.stringify(v63);
        const v65 = RegExp(v64);
        const v66 = v65.exec(v64);
    }
}

main();

test\mjsunit\regress\wasm\regress-1137608.js

Issue: https://crbug.com/1137608

Commit: [codegen] Skip invalid optimization in tail calls

Date(Commit): Thu, 15 Oct 2020 12:45:34 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2474784

Regress : test\mjsunit\regress\wasm\regress-1137608.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --no-liftoff --experimental-wasm-return-call --experimental-wasm-threads

load("test/mjsunit/wasm/wasm-module-builder.js");

(function Regress1137608() {
  print(arguments.callee.name);
  let builder = new WasmModuleBuilder();
  let sig0 = builder.addType(kSig_i_iii);
  let sig1 = builder.addType(makeSig([kWasmF64, kWasmF64, kWasmI32,
        kWasmI32, kWasmI32, kWasmF32, kWasmI32, kWasmF64, kWasmI32, kWasmF32,
        kWasmI32, kWasmF32, kWasmI32, kWasmF64, kWasmI32], [kWasmI32]));
  let main = builder.addFunction("main", sig0)
      .addBody([
        kExprI64Const, 0,
        kExprF64UConvertI64,
        kExprF64Const, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x00, 0x00,
        kExprF64Const, 0x30, 0x30, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00,
        kExprF64Mul,
        kExprI32Const, 0,
        kExprF64Const, 0x30, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        kExprF64StoreMem, 0x00, 0xb0, 0xe0, 0xc0, 0x81, 0x03,
        kExprI32Const, 0,
        kExprI32Const, 0,
        kExprI32Const, 0,
        kExprF32Const, 0x00, 0x00, 0x00, 0x00,
        kExprI32Const, 0,
        kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        kExprI32Const, 0,
        kExprF32Const, 0x00, 0x00, 0x00, 0x00,
        kExprI32Const, 0,
        kExprF32Const, 0x00, 0x00, 0x00, 0x00,
        kExprI32Const, 0,
        kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        kExprI32Const, 0,
        kExprI32Const, 2,
        kExprReturnCallIndirect, sig1, kTableZero]).exportFunc();
  builder.addFunction("f", sig1).addBody([kExprI32Const, 0]);
  builder.addTable(kWasmAnyFunc, 4, 4);
  builder.addMemory(16, 32, false, true);
  let module = new WebAssembly.Module(builder.toBuffer());
  let instance = new WebAssembly.Instance(module);
})();

test\mjsunit\regress\regress-1138611.js

Issue: https://crbug.com/1138075

Commit: Reland "[TurboProp] Avoid marking the output of a call live in its catch handler"

Date(Commit): Fri, 16 Oct 2020 13:57:04 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2476317

Regress : test\mjsunit\regress\regress-1138611.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --turboprop --gc-interval=1000

function runNearStackLimit(f) {
  function t() {
    try {
      return t();
    } catch (e) {
      return f();
    }
  }
  %PrepareFunctionForOptimization(t);
  %OptimizeFunctionOnNextCall(t);
  return t();
}

function foo() {
  runNearStackLimit(() => {});
}

(function () {
  var a = 42;
  var b = 153;
  try {
    Object.defineProperty({});
  } catch (e) {}
    foo();
    foo();
})();

runNearStackLimit(() => {});

test\mjsunit\regress\regress-1137979.js

Issue:

Commit: [TurboProp] Handle allocation of phis which are never used

Date(Commit): Wed, 14 Oct 2020 18:05:54 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2471998

Regress : test\mjsunit\regress\regress-1137979.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --turboprop --no-lazy-feedback-allocation
// Flags: --noanalyze-environment-liveness

function foo() {
  try {
    bar();
  } catch (e) {}
  for (var i = 0; i < 3; i++) {
    try {
      %PrepareFunctionForOptimization(foo);
      %OptimizeOsr();
    } catch (e) {}
  }
}

foo();
foo();

test\mjsunit\regress\regress-crbug-1137586.js

Issue: https://crbug.com/1137586

Commit: [turbofan] Avoid relaxing node that has other effect use

Date(Commit): Wed, 14 Oct 2020 11:11:50 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2469597

Regress : test\mjsunit\regress\regress-crbug-1137586.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

function f() {
  for (var i = 0; i < 100000; i++) {
    var a = arguments[0] + 2;
    var b = arguments[1] + 2;
    var c = a + i + 5;
    var d = c + 3;
  }
}

for (var j = 0; j < 3; j++) {
  f(2, 3);
}

test\mjsunit\regress\wasm\regress-1137582.js

Issue: https://crbug.com/1137582

Commit: [wasm] Add missing checks for growing the stack

Date(Commit): Tue, 13 Oct 2020 12:53:15 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2467796

Regress : test\mjsunit\regress\wasm\regress-1137582.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

load('test/mjsunit/wasm/wasm-module-builder.js');

const builder = new WasmModuleBuilder();
const results = new Array(9).fill(kWasmI32);
builder.addFunction('foo', makeSig([], results)).addBody([kExprUnreachable]);
builder.instantiate();

test\mjsunit\regress\regress-crbug-1130213.js

Issue: https://crbug.com/1130213

Commit: [d8] Fix Realm.owner on detached global proxy

Date(Commit): Thu, 8 Oct 2020 19:35:34 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2456087

Regress : test\mjsunit\regress\regress-crbug-1130213.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

Realm.createAllowCrossRealmAccess();
const global = Realm.global(1);
assertSame(1, Realm.owner(global));
Realm.detachGlobal(1);
assertSame(undefined, Realm.owner(global));

test\mjsunit\regress\regress-1132111.js

Issue:

Commit: [parser] Fix AST func reindexing for function fields

Date(Commit): Wed, 30 Sep 2020 15:19:13 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2440519

Regress : test\mjsunit\regress\regress-1132111.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Public function field with computed name
eval(`
  buggy = ((bug = new class { [0] = x => 1337.0; }) => bug);
`);

// Public method with computed name
eval(`
  buggy = ((bug = new class { [0](x) { return 1337.0}; }) => bug);
`);

// Private function field with computed name
eval(`
  buggy = ((bug = new class { #foo = x => 1337.0; }) => bug);
`);

// Private method with computed name
eval(`
  buggy = ((bug = new class { #foo(x) { return 1337.0; } }) => bug);
`);

test\mjsunit\regress\regress-10908.js

Issue:

Commit: Fix Array.p.pop() for read-only length 0

Date(Commit): Wed, 30 Sep 2020 15:31:21 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2440576

Regress : test\mjsunit\regress\regress-10908.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

let a = [];
Object.defineProperty(a, "length", {writable: false});
function f() {
  return a.pop();
}
assertThrows(f, TypeError, /Cannot assign to read only property 'length'/);

%PrepareFunctionForOptimization(f);
for (let i = 0; i < 3; i++) {
  assertThrows(f, TypeError, /Cannot assign to read only property 'length'/);
}
%OptimizeFunctionOnNextCall(f);
assertThrows(f, TypeError, /Cannot assign to read only property 'length'/);

test\mjsunit\regress\regress-10931.js

Issue:

Commit: [typedarray] Throw rather than crash when too large to sort

Date(Commit): Wed, 30 Sep 2020 16:36:15 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2440575

Regress : test\mjsunit\regress\regress-10931.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

const kLargerThanFixedArrayMaxLength = 200_000_000;
var x = new Int8Array(kLargerThanFixedArrayMaxLength);
try {
  var y = x.sort((a, b) => b - a);
} catch (e) {
  // Throwing is okay, crashing is not.
  assertInstanceof(e, TypeError);
  assertMatches(
      /not supported for huge TypedArrays/, e.message, 'Error message');
}

test\mjsunit\regress\wasm\regress-1132461.js

Issue: https://crbug.com/1132461

Commit: [wasm-simd] Protected load transforms are not eliminatable

Date(Commit): Tue, 29 Sep 2020 09:36:19 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2436081

Regress : test\mjsunit\regress\wasm\regress-1132461.js

// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --wasm-staging

// We load-splat a value, then drop it. Verify that the OOB load is not
// eliminated, it should trap. This test case is simplified from the fuzzer
// provided test case in https://crbug.com/1132461.
load('test/mjsunit/wasm/wasm-module-builder.js');

const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false, true);
builder.addFunction(undefined, makeSig([], [kWasmI32]))
  .addBodyWithEnd([
kExprI32Const, 0x00,
kExprI32Const, 0x00,
kSimdPrefix, kExprS128Load32Splat, 0x00, 0xb6, 0xec, 0xd8, 0xb1, 0x03,
kSimdPrefix, kExprI32x4ExtractLane, 0x00,
kExprDrop,
kExprEnd,
]);

builder.addExport('main', 0);
const instance = builder.instantiate();
assertThrows(() => instance.exports.main());

test\mjsunit\regress\wasm\regress-1116019.js

Issue: https://crbug.com/v8/10946

Commit: [wasm-simd] Rename load splat and load extend

Date(Commit): Tue, 22 Sep 2020 13:54:28 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2422357

Regress : test\mjsunit\regress\wasm\regress-1116019.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --experimental-wasm-simd

load('test/mjsunit/wasm/wasm-module-builder.js');

const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false);
builder.addType(makeSig([], [kWasmI32]));
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */)
  .addBodyWithEnd([
// signature: i_v
// body:
kExprI32Const, 0x00,  // i32.const
kSimdPrefix, kExprS128Load8x8U, 0x03, 0xff, 0xff, 0x3f,  // i16x8.load8x8_u
kSimdPrefix, kExprI16x8ExtractLaneS, 0,
kExprEnd,  // end @371
]).exportAs('main');
const instance = builder.instantiate();
assertTraps(kTrapMemOutOfBounds, () => instance.exports.main());

test\mjsunit\regress\wasm\regress-666741.js

Issue: https://crbug.com/v8/10577

Commit: Reland^5 "[flags] warn about contradictory flags"

Date(Commit): Fri, 18 Sep 2020 16:40:24 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2154792

Regress : test\mjsunit\regress\wasm\regress-666741.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --enable-slow-asserts --expose-wasm

(function __f_7() {
  assertThrows(() => new WebAssembly.Memory({initial: 79199}), RangeError);
})();

test\mjsunit\regress\regress-v8-9656.js

Issue: https://crbug.com/v8/10668

Commit: [test][d8] Add d8.log.getAndStop helper

Date(Commit): Tue, 15 Sep 2020 09:24:54 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2403245

Regress : test\mjsunit\regress\regress-v8-9656.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --no-flush-bytecode
// Flags: --no-stress-flush-bytecode
// Files: test/mjsunit/code-coverage-utils.js

%DebugToggleBlockCoverage(true);

try {
  throw new Error();
} catch (e) {
  e.stack;
}

test\mjsunit\regress\regress-6288.js

Issue: https://crbug.com/v8/7481

Commit: Fix locale of Intl.Collator..resolvedOptions

Date(Commit): Wed, 16 Sep 2020 08:03:45 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2410791

Regress : test\mjsunit\regress\regress-6288.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Environment Variables: LC_ALL=pt-BR.UTF8

// The data files packaged with d8 currently have Brazillian Portuguese
// DateTimeFormat and Collation

if (this.Intl) {
  assertEquals('pt-BR', Intl.Collator().resolvedOptions().locale);
  assertEquals('pt-BR', Intl.DateTimeFormat().resolvedOptions().locale);
}

test\mjsunit\compiler\regress-1127405.js

Issue: https://crbug.com/1127405

Commit: [compiler] Unpark local heap in more places

Date(Commit): Mon, 14 Sep 2020 17:27:29 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2410381

Regress : test\mjsunit\compiler\regress-1127405.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax
// Flags: --no-analyze-environment-liveness --no-use-ic --assert-types

const symbol = Symbol();

function foo(x) {
  try { x[symbol] = 42 } catch (e) {}
  new Number();
}

%PrepareFunctionForOptimization(foo);
foo({});
%OptimizeFunctionOnNextCall(foo);
foo({});

test\mjsunit\compiler\regress-1126249.js

Issue: https://crbug.com/1126249

Commit: [compiler] Fix bug in SimplifiedLowering's overflow computation

Date(Commit): Fri, 11 Sep 2020 16:37:47 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2404452

Regress : test\mjsunit\compiler\regress-1126249.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo(b) {
  var x = -0;
  var y = -0x80000000;

  if (b) {
    x = -1;
    y = 1;
  }

  return (x - y) == -0x80000000;
}

%PrepareFunctionForOptimization(foo);
assertFalse(foo(true));
%OptimizeFunctionOnNextCall(foo);
assertFalse(foo(false));

test\mjsunit\compiler\regress-1127319.js

Issue: https://crbug.com/1127319

Commit: [turbofan] Fix bug in inlining

Date(Commit): Mon, 14 Sep 2020 10:55:01 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2409273

Regress : test\mjsunit\compiler\regress-1127319.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --interrupt-budget=1024

function v1() {
  const v4 = Reflect;
  const v8 = [11.11];
  const v10 = {__proto__:1111, a:-1, c:RegExp, f:v8, d:1111, e:-1};
  const v12 = [11.11];
  function v13() {}
  const v16 = {a:v13, b:v13, c:v13, d:v13, e:v13, f:v13, g:v13, h:v13, i:v13, j:v13};
}

function foo() {
  let v22 = Number;
  v22 = v1;
  const v23 = false;
  if (v23) {
    v22 = Number;
  } else {
    function v24() {
      const v28 = ".Cactus"[0];
      for (let v32 = 0; v32 < 7; v32++) {}
    }
    new Promise(v24);
    try {
      for (const v37 of v36) {
        const v58 = [cactus,cactus,[] = cactus] = v117;
      }
    } catch(v119) {
    }
  }
  v22();
}

for (let i = 0; i < 10; i++) {
  foo();
}

test\mjsunit\regress\regress-crbug-882233-2.js

Issue: https://crbug.com/v8/10892

Commit: [turbofan] Fix some tests

Date(Commit): Fri, 11 Sep 2020 11:34:59 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2404774

Regress : test\mjsunit\regress\regress-crbug-882233-2.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --opt

// Intended to test bug [882233] on TF inlined (js-call-reducer) path.

function shift_array() {
  let array = [];
  Object.defineProperty(array, 'length', {writable : false});
  out = array; // Prevent array's map from dying too early.
  return array.shift();
}

%PrepareFunctionForOptimization(shift_array);
assertThrows(shift_array);
assertThrows(shift_array);
%OptimizeFunctionOnNextCall(shift_array);
assertThrows(shift_array);
assertOptimized(shift_array);


function shift_object() {
  let object = { length: 0 };
  Object.defineProperty(object, 'length', {writable : false});
  out = object; // Prevent object's map from dying too early.
  return object.shift();
}

%PrepareFunctionForOptimization(shift_object);
assertThrows(shift_object);
assertThrows(shift_object);
%OptimizeFunctionOnNextCall(shift_object);
assertThrows(shift_object);
assertOptimized(shift_object);

test\mjsunit\regress\wasm\regress-922670.js

Issue: https://crbug.com/v8/7748

Commit: [wasm][wasm-gc][test] Improve and extend Javascript testing API

Date(Commit): Thu, 10 Sep 2020 12:39:52 +0000

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2390144

Regress : test\mjsunit\regress\wasm\regress-922670.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

load('test/mjsunit/wasm/wasm-module-builder.js');

const builder = new WasmModuleBuilder();
const sig = builder.addType(makeSig([kWasmI32], []));
builder.addFunction(undefined, sig)
  .addLocals(kWasmI64, 1)
  .addBody([
    kExprLoop, kWasmI32,
      kExprLocalGet, 1,
      kExprI64Const, 1,
      kExprLoop, kWasmI32,
        kExprLocalGet, 0,
        kExprI32Const, 1,
        kExprI32Const, 1,
        kExprIf, kWasmI32,
          kExprI32Const, 1,
        kExprElse,
          kExprUnreachable,
          kExprEnd,
        kExprSelect,
        kExprUnreachable,
        kExprEnd,
      kExprUnreachable,
      kExprEnd,
    kExprUnreachable
]);
builder.instantiate();

test\mjsunit\compiler\regress-1126771.js

Issue: https://crbug.com/1126771

Commit: [compiler] Fix bug in ContextRef::previous

Date(Commit): Thu, 10 Sep 2020 09:45:47 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2402037

Regress : test\mjsunit\compiler\regress-1126771.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

let __callGC;
(function () {
  __callGC = function() {};
})();

var __v_5 = {};
var __v_9 = {x: {}};

function main() {
  function __f_6() { this.elms = new Array(); }
  __f_6.prototype.size = function () { return this.elms.length; };
  function __f_7() { this.v = new __f_6(); }
  __f_7.prototype.add = function (__v_25) { this.v.elms.push(__v_25); };
  __f_7.prototype.size = function () { return this.v.size(); };
  __f_7.prototype.execute = function () {
    for (var __v_28 = 0; __v_28 < this.size(); __v_28++) {
      delete __v_9[__v_9, 538276];
      __callGC();
    }
  };
  var __v_22 = new __f_7();
  for (var __v_23 = 0; __v_23 < 10; __v_23++) {
    try {
      if (__v_5 != null && typeof __v_5 == "object") {
        try {
          Object.defineProperty(__v_5, 807285, {get: function() {}});
        } catch (e) {}
      }
      __v_22.add();
    } catch (e) {}
  }
  __v_22.execute();
}

%PrepareFunctionForOptimization(main);
main();
main();
%OptimizeFunctionOnNextCall(main);
main();

test\mjsunit\regress\wasm\regress-1125951.js

Issue: https://crbug.com/v8/7581

Commit: Reland "[wasm][liftoff] Emit safepoints for externref values on the stack"

Date(Commit): Wed, 9 Sep 2020 12:33:44 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2398531

Regress : test\mjsunit\regress\wasm\regress-1125951.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --expose-wasm --liftoff --no-wasm-tier-up --print-code --wasm-staging
// Flags: --experimental-wasm-threads

load("test/mjsunit/wasm/wasm-module-builder.js");

(function testPrintCode() {
  let builder = new WasmModuleBuilder();
  builder.addMemory(1, undefined, false);
  builder
      .addFunction('main', makeSig([kWasmI32, kWasmI32, kWasmF64], [kWasmI32]))
      .addBody([
        kExprLocalGet, 0, kExprLocalGet, 1, kExprI64UConvertI32, kExprLocalGet,
        2, kExprI64SConvertF64, kAtomicPrefix, kExprI64AtomicWait, 0, 0
      ]);
  builder.instantiate();
})();

test\mjsunit\regress\regress-10802.js

Issue: https://crbug.com/v8/10802

Commit: [builtins] Use fast path for JSArray source in TypedArray.from()

Date(Commit): Tue, 1 Sep 2020 12:57:23 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2358749

Regress : test\mjsunit\regress\regress-10802.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

const arr = new Uint8Array([1, 2, 3]);

function mapper(x) {
  arr[1] = 182;
  return x + 1;
}

assertArrayEquals([2, 3, 4], Uint16Array.from(arr, mapper));

test\mjsunit\regress\wasm\regress-7785.js

Issue: https://crbug.com/v8/10852

Commit: [test] Enable --wasm-tier-up when test does serialization

Date(Commit): Tue, 1 Sep 2020 14:12:17 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2387574

Regress : test\mjsunit\regress\wasm\regress-7785.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// The test needs --wasm-tier-up because we can't serialize and deserialize
// Liftoff code.
// Flags: --allow-natives-syntax --experimental-wasm-reftypes --wasm-tier-up

load("test/mjsunit/wasm/wasm-module-builder.js");

(function testExternRefNull() {
  const builder = new WasmModuleBuilder();
  builder.addFunction('main', kSig_r_v)
      .addBody([kExprRefNull, kWasmExternRef])
      .exportFunc();

  var wire_bytes = builder.toBuffer();
  var module = new WebAssembly.Module(wire_bytes);
  var buffer = %SerializeWasmModule(module);
  module = %DeserializeWasmModule(buffer, wire_bytes);
  var instance = new WebAssembly.Instance(module);

  assertEquals(null, instance.exports.main());
})();

(function testExternRefIsNull() {
  const builder = new WasmModuleBuilder();
  builder.addFunction('main', kSig_i_r)
      .addBody([kExprLocalGet, 0, kExprRefIsNull])
      .exportFunc();

  var wire_bytes = builder.toBuffer();
  var module = new WebAssembly.Module(wire_bytes);
  var buffer = %SerializeWasmModule(module);
  module = %DeserializeWasmModule(buffer, wire_bytes);
  var instance = new WebAssembly.Instance(module);

  assertEquals(0, instance.exports.main({'hello' : 'world'}));
  assertEquals(0, instance.exports.main(1234));
  assertEquals(0, instance.exports.main(0));
  assertEquals(0, instance.exports.main(123.4));
  assertEquals(0, instance.exports.main(undefined));
  assertEquals(1, instance.exports.main(null));
  assertEquals(0, instance.exports.main(print));
})();

test\mjsunit\regress\regress-1123379.js

Issue: https://crbug.com/1123379

Commit: [compiler] Revisit graph end after a gasm reduction in call reducer

Date(Commit): Mon, 31 Aug 2020 12:03:45 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2384772

Regress : test\mjsunit\regress\regress-1123379.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --noanalyze-environment-liveness --interrupt-budget=1000

for (let __v_1 = 0; __v_1 < 5000; __v_1++) {
  try {
    [].reduce(function () {});
  } catch (__v_2) {}
}

__v_5 = {
  get: function () {
  }
};

test\mjsunit\regress\regress-1034449.js

Issue: https://crbug.com/v8/10846

Commit: [test] Make a few tests robust to GC stress

Date(Commit): Fri, 28 Aug 2020 17:18:48 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2381458

Regress : test\mjsunit\regress\regress-1034449.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --opt --no-always-opt
// Flags: --no-stress-flush-bytecode

function f(len) {
  return new Array(len);
}

%PrepareFunctionForOptimization(f);
assertEquals(3, f(3).length);
assertEquals(18, f(18).length);
%OptimizeFunctionOnNextCall(f);
assertEquals(4, f(4).length);
assertOptimized(f);
let a = f("8");
assertUnoptimized(f);
assertEquals(1, a.length);
assertEquals("8", a[0]);

// Check there is no deopt loop.
%PrepareFunctionForOptimization(f);
assertEquals(1, f(1).length);
%OptimizeFunctionOnNextCall(f);
assertEquals(8, f(8).length);
assertOptimized(f);
assertEquals(1, f("8").length);
assertOptimized(f);

test\mjsunit\asm\regress-1069173.js

Issue: https://crbug.com/1069173

Commit: [asm] Fix globals initialized by '-0'

Date(Commit): Fri, 28 Aug 2020 13:01:52 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2379861

Regress : test\mjsunit\asm\regress-1069173.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo() {
  "use asm";
  const v = -0;
  function bar() {
    return v;
  }
  return { d: bar };
}

var m = foo();
assertEquals(-Infinity, 1 / m.d());
assertTrue(%IsAsmWasmCode(foo));

test\mjsunit\regress-1120905.js

Issue: https://crbug.com/1120905

Commit: [test] Add short copyright to regress-1120905.js

Date(Commit): Wed, 26 Aug 2020 15:45:52 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2377689

Regress : test\mjsunit\regress-1120905.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function O() {}
O.prototype.f = f;
O.prototype.g = g;

function f() {
  return g.arguments;
}

function g(x) {
  return this.f(2 - x, "any");
}

var o = new O();
function foo(x) {
  return o.g(x, "z");
}

for (var i = 0; i < 35; i++) foo();

var result = (
  %PrepareFunctionForOptimization(foo),foo(), foo(),
  %OptimizeFunctionOnNextCall(foo), foo()
);
assertEquals(result[1], "z");

test\mjsunit\regress\regress-7773.js

Issue: https://crbug.com/v8/9646

Commit: Install "name" property on anonymous classes

Date(Commit): Mon, 17 Aug 2020 18:44:41 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2360905

Regress : test\mjsunit\regress\regress-7773.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

(function testFunctionNames() {
  let descriptor = {
    value: '',
    writable: false,
    enumerable: false,
    configurable: true
  };
  // Functions have a "name" property by default.
  assertEquals(
      descriptor, Object.getOwnPropertyDescriptor(function(){}, 'name'));
  let a = { fn: function(){} };
  assertSame('fn', a.fn.name);
  descriptor.value = 'fn';
  assertEquals(descriptor, Object.getOwnPropertyDescriptor(a.fn, 'name'));

  let b = { __proto__: function(){} };
  assertSame('', b.__proto__.name);
  descriptor.value = '';
  assertEquals(
      descriptor, Object.getOwnPropertyDescriptor(b.__proto__, 'name'));

  let c = { fn: function F(){} };
  assertSame('F', c.fn.name);
  descriptor.value = 'F';
  assertEquals(descriptor, Object.getOwnPropertyDescriptor(c.fn, 'name'));

  let d = { __proto__: function E(){} };
  assertSame('E', d.__proto__.name);
  descriptor.value = 'E';
  assertEquals(
      descriptor, Object.getOwnPropertyDescriptor(d.__proto__, 'name'));
})();

(function testClassNames() {
  let descriptor = {
    value: '',
    writable: false,
    enumerable: false,
    configurable: true
  };

  // Anonymous classes do not have a "name" property by default.
  descriptor.value = '';
  assertEquals(descriptor, Object.getOwnPropertyDescriptor(class {}, 'name'));
  descriptor.value = 'C';
  assertEquals(descriptor, Object.getOwnPropertyDescriptor(class C {}, 'name'));

  let a = { fn: class {} };
  assertSame('fn', a.fn.name);
  descriptor.value = 'fn';
  assertEquals(descriptor, Object.getOwnPropertyDescriptor(a.fn, 'name'));

  let b = { __proto__: class {} };
  assertSame('', b.__proto__.name);
  descriptor.value = '';
  assertEquals(
    descriptor, Object.getOwnPropertyDescriptor(b.__proto__, 'name'));

  let c = { fn: class F {} };
  assertSame('F', c.fn.name);
  descriptor.value = 'F';
  assertEquals(descriptor, Object.getOwnPropertyDescriptor(c.fn, 'name'));

  let d = { __proto__: class F {} };
  assertSame('F', d.__proto__.name);
  descriptor.value = 'F';
  assertEquals(
      descriptor, Object.getOwnPropertyDescriptor(d.__proto__, 'name'));
})();

test\mjsunit\regress\regress-1115354.js

Issue: https://crbug.com/1115354

Commit: [Atomics.waitAsync] Add regression test

Date(Commit): Fri, 14 Aug 2020 09:24:20 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2354813

Regress : test\mjsunit\regress\regress-1115354.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --harmony-sharedarraybuffer --harmony-atomics-waitasync --expose-async-hooks

const sab = new SharedArrayBuffer(16);
const i32a = new Int32Array(sab);
const result = Atomics.waitAsync(i32a, 0, 0);

Atomics.notify(i32a, 0);
let hook = async_hooks.createHook(
{
  promiseResolve: function() { }
});
hook.enable();

test\mjsunit\regress\wasm\regress-1112124.js

Issue: https://crbug.com/1112124

Commit: Reland "[wasm-simd][arm] Use vmov to move all ones to register"

Date(Commit): Mon, 10 Aug 2020 14:52:59 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2337503

Regress : test\mjsunit\regress\wasm\regress-1112124.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --experimental-wasm-simd

load('test/mjsunit/wasm/wasm-module-builder.js');

const builder = new WasmModuleBuilder();
builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */)
  .addBodyWithEnd([
    // signature: i_iii
    // body:
    kSimdPrefix, kExprS128Const, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  // s128.const
    kSimdPrefix, kExprI32x4ExtractLane, 0x00,  // i32x4.extract_lane
    kExprEnd,  // end @22
  ]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertEquals(-1, instance.exports.main(1, 2, 3));
// The bug happens on the second call to the same exported function, it returns 0.
assertEquals(-1, instance.exports.main(1, 2, 3));

test\mjsunit\regress\wasm\regress-808980.js

Issue: https://crbug.com/v8/10777

Commit: Reland "[wasm] Ensure that only TurboFan code is serialized"

Date(Commit): Tue, 11 Aug 2020 13:36:55 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2336799

Regress : test\mjsunit\regress\wasm\regress-808980.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// The test needs --wasm-tier-up because we can't serialize and deserialize
// Liftoff code.
// Flags: --allow-natives-syntax --throws --wasm-tier-up

load('test/mjsunit/wasm/wasm-module-builder.js');
let kTableSize = 3;

var builder = new WasmModuleBuilder();
var sig_index1 = builder.addType(kSig_i_v);
builder.addFunction('main', kSig_i_ii).addBody([
    kExprLocalGet,
    0,
    kExprCallIndirect,
    sig_index1,
    kTableZero
]).exportAs('main');
builder.setTableBounds(kTableSize, kTableSize);
var m1_bytes = builder.toBuffer();
var m1 = new WebAssembly.Module(m1_bytes);

var serialized_m1 = %SerializeWasmModule(m1);
var m1_clone = %DeserializeWasmModule(serialized_m1, m1_bytes);
var i1 = new WebAssembly.Instance(m1_clone);

i1.exports.main(123123);

test\mjsunit\regress\regress-crbug-722871.js

Issue: https://crbug.com/v8/7883

Commit: [atomics] Remove the deprecated Atomics.wake

Date(Commit): Fri, 31 Jul 2020 15:02:36 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2333349

Regress : test\mjsunit\regress\regress-crbug-722871.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let sab = new SharedArrayBuffer(10 * 4);
let memory = new Int32Array(sab);
let workers = [];
let runningWorkers = 0;

function startWorker(script) {
  let worker = new Worker(script, {type: 'string'});
  worker.done = false;
  worker.idx = workers.length;
  workers.push(worker);
  worker.postMessage(memory);
  ++runningWorkers;
};

let shared = `
  function wait(memory, index, waitCondition, wakeCondition) {
    while (memory[index] == waitCondition) {
      var result = Atomics.wait(memory, index, waitCondition);
      switch (result) {
        case 'not-equal':
        case 'ok':
          break;
        default:
          postMessage('Error: bad result from wait: ' + result);
          break;
      }
      var value = memory[index];
      if (value != wakeCondition) {
        postMessage(
            'Error: wait returned not-equal but the memory has a bad value: ' +
            value);
      }
    }
    var value = memory[index];
    if (value != wakeCondition) {
      postMessage(
          'Error: done waiting but the memory has a bad value: ' + value);
    }
  }

  function wake(memory, index) {
    var result = Atomics.notify(memory, index, 1);
    if (result != 0 && result != 1) {
      postMessage('Error: bad result from wake: ' + result);
    }
  }
`;

let worker1 = startWorker(shared + `
  onmessage = function(msg) {
    let memory = msg;
    const didStartIdx = 0;
    const shouldGoIdx = 1;
    const didEndIdx = 2;

    postMessage("started");
    postMessage("memory: " + memory);
    wait(memory, didStartIdx, 0, 1);
    memory[shouldGoIdx] = 1;
    wake(memory, shouldGoIdx);
    wait(memory, didEndIdx, 0, 1);
    postMessage("memory: " + memory);
    postMessage("done");
  };
`);

let worker2 = startWorker(shared + `
  onmessage = function(msg) {
    let memory = msg;
    const didStartIdx = 0;
    const shouldGoIdx = 1;
    const didEndIdx = 2;

    postMessage("started");
    postMessage("memory: " + memory);
    Atomics.store(memory, didStartIdx, 1);
    wake(memory, didStartIdx);
    wait(memory, shouldGoIdx, 0, 1);
    Atomics.store(memory, didEndIdx, 1);
    wake(memory, didEndIdx, 1);
    postMessage("memory: " + memory);
    postMessage("done");
  };
`);

let running = true;
while (running) {
  for (let worker of workers) {
    if (worker.done) continue;

    let msg = worker.getMessage();
    if (msg) {
      switch (msg) {
        case "done":
          if (worker.done === false) {
            print("worker #" + worker.idx + " done.");
            worker.done = true;
            if (--runningWorkers === 0) {
              running = false;
            }
          }
          break;

        default:
          print("msg from worker #" + worker.idx + ": " + msg);
          break;
      }
    }
  }
}

test\mjsunit\regress\wasm\regress-1114005.js

Issue: https://crbug.com/1114006

Commit: [wasm] Check size of table imports at instantiation time

Date(Commit): Fri, 7 Aug 2020 08:43:25 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2339473

Regress : test\mjsunit\regress\wasm\regress-1114005.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

load("test/mjsunit/wasm/wasm-module-builder.js");

const builder = new WasmModuleBuilder();
let table = new WebAssembly.Table({element: 'anyfunc', initial: 2});
// Big size that causes an int32 overflow.
builder.addImportedTable('m', 'table', 4000000000);
assertThrows(() => builder.instantiate({m: {table: table}}), RangeError);

test\mjsunit\regress\wasm\regress-1111522.js

Issue: https://crbug.com/v8/10752

Commit: [wasm-simd] Add regression test for i64x2.shr_s bug

Date(Commit): Tue, 4 Aug 2020 10:11:33 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2335779

Regress : test\mjsunit\regress\wasm\regress-1111522.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --experimental-wasm-simd

load('test/mjsunit/wasm/wasm-module-builder.js');

// Regression test to exercise Liftoff's i64x2.shr_s codegen, which back up rcx
// to a scratch register, and immediately overwrote the backup, then later
// restoring the incorrect value. See https://crbug.com/v8/10752 and
// https://crbug.com/1111522 for more.
const builder = new WasmModuleBuilder();
// i64x2.shr_s shifts a v128 (with all bits set), by 1, then drops the result.
// The function returns param 2, which should be unmodified.
builder.addFunction(undefined, kSig_i_iii).addBodyWithEnd([
  kSimdPrefix, kExprS128Const, ...new Array(16).fill(0xff),
  kExprI32Const, 0x01,
  kSimdPrefix, kExprI64x2ShrS, 0x01,
  kExprDrop,
  kExprLocalGet, 0x02,
  kExprEnd,
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertEquals(3, instance.exports.main(1, 2, 3));

test\mjsunit\regress\regress-1110001.js

Issue: https://crbug.com/1110001

Commit: [d8] Fix worker creation near stack limit

Date(Commit): Fri, 31 Jul 2020 08:30:27 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2332156

Regress : test\mjsunit\regress\regress-1110001.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

function foo() {
  try {
    foo();
  } catch {
    print('Stack overflow');
    Worker('string', new Proxy([], {}));
  }
}
try {
  foo();
} catch {
  // expecting stack overflow, but we should not crash.
}

test\mjsunit\compiler\regress-1104514.js

Issue: https://crbug.com/1104514

Commit: [turbofan] Fix a lazy deopt bug in Array.prototype.map

Date(Commit): Wed, 29 Jul 2020 15:50:36 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2324249

Regress : test\mjsunit\compiler\regress-1104514.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

Array(32760);  // > JSArray::kInitialMaxFastElementArray

function main() {
  const a = [1, 2];
  a.x = 666;
  a.toString();
  const aa = Array.prototype.map.call(a, v => v);
  if (aa[0] != 1 || aa[1] != 2) { %SystemBreak(); }
  a.z = 667;
}

for (var i = 0; i < 20000; ++i) {
  main();
}

test\mjsunit\compiler\regress-1109174.js

Issue: https://crbug.com/1109174

Commit: [turbofan] Do more checks for dead nodes in BranchElimination

Date(Commit): Mon, 27 Jul 2020 17:43:35 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2320668

Regress : test\mjsunit\compiler\regress-1109174.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --interrupt-budget=1024

(function() {
  let n = 0;
  do {
    for (let i = 0; i < 100; i++) {
      function unused() {}
      let a = [i];
      let b = String.fromCodePoint(i, 1).padStart();
      a.reduce(parseInt, b);
    }
    for (let j = 0; j < 1; j++) {}
  } while (++n < 2);
})();

test\mjsunit\regress\regress-1105746.js

Issue: https://crbug.com/1105746

Commit: [turbofan] Skip optimizations for large unmapped 'arguments'

Date(Commit): Wed, 15 Jul 2020 17:37:46 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2300481

Regress : test\mjsunit\regress\regress-1105746.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax
'use strict'

function f() {
    return arguments;
}

var arr = [];
arr.length=0x8000;
var g = f.bind(null,...arr);

function test() {
    return g();
}

%PrepareFunctionForOptimization(f);
%PrepareFunctionForOptimization(test);
test();
%OptimizeFunctionOnNextCall(test);
assertEquals(test().length, arr.length);

test\mjsunit\regress\regress-896326.js

Issue: https://crbug.com/v8/10709

Commit: [Test] Set proper simulator stack size in regress-896326 test

Date(Commit): Wed, 15 Jul 2020 06:17:12 -0400

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2299880

Regress : test\mjsunit\regress\regress-896326.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --stack-size=100 --sim-stack-size=100

function f() {
}

var large_array = Array(150 * 1024);
assertThrows('new f(... large_array)', RangeError);

test\mjsunit\regress\regress-crbug-1105383.js

Issue: https://crbug.com/1104711

Commit: [hashtable] Don't add PropertyCell to GlobalDictionary too early

Date(Commit): Tue, 14 Jul 2020 18:39:25 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2297472

Regress : test\mjsunit\regress\regress-crbug-1105383.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

'use strict';
Object.defineProperty(
    this.__proto__, "boom",
    { value:153, writable:true, configurable: true, enumerable:false });

var good = 1;
try {
  boom = 42;
} catch (e) {}

var properties = Object.getOwnPropertyNames(this);

assertTrue(properties.findIndex(e => e == "good") >= 0);
assertEquals(properties.findIndex(e => e == "boom"), -1);

test\mjsunit\regress\regress-crbug-1104608.js

Issue: https://crbug.com/v8/4153

Commit: Fix "named" loads for large TypedArray indices

Date(Commit): Tue, 14 Jul 2020 13:09:01 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2295606

Regress : test\mjsunit\regress\regress-crbug-1104608.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --multi-mapped-mock-allocator

const kSize = 4294967296;
// Skip this test on 32-bit platforms.
if (%TypedArrayMaxLength() >= kSize) {
  const array = new Uint8Array(kSize);

  function f() {
    let result = array["4294967295"];
    assertEquals(0, result);
  }

  function g() {
    array["4294967295"] = 1;
  }

  %PrepareFunctionForOptimization(f);
  for (var i = 0; i < 3; i++) f();
  %OptimizeFunctionOnNextCall(f);
  f();

  %PrepareFunctionForOptimization(g);
  for (var i = 0; i < 3; i++) g();
  %OptimizeFunctionOnNextCall(g);
  g();
}

test\mjsunit\compiler\regress-1102683.js

Issue: https://crbug.com/1102683

Commit: [turbofan] Remove an incorrect DCHECK

Date(Commit): Wed, 8 Jul 2020 12:48:30 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2287494

Regress : test\mjsunit\compiler\regress-1102683.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

async function foo() {
  for (let i = 0; i < 1; i++) {
    while (i !== i) {
      await 42;
      function unused() {}
      return;
    }
  }
}

%PrepareFunctionForOptimization(foo);
foo();
%OptimizeFunctionOnNextCall(foo);
foo();

test\mjsunit\compiler\regress-1102053.js

Issue: https://crbug.com/1102053

Commit: [turbofan] Fix CHECK failure in graph verifier

Date(Commit): Mon, 6 Jul 2020 11:08:38 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2282523

Regress : test\mjsunit\compiler\regress-1102053.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --interrupt-budget=1024

const v10 =
  {__proto__: [42], a: 1757695453, length: Promise, toString: 1337, d: []};

async function foo(a) {
  a.length;
  for (const k in v10) {
    for (let i = 0; i < k; i++) {}
    for (let i = 0; i < 10; i++) {
      function bar() {}
      while (a < 1) {
        for (const kk of []) await 42;
      }
    }
  }
}

for (let i = 0; i < 2; i++) {
  foo([42]);
}

test\mjsunit\regress\regress-732836.js

Issue:

Commit: [Test] Lower arg count to avoid going over stack limit on Arm64.

Date(Commit): Fri, 3 Jul 2020 11:26:37 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2280095

Regress : test\mjsunit\regress\regress-732836.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

function boom() {
  var args = [];
  for (var i = 0; i < 110000; i++)
    args.push(1.1);
  return Array.apply(Array, args);
}
var array = boom();

test\mjsunit\regress\regress-1098565.js

Issue: https://crbug.com/1098565

Commit: [turbofan] Skip optimizations for huge 'arguments'

Date(Commit): Mon, 29 Jun 2020 16:32:55 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2273121

Regress : test\mjsunit\regress\regress-1098565.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function f() {
    return arguments;
}

arr = [];
arr.length=0x8000;
g = f.bind(null,...arr);

function test() {
    return g();
}

%PrepareFunctionForOptimization(f);
%PrepareFunctionForOptimization(test);
test();
%OptimizeFunctionOnNextCall(test);
assertEquals(test().length, arr.length);

test\mjsunit\regress\wasm\regress-712569.js

Issue: https://crbug.com/v8/10556

Commit: Ignore unhandled promises in one more test

Date(Commit): Wed, 24 Jun 2020 09:58:11 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2262916

Regress : test\mjsunit\regress\wasm\regress-712569.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --ignore-unhandled-promises

var v11 = {};
Object.defineProperty(v11.__proto__, 0, {
  get: function() {
  },
  set: function() {
    try {
      WebAssembly.instantiate().then(
          () => assertUnreachable(),
          () => { /* ignore */ });
      v11[0] = 0;
    } catch (e) {
      assertTrue(e instanceof RangeError);
    }
  }
});
v66 = new Array();
cv = v66; cv[0] = 0.1; cv[2] = 0.2;

test\mjsunit\regress\wasm\regress-948228.js

Issue: https://crbug.com/v8/10556

Commit: [d8] Exit with error code upon unhandled promise rejection

Date(Commit): Tue, 23 Jun 2020 16:45:51 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2238569

Regress : test\mjsunit\regress\wasm\regress-948228.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

load('test/mjsunit/wasm/wasm-module-builder.js');

var {proxy, revoke} = Proxy.revocable({}, {});
revoke();
let builder = new WasmModuleBuilder();
builder.addImport('m', 'q', kSig_v_v);
WebAssembly.instantiate(builder.toModule(), proxy).catch(error => {});

test\mjsunit\regress\wasm\regress-1080902.js

Issue: https://crbug.com/1080902

Commit: [wasm] Add templatized methods for static bounds checks

Date(Commit): Tue, 23 Jun 2020 19:58:43 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2256858

Regress : test\mjsunit\regress\wasm\regress-1080902.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --experimental-wasm-threads

load("test/mjsunit/wasm/wasm-module-builder.js");

let memory = new WebAssembly.Memory({
  initial: 1,
  maximum: 10,
  shared: true
});

let builder = new WasmModuleBuilder();
builder.addImportedMemory("m", "imported_mem", 0, 1 << 16, "shared");
builder.addFunction("main", kSig_i_v).addBody([
    kExprI32Const, 0,
    kAtomicPrefix,
    kExprI32AtomicLoad16U, 1, 0]).exportAs("main");
let module = new WebAssembly.Module(builder.toBuffer());
let instance = new WebAssembly.Instance(module, {
  m: {
    imported_mem: memory
  }
});
instance.exports.main();

test\mjsunit\regress\regress-1708.js

Issue: https://crbug.com/v8/10619

Commit: [Respect] Prefer inclusive terms

Date(Commit): Mon, 22 Jun 2020 09:35:23 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2254483

Regress : test\mjsunit\regress\regress-1708.js

// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
//     * Redistributions of source code must retain the above copyright
//       notice, this list of conditions and the following disclaimer.
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials provided
//       with the distribution.
//     * Neither the name of Google Inc. nor the names of its
//       contributors may be used to endorse or promote products derived
//       from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

// Regression test of a very rare corner case where left-trimming an
// array caused invalid marking bit patterns on lazily swept pages.
//
// Lazy sweeping was deprecated. We are keeping the test case to make
// sure that concurrent sweeping, which relies on similar assumptions
// as lazy sweeping works correctly.

// Flags: --expose-gc --noincremental-marking --max-semi-space-size=1

(function() {
  var head = new Array(1);
  var tail = head;

  // Fill heap to increase old-space size and trigger concurrent sweeping on
  // some of the old-space pages.
  for (var i = 0; i < 200; i++) {
    tail[1] = new Array(1000);
    tail = tail[1];
  }
  array = new Array(100);
  gc(); gc();

  // At this point "array" should have been promoted to old-space and be
  // located in a concurrently swept page with intact marking bits. Now shift
  // the array to trigger left-trimming operations.
  assertEquals(100, array.length);
  for (var i = 0; i < 50; i++) {
    array.shift();
  }
  assertEquals(50, array.length);

  // At this point "array" should have been trimmed from the left with
  // marking bits being correctly transferred to the new object start.
  // Scavenging operations cause concurrent sweeping to advance and verify
  // that marking bit patterns are still sensible.
  for (var i = 0; i < 200; i++) {
    tail[1] = new Array(1000);
    tail = tail[1];
  }
})();

test\mjsunit\regress\regress-crbug-1053364.js

Issue: https://crbug.com/1053364

Commit: [parser] Don't mark sloppy block functions as assigned

Date(Commit): Thu, 18 Jun 2020 16:43:44 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2241511

Regress : test\mjsunit\regress\regress-crbug-1053364.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --throws

function main() {
  function g() {
    function h() {
      f;
    }
    {
      function f() {}
    }
    f;
    throw new Error();
  }
  g();
}
main();

test\mjsunit\regress\regress-crbug-754177.js

Issue: https://crbug.com/1094866

Commit: [fuzzing] Use --fuzzing flag for allowed runtime functions

Date(Commit): Wed, 17 Jun 2020 18:56:54 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2246568

Regress : test\mjsunit\regress\regress-crbug-754177.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax  --fuzzing

// Do not crash on non-JSFunction input when fuzzing.
%NeverOptimizeFunction(undefined);
%NeverOptimizeFunction(true);
%NeverOptimizeFunction(1);
%NeverOptimizeFunction({});
%NeverOptimizeFunction();

%PrepareFunctionForOptimization(print);
%OptimizeFunctionOnNextCall(print);

test\mjsunit\regress\regress-1094226.js

Issue: https://crbug.com/1094226

Commit: [scanner] Update outdated DCHECK

Date(Commit): Mon, 15 Jun 2020 08:31:27 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2245592

Regress : test\mjsunit\regress\regress-1094226.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

assertThrows(() => eval('<' + '!'));

test\mjsunit\compiler\regress-1094132.js

Issue: https://crbug.com/1094132

Commit: [deoptimizer] Relax a CHECK

Date(Commit): Fri, 12 Jun 2020 11:08:09 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2241517

Regress : test\mjsunit\compiler\regress-1094132.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function prettyPrinted() {}

function formatFailureText() {
  if (expectedText.length <= 40 && foundText.length <= 40) {
    message += ": expected <" + expectedText + "> found <" + foundText + ">";
    message += ":\nexpected:\n" + expectedText + "\nfound:\n" + foundText;
  }
}

function fail(expectedText, found, name_opt) {
  formatFailureText(expectedText, found, name_opt);
  if (!a[aProps[i]][aProps[i]]) { }
}

function deepEquals(a, b) {
  if (a === 0) return 1 / a === 1 / b;
  if (typeof a !== typeof a) return false;
  if (typeof a !== "object" && typeof a !== "function") return false;
  if (objectClass !== classOf()) return false;
  if (objectClass === "RegExp") { }
}

function assertEquals() {
  if (!deepEquals()) {
    fail(prettyPrinted(), undefined, undefined);
  }
}

({y: {}, x: 0.42});

function gaga() {
  return {gx: bar.arguments[0], hx: baz.arguments[0]};
}

function baz() {
  return gaga();
}

function bar(obj) {
  return baz(obj.y);
}

function foo() {
  bar({y: {}, x: 42});
  try { assertEquals() } catch (e) {}
  try { assertEquals() } catch (e) {}
  assertEquals();
}

%PrepareFunctionForOptimization(prettyPrinted);
%PrepareFunctionForOptimization(formatFailureText);
%PrepareFunctionForOptimization(fail);
%PrepareFunctionForOptimization(deepEquals);
%PrepareFunctionForOptimization(assertEquals);
%PrepareFunctionForOptimization(gaga);
%PrepareFunctionForOptimization(baz);
%PrepareFunctionForOptimization(bar);
%PrepareFunctionForOptimization(foo);
try { foo() } catch (e) {}
%OptimizeFunctionOnNextCall(foo);
try { foo() } catch (e) {}
%PrepareFunctionForOptimization(prettyPrinted);
%PrepareFunctionForOptimization(formatFailureText);
%PrepareFunctionForOptimization(fail);
%PrepareFunctionForOptimization(deepEquals);
%PrepareFunctionForOptimization(assertEquals);
%PrepareFunctionForOptimization(gaga);
%PrepareFunctionForOptimization(baz);
%PrepareFunctionForOptimization(bar);
%PrepareFunctionForOptimization(foo);
%OptimizeFunctionOnNextCall(foo);
try { foo() } catch (e) {}

test\mjsunit\regress\regress-v8-10568.js

Issue: https://crbug.com/v8/10568

Commit: [regexp] Fix integer overflows in TextNode::GetQuickCheckDetails

Date(Commit): Wed, 10 Jun 2020 13:14:52 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2230527

Regress : test\mjsunit\regress\regress-v8-10568.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

assertEquals(/[--𐀾]/u.exec("Hr3QoS3KCWXQ2yjBoDIK")[0], "H");
assertEquals(/[0-\u{10000}]/u.exec("A0")[0], "A");

test\mjsunit\regress\regress-1092896.js

Issue: https://crbug.com/1092896

Commit: [string] Don't skip GetMethod on Smis in String builtins

Date(Commit): Wed, 10 Jun 2020 10:27:01 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2238030

Regress : test\mjsunit\regress\regress-1092896.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

let count = 0
Object.prototype[Symbol.replace] = function () {
  count++
}

"".replace(0);
assertEquals(count, 1);

"".replace(0.1);
assertEquals(count, 2);

test\mjsunit\regress\wasm\regress-964607.js

Issue: https://crbug.com/v8/7748

Commit: [wasm] Rename anyref to externref, anyref flag/feature to reftypes

Date(Commit): Tue, 9 Jun 2020 15:54:14 +0000

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2232941

Regress : test\mjsunit\regress\wasm\regress-964607.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --expose-wasm --experimental-wasm-reftypes

load('test/mjsunit/wasm/wasm-module-builder.js');

let builder = new WasmModuleBuilder();

builder.addImportedTable('ffi', 't1', 5, 5, kWasmAnyFunc);
builder.addImportedTable('ffi', 't2', 9, 9, kWasmAnyFunc);

builder.addFunction('foo', kSig_v_v).addBody([]).exportFunc();

let module = builder.toModule();
let table1 =
    new WebAssembly.Table({element: 'anyfunc', initial: 5, maximum: 5});

let table2 =
    new WebAssembly.Table({element: 'anyfunc', initial: 9, maximum: 9});

let instance =
    new WebAssembly.Instance(module, {ffi: {t1: table1, t2: table2}});
let table3 =
    new WebAssembly.Table({element: 'anyfunc', initial: 9, maximum: 9});

table3.set(8, instance.exports.foo);
new WebAssembly.Instance(module, {ffi: {t1: table1, t2: table3}});

test\mjsunit\compiler\regress-1092650.js

Issue: https://crbug.com/1084820

Commit: [deoptimizer] Add missing HeapNumber allocation

Date(Commit): Tue, 9 Jun 2020 15:31:42 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2237145

Regress : test\mjsunit\compiler\regress-1092650.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

// Create map with HeapNumber in field 'a'
({a: 2**30});

function foo() {
  return foo.arguments[0];
}

function main() {
  foo({a: 42});
}

%PrepareFunctionForOptimization(foo);
%PrepareFunctionForOptimization(main);
main();
main();
%OptimizeFunctionOnNextCall(main);
main();

test\mjsunit\regress\regress-1091461.js

Issue: https://crbug.com/1091461

Commit: [turbofan] Make BigInt operations kNoThrow again

Date(Commit): Mon, 8 Jun 2020 11:48:13 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2235113

Regress : test\mjsunit\regress\regress-1091461.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo(a, b) {
  let x = a + b;
}
function test() {
  try {
    foo(1n, 1n);
  } catch (e) {}
}

%PrepareFunctionForOptimization(foo);
%PrepareFunctionForOptimization(test);
test();
test();
%OptimizeFunctionOnNextCall(test);
test();

test\mjsunit\compiler\regress-1084820.js

Issue: https://crbug.com/1084820

Commit: [deoptimizer] Fix bug in object materialization

Date(Commit): Mon, 8 Jun 2020 14:32:31 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2228330

Regress : test\mjsunit\compiler\regress-1084820.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

// Create a map where 'my_property' has HeapObject representation.
const dummy_obj = {};
dummy_obj.my_property = 'some HeapObject';
dummy_obj.my_property = 'some other HeapObject';

function gaga() {
  const obj = {};
  // Store a HeapNumber and then a Smi.
  // This must happen in a loop, even if it's only 2 iterations:
  for (let j = -3_000_000_000; j <= -1_000_000_000; j += 2_000_000_000) {
    obj.my_property = j;
  }
  // Trigger (soft) deopt.
  if (!%IsBeingInterpreted()) obj + obj;
}

%PrepareFunctionForOptimization(gaga);
gaga();
gaga();
%OptimizeFunctionOnNextCall(gaga);
gaga();

test\mjsunit\regress\regress-1073440.js

Issue: https://crbug.com/1073440

Commit: [turbofan] Fix lost exception on BigInt ops

Date(Commit): Thu, 4 Jun 2020 16:55:35 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2228493

Regress : test\mjsunit\regress\regress-1073440.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --opt --allow-natives-syntax --no-always-opt

function foo(n) {
  try {
    let v = 0n;
    for (let i = 0; i < n; ++i) {
      v = 3n + v;
      v = i;
    }
  } catch (e) {
    return 1;
  }
  return 0;
}

%PrepareFunctionForOptimization(foo);
assertEquals(foo(1), 0);
assertEquals(foo(1), 0);
%OptimizeFunctionOnNextCall(foo);
assertEquals(foo(1), 0);
assertOptimized(foo);
%PrepareFunctionForOptimization(foo);
assertEquals(foo(2), 1);
assertUnoptimized(foo);
// Check that we learned something and do not loop deoptimizations.
%OptimizeFunctionOnNextCall(foo);
assertEquals(foo(1), 0);
assertOptimized(foo);
assertEquals(foo(2), 1);
assertOptimized(foo);

test\mjsunit\regress\regress-crbug-1082293.js

Issue: https://crbug.com/1082293

Commit: [ic] Fix a bug in StoreOwnIC when storing NaN values

Date(Commit): Wed, 3 Jun 2020 18:04:56 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2228886

Regress : test\mjsunit\regress\regress-crbug-1082293.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function f() {
  let buffer = new ArrayBuffer(8);
  let a32 = new Float32Array(buffer);
  let a8 = new Uint32Array(buffer);
  let a = { value: NaN };
  Object.defineProperty(a32, 0, { value: NaN });
  return a8[0];
}

let value = f();
%EnsureFeedbackVectorForFunction(f);
assertEquals(value, f());

test\mjsunit\regress\regress-786784.js

Issue: https://crbug.com/v8/10560

Commit: Hold on to FeedbackMetadata when allocating feedback vectors

Date(Commit): Thu, 28 May 2020 17:17:15 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2218066

Regress : test\mjsunit\regress\regress-786784.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function f() {
  function g(arg) { return arg; }
  // The closure contains a call IC slot.
  return function() { return g(42); };
}

const a = Realm.create();
const b = Realm.create();

// Create two closures in different contexts sharing the same
// SharedFunctionInfo (shared due to code caching).
const x = Realm.eval(a, f.toString() + " f()");
const y = Realm.eval(b, f.toString() + " f()");

// Run the first closure to create SFI::code.
x();

// At this point, SFI::code is set and `x` has a feedback vector (`y` does not).

// Enabling block code coverage deoptimizes all functions and triggers the
// buggy code path in which we'd unconditionally replace JSFunction::code with
// its SFI::code (but skip feedback vector setup).
%DebugToggleBlockCoverage(true);

// Still no feedback vector set on `y` but it now contains code. Run it to
// trigger the crash when attempting to write into the non-existent feedback
// vector.
y();

test\mjsunit\regress\regress-9441.js

Issue: https://crbug.com/1077197

Commit: Fix feedback loss when builtins throw

Date(Commit): Thu, 28 May 2020 13:44:41 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2202904

Regress : test\mjsunit\regress\regress-9441.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --opt --no-always-opt

function foo(a, b) {
    return a - b;
}

%PrepareFunctionForOptimization(foo);
assertEquals(-1n, foo(1n, 2n));
%OptimizeFunctionOnNextCall(foo);
assertEquals(1n, foo(2n, 1n));
assertOptimized(foo);
assertThrows(() => foo(2n, undefined));
assertUnoptimized(foo);
%PrepareFunctionForOptimization(foo);
%OptimizeFunctionOnNextCall(foo);
assertEquals(-1n, foo(1n, 2n));
assertOptimized(foo);
assertThrows(() => foo(undefined, 2n));
assertOptimized(foo);

test\mjsunit\regress\regress-5660.js

Issue: https://crbug.com/v8/5660

Commit: Reland "[turbofan] Improve equality on NumberOrOddball"

Date(Commit): Thu, 28 May 2020 10:24:20 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2162854

Regress : test\mjsunit\regress\regress-5660.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --opt --allow-natives-syntax

(function() {
  function test(a, b) {
    return a === b;
  }

  %PrepareFunctionForOptimization(test);
  assertTrue(test(undefined, undefined));
  assertTrue(test(undefined, undefined));
  %OptimizeFunctionOnNextCall(test);
  assertTrue(test(undefined, undefined));
})();

(function() {
  function test(a, b) {
    return a === b;
  }

  %PrepareFunctionForOptimization(test);
  assertTrue(test(true, true));
  assertTrue(test(true, true));
  %OptimizeFunctionOnNextCall(test);
  assertFalse(test(true, 1));
})();

(function() {
  function test(a, b) {
      return a == b;
  }

  %PrepareFunctionForOptimization(test);
  assertTrue(test(true, true));
  assertTrue(test(true, true));
  %OptimizeFunctionOnNextCall(test);
  assertTrue(test(true, 1));
})();

test\mjsunit\regress\regress-1086470.js

Issue: https://crbug.com/1086470

Commit: Fix assert caused by SloppyArgumentsElements introduction

Date(Commit): Tue, 26 May 2020 17:00:38 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2215059

Regress : test\mjsunit\regress\regress-1086470.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

function __f_1( __v_9) {
  return arguments;
}

var __v_48 = [];
var __v_49 = __f_1();
var __v_50 = 3;
Object.preventExtensions(__v_49);
function __f_7(__v_52, __v_53, __v_54) {
  __v_52[__v_53] =
  __v_54;
}
__v_48.__proto__ = __v_49;
for (var __v_51 = 0; __v_51 < __v_50; __v_51++) {
  __f_7(__v_48, __v_51);
}

test\mjsunit\regress\regress-1084953.js

Issue:

Commit: [TurboProp] Don't try to rewire unreachable blocks to end.

Date(Commit): Thu, 21 May 2020 12:19:51 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2209061

Regress : test\mjsunit\regress\regress-1084953.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --turboprop

function foo() {
  try {
    +Symbol();
  } catch {
  }
}
%PrepareFunctionForOptimization(foo);
foo();
%OptimizeFunctionOnNextCall(foo);
foo();

test\mjsunit\regress\regress-1084872.js

Issue: https://crbug.com/1084872

Commit: [regexp] Fix signed/unsigned confusion in regexp interpreter

Date(Commit): Wed, 20 May 2020 14:23:49 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2209066

Regress : test\mjsunit\regress\regress-1084872.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

const re = new RegExp("(?<=(.)\\2.*(T))");
re.exec(undefined);
assertEquals(re.exec("bTaLTT")[1], "b");

test\mjsunit\regress\wasm\regress-1084151.js

Issue: https://crbug.com/1084151

Commit: [liftoff][mv] Fix merge issue in multi-value loops

Date(Commit): Tue, 19 May 2020 12:17:57 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2208851

Regress : test\mjsunit\regress\wasm\regress-1084151.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --experimental-wasm-mv

load("test/mjsunit/wasm/wasm-module-builder.js");

let builder = new WasmModuleBuilder();
let sig_i_iii = builder.addType(kSig_i_iii);

builder.addFunction("main", sig_i_iii)
  .addBody([
    kExprLocalGet, 1,
    kExprLocalGet, 1,
    kExprI32Const, 5,
    kExprLoop, sig_i_iii,
      kExprLocalGet, 1,
      kExprBlock, sig_i_iii,
        kExprLocalGet, 1,
        kExprLocalGet, 2,
        kExprBrIf, 1,
        kExprDrop,
        kExprDrop,
        kExprDrop,
      kExprEnd,
      kExprDrop,
    kExprEnd])
  .exportAs("main");

let module = new WebAssembly.Module(builder.toBuffer());

test\mjsunit\regress\regress-1083450.js

Issue: https://crbug.com/1083450

Commit: [regexp] Specify signedness when accessing packed arguments

Date(Commit): Mon, 18 May 2020 14:50:45 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2207137

Regress : test\mjsunit\regress\regress-1083450.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

const source = "(?<=(?=ab)(|)abc)"
const re = new RegExp(source);
assertNotNull(re.exec("abc"));

test\mjsunit\compiler\regress-1082704.js

Issue: https://crbug.com/1082704

Commit: [turbofan] Make GraphAssembler branching respect typing

Date(Commit): Fri, 15 May 2020 11:42:39 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2202978

Regress : test\mjsunit\compiler\regress-1082704.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

var array = [[]];
function foo() {
  const x = array[0];
  const y = [][0];
  return x == y;
}
%PrepareFunctionForOptimization(foo);
assertFalse(foo());
%OptimizeFunctionOnNextCall(foo);
assertFalse(foo());

test\mjsunit\regress\regress-1079446.js

Issue:

Commit: [Turboprop] Allow removal of multiple unreachable blocks that merge.

Date(Commit): Tue, 12 May 2020 21:27:09 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2196354

Regress : test\mjsunit\regress\regress-1079446.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --turboprop

arr = new Int16Array();
function foo() {
  arr.__defineGetter__('a', function() { });
  arr[0] = "123.12";
}

%PrepareFunctionForOptimization(foo);
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();

test\mjsunit\regress\regress-crbug-1069530.js

Issue: https://crbug.com/1069530

Commit: [ic] Properly handle store mode generalization in KeyedStoreIC

Date(Commit): Tue, 12 May 2020 22:26:41 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2196353

Regress : test\mjsunit\regress\regress-crbug-1069530.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --no-lazy-feedback-allocation

function store(ar, index) {
  ar[index] = "a";
}

let growable_array = [];

// Train IC on growable array
store(growable_array, 0);
store(growable_array, 1);
store(growable_array, 2);
store(growable_array, 3);

// Now make IC polymorphic
var array = [];
Object.defineProperty(array, "length", { value: 3, writable: false });

store(array, 0);
store(array, 1);

// ... and try to grow it.
store(array, 3);
assertEquals(undefined, array[3]);
assertEquals(3, array.length);

test\mjsunit\regress\regress-v8-10513.js

Issue: https://crbug.com/v8/10513

Commit: [regexp] Unconditionally get named capture in GetSubstitution

Date(Commit): Tue, 12 May 2020 08:46:36 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2195821

Regress : test\mjsunit\regress\regress-v8-10513.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

const access_log = [];
const handler = {
  get: function(obj, prop) {
    access_log.push(prop);
    return prop in obj ? obj[prop] : "z";
  }
};

class ProxiedGroupRegExp extends RegExp {
  exec(s) {
    var result = super.exec(s);
    if (result) {
      result.groups = new Proxy(result.groups, handler);
    }
    return result;
  }
}

let re = new ProxiedGroupRegExp("(?<x>.)");
assertEquals("a z", "a".replace(re, "$<x> $<y>"));
assertEquals(["x", "y"], access_log);

test\mjsunit\regress\regress-crbug-1055138-3.js

Issue: https://crbug.com/1055138

Commit: [ic] Fix stores to holey elements

Date(Commit): Mon, 11 May 2020 17:57:59 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2172090

Regress : test\mjsunit\regress\regress-crbug-1055138-3.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

Object.prototype[1] = 153;

(function StrictStoreToReadOnlyProperty() {
  function foo(prototype_frozen) {
    "use strict";
    let ar = [];
    let threw_exception = false;
    for (let i = 0; i < 3; i++) {
      try {
        ar[i] = 42;
      } catch(e) {
        if (prototype_frozen) {
          // Attempt to overwrite read-only element should throw and
          // should not change array length.
          assertTrue(i == 1);
          assertEquals(1, ar.length);
          assertInstanceof(e, TypeError);
          threw_exception = true;
        }
      }
    }
    if (prototype_frozen) {
      assertTrue(threw_exception);
    }
    return ar;
  }

  // Warm-up store IC.
  assertEquals([42,42,42], foo(false));
  assertEquals([42,42,42], foo(false));
  assertEquals([42,42,42], foo(false));
  assertEquals([42,42,42], foo(false));
  Object.freeze(Object.prototype);
  // Ensure IC was properly invalidated.
  assertEquals([42,153,42], foo());
})();

test\mjsunit\regress\regress-10508.js

Issue: https://crbug.com/v8/10508

Commit: [runtime] Return undefined as CallSite::getFunction for scripts

Date(Commit): Mon, 11 May 2020 14:23:00 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2193716

Regress : test\mjsunit\regress\regress-10508.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

Error.prepareStackTrace = (error, frames) => {
  // JSON.stringify executes the replacer, triggering the relevant
  // code in Invoke().
  JSON.stringify({}, frames[0].getFunction());
};
let v0;
try {
  throw new Error();
} catch (e) {
  e.stack
}

test\mjsunit\regress\regress-crbug-1074737.js

Issue: https://crbug.com/1074737

Commit: [parser] Treat var initializers in masking catch as assigning

Date(Commit): Fri, 8 May 2020 15:46:18 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2187272

Regress : test\mjsunit\regress\regress-crbug-1074737.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

try {
  throw 42
} catch (e) {
  function foo() { return e };
  %PrepareFunctionForOptimization(foo);
  %OptimizeFunctionOnNextCall(foo);
  foo();
  var e = "expected";
}
assertEquals("expected", foo());

try {
  throw 42
} catch (f) {
  function foo2() { return f };
  %PrepareFunctionForOptimization(foo2);
  %OptimizeFunctionOnNextCall(foo2);
  foo2();
  with ({}) {
    var f = "expected";
  }
}
assertEquals("expected", foo2());

(function () {
  function foo3() { return g };
  %PrepareFunctionForOptimization(foo3);
  %OptimizeFunctionOnNextCall(foo3);
  foo3();
  with ({}) {
    var g = "expected";
  }
  assertEquals("expected", foo3());
})()

test\mjsunit\regress\regress-1078913.js

Issue: https://crbug.com/1078913

Commit: [compiler] Skip interpreter trampoline copy for asm.js

Date(Commit): Fri, 8 May 2020 13:08:23 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2190412

Regress : test\mjsunit\regress\regress-1078913.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --interpreted-frames-native-stack

// Make sure that the interpreted trampoline copy (for native interpreter frames
// in stack traces) works for interperted functions but doesn't crash for asm.js

function func() {
  return;
}

function asm_func() {
  "use asm";
  function f(){}
  return {f:f};
}

function failed_asm_func() {
  "use asm";
  // This should fail validation
  [x,y,z] = [1,2,3];
  return;
}

func();
asm_func();
failed_asm_func();

test\mjsunit\regress\regress-1077804.js

Issue: https://crbug.com/1077804

Commit: [mjsunit] Relax flags of regress-1077804.js test

Date(Commit): Thu, 7 May 2020 12:40:08 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2187499

Regress : test\mjsunit\regress\regress-1077804.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo() {
  return bar();
}

function bar(a, b) {
  return a + b;
}

%PrepareFunctionForOptimization(foo);
foo();
%OptimizeFunctionOnNextCall(foo);
%PrepareFunctionForOptimization(bar);
%OptimizeFunctionOnNextCall(bar);
bar(2n, 2n);
assertTrue(Number.isNaN(foo()));

test\mjsunit\regress\regress-crbug-1077508.js

Issue: https://crbug.com/1077508

Commit: Move to slow-path in Array#sort if the array is no longer a FastJSArray

Date(Commit): Thu, 7 May 2020 09:23:50 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2187171

Regress : test\mjsunit\regress\regress-crbug-1077508.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

const array = [, , , 0, 1, 2];
const comparefn = () => {
  Array.prototype.__defineSetter__("0", function () {});
  Array.prototype.__defineSetter__("1", function () {});
  Array.prototype.__defineSetter__("2", function () {});
};

array.sort(comparefn);

assertArrayEquals([, , , , , , ], array);

test\mjsunit\regress\regress-1076569.js

Issue:

Commit: [Tests] Add mjsunit test for issue 1076569.

Date(Commit): Wed, 6 May 2020 18:12:33 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2185130

Regress : test\mjsunit\regress\regress-1076569.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --turboprop

var array = new Int16Array();

function foo() {
  array[0] = "123.12";
}

%PrepareFunctionForOptimization(foo);
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();

test\mjsunit\regress\regress-v8-10484-2.js

Issue: https://crbug.com/v8/10484

Commit: [builtins] Fix handling of read-only length in Array.prototype.pop

Date(Commit): Wed, 6 May 2020 15:20:34 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2182452

Regress : test\mjsunit\regress\regress-v8-10484-2.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

var ar;
Object.defineProperty(Array.prototype, 3,
    {
      get() {
        Object.defineProperty(
            ar, "length",
            { value: 3, writable: false, configurable: false });
      }
    });

function foo() {
  ar = [1, 2, 3];
  ar.length = 4;
  ar.pop();
}

assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);

test\mjsunit\regress\regress-crbug-1063796.js

Issue: https://crbug.com/1063796

Commit: [ic] Fix KeyedHasIC_SloppyArguments implementation

Date(Commit): Fri, 1 May 2020 15:40:25 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2174504

Regress : test\mjsunit\regress\regress-crbug-1063796.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

Object.prototype[1] = 1;
function foo(baz) {
  return 1 in arguments;
}
assertTrue(foo(0));
%PrepareFunctionForOptimization(foo);
assertTrue(foo(0));
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo(0));

test\mjsunit\regress\wasm\regress-10309.js

Issue:

Commit: [wasm-simd] Update SIMD opcode numbers as per the Spec change

Date(Commit): Fri, 1 May 2020 08:40:22 -0700

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2173952

Regress : test\mjsunit\regress\wasm\regress-10309.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --experimental-wasm-simd

let registry = {};

function module(bytes, valid = true) {
  let buffer = new ArrayBuffer(bytes.length);
  let view = new Uint8Array(buffer);
  for (let i = 0; i < bytes.length; ++i) {
    view[i] = bytes.charCodeAt(i);
  }
  let validated;
  try {
    validated = WebAssembly.validate(buffer);
  } catch (e) {
    throw new Error("Wasm validate throws");
  }
  if (validated !== valid) {
    throw new Error("Wasm validate failure" + (valid ? "" : " expected"));
  }
  return new WebAssembly.Module(buffer);
}

function instance(bytes, imports = registry) {
  return new WebAssembly.Instance(module(bytes), imports);
}

function call(instance, name, args) {
  return instance.exports[name](...args);
}

function exports(name, instance) {
  return {[name]: instance.exports};
}

function assert_return(action, expected) {
  let actual = action();
  if (!Object.is(actual, expected)) {
    throw new Error("Wasm return value " + expected + " expected, got " + actual);
  };
}

let f32 = Math.fround;

// simple.wast:1
let $1 = instance("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x09\x02\x60\x00\x00\x60\x01\x7f\x01\x7d\x03\x04\x03\x00\x00\x01\x05\x03\x01\x00\x01\x07\x1c\x02\x11\x72\x65\x70\x6c\x61\x63\x65\x5f\x6c\x61\x6e\x65\x5f\x74\x65\x73\x74\x00\x01\x04\x72\x65\x61\x64\x00\x02\x08\x01\x00\x0a\x6e\x03\x2a\x00\x41\x10\x43\x00\x00\x80\x3f\x38\x02\x00\x41\x14\x43\x00\x00\x00\x40\x38\x02\x00\x41\x18\x43\x00\x00\x40\x40\x38\x02\x00\x41\x1c\x43\x00\x00\x80\x40\x38\x02\x00\x0b\x39\x01\x01\x7b\x41\x10\x2a\x02\x00\xfd\x13\x21\x00\x20\x00\x41\x10\x2a\x01\x04\xfd\x20\x01\x21\x00\x20\x00\x41\x10\x2a\x01\x08\xfd\x20\x02\x21\x00\x20\x00\x41\x10\x2a\x01\x0c\xfd\x20\x03\x21\x00\x41\x00\x20\x00\xfd\x0b\x02\x00\x0b\x07\x00\x20\x00\x2a\x02\x00\x0b");

// simple.wast:49
call($1, "replace_lane_test", []);

// simple.wast:50
assert_return(() => call($1, "read", [0]), f32(1.0));

// simple.wast:51
assert_return(() => call($1, "read", [4]), f32(2.0));

// simple.wast:52
assert_return(() => call($1, "read", [8]), f32(3.0));

// simple.wast:53
assert_return(() => call($1, "read", [12]), f32(4.0));

test\mjsunit\regress\regress-crbug-1072947.js

Issue: https://crbug.com/1072947

Commit: [runtime] Fix miscalculated number of properties for derived class

Date(Commit): Thu, 30 Apr 2020 16:14:08 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2172964

Regress : test\mjsunit\regress\regress-crbug-1072947.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

(function() {
  class reg extends RegExp {}

  let r;
  function trigger() {
    try {
      trigger();
    } catch {
      Reflect.construct(RegExp,[],reg);
    }
  }
  trigger();
})();

(function() {
  class reg extends Function {}

  let r;
  function trigger() {
    try {
      trigger();
    } catch {
      Reflect.construct(RegExp,[],reg);
    }
  }
  trigger();
})();

test\mjsunit\regress\regress-1071190.js

Issue: https://crbug.com/1071190

Commit: [turbofan] Fixes incorrect DataView setters

Date(Commit): Tue, 28 Apr 2020 16:32:19 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2170091

Regress : test\mjsunit\regress\regress-1071190.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax


function test() {
  const a = new DataView(new ArrayBuffer(32));
  const b = new DataView(new ArrayBuffer(32));
  a.setFloat64(0);
  b.setFloat64(0, undefined);

  for(let i = 0; i < 8; ++i) {
    assertEquals(a.getUint8(i), b.getUint8(i));
  }
}

%PrepareFunctionForOptimization(test);
test();
test();
%OptimizeFunctionOnNextCall(test);
test();

test\mjsunit\regress\wasm\regress-1074586-b.js

Issue:

Commit: [wasm][liftoff][arm] Avoid double allocation of register is AtomicOp64

Date(Commit): Tue, 28 Apr 2020 11:37:47 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2170088

Regress : test\mjsunit\regress\wasm\regress-1074586-b.js

// // Use of this source code is governed by a BSD-style license that can be
// // found in the LICENSE file.

// Flags: --wasm-staging

load('test/mjsunit/wasm/wasm-module-builder.js');

const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false, true);
const sig = builder.addType(makeSig(
    [kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmI32],
    []));
builder.addFunction(undefined, sig).addBodyWithEnd([
  // signature: v_iiiiifidi
  // body:
  kExprI32Const, 0x00,                             // i32.const
  kExprI64Const, 0x00,                             // i64.const
  kAtomicPrefix, kExprI64AtomicStore, 0x00, 0x00,  // i64.atomic.store64
  kExprEnd,                                        // end @9
]);
builder.addExport('main', 0);
assertDoesNotThrow(() => builder.instantiate());

test\mjsunit\compiler\regress-1074736.js

Issue: https://crbug.com/1074736

Commit: [turbofan] Fix bug in typed array iteration

Date(Commit): Tue, 28 Apr 2020 14:40:22 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2168874

Regress : test\mjsunit\compiler\regress-1074736.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

var arr = new Uint8Array();
%ArrayBufferDetach(arr.buffer);

function foo() {
  return arr[Symbol.iterator]();
}

%PrepareFunctionForOptimization(foo);
assertThrows(foo, TypeError);
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, TypeError);

test\mjsunit\regress\regress-1069964.js

Issue: https://crbug.com/1069964

Commit: [protectors] Move regexp species protector back to the isolate

Date(Commit): Wed, 22 Apr 2020 08:35:06 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2157382

Regress : test\mjsunit\regress\regress-1069964.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

Realm.createAllowCrossRealmAccess();
const c = Realm.global(1);
Realm.detachGlobal(1);
try { c.constructor = () => {}; } catch {}

test\mjsunit\compiler\regress-1071743.js

Issue: https://crbug.com/1070892

Commit: [turbofan] Distinguish two further modes of CheckBounds

Date(Commit): Mon, 27 Apr 2020 20:59:14 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2157365

Regress : test\mjsunit\compiler\regress-1071743.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax


function foo(v) {
  let x = Math.floor(v);
  Number.prototype[v] = 42;
  return x + Math.floor(v);
}

%PrepareFunctionForOptimization(foo);
assertSame(foo(-0), -0);
assertSame(foo(-0), -0);
%OptimizeFunctionOnNextCall(foo);
assertSame(foo(-0), -0);


function bar(v) {
  v = v ? (v|0) : -0;  // v has now type Integral32OrMinusZero.
  let x = Math.floor(v);
  Number.prototype[v] = 42;
  return x + Math.floor(v);
}

%PrepareFunctionForOptimization(bar);
assertSame(2, bar(1));
assertSame(2, bar(1));
%OptimizeFunctionOnNextCall(bar);
assertSame(-0, bar(-0));

test\mjsunit\compiler\regress-1072171.js

Issue: https://crbug.com/1072171

Commit: Reland "[turbofan] Fix bug in Number.Min/Max typings"

Date(Commit): Tue, 21 Apr 2020 07:45:09 +0000

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2157028

Regress : test\mjsunit\compiler\regress-1072171.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function testMax1(b) {
  const max = Math.max(-1, b ? -0 : 1);
  return Object.is(max, -0);
}
%PrepareFunctionForOptimization(testMax1);
assertTrue(testMax1(true));
assertTrue(testMax1(true));
%OptimizeFunctionOnNextCall(testMax1);
assertTrue(testMax1(true));

function testMax2(b) {
  const max = Math.max(b ? -0 : 1, -1);
  return Object.is(max, -0);
}
%PrepareFunctionForOptimization(testMax2);
assertTrue(testMax2(true));
assertTrue(testMax2(true));
%OptimizeFunctionOnNextCall(testMax2);
assertTrue(testMax2(true));

function testMin1(b) {
  const min = Math.min(1, b ? -0 : -1);
  return Object.is(min, -0);
}
%PrepareFunctionForOptimization(testMin1);
assertTrue(testMin1(true));
assertTrue(testMin1(true));
%OptimizeFunctionOnNextCall(testMin1);
assertTrue(testMin1(true));

function testMin2(b) {
  const min = Math.min(b ? -0 : -1, 1);
  return Object.is(min, -0);
}
%PrepareFunctionForOptimization(testMin2);
assertTrue(testMin2(true));
assertTrue(testMin2(true));
%OptimizeFunctionOnNextCall(testMin2);
assertTrue(testMin2(true));

test\mjsunit\regress\regress-crbug-1053939-1.js

Issue: https://crbug.com/1068492

Commit: [ic] Use slow stub if typed arrays are in prototype chain of JSObjects

Date(Commit): Fri, 3 Apr 2020 11:47:36 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2134138

Regress : test\mjsunit\regress\regress-crbug-1053939-1.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --no-lazy-feedback-allocation


v = {};
v.__proto__ = new Int32Array(1);
function foo() {
  for (var i = 0; i < 2; i++) {
    v[i] = 0;
  }
}
foo();
assertEquals(Object.keys(v).length, 1);

test\mjsunit\regress\regress-crbug-1070560.js

Issue: https://crbug.com/1070560

Commit: [builtins] When creating new elements array initialize with holes

Date(Commit): Thu, 16 Apr 2020 15:12:04 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2150599

Regress : test\mjsunit\regress\regress-crbug-1070560.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

function f() {
 // Create a FixedDoubleArray
 var arr = [5.65];
 // Force the elements to be EmptyFixedArray
 arr.splice(0);
 // This should create a FixedDoubleArray initialized with holes.
 arr.splice(-4, 9, 10, 20);
 // If the earlier spice didn't create a holes this would fail.
 assertFalse(2 in arr);
}

f();

test\mjsunit\regress\regress-crbug-1067757.js

Issue: https://crbug.com/1067757

Commit: [ic] Use slow stub when storing non-existent properties to global object

Date(Commit): Wed, 15 Apr 2020 15:08:19 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2142255

Regress : test\mjsunit\regress\regress-crbug-1067757.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --no-lazy-feedback-allocation

"use strict";

function foo() {
  let count = 0;
  try {
    for (p of v) {
      count += 1;
    }
  } catch (e) { }
  assertEquals(count, 0);
}

var v = [ "0", {}];

foo();
Reflect.deleteProperty(v, '0');

let count_loop = 0;
try {
 for (p of v) { count_loop += 1; }
} catch (e) {}
assertEquals(count_loop, 0);

foo();

test\mjsunit\regress\wasm\regress-1067621.js

Issue: https://crbug.com/1067621

Commit: [wasm] Fix return value of concurrent memory.grow

Date(Commit): Tue, 14 Apr 2020 15:23:05 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2144113

Regress : test\mjsunit\regress\wasm\regress-1067621.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --experimental-wasm-threads

load('test/mjsunit/wasm/wasm-module-builder.js');

const kNumberOfWorker = 4;

const workerOnMessage = function(msg) {
  if (msg.module) {
    let module = msg.module;
    let mem = msg.mem;
    this.instance = new WebAssembly.Instance(module, {m: {memory: mem}});
    postMessage({instantiated: true});
  } else {
    const kNumberOfRuns = 20;
    let result = new Array(kNumberOfRuns);
    for (let i = 0; i < kNumberOfRuns; ++i) {
      result[i] = instance.exports.grow();
    }
    postMessage({result: result});
  }
};

function spawnWorkers() {
  let workers = [];
  for (let i = 0; i < kNumberOfWorker; i++) {
    let worker = new Worker(
        'onmessage = ' + workerOnMessage.toString(), {type: 'string'});
    workers.push(worker);
  }
  return workers;
}

function instantiateModuleInWorkers(workers, module, shared_memory) {
  for (let worker of workers) {
    worker.postMessage({module: module, mem: shared_memory});
    let msg = worker.getMessage();
    if (!msg.instantiated) throw 'Worker failed to instantiate';
  }
}

function triggerWorkers(workers) {
  for (i = 0; i < workers.length; i++) {
    let worker = workers[i];
    worker.postMessage({});
  }
}

(function TestConcurrentGrowMemoryResult() {
  let builder = new WasmModuleBuilder();
  builder.addImportedMemory('m', 'memory', 1, 500, 'shared');
  builder.addFunction('grow', kSig_i_v)
      .addBody([kExprI32Const, 1, kExprMemoryGrow, kMemoryZero])
      .exportFunc();

  const module = builder.toModule();
  const shared_memory =
      new WebAssembly.Memory({initial: 1, maximum: 500, shared: true});

  // Spawn off the workers and run the sequences.
  let workers = spawnWorkers();
  instantiateModuleInWorkers(workers, module, shared_memory);
  triggerWorkers(workers);
  let all_results = [];
  for (let worker of workers) {
    let msg = worker.getMessage();
    all_results = all_results.concat(msg.result);
  }

  all_results.sort((a, b) => a - b);
  for (let i = 1; i < all_results.length; ++i) {
    assertEquals(all_results[i - 1] + 1, all_results[i]);
  }

  // Terminate all workers.
  for (let worker of workers) {
    worker.terminate();
  }
})();

test\mjsunit\regress\regress-447756.js

Issue: https://crbug.com/v8/10249

Commit: [test] Crash on invalid intrinsic use unless --fuzzing is on

Date(Commit): Tue, 14 Apr 2020 15:05:13 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2137406

Regress : test\mjsunit\regress\regress-447756.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax

function TestConstructor(c) {
  var a = new c(-0);
  assertSame(Infinity, 1 / a.length);
  assertSame(Infinity, 1 / a.byteLength);

  var ab = new ArrayBuffer(-0);
  assertSame(Infinity, 1 / ab.byteLength);

  var a1 = new c(ab, -0, -0);
  assertSame(Infinity, 1 / a1.length);
  assertSame(Infinity, 1 / a1.byteLength);
  assertSame(Infinity, 1 / a1.byteOffset);
}

var constructors =
  [ Uint8Array, Int8Array, Uint8ClampedArray,
    Uint16Array, Int16Array,
    Uint32Array, Int32Array,
    Float32Array, Float64Array ];
for (var i = 0; i < constructors.length; i++) {
  TestConstructor(constructors[i]);
}


function TestOptimizedCode() {
  var a = new Uint8Array(-0);
  assertSame(Infinity, 1 / a.length);
  assertSame(Infinity, 1 / a.byteLength);

  var ab = new ArrayBuffer(-0);
  assertSame(Infinity, 1 / ab.byteLength);

  var a1 = new Uint8Array(ab, -0, -0);
  assertSame(Infinity, 1 / a1.length);
  assertSame(Infinity, 1 / a1.byteLength);
  assertSame(Infinity, 1 / a1.byteOffset);
}

%PrepareFunctionForOptimization(TestOptimizedCode);
TestOptimizedCode();
TestOptimizedCode();
%OptimizeFunctionOnNextCall(TestOptimizedCode);
TestOptimizedCode();

test\mjsunit\compiler\regress-1068494.js

Issue: https://crbug.com/1068494

Commit: [turbofan] Fix bug in reduction of StoreDataPropertyInLiteral

Date(Commit): Wed, 8 Apr 2020 13:02:56 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2139581

Regress : test\mjsunit\compiler\regress-1068494.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo() {
  return { ['bar']: class {} };
}
%PrepareFunctionForOptimization(foo);
assertEquals('bar', foo().bar.name);
assertEquals('bar', foo().bar.name);
%OptimizeFunctionOnNextCall(foo);
assertEquals('bar', foo().bar.name);

test\mjsunit\compiler\regress-1067544.js

Issue: https://crbug.com/1067544

Commit: [turbofan] Fix bug in reduction of typed array iteration

Date(Commit): Mon, 6 Apr 2020 11:41:10 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2135632

Regress : test\mjsunit\compiler\regress-1067544.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

const v = [];
function foo() {
  Int8Array.prototype.values.call([v]);
}

%PrepareFunctionForOptimization(foo);
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, TypeError);

test\mjsunit\regress\regress-crbug-1060023.js

Issue: https://crbug.com/1060023

Commit: [parser] Already break the expression scope chain for function parameters

Date(Commit): Thu, 2 Apr 2020 14:26:18 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2134006

Regress : test\mjsunit\regress\regress-crbug-1060023.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

class b extends RegExp {
  exec() {
    (function() { (a = (function({} = this) {})) => {} })
  }
}
assertThrows(()=>'a'.match(new b), TypeError);

test\mjsunit\regress\regress-crbug-1053939.js

Issue: https://crbug.com/1053939

Commit: [ic] Use the existing prototype validity cell when recomputing handlers

Date(Commit): Thu, 2 Apr 2020 12:41:52 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2122032

Regress : test\mjsunit\regress\regress-crbug-1053939.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --no-lazy-feedback-allocation


function foo(a, b) {
  a[b] = 1;
  return a[b];
}
v = [];
assertEquals(foo(v, 1), 1);
v.__proto__.__proto__ = new Int32Array();
assertEquals(foo(Object(), 1), 1);
assertEquals(foo(v, 2), undefined);

test\mjsunit\regress\wasm\regress-1065635.js

Issue: https://crbug.com/1065635

Commit: [asm] Fix double literals without dots

Date(Commit): Mon, 30 Mar 2020 18:34:41 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2126922

Regress : test\mjsunit\regress\wasm\regress-1065635.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

function foo() {
  'use asm';
  function bar() {
    return -1e-15;
  }
  return {bar: bar};
}

assertEquals(-1e-15, foo().bar());

test\mjsunit\regress\regress-crbug-1065741.js

Issue:

Commit: [turbofan] Add a type check to String.prototype.startsWith

Date(Commit): Wed, 1 Apr 2020 14:45:11 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2129639

Regress : test\mjsunit\regress\regress-crbug-1065741.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --opt

function bar() {
  String.prototype.startsWith.apply();
}

%PrepareFunctionForOptimization(bar);
assertThrows(bar, TypeError);
assertThrows(bar, TypeError);
%OptimizeFunctionOnNextCall(bar);
assertThrows(bar, TypeError);
%PrepareFunctionForOptimization(bar);
%OptimizeFunctionOnNextCall(bar);
assertThrows(bar, TypeError);
assertOptimized(bar);

test\mjsunit\compiler\regress-1065737.js

Issue: https://crbug.com/1065737

Commit: [turbofan] Mark JSStoreGlobal as NeedsExactContext

Date(Commit): Wed, 1 Apr 2020 11:24:45 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2130280

Regress : test\mjsunit\compiler\regress-1065737.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo() {
  class c {
    static get [v = 0]() {}
  }
}

%PrepareFunctionForOptimization(foo);
assertThrows(foo, ReferenceError);
assertThrows(foo, ReferenceError);
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, ReferenceError);

test\mjsunit\regress\wasm\regress-1065852.js

Issue: https://crbug.com/1065852

Commit: [asm] Avoid instantiation as resumable function

Date(Commit): Mon, 30 Mar 2020 18:06:07 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2126920

Regress : test\mjsunit\regress\wasm\regress-1065852.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

function* asm() {
  "use asm";
  function x(v) {
    v = v | 0;
  }
  return x;
}

// 'function*' creates a generator with an implicit 'next' method.
asm().next();

test\mjsunit\regress-1065094.js

Issue: https://crbug.com/1065094

Commit: Make CreateDynamicFunction throw if disallowed

Date(Commit): Mon, 30 Mar 2020 11:55:10 +0200

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2124837

Regress : test\mjsunit\regress-1065094.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function f(fnConstructor) {
    return Object.is(new fnConstructor(), undefined);
}

const realmIndex = Realm.createAllowCrossRealmAccess();
const otherFunction = Realm.global(realmIndex).Function;
Realm.detachGlobal(realmIndex);

%PrepareFunctionForOptimization(f);
assertFalse(f(Function));
assertThrows(_ => f(otherFunction));
%OptimizeFunctionOnNextCall(f);
assertThrows(_ => f(otherFunction));

test\mjsunit\compiler\regress-1063661.js

Issue: https://crbug.com/1063661

Commit: [turbofan] Fix NumberMin and NumberMax typings

Date(Commit): Tue, 24 Mar 2020 20:14:48 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2116199

Regress : test\mjsunit\compiler\regress-1063661.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --interrupt-budget=1024

function main() {
  const v1 = [];
  for (let v11 = 0; v11 < 7; v11++) {
    for (let v16 = 0; v16 != 100; v16++) {}
    for (let v18 = -0.0; v18 < 7; v18 = v18 || 13.37) {
      const v21 = Math.max(-339,v18);
      v1.fill();
      undefined % v21;
    }
  }
}
main();

test\mjsunit\regress\regress-crbug-1057653.js

Issue: https://crbug.com/v8/10333

Commit: [mjsunit] Use smaller test array

Date(Commit): Thu, 19 Mar 2020 09:44:41 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2108547

Regress : test\mjsunit\regress\regress-crbug-1057653.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

Object.prototype.length = 3642395160;
const array = new Float32Array(2**27);

assertThrows(() => {for (const key in array) {}}, RangeError);

test\mjsunit\compiler\regress-1062916.js

Issue: https://crbug.com/1062916

Commit: [turbofan] Remove bogus DCHECK and add a comment

Date(Commit): Thu, 19 Mar 2020 17:30:21 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2110027

Regress : test\mjsunit\compiler\regress-1062916.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --no-analyze-environment-liveness --no-use-ic

function foo(x) {
  var a = [];
  for (var k1 in x) {
    for (var k2 in x) {
      a.k2;
    }
  }
  return a.join();
}

%PrepareFunctionForOptimization(foo);
foo({p: 42});
%OptimizeFunctionOnNextCall(foo);
foo();

test\mjsunit\compiler\regress-1061803.js

Issue:

Commit: Reland "[turbofan] Clean up ConstantFoldingReducer"

Date(Commit): Tue, 17 Mar 2020 09:53:42 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2098736

Regress : test\mjsunit\compiler\regress-1061803.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo() {
  return arguments[1][0] === arguments[0];
}

%PrepareFunctionForOptimization(foo);
assertFalse(foo(0, 0));
assertFalse(foo(0, 0));
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, TypeError);

test\mjsunit\regress\regress-crbug-1059738.js

Issue: https://crbug.com/1059738

Commit: Fix one more LookupIterator

Date(Commit): Fri, 13 Mar 2020 13:53:19 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2101005

Regress : test\mjsunit\regress\regress-crbug-1059738.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

var o = {4294967295: ({4294967295: NaN}) + "foo"};

test\mjsunit\regress\wasm\regress-crbug-1057094.js

Issue: https://crbug.com/1057094

Commit: [wasm] Fix memory limit check with custom flags

Date(Commit): Mon, 2 Mar 2020 15:30:24 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2083300

Regress : test\mjsunit\regress\wasm\regress-crbug-1057094.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --wasm-max-mem-pages=65536

try {
  var __v_50189 = new WebAssembly.Memory({
    initial: 65536
  });
} catch (e) {
  // 32-bit builds will throw a RangeError, that's okay.
  assertTrue(e instanceof RangeError);
}

test\mjsunit\regress\regress-v8-8445.js

Issue:

Commit: [mjsunit] Move all regress-*.js tests to mjsunit/regress/

Date(Commit): Tue, 3 Mar 2020 10:27:43 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2082562

Regress : test\mjsunit\regress\regress-v8-8445.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

class MyRegExp {
  exec() { return null; }
}

assertEquals(["ab", ""], "abc".split(/c/g));
assertEquals([["a"]], [..."a".matchAll(/a/g)]);

Object.defineProperty(RegExp, Symbol.species, { get() { return MyRegExp; }});

assertEquals(["abc"], "abc".split(/c/g));
assertEquals([], [..."a".matchAll(/a/g)]);

test\mjsunit\regress\regress-crbug-1052647.js

Issue: https://crbug.com/1052647

Commit: [intl] Fix Intl.NumberFormat constructor

Date(Commit): Tue, 3 Mar 2020 11:14:57 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2082560

Regress : test\mjsunit\regress\regress-crbug-1052647.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

let useArgs = undefined;
function f(arg) {
    useArgs = 'result' + arguments[0] + arg;
}

Intl.NumberFormat.__proto__ = { [Symbol.hasInstance]: f };

new Intl.NumberFormat();

test\mjsunit\regress\wasm\regress-10126.js

Issue: https://crbug.com/v8/10126

Commit: Reland "[wasm] The name of a custom section can cause a validation error"

Date(Commit): Tue, 25 Feb 2020 15:41:13 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2041446

Regress : test\mjsunit\regress\wasm\regress-10126.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

load('test/mjsunit/wasm/wasm-module-builder.js')

let binary = new Binary;
binary.emit_bytes([
  kWasmH0,              //  0 header
  kWasmH1,              //  1 -
  kWasmH2,              //  2 -
  kWasmH3,              //  3 -
  kWasmV0,              //  4 version
  kWasmV1,              //  5 -
  kWasmV2,              //  6 -
  kWasmV3,              //  7 -
  kUnknownSectionCode,  //  8 custom section
  0x5,                  //  9 length
  0x6,                  // 10 invalid name length
  'a',                  // 11 payload
  'b',                  // 12 -
  'c',                  // 13 -
  'd',                  // 14 -
  kCodeSectionCode,     // 15 code section start
  0x1,                  // 16 code section length
  19,                   // 17 invalid number of functions
]);

const buffer = binary.trunc_buffer();
assertThrowsAsync(
    WebAssembly.compile(buffer), WebAssembly.CompileError,
    'WebAssembly.compile(): expected 6 bytes, fell off end @+11');

test\mjsunit\regress\wasm\regress-724846.js

Issue: https://crbug.com/v8/7881

Commit: [wasm] Bring memory limits up to spec

Date(Commit): Fri, 21 Feb 2020 18:00:27 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2035876

Regress : test\mjsunit\regress\wasm\regress-724846.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

load('test/mjsunit/wasm/wasm-module-builder.js');

// Flags: --wasm-max-mem-pages=49151

let builder = new WasmModuleBuilder();
const num_pages = 49152;
builder.addMemory(num_pages, num_pages);
// num_pages * 64k (page size) > kMaxInt.
assertThrows(() => builder.instantiate(), WebAssembly.CompileError);

test\mjsunit\regress\regress-crbug-1050046.js

Issue: https://crbug.com/1050046

Commit: [keys] Make sure we don't leak the enum cache in slow-mode for/in

Date(Commit): Thu, 20 Feb 2020 16:56:57 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2066959

Regress : test\mjsunit\regress\regress-crbug-1050046.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --expose-gc

var __v_6 = new Boolean();
 __v_6.first = 0;
 __v_6.prop = 1;
for (var __v_2 in __v_6) {
 delete __v_6.prop;
 gc();
}

test\mjsunit\compiler\regress-1051017.js

Issue: https://crbug.com/1051017

Commit: [turbofan] Fix bug in Typer::TypeInductionVariablePhi, again

Date(Commit): Wed, 19 Feb 2020 16:08:26 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2064222

Regress : test\mjsunit\compiler\regress-1051017.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax


function foo1() {
  var x = -Infinity;
  var i = 0;
  for (; i < 1; i += x) {
    if (i == -Infinity) x = +Infinity;
  }
  return i;
}

%PrepareFunctionForOptimization(foo1);
assertEquals(NaN, foo1());
assertEquals(NaN, foo1());
%OptimizeFunctionOnNextCall(foo1);
assertEquals(NaN, foo1());


function foo2() {
  var i = -Infinity;
  for (; i <= 42; i += Infinity) { }
  return i;
}

%PrepareFunctionForOptimization(foo2);
assertEquals(NaN, foo2());
assertEquals(NaN, foo2());
%OptimizeFunctionOnNextCall(foo2);
assertEquals(NaN, foo2());


function foo3(b) {
  var k = 0;
  let str = b ? "42" : "0";
  for (var i = str; i < 1 && k++ < 1; i -= 0) { }
  return i;
}

%PrepareFunctionForOptimization(foo3);
assertEquals(0, foo3());
assertEquals(0, foo3());
%OptimizeFunctionOnNextCall(foo3);
assertEquals(0, foo3());

test\mjsunit\compiler\regress-1053604.js

Issue: https://crbug.com/1053604

Commit: [turbofan] Fix bug in receiver maps inference

Date(Commit): Wed, 19 Feb 2020 10:04:19 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2062396

Regress : test\mjsunit\compiler\regress-1053604.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

let a = [0, 1, 2, 3, 4];

function empty() {}

function f(p) {
  a.pop(Reflect.construct(empty, arguments, p));
}

let p = new Proxy(Object, {
    get: () => (a[0] = 1.1, Object.prototype)
});

function main(p) {
  f(p);
}

%PrepareFunctionForOptimization(empty);
%PrepareFunctionForOptimization(f);
%PrepareFunctionForOptimization(main);

main(empty);
main(empty);
%OptimizeFunctionOnNextCall(main);
main(p);

test\mjsunit\asm\regress-674089.js

Issue: https://crbug.com/v8/8088

Commit: [parser] Track labels in the parser-base rather than parser+ast

Date(Commit): Tue, 18 Feb 2020 16:07:23 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2059989

Regress : test\mjsunit\asm\regress-674089.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --validate-asm --lazy-inner-functions

function outer() {
  "use asm";
  function inner() {
    /f(/
  }
}
outer();

test\mjsunit\regress\regress-1049982-2.js

Issue: https://crbug.com/1049982

Commit: Add test skips for deopt_fuzzer

Date(Commit): Wed, 12 Feb 2020 08:39:47 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2050402

Regress : test\mjsunit\regress\regress-1049982-2.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --opt

const xs = [1,2,3,4,5,6,7,8,9];
let deopt = false;

function g(acc, x, i) {
  if (deopt) {
    assertFalse(%IsBeingInterpreted());
    Array.prototype.x = 42;  // Trigger a lazy deopt.
    deopt = false;
  }
  return acc + x;
}

function f() {
  return xs.reduceRight(g, 0);
}

%PrepareFunctionForOptimization(f);
%PrepareFunctionForOptimization(g);
assertEquals(45, f());
assertEquals(45, f());
%OptimizeFunctionOnNextCall(f);

deopt = true;
assertEquals(45, f());
assertEquals(45, f());

test\mjsunit\regress\wasm\regress-1048241.js

Issue: https://crbug.com/1048241

Commit: [liftoff][ia32] Fix AtomicStore register spilling

Date(Commit): Tue, 4 Feb 2020 09:48:04 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2036073

Regress : test\mjsunit\regress\wasm\regress-1048241.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --wasm-staging

load('test/mjsunit/wasm/wasm-module-builder.js');

const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false, true);
const sig = makeSig([kWasmF64, kWasmI64, kWasmI32, kWasmF64], []);
builder.addFunction(undefined, sig).addBody([
  kExprI32Const, 0x00,                               // -
  kExprI32Const, 0x00,                               // -
  kExprI32Const, 0x00,                               // -
  kAtomicPrefix, kExprI32AtomicXor16U, 0x01, 0x00,   // -
  kAtomicPrefix, kExprI32AtomicStore8U, 0x00, 0x00,  // -
]);
builder.instantiate();

test\mjsunit\regress\wasm\regress-1045225.js

Issue: https://crbug.com/1045225

Commit: [Liftoff] Clean up implementation of AtomicStore

Date(Commit): Fri, 31 Jan 2020 09:13:09 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2029414

Regress : test\mjsunit\regress\wasm\regress-1045225.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --wasm-staging

load('test/mjsunit/wasm/wasm-module-builder.js');

(function() {
  const builder = new WasmModuleBuilder();
  builder.addMemory(16, 32, false, true);
  builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
  // Generate function 1 (out of 1).
  builder.addFunction(undefined, 0 /* sig */)
    .addBodyWithEnd([
// signature: i_iii
// body:
kExprI32Const, 0x80, 0x01,
kExprI32Clz,
kExprI32Const, 0x00,
kExprI64Const, 0x00,
kAtomicPrefix, kExprI64AtomicStore8U, 0x00, 0x00,
kExprEnd,   // @13
            ]);
  builder.addExport('main', 0);
  const instance = builder.instantiate();
  print(instance.exports.main(1, 2, 3));
})();

test\mjsunit\regress\regress-crbug-1044909.js

Issue: https://crbug.com/1044909

Commit: Fix one more LookupIterator

Date(Commit): Wed, 29 Jan 2020 17:05:21 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2023558

Regress : test\mjsunit\regress\regress-crbug-1044909.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function main() {
  const v2 = Object.prototype;
  v2[4294967296] = {};
  const v12 = {get: function() {}};
  Object.defineProperty(v2, 4294967296, v12);
  const v15 = {...v2};
}
%PrepareFunctionForOptimization(main);
main();

test\mjsunit\regress\regress-crbug-1041251.js

Issue: https://crbug.com/1041251

Commit: [builtins] Fix FastCreateDataProperty

Date(Commit): Tue, 28 Jan 2020 12:24:45 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2023551

Regress : test\mjsunit\regress\regress-crbug-1041251.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

let v0 = [0, 1];
v0.constructor = {
  [Symbol.species]: function() {
    let v1 = [2];
    Object.defineProperty(v1, "length", {writable: false});
    return v1;
  }
}

assertThrows(() => Array.prototype.map.call(v0, function() {}), TypeError);

test\mjsunit\regress\regress-1044919.js

Issue: https://crbug.com/1044919

Commit: [runtime] Don't invalidate property cell when it becomes read-only

Date(Commit): Tue, 28 Jan 2020 16:48:54 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2023562

Regress : test\mjsunit\regress\regress-1044919.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

(function main() {
  eval();
  function foo() {
    bla = [];
    bla.__proto__ = '';
  }
  %PrepareFunctionForOptimization(foo);
  foo();
  Object.defineProperty(this, 'bla',
      {value: bla, configurable: false, writable: true});
  foo();
  %OptimizeFunctionOnNextCall(foo);
  foo();
  Object.defineProperty(this, 'bla',
      {value: bla, configurable: false, writable: false});
  foo();
})();

test\mjsunit\regress\regress-crbug-1044911.js

Issue: https://crbug.com/1044911

Commit: Fix ArrayLengthSetter for suddenly frozen elements

Date(Commit): Tue, 28 Jan 2020 14:49:46 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2023555

Regress : test\mjsunit\regress\regress-crbug-1044911.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

let a = [0];
let l = {
  valueOf: function() {
    Object.freeze(a);
    return 1;
  }
};
a.length = l;

test\mjsunit\regress\wasm\regress-1045737.js

Issue:

Commit: [wasm][liftoff] Zero-extend result of atomic.add

Date(Commit): Mon, 27 Jan 2020 12:48:17 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2020768

Regress : test\mjsunit\regress\wasm\regress-1045737.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --wasm-staging --liftoff --no-wasm-tier-up

load('test/mjsunit/wasm/wasm-module-builder.js');

(function() {
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false, true);
builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */).addBodyWithEnd([
  // signature: i_iii
  // body:
  kExprI32Const, 0x00, kExprI64Const, 0xc2, 0xe6, 0x00, kAtomicPrefix,
  kExprI64AtomicAdd8U, 0x00, 0xb6, 0x0e, kExprF32SConvertI64,
  kExprI32SConvertF32,
  kExprEnd,  // @14
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertEquals(instance.exports.main(1, 2, 3), 0);
})();

test\mjsunit\regress\wasm\regress-8059.js

Issue: https://crbug.com/v8/10021

Commit: Remove "--wasm-disable-structured-cloning" flag

Date(Commit): Wed, 22 Jan 2020 13:32:28 -0800

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1999158

Regress : test\mjsunit\regress\wasm\regress-8059.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

load("test/mjsunit/wasm/wasm-module-builder.js");

(function TestPostModule() {
  let builder = new WasmModuleBuilder();
  builder.addFunction("add", kSig_i_ii)
    .addBody([kExprLocalGet, 0, kExprLocalGet, 1, kExprI32Add])
    .exportFunc();

  let module = builder.toModule();

  let workerScript = `
    onmessage = function(module) {
      try {
        let instance = new WebAssembly.Instance(module);
        let result = instance.exports.add(40, 2);
        postMessage(result);
      } catch(e) {
        postMessage('ERROR: ' + e);
      }
    }
  `;

  let realm = Realm.create();
  Realm.shared = { m:module, s:workerScript };

  let realmScript = `
    let worker = new Worker(Realm.shared.s, {type: 'string'});
    worker.postMessage(Realm.shared.m);
    let message = worker.getMessage();
    worker.terminate();
    message;
  `;
  let message = Realm.eval(realm, realmScript);
  assertEquals(42, message);
})();

test\mjsunit\regress\regress-crbug-754175.js

Issue: https://crbug.com/v8/4153

Commit: [64bit] Bump TypedArray max length to 2**32-1 elements

Date(Commit): Wed, 22 Jan 2020 15:39:19 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2007495

Regress : test\mjsunit\regress\regress-crbug-754175.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --mock-arraybuffer-allocator --allow-natives-syntax

function Module(stdlib, foreign, buffer) {
  "use asm";
  var heap = new stdlib.Int8Array(buffer);
  function foo() { return heap[23] | 0 }
  return { foo:foo };
}
const kLength = Math.max(0x100000000, %TypedArrayMaxLength() + 1);
function instantiate() {
  // On 32-bit architectures buffer allocation will throw.
  var buffer = new ArrayBuffer(kLength);
  // On 64-bit architectures instantiation will throw.
  var module = Module(this, {}, buffer);
}
assertThrows(instantiate, RangeError);

test\mjsunit\regress\regress-10138.js

Issue: https://crbug.com/v8/10138

Commit: Fix native stacks flag for pointer compression

Date(Commit): Mon, 20 Jan 2020 23:36:00 -0800

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2011206

Regress : test\mjsunit\regress\regress-10138.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file

// Flags: --allow-natives-syntax --interpreted-frames-native-stack

function f() {
  g();
}

function g() {
  %DeoptimizeFunction(f);
  %DeoptimizeFunction(f);
}

%PrepareFunctionForOptimization(f);
f(); f();
%OptimizeFunctionOnNextCall(f);
f();

test\mjsunit\compiler\regress-1037771.js

Issue: https://crbug.com/1037771

Commit: [turbofan] Don't verify context input of Create*Context nodes

Date(Commit): Mon, 20 Jan 2020 13:58:49 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2010792

Regress : test\mjsunit\compiler\regress-1037771.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --interrupt-budget=1024

async function* r() {
  for (var l = "" in { goo: ()=>{} }) {
    for (let n = 0; n < 500; (t ? -500 : 0)) {
      n++;
      if (n > 1) break;
      try {
        r.blabadfasdfasdfsdafsdsadf();
      } catch (e) {
        for (let n = 0; n < 500; n++);
        for (let n in t) {
          return t[n];
        }
      }
      try { r(n, null) } catch (e) {}
    }
  }
}
let t = r();
t.return({
  get then() {
    let n = r();
    n.next();
  }
});

test\mjsunit\regress\regress-v8-10072.js

Issue: https://crbug.com/v8/10072

Commit: [regexp] Fix CP advancement in all SKIP_* bytecodes

Date(Commit): Thu, 16 Jan 2020 11:27:52 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2002543

Regress : test\mjsunit\regress\regress-v8-10072.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

assertNull(/(?<=a[^b]*)./.exec('a'));

test\mjsunit\regress\regress-crbug-1041232.js

Issue: https://crbug.com/1042151

Commit: [test] Proper OOM handling for multi-mapped mock allocator

Date(Commit): Wed, 15 Jan 2020 12:24:58 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2002391

Regress : test\mjsunit\regress\regress-crbug-1041232.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --multi-mapped-mock-allocator

// Chosen for stress runs on 32-bit systems. Physical memory is not an issue
// thanks to the mock allocator, but virtual address space is still limited.
let kSize = 128 * 1024 * 1024;
// Must be >= MultiMappedMockAllocator::kChunkSize in d8.cc.
let kChunkSize = 2 * 1024 * 1024;
let a = new Uint8Array(kSize);

for (let i = 0; i < kChunkSize; i++) {
  a[i] = 42;
}

// Check that OOB accesses return undefined and all array elements are 42.
// Importantly, nothing crashes.
assertEquals(undefined, a[-kChunkSize - 1]);
assertEquals(undefined, a[-kChunkSize]);
assertEquals(undefined, a[-1]);
assertEquals(42, a[0]);
assertEquals(42, a[1]);
// If this fails, then you probably tried to run this test without the
// multi-mapped mock allocator.
assertEquals(42, a[kChunkSize]);
assertEquals(42, a[kChunkSize + 1]);
assertEquals(42, a[kChunkSize + 1]);
assertEquals(42, a[kSize - kChunkSize]);
assertEquals(42, a[kSize - 1]);
assertEquals(undefined, a[kSize]);
assertEquals(undefined, a[kSize + 1]);
assertEquals(undefined, a[kSize + kChunkSize]);
assertEquals(undefined, a[kSize + kSize]);

// Check that excessive requests throw (crbug.com/1042173, crbug.com/1042151).
assertThrows(() => new ArrayBuffer(Number.MAX_SAFE_INTEGER));

test\mjsunit\regress\wasm\regress-1032753.js

Issue: https://crbug.com/v8/10121

Commit: Add --perf-prof-delete-file flag

Date(Commit): Tue, 14 Jan 2020 15:55:59 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2000738

Regress : test\mjsunit\regress\wasm\regress-1032753.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --perf-prof --perf-prof-delete-file

load('test/mjsunit/wasm/wasm-module-builder.js');

new WasmModuleBuilder().instantiate();

test\mjsunit\regress\regress-crbug-1041616.js

Issue:

Commit: [parser] Fix cache scope recursion for with

Date(Commit): Tue, 14 Jan 2020 14:08:33 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2000133

Regress : test\mjsunit\regress\regress-crbug-1041616.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

global = 0;

(function foo() {
  function bar() {
    let context_allocated = 0;
    with ({}) {
      f = function() { ++global; }
    }
    function baz() { return foo(context_allocated); };
    f();
  };
  bar();
})();

test\mjsunit\regress\wasm\regress-1033948.js

Issue: https://crbug.com/1033948

Commit: [wasm] Leave Global constructor on error

Date(Commit): Thu, 9 Jan 2020 15:01:48 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1993283

Regress : test\mjsunit\regress\wasm\regress-1033948.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

const desc = {
  get mutable() {
    throw "foo";
  },
  get value() {
    console.trace();
  }
};
assertThrowsEquals(() => new WebAssembly.Global(desc), "foo");

test\mjsunit\regress\regress-1040403.js

Issue: https://crbug.com/1040444

Commit: [turbofan] Allow handle deferences when compiling non concurrently

Date(Commit): Thu, 9 Jan 2020 11:38:45 +0000

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1992433

Regress : test\mjsunit\regress\regress-1040403.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --trace-turbo-graph --noconcurrent-recompilation

function bytes() {
}
function __f_4622() {
  var __v_22507 = {
  };
}
%PrepareFunctionForOptimization(__f_4622);
%OptimizeFunctionOnNextCall(__f_4622);
42 |  __f_4622();

test\mjsunit\regress\regress-crbug-1020162.js

Issue: https://crbug.com/1020162

Commit: [parser] Force stable order for variables

Date(Commit): Thu, 9 Jan 2020 09:33:44 +0000

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1977865

Regress : test\mjsunit\regress\regress-crbug-1020162.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --throws

((get = foo.get(...a, a), b) => 0)();

test\mjsunit\regress\regress-1038573.js

Issue: https://crbug.com/1038573

Commit: Fixes lost TypeError for BigInts

Date(Commit): Tue, 7 Jan 2020 17:40:17 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1986003

Regress : test\mjsunit\regress\regress-1038573.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax

(function(){
  function f(x) {
    return "abcd".charCodeAt(BigInt.asUintN(64, 10n));
  }

  %PrepareFunctionForOptimization(f);
  try { f(1); } catch(e) {}
  try { f(1); } catch(e) {}
  %OptimizeFunctionOnNextCall(f);
  assertThrows(f, TypeError);
})();


(function(){
  function f(x) {
    return "abcd".charCodeAt(BigInt.asUintN(2, 10n));
  }

  %PrepareFunctionForOptimization(f);
  try { f(1); } catch(e) {}
  try { f(1); } catch(e) {}
  %OptimizeFunctionOnNextCall(f);
  assertThrows(f, TypeError);
})();

test\mjsunit\regress\regress-1038588.js

Issue: https://crbug.com/1038588

Commit: [parser] Fix conflict detection loop early exit

Date(Commit): Tue, 7 Jan 2020 12:44:00 +0100

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1985991

Regress : test\mjsunit\regress\regress-1038588.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

function foo(arg){
  const x = 0;
  eval("var arg, x;");
}
assertThrows(foo, SyntaxError);

test\mjsunit\regress\regress-1033966.js

Issue: https://crbug.com/1033966

Commit: [protectors] Remove invalid DCHECK in protectors.

Date(Commit): Thu, 26 Dec 2019 08:53:22 -0800

Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1982582

Regress : test\mjsunit\regress\regress-1033966.js

// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

var regexp = Realm.global(Realm.createAllowCrossRealmAccess()).RegExp;
regexp.prototype.constructor = 1;