Issue: https://crbug.com/1158124
Commit: [api] Its sufficient for the holder in api call to be a JSReceier
Date(Commit): Wed, 16 Dec 2020 22:31:04 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2596336
Regress : test\mjsunit\regress\regress-1158124.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --log-code
o = new Proxy(this, {});
o.printErr();
Issue: https://crbug.com/v8/11274
Commit: [runtime] Fix TypedArrayPrototype protector cell checks
Date(Commit): Wed, 16 Dec 2020 15:41:50 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2594776
Regress : test\mjsunit\regress\regress-11274.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var typedArrayProto = Uint8Array.prototype.__proto__;
var typedArrayConstructor = Uint8Array.prototype.constructor[Symbol.species];
var called = false;
Uint8Array.prototype.__proto__ = {};
Uint8Array.prototype.constructor = {
get [Symbol.species]() {
called = true;
return typedArrayConstructor;
}
}
Uint8Array.prototype.__proto__ = typedArrayProto;
var arr = new Uint8Array(8);
arr.slice(1, 5);
assertTrue(called);
Commit: [turbofan] Update Node type in JSTypedLowering::ReduceJSToNumeric
Date(Commit): Tue, 15 Dec 2020 17:42:40 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2593336
Regress : test\mjsunit\compiler\regress-1158049.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const v2 = Symbol.unscopables;
function v6(v7,v8,v9,v10) {
try {
let v11 = eval && v2;
const v12 = v11++;
} catch(v13) {}
}
for (let v17 = 1; v17 < 10000; v17++) {
const v18 = v6();
}
Issue: https://crbug.com/v8/11261
Commit: [parser] Fix parsing "new super.x"
Date(Commit): Tue, 15 Dec 2020 12:51:07 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2593248
Regress : test\mjsunit\regress\regress-v8-11261.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let obj = ({ __proto__: { x: class {} }, y() { return new super.x; } });
obj.y();
class A { static a = class {} }
class B extends A { static b() { return new super.a(); } }
B.b();
Issue: https://crbug.com/1152231
Commit: Update next_enumeration_index_ correctly in ObjectDescriptor
Date(Commit): Fri, 11 Dec 2020 09:46:11 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2577463
Regress : test\mjsunit\regress\regress-1152231.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function ID(x) {
return x;
}
function f2(v) {
var p = v.prototype;
Object.defineProperty(p, undefined, { });
assertArrayEquals(['constructor', 'a', 'b', 'c', 'd', 'undefined'],
Object.getOwnPropertyNames(p));
}
function f22() {
class class1 {
a() {
}
get [ID('b')]() {
}
c() {
}
d() {
}
}
f2(class1);
};
f22();
Commit: [TurboProp] Fix dynamic check maps register saving on x64
Date(Commit): Fri, 4 Dec 2020 17:02:37 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2574697
Regress : test\mjsunit\regress\regress-1154961.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --turboprop --stack-size=100
function runNearStackLimit(f) {
function t() {
try {
return t();
} catch (e) {
return f();
}
}
return t();
}
function baz(f) {
return [[f(1)], 1, 2, 3, 4, 5, 6, 7, 8];
}
function foo(__v_3) {
try {
var arr = baz(__v_3);
} catch (e) {}
try {
for (var i = 0; i < arr.length; i++) {
function bar() {
return arr[i];
}
try {
throw e;
} catch (e) {}
}
} catch (e) {}
}
%PrepareFunctionForOptimization(foo);
foo(a => a);
foo(a => a);
%OptimizeFunctionOnNextCall(foo);
runNearStackLimit(() => { foo(a => a); });
Issue: https://crbug.com/v8/11206
Commit: [turbofan] Adjust spill slot range for multi-value return
Date(Commit): Thu, 3 Dec 2020 10:15:40 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2569762
Regress : test\mjsunit\regress\wasm\regress-11206.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-mv --expose-gc --stress-compaction
// Flags: --stress-scavenge=16
load('test/mjsunit/wasm/wasm-module-builder.js');
(function TestReturnOddNumberOfReturns() {
let builder = new WasmModuleBuilder();
let void_sig = builder.addType(kSig_v_v);
let mv_sig = builder.addType(
makeSig([], [kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmI32]));
let gc_index = builder.addImport('q', 'gc', void_sig);
builder.addFunction('main', mv_sig)
.addBodyWithEnd([
kExprCallFunction, gc_index,
kExprI32Const, 1,
kExprI32Const, 2,
kExprI32Const, 3,
kExprI32Const, 4,
kExprI32Const, 5,
kExprEnd
])
.exportFunc();
let instance = builder.instantiate({q: {gc: gc}});
instance.exports.main();
})();
(function TestReturnEvenNumberOfReturns() {
let builder = new WasmModuleBuilder();
let void_sig = builder.addType(kSig_v_v);
let mv_sig =
builder.addType(makeSig([], [kWasmI32, kWasmI32, kWasmI32, kWasmI32]));
let gc_index = builder.addImport('q', 'gc', void_sig);
builder.addFunction('main', mv_sig)
.addBodyWithEnd([
kExprCallFunction, gc_index,
kExprI32Const, 1,
kExprI32Const, 2,
kExprI32Const, 3,
kExprI32Const, 4,
kExprEnd
])
.exportFunc();
let instance = builder.instantiate({q: {gc: gc}});
instance.exports.main();
})();
Commit: [cleanup][TurboProp] Unify DynamicMapChecks names.
Date(Commit): Wed, 2 Dec 2020 09:34:53 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2567952
Regress : test\mjsunit\regress\regress-unlink-closures-on-deopt.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --noalways-opt
function foo() {
function g(o) {
return o.f;
}
return g;
}
let g1 = foo();
let g2 = foo();
%PrepareFunctionForOptimization(g1);
g1({ f : 1});
g1({ f : 2});
g2({ f : 2});
g2({ f : 2});
%OptimizeFunctionOnNextCall(g1);
g1({ f : 1});
%PrepareFunctionForOptimization(g2);
%OptimizeFunctionOnNextCall(g2);
g2({ f : 2});
g1({});
if (%DynamicCheckMapsEnabled()) {
// One more call to ensure a deopt even if dynamic map checks is enabled.
g1({});
}
assertUnoptimized(g1);
// Deoptimization of g1 should also deoptimize g2 because they should share
// the optimized code object. (Unfortunately, this test bakes in various
// other assumptions about dealing with optimized code, and thus might break
// in future.)
assertUnoptimized(g2);
g2({});
Issue: https://crbug.com/1152937
Commit: [wasm] Interface should only be called for 'br' if ok()
Date(Commit): Thu, 26 Nov 2020 14:07:32 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2562239
Regress : test\mjsunit\regress\wasm\regress-1152937.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Test that decoding of 'br' exits early and does not invoke the codegen
// interface when reading the LEB128 branch target fails.
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addFunction(undefined, kSig_v_v)
.addBodyWithEnd([kExprBr, 0xFF]);
assertThrows(() => builder.instantiate(), WebAssembly.CompileError);
Commit: [bigint] Fix possibly-uninitialized leading digit on right shift
Date(Commit): Wed, 25 Nov 2020 23:09:27 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2561618
Regress : test\mjsunit\regress\regress-crbug-1151890.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
for (let i = 0, j = 0; i < 10; ++i) {
let x = (-0xffffffffffffffff_ffffffffffffffffn >> 0x40n);
assertEquals(-0x10000000000000000n, x);
%SimulateNewspaceFull();
}
Issue: https://crbug.com/1150649
Commit: [compiler] Fix a bug in SimplifiedLowering
Date(Commit): Tue, 24 Nov 2020 09:41:10 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2557498
Regress : test\mjsunit\compiler\regress-1150649.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(a) {
var y = 0x7fffffff; // 2^31 - 1
// Widen the static type of y (this condition never holds).
if (a == NaN) y = NaN;
// The next condition holds only in the warmup run. It leads to Smi
// (SignedSmall) feedback being collected for the addition below.
if (a) y = -1;
const z = (y + 1)|0;
return z < 0;
}
%PrepareFunctionForOptimization(foo);
assertFalse(foo(true));
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo(false));
Issue: https://crbug.com/1145990
Commit: [nci] Fix arguments order in call of ConstructWithSpread_WithFeedback
Date(Commit): Mon, 23 Nov 2020 15:19:06 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2549952
Regress : test\mjsunit\regress\regress-1145990.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
class B { }
class C extends B {
#field = 'test';
}
for (let i = 0; i < 10000; i++) {
new C();
}
Issue: https://crbug.com/v8/11115
Commit: Fix rare stack overflow in instanceof
Date(Commit): Tue, 17 Nov 2020 23:36:22 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2545624
Regress : test\mjsunit\regress\regress-11115.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --stack-size=100
var f = function() {}
for (var i = 0; i < 1000; ++i) {
f = f.bind();
Object.defineProperty(f, Symbol.hasInstance, {value: undefined});
}
try {
({}) instanceof f; // Don't overflow the stack!
} catch (e) {
// Throwing a RangeError is okay.
}
Issue: https://crbug.com/1148758
Commit: [super] Fix: receiver can be null / undefined
Date(Commit): Thu, 19 Nov 2020 15:11:09 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2549941
Regress : test\mjsunit\compiler\regress-crbug-1148758.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --interrupt-budget=100
var caught = 0;
function runManyTimes(f) {
for (let i = 0; i < 1000; ++i) {
try {
// Seems to be important that this is inside a try catch.
f();
} catch (e) {
assertUnreachable();
}
}
}
let A = {
get foo() {
return 0;
}
};
let B = {
__proto__: A,
aa() {
"use strict";
super.foo;
}
};
var superAccessingFunc = B.aa;
runManyTimes(function () {
try {
superAccessingFunc();
} catch (e) {
caught++;
}
});
assertEquals(0, caught);
Issue: https://crbug.com/v8/8888
Commit: [compiler] Rename --turboprop-dynamic-map-checks
Date(Commit): Wed, 18 Nov 2020 12:51:57 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2546693
Regress : test\mjsunit\regress\regress-1141502.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-lazy-feedback-allocation
// Flags: --turbo-dynamic-map-checks
function bar(a) {
return a.x;
}
function foo(a) {
return 1 * bar(a);
}
var obj = {x: 2};
%PrepareFunctionForOptimization(foo);
foo(obj, obj);
%OptimizeFunctionOnNextCall(foo);
assertThrows(() => foo());
Issue: https://crbug.com/1146013
Commit: [nci] Fix DCHECK(function->is_compiled()) in CompileOptimized
Date(Commit): Thu, 12 Nov 2020 08:11:11 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2532297
Regress : test\mjsunit\regress\regress-1146013.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --no-use-ic --interrupt-budget=1000
try {
} catch (e) {}
class __c_0 extends class {} {
constructor() {
let __v_18 = () => {
for (let __v_19 = 0; __v_19 < 10; __v_19++) {
this.x;
}
};
super();
__v_18();
}
}
for (let __v_21 = 0; __v_21 < 10000; __v_21++) {
new __c_0();
}
Issue: https://crbug.com/v8/9808
Commit: [flags] Remove --harmony-promise-any
Date(Commit): Wed, 11 Nov 2020 16:22:12 -0800
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2510869
Regress : test\mjsunit\regress-crbug-1078825.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
load('test/mjsunit/test-async.js');
(function() {
const p1 = Promise.reject(1);
const p2 = Promise.resolve(1);
Object.defineProperty(p2, "then", {});
testAsync(assert => {
assert.plan(1);
Promise.any([p1, p2]).then(
assert.unreachable,
(e) => { assert.equals(true, e instanceof TypeError); });
});
})();
Issue: https://crbug.com/1145988
Commit: [nci] Check Isolate::concurrent_recompilation_enabled
Date(Commit): Wed, 11 Nov 2020 13:31:04 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2531781
Regress : test\mjsunit\regress\regress-1145988.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
__f_1();
function __f_1() {
for (var __v_3 = 0; __v_3 < 100000; __v_3++) {
}
}
__f_1();
Issue: https://crbug.com/v8/9237
Commit: [super] Optimize super property access in JSNativeContextSpecialization
Date(Commit): Tue, 10 Nov 2020 09:28:22 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2527092
Regress : test\mjsunit\regress-1146106.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --concurrent-inlining --no-use-ic --super-ic
class A {
bar() { }
}
class B extends A {
foo() {
return super.bar();
}
}
%PrepareFunctionForOptimization(B.prototype.foo);
new B().foo();
%OptimizeFunctionOnNextCall(B.prototype.foo);
new B().foo();
Issue: https://crbug.com/1146652
Commit: [compiler] Fix use of HeapObjectMatcher
Date(Commit): Sat, 7 Nov 2020 12:22:59 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2524440
Regress : test\mjsunit\compiler\regress-1146652.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function IsDataView(obj) {
return obj.getFloat64;
}
%NeverOptimizeFunction(IsDataView);
function bar(obj) {
if (IsDataView(obj)) obj.getFloat64(0);
}
%PrepareFunctionForOptimization(bar);
bar(new DataView(new ArrayBuffer(42)));
const proxy = new Proxy({}, {});
function foo() { bar(proxy) }
%PrepareFunctionForOptimization(foo);
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/1144672
Commit: [deoptimizer] Fix define typo and inlined frame base
Date(Commit): Tue, 3 Nov 2020 16:15:31 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2512923
Regress : test\mjsunit\regress\regress-1144672.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function g(b) {
const _ = Object.getOwnPropertyDescriptors(g);
// for (const _ of b) {}
}
function f(...a) {
g(a);
}
%PrepareFunctionForOptimization(f);
%PrepareFunctionForOptimization(g);
f([]);
%OptimizeFunctionOnNextCall(f);
f([]);
Issue: https://crbug.com/1143772
Commit: [map] Try to in-place transition during map update
Date(Commit): Thu, 29 Oct 2020 21:47:46 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2507715
Regress : test\mjsunit\regress\regress-1143772.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
(function() {
// Only run this test if doubles are transitioned in-place to tagged.
let x = {};
x.a = 0.1;
let y = {};
y.a = {};
if (!%HaveSameMap(x, y)) return;
// m1: {}
let m1 = {};
// m2: {a:d}
let m2 = {};
assertTrue(%HaveSameMap(m2, m1));
m2.a = 13.37;
// m3: {a:d, b:s}
let m3 = {};
m3.a = 13.37;
assertTrue(%HaveSameMap(m3, m2));
m3.b = 1;
// m4: {a:d, b:s, c:h}
let m4 = {};
m4.a = 13.37;
m4.b = 1;
assertTrue(%HaveSameMap(m4, m3));
m4.c = {};
// m4_2 == m4
let m4_2 = {};
m4_2.a = 13.37;
m4_2.b = 1;
m4_2.c = {};
assertTrue(%HaveSameMap(m4_2, m4));
// m5: {a:d, b:d}
let m5 = {};
m5.a = 13.37;
assertTrue(%HaveSameMap(m5, m2));
m5.b = 13.37;
assertFalse(%HaveSameMap(m5, m3));
// At this point, Map3 and Map4 are both deprecated. Map2 transitions to
// Map5. Map5 is the migration target for Map3.
assertFalse(%HaveSameMap(m5, m3));
// m6: {a:d, b:d, c:d}
let m6 = {};
m6.a = 13.37;
assertTrue(%HaveSameMap(m6, m2));
m6.b = 13.37;
assertTrue(%HaveSameMap(m6, m5));
m6.c = 13.37
// Make m7: {a:d, b:d, c:t}
let m7 = m4_2;
assertTrue(%HaveSameMap(m7, m4));
// Map4 is deprecated, so this property access triggers a Map migration.
// With in-place map updates and no double unboxing, this should end up
// migrating to Map6, and updating it in-place.
m7.c;
assertFalse(%HaveSameMap(m7, m4));
assertTrue(%HaveSameMap(m6, m7));
})();
Issue: https://crbug.com/v8/10111
Commit: [class] Fix super call evaluation order
Date(Commit): Thu, 29 Oct 2020 08:26:02 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2493077
Regress : test\mjsunit\regress\regress-crbug-696622.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
class C {}
class D extends C { constructor() { super(...unresolved, 75) } }
D.__proto__ = null;
%PrepareFunctionForOptimization(D);
// ReferenceError because argument evaluation happens before calling the super
// constructor.
assertThrows(() => new D(), ReferenceError);
assertThrows(() => new D(), ReferenceError);
%OptimizeFunctionOnNextCall(D);
assertThrows(() => new D(), ReferenceError);
Issue: https://crbug.com/v8/7790
Commit: Reland x2 "[compiler] Replace Symbol with direct reads""
Date(Commit): Tue, 27 Oct 2020 14:33:47 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2400988
Regress : test\mjsunit\regress\regress-crbug-1137594.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
v = { symbol: Symbol() };
function f() {
for (var i = 0; i < 1; ++i) {
try { v.symbol(); } catch (e) {}
}
}
%PrepareFunctionForOptimization(f);
f();
%OptimizeFunctionOnNextCall(f);
f();
Commit: [test] Fix mjsunit/regress/regress-542823 on PPC
Date(Commit): Tue, 27 Oct 2020 13:27:02 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2502330
Regress : test\mjsunit\regress\regress-542823.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
(function() {
// kPageSizeBits is 19 on PPC.
const kPageSizeBits = 19;
const kMaxHeapObjectSize = (1 << (kPageSizeBits - 1));
const filler = "Large amount of text per element, so that the joined array is"
+ "large enough to be allocated in the large object space"
const size = Math.ceil(kMaxHeapObjectSize / filler.length + 1);
const arr = Array(size).fill(filler);
for (let i = 0; i < 10; i++) {
assertTrue(%InLargeObjectSpace(arr.join("")));
}
})();
Issue: https://crbug.com/1142158
Commit: [arm] Correctly push and pop double registers on deopt entry
Date(Commit): Tue, 27 Oct 2020 11:46:00 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2498686
Regress : test\mjsunit\regress\regress-1142158.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
var __v_0 = {};
var __v_13 = {};
var __v_14 = {};
var __v_15 = {};
var __v_16 = {};
var __v_17 = {};
var __v_18 = {};
function __f_6(x, deopt) {
var __v_1 = x;
var __v_2 = 2 * x;
var __v_3 = 3 * x;
var __v_4 = 4 * x;
var __v_5 = 5 * x;
var __v_6 = 6 * x;
var __v_7 = 7 * x;
var __v_9 = 9 * x;
var __v_10 = 10 * x;
var __v_11 = 11 * x;
var __v_12 = 12 * x;
var __v_20 = 18 * x;
var __v_19 = 19 * x;
var __v_8 = 20 * x;
__v_0 = 1;
deopt + -2147483648;
return __v_1 + __v_2 + __v_3 + __v_4 + __v_5 + __v_6 + __v_7 + __v_8 + __v_9 + __v_10 + __v_11 + __v_12 + __v_13 +
__v_14 + __v_15 + __v_16 + __v_17 + __v_18 + __v_19 + __v_20;
};
%PrepareFunctionForOptimization(__f_6);
__f_6();
%OptimizeFunctionOnNextCall(__f_6);
assertEquals("45[object Object][object Object][object Object][object Object][object Object][object Object]9.59", __f_6(0.5, ""));
Issue: https://crbug.com/v8/11024
Commit: [wasm] Deserialized code is marked with top-tier-finished
Date(Commit): Fri, 23 Oct 2020 15:58:59 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2494930
Regress : test\mjsunit\regress\wasm\regress-11024.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// The test needs --wasm-tier-up because we can't serialize and deserialize
// Liftoff code.
// Flags: --expose-wasm --allow-natives-syntax --expose-gc --wasm-tier-up
load("test/mjsunit/wasm/wasm-module-builder.js");
const wire_bytes = new WasmModuleBuilder().toBuffer();
const serialized = (() => {
return %SerializeWasmModule(new WebAssembly.Module(wire_bytes));
})();
// Collect the compiled module, to avoid sharing of the NativeModule.
gc();
const module = %DeserializeWasmModule(serialized, wire_bytes);
%SerializeWasmModule(module);
Issue: https://crbug.com/1142240
Commit: [compiler] Fix bug in JSBoundFunction::Serialize
Date(Commit): Mon, 26 Oct 2020 10:19:12 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2497170
Regress : test\mjsunit\compiler\regress-1125145.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt
function foo() {}
for (let i = 0; i < 100000; ++i) {
foo = foo.bind();
}
function main() {
foo();
foo();
}
%PrepareFunctionForOptimization(main);
main();
%OptimizeFunctionOnNextCall(main);
main();
Issue: https://crbug.com/1140549
Commit: [wasm][liftoff][ia32] Fix register allocation of CompareExchange
Date(Commit): Thu, 22 Oct 2020 11:38:50 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2491031
Regress : test\mjsunit\regress\wasm\regress-1140549.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false, true);
builder.addType(makeSig([], []));
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: v_v
// body:
kExprI32Const, 0x00,
kExprI32Const, 0x00,
kExprI32Const, 0x00,
kAtomicPrefix, kExprI32AtomicCompareExchange8U, 0x00, 0xc3, 0x01,
kExprDrop,
kExprEnd, // end @193
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
print(instance.exports.main(1, 2, 3));
Issue: https://crbug.com/1139782
Commit: [regexp] Add regression test for chromium:1139782
Date(Commit): Wed, 21 Oct 2020 12:06:57 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2488687
Regress : test\mjsunit\regress\regress-1139782.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function main() {
for (let v3 = 0; v3 < 120; v3++) {
const v6 = [Int16Array,1111];
let v12 = 577623200;
const v14 = [2];
const v18 = [1.7976931348623157e+308,1.7976931348623157e+308,1.7976931348623157e+308,1.7976931348623157e+308];
const v20 = [1111,Uint8Array];
const v21 = [v20,v20,v18,v20,1111,1111,1111,-1111];
const v23 = [11.11,11.11,1.7976931348623157e+308,11.11,11.11];
const v26 = -Infinity;
const v27 = [v23,v26,1111,v18,Date,1111,-9007199254740992,v21];
const v31 = [v14];
const v32 = [v31,v12,"object",v21,1111,6.0,v18,v27,Int8Array];
const v33 = ["65555",v26,v32];
const v34 = v33.toLocaleString();
let v35 = "659874589";
v35 = v34;
const v37 = [11.11,11.11,1111];
const v38 = [v6];
const v39 = [v38,v37,v38];
v37[10000] = v23;
v12 = v35;
const v54 = [parseInt,v39];
const v56 = String.fromCharCode();
const v61 = [v12,1111,-9007199254740991,1111];
const v63 = [11.11,v54,JSON,v61,11.11,v56,v61];
const v64 = JSON.stringify(v63);
const v65 = RegExp(v64);
const v66 = v65.exec(v64);
}
}
main();
Issue: https://crbug.com/1137608
Commit: [codegen] Skip invalid optimization in tail calls
Date(Commit): Thu, 15 Oct 2020 12:45:34 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2474784
Regress : test\mjsunit\regress\wasm\regress-1137608.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --no-liftoff --experimental-wasm-return-call --experimental-wasm-threads
load("test/mjsunit/wasm/wasm-module-builder.js");
(function Regress1137608() {
print(arguments.callee.name);
let builder = new WasmModuleBuilder();
let sig0 = builder.addType(kSig_i_iii);
let sig1 = builder.addType(makeSig([kWasmF64, kWasmF64, kWasmI32,
kWasmI32, kWasmI32, kWasmF32, kWasmI32, kWasmF64, kWasmI32, kWasmF32,
kWasmI32, kWasmF32, kWasmI32, kWasmF64, kWasmI32], [kWasmI32]));
let main = builder.addFunction("main", sig0)
.addBody([
kExprI64Const, 0,
kExprF64UConvertI64,
kExprF64Const, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x00, 0x00,
kExprF64Const, 0x30, 0x30, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00,
kExprF64Mul,
kExprI32Const, 0,
kExprF64Const, 0x30, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
kExprF64StoreMem, 0x00, 0xb0, 0xe0, 0xc0, 0x81, 0x03,
kExprI32Const, 0,
kExprI32Const, 0,
kExprI32Const, 0,
kExprF32Const, 0x00, 0x00, 0x00, 0x00,
kExprI32Const, 0,
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
kExprI32Const, 0,
kExprF32Const, 0x00, 0x00, 0x00, 0x00,
kExprI32Const, 0,
kExprF32Const, 0x00, 0x00, 0x00, 0x00,
kExprI32Const, 0,
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
kExprI32Const, 0,
kExprI32Const, 2,
kExprReturnCallIndirect, sig1, kTableZero]).exportFunc();
builder.addFunction("f", sig1).addBody([kExprI32Const, 0]);
builder.addTable(kWasmAnyFunc, 4, 4);
builder.addMemory(16, 32, false, true);
let module = new WebAssembly.Module(builder.toBuffer());
let instance = new WebAssembly.Instance(module);
})();
Issue: https://crbug.com/1138075
Commit: Reland "[TurboProp] Avoid marking the output of a call live in its catch handler"
Date(Commit): Fri, 16 Oct 2020 13:57:04 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2476317
Regress : test\mjsunit\regress\regress-1138611.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --turboprop --gc-interval=1000
function runNearStackLimit(f) {
function t() {
try {
return t();
} catch (e) {
return f();
}
}
%PrepareFunctionForOptimization(t);
%OptimizeFunctionOnNextCall(t);
return t();
}
function foo() {
runNearStackLimit(() => {});
}
(function () {
var a = 42;
var b = 153;
try {
Object.defineProperty({});
} catch (e) {}
foo();
foo();
})();
runNearStackLimit(() => {});
Commit: [TurboProp] Handle allocation of phis which are never used
Date(Commit): Wed, 14 Oct 2020 18:05:54 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2471998
Regress : test\mjsunit\regress\regress-1137979.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --turboprop --no-lazy-feedback-allocation
// Flags: --noanalyze-environment-liveness
function foo() {
try {
bar();
} catch (e) {}
for (var i = 0; i < 3; i++) {
try {
%PrepareFunctionForOptimization(foo);
%OptimizeOsr();
} catch (e) {}
}
}
foo();
foo();
Issue: https://crbug.com/1137586
Commit: [turbofan] Avoid relaxing node that has other effect use
Date(Commit): Wed, 14 Oct 2020 11:11:50 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2469597
Regress : test\mjsunit\regress\regress-crbug-1137586.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f() {
for (var i = 0; i < 100000; i++) {
var a = arguments[0] + 2;
var b = arguments[1] + 2;
var c = a + i + 5;
var d = c + 3;
}
}
for (var j = 0; j < 3; j++) {
f(2, 3);
}
Issue: https://crbug.com/1137582
Commit: [wasm] Add missing checks for growing the stack
Date(Commit): Tue, 13 Oct 2020 12:53:15 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2467796
Regress : test\mjsunit\regress\wasm\regress-1137582.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
const results = new Array(9).fill(kWasmI32);
builder.addFunction('foo', makeSig([], results)).addBody([kExprUnreachable]);
builder.instantiate();
Issue: https://crbug.com/1130213
Commit: [d8] Fix Realm.owner on detached global proxy
Date(Commit): Thu, 8 Oct 2020 19:35:34 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2456087
Regress : test\mjsunit\regress\regress-crbug-1130213.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Realm.createAllowCrossRealmAccess();
const global = Realm.global(1);
assertSame(1, Realm.owner(global));
Realm.detachGlobal(1);
assertSame(undefined, Realm.owner(global));
Commit: [parser] Fix AST func reindexing for function fields
Date(Commit): Wed, 30 Sep 2020 15:19:13 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2440519
Regress : test\mjsunit\regress\regress-1132111.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Public function field with computed name
eval(`
buggy = ((bug = new class { [0] = x => 1337.0; }) => bug);
`);
// Public method with computed name
eval(`
buggy = ((bug = new class { [0](x) { return 1337.0}; }) => bug);
`);
// Private function field with computed name
eval(`
buggy = ((bug = new class { #foo = x => 1337.0; }) => bug);
`);
// Private method with computed name
eval(`
buggy = ((bug = new class { #foo(x) { return 1337.0; } }) => bug);
`);
Commit: Fix Array.p.pop() for read-only length 0
Date(Commit): Wed, 30 Sep 2020 15:31:21 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2440576
Regress : test\mjsunit\regress\regress-10908.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
let a = [];
Object.defineProperty(a, "length", {writable: false});
function f() {
return a.pop();
}
assertThrows(f, TypeError, /Cannot assign to read only property 'length'/);
%PrepareFunctionForOptimization(f);
for (let i = 0; i < 3; i++) {
assertThrows(f, TypeError, /Cannot assign to read only property 'length'/);
}
%OptimizeFunctionOnNextCall(f);
assertThrows(f, TypeError, /Cannot assign to read only property 'length'/);
Commit: [typedarray] Throw rather than crash when too large to sort
Date(Commit): Wed, 30 Sep 2020 16:36:15 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2440575
Regress : test\mjsunit\regress\regress-10931.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const kLargerThanFixedArrayMaxLength = 200_000_000;
var x = new Int8Array(kLargerThanFixedArrayMaxLength);
try {
var y = x.sort((a, b) => b - a);
} catch (e) {
// Throwing is okay, crashing is not.
assertInstanceof(e, TypeError);
assertMatches(
/not supported for huge TypedArrays/, e.message, 'Error message');
}
Issue: https://crbug.com/1132461
Commit: [wasm-simd] Protected load transforms are not eliminatable
Date(Commit): Tue, 29 Sep 2020 09:36:19 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2436081
Regress : test\mjsunit\regress\wasm\regress-1132461.js
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
// We load-splat a value, then drop it. Verify that the OOB load is not
// eliminated, it should trap. This test case is simplified from the fuzzer
// provided test case in https://crbug.com/1132461.
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false, true);
builder.addFunction(undefined, makeSig([], [kWasmI32]))
.addBodyWithEnd([
kExprI32Const, 0x00,
kExprI32Const, 0x00,
kSimdPrefix, kExprS128Load32Splat, 0x00, 0xb6, 0xec, 0xd8, 0xb1, 0x03,
kSimdPrefix, kExprI32x4ExtractLane, 0x00,
kExprDrop,
kExprEnd,
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertThrows(() => instance.exports.main());
Issue: https://crbug.com/v8/10946
Commit: [wasm-simd] Rename load splat and load extend
Date(Commit): Tue, 22 Sep 2020 13:54:28 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2422357
Regress : test\mjsunit\regress\wasm\regress-1116019.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-simd
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false);
builder.addType(makeSig([], [kWasmI32]));
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: i_v
// body:
kExprI32Const, 0x00, // i32.const
kSimdPrefix, kExprS128Load8x8U, 0x03, 0xff, 0xff, 0x3f, // i16x8.load8x8_u
kSimdPrefix, kExprI16x8ExtractLaneS, 0,
kExprEnd, // end @371
]).exportAs('main');
const instance = builder.instantiate();
assertTraps(kTrapMemOutOfBounds, () => instance.exports.main());
Issue: https://crbug.com/v8/10577
Commit: Reland^5 "[flags] warn about contradictory flags"
Date(Commit): Fri, 18 Sep 2020 16:40:24 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2154792
Regress : test\mjsunit\regress\wasm\regress-666741.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --enable-slow-asserts --expose-wasm
(function __f_7() {
assertThrows(() => new WebAssembly.Memory({initial: 79199}), RangeError);
})();
Issue: https://crbug.com/v8/10668
Commit: [test][d8] Add d8.log.getAndStop helper
Date(Commit): Tue, 15 Sep 2020 09:24:54 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2403245
Regress : test\mjsunit\regress\regress-v8-9656.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-flush-bytecode
// Flags: --no-stress-flush-bytecode
// Files: test/mjsunit/code-coverage-utils.js
%DebugToggleBlockCoverage(true);
try {
throw new Error();
} catch (e) {
e.stack;
}
Issue: https://crbug.com/v8/7481
Commit: Fix locale of Intl.Collator..resolvedOptions
Date(Commit): Wed, 16 Sep 2020 08:03:45 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2410791
Regress : test\mjsunit\regress\regress-6288.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Environment Variables: LC_ALL=pt-BR.UTF8
// The data files packaged with d8 currently have Brazillian Portuguese
// DateTimeFormat and Collation
if (this.Intl) {
assertEquals('pt-BR', Intl.Collator().resolvedOptions().locale);
assertEquals('pt-BR', Intl.DateTimeFormat().resolvedOptions().locale);
}
Issue: https://crbug.com/1127405
Commit: [compiler] Unpark local heap in more places
Date(Commit): Mon, 14 Sep 2020 17:27:29 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2410381
Regress : test\mjsunit\compiler\regress-1127405.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Flags: --no-analyze-environment-liveness --no-use-ic --assert-types
const symbol = Symbol();
function foo(x) {
try { x[symbol] = 42 } catch (e) {}
new Number();
}
%PrepareFunctionForOptimization(foo);
foo({});
%OptimizeFunctionOnNextCall(foo);
foo({});
Issue: https://crbug.com/1126249
Commit: [compiler] Fix bug in SimplifiedLowering's overflow computation
Date(Commit): Fri, 11 Sep 2020 16:37:47 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2404452
Regress : test\mjsunit\compiler\regress-1126249.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(b) {
var x = -0;
var y = -0x80000000;
if (b) {
x = -1;
y = 1;
}
return (x - y) == -0x80000000;
}
%PrepareFunctionForOptimization(foo);
assertFalse(foo(true));
%OptimizeFunctionOnNextCall(foo);
assertFalse(foo(false));
Issue: https://crbug.com/1127319
Commit: [turbofan] Fix bug in inlining
Date(Commit): Mon, 14 Sep 2020 10:55:01 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2409273
Regress : test\mjsunit\compiler\regress-1127319.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --interrupt-budget=1024
function v1() {
const v4 = Reflect;
const v8 = [11.11];
const v10 = {__proto__:1111, a:-1, c:RegExp, f:v8, d:1111, e:-1};
const v12 = [11.11];
function v13() {}
const v16 = {a:v13, b:v13, c:v13, d:v13, e:v13, f:v13, g:v13, h:v13, i:v13, j:v13};
}
function foo() {
let v22 = Number;
v22 = v1;
const v23 = false;
if (v23) {
v22 = Number;
} else {
function v24() {
const v28 = ".Cactus"[0];
for (let v32 = 0; v32 < 7; v32++) {}
}
new Promise(v24);
try {
for (const v37 of v36) {
const v58 = [cactus,cactus,[] = cactus] = v117;
}
} catch(v119) {
}
}
v22();
}
for (let i = 0; i < 10; i++) {
foo();
}
Issue: https://crbug.com/v8/10892
Commit: [turbofan] Fix some tests
Date(Commit): Fri, 11 Sep 2020 11:34:59 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2404774
Regress : test\mjsunit\regress\regress-crbug-882233-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt
// Intended to test bug [882233] on TF inlined (js-call-reducer) path.
function shift_array() {
let array = [];
Object.defineProperty(array, 'length', {writable : false});
out = array; // Prevent array's map from dying too early.
return array.shift();
}
%PrepareFunctionForOptimization(shift_array);
assertThrows(shift_array);
assertThrows(shift_array);
%OptimizeFunctionOnNextCall(shift_array);
assertThrows(shift_array);
assertOptimized(shift_array);
function shift_object() {
let object = { length: 0 };
Object.defineProperty(object, 'length', {writable : false});
out = object; // Prevent object's map from dying too early.
return object.shift();
}
%PrepareFunctionForOptimization(shift_object);
assertThrows(shift_object);
assertThrows(shift_object);
%OptimizeFunctionOnNextCall(shift_object);
assertThrows(shift_object);
assertOptimized(shift_object);
Issue: https://crbug.com/v8/7748
Commit: [wasm][wasm-gc][test] Improve and extend Javascript testing API
Date(Commit): Thu, 10 Sep 2020 12:39:52 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2390144
Regress : test\mjsunit\regress\wasm\regress-922670.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
const sig = builder.addType(makeSig([kWasmI32], []));
builder.addFunction(undefined, sig)
.addLocals(kWasmI64, 1)
.addBody([
kExprLoop, kWasmI32,
kExprLocalGet, 1,
kExprI64Const, 1,
kExprLoop, kWasmI32,
kExprLocalGet, 0,
kExprI32Const, 1,
kExprI32Const, 1,
kExprIf, kWasmI32,
kExprI32Const, 1,
kExprElse,
kExprUnreachable,
kExprEnd,
kExprSelect,
kExprUnreachable,
kExprEnd,
kExprUnreachable,
kExprEnd,
kExprUnreachable
]);
builder.instantiate();
Issue: https://crbug.com/1126771
Commit: [compiler] Fix bug in ContextRef::previous
Date(Commit): Thu, 10 Sep 2020 09:45:47 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2402037
Regress : test\mjsunit\compiler\regress-1126771.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
let __callGC;
(function () {
__callGC = function() {};
})();
var __v_5 = {};
var __v_9 = {x: {}};
function main() {
function __f_6() { this.elms = new Array(); }
__f_6.prototype.size = function () { return this.elms.length; };
function __f_7() { this.v = new __f_6(); }
__f_7.prototype.add = function (__v_25) { this.v.elms.push(__v_25); };
__f_7.prototype.size = function () { return this.v.size(); };
__f_7.prototype.execute = function () {
for (var __v_28 = 0; __v_28 < this.size(); __v_28++) {
delete __v_9[__v_9, 538276];
__callGC();
}
};
var __v_22 = new __f_7();
for (var __v_23 = 0; __v_23 < 10; __v_23++) {
try {
if (__v_5 != null && typeof __v_5 == "object") {
try {
Object.defineProperty(__v_5, 807285, {get: function() {}});
} catch (e) {}
}
__v_22.add();
} catch (e) {}
}
__v_22.execute();
}
%PrepareFunctionForOptimization(main);
main();
main();
%OptimizeFunctionOnNextCall(main);
main();
Issue: https://crbug.com/v8/7581
Commit: Reland "[wasm][liftoff] Emit safepoints for externref values on the stack"
Date(Commit): Wed, 9 Sep 2020 12:33:44 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2398531
Regress : test\mjsunit\regress\wasm\regress-1125951.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-wasm --liftoff --no-wasm-tier-up --print-code --wasm-staging
// Flags: --experimental-wasm-threads
load("test/mjsunit/wasm/wasm-module-builder.js");
(function testPrintCode() {
let builder = new WasmModuleBuilder();
builder.addMemory(1, undefined, false);
builder
.addFunction('main', makeSig([kWasmI32, kWasmI32, kWasmF64], [kWasmI32]))
.addBody([
kExprLocalGet, 0, kExprLocalGet, 1, kExprI64UConvertI32, kExprLocalGet,
2, kExprI64SConvertF64, kAtomicPrefix, kExprI64AtomicWait, 0, 0
]);
builder.instantiate();
})();
Issue: https://crbug.com/v8/10802
Commit: [builtins] Use fast path for JSArray source in TypedArray.from()
Date(Commit): Tue, 1 Sep 2020 12:57:23 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2358749
Regress : test\mjsunit\regress\regress-10802.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const arr = new Uint8Array([1, 2, 3]);
function mapper(x) {
arr[1] = 182;
return x + 1;
}
assertArrayEquals([2, 3, 4], Uint16Array.from(arr, mapper));
Issue: https://crbug.com/v8/10852
Commit: [test] Enable --wasm-tier-up when test does serialization
Date(Commit): Tue, 1 Sep 2020 14:12:17 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2387574
Regress : test\mjsunit\regress\wasm\regress-7785.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// The test needs --wasm-tier-up because we can't serialize and deserialize
// Liftoff code.
// Flags: --allow-natives-syntax --experimental-wasm-reftypes --wasm-tier-up
load("test/mjsunit/wasm/wasm-module-builder.js");
(function testExternRefNull() {
const builder = new WasmModuleBuilder();
builder.addFunction('main', kSig_r_v)
.addBody([kExprRefNull, kWasmExternRef])
.exportFunc();
var wire_bytes = builder.toBuffer();
var module = new WebAssembly.Module(wire_bytes);
var buffer = %SerializeWasmModule(module);
module = %DeserializeWasmModule(buffer, wire_bytes);
var instance = new WebAssembly.Instance(module);
assertEquals(null, instance.exports.main());
})();
(function testExternRefIsNull() {
const builder = new WasmModuleBuilder();
builder.addFunction('main', kSig_i_r)
.addBody([kExprLocalGet, 0, kExprRefIsNull])
.exportFunc();
var wire_bytes = builder.toBuffer();
var module = new WebAssembly.Module(wire_bytes);
var buffer = %SerializeWasmModule(module);
module = %DeserializeWasmModule(buffer, wire_bytes);
var instance = new WebAssembly.Instance(module);
assertEquals(0, instance.exports.main({'hello' : 'world'}));
assertEquals(0, instance.exports.main(1234));
assertEquals(0, instance.exports.main(0));
assertEquals(0, instance.exports.main(123.4));
assertEquals(0, instance.exports.main(undefined));
assertEquals(1, instance.exports.main(null));
assertEquals(0, instance.exports.main(print));
})();
Issue: https://crbug.com/1123379
Commit: [compiler] Revisit graph end after a gasm reduction in call reducer
Date(Commit): Mon, 31 Aug 2020 12:03:45 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2384772
Regress : test\mjsunit\regress\regress-1123379.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --noanalyze-environment-liveness --interrupt-budget=1000
for (let __v_1 = 0; __v_1 < 5000; __v_1++) {
try {
[].reduce(function () {});
} catch (__v_2) {}
}
__v_5 = {
get: function () {
}
};
Issue: https://crbug.com/v8/10846
Commit: [test] Make a few tests robust to GC stress
Date(Commit): Fri, 28 Aug 2020 17:18:48 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2381458
Regress : test\mjsunit\regress\regress-1034449.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt --no-always-opt
// Flags: --no-stress-flush-bytecode
function f(len) {
return new Array(len);
}
%PrepareFunctionForOptimization(f);
assertEquals(3, f(3).length);
assertEquals(18, f(18).length);
%OptimizeFunctionOnNextCall(f);
assertEquals(4, f(4).length);
assertOptimized(f);
let a = f("8");
assertUnoptimized(f);
assertEquals(1, a.length);
assertEquals("8", a[0]);
// Check there is no deopt loop.
%PrepareFunctionForOptimization(f);
assertEquals(1, f(1).length);
%OptimizeFunctionOnNextCall(f);
assertEquals(8, f(8).length);
assertOptimized(f);
assertEquals(1, f("8").length);
assertOptimized(f);
Issue: https://crbug.com/1069173
Commit: [asm] Fix globals initialized by '-0'
Date(Commit): Fri, 28 Aug 2020 13:01:52 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2379861
Regress : test\mjsunit\asm\regress-1069173.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo() {
"use asm";
const v = -0;
function bar() {
return v;
}
return { d: bar };
}
var m = foo();
assertEquals(-Infinity, 1 / m.d());
assertTrue(%IsAsmWasmCode(foo));
Issue: https://crbug.com/1120905
Commit: [test] Add short copyright to regress-1120905.js
Date(Commit): Wed, 26 Aug 2020 15:45:52 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2377689
Regress : test\mjsunit\regress-1120905.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function O() {}
O.prototype.f = f;
O.prototype.g = g;
function f() {
return g.arguments;
}
function g(x) {
return this.f(2 - x, "any");
}
var o = new O();
function foo(x) {
return o.g(x, "z");
}
for (var i = 0; i < 35; i++) foo();
var result = (
%PrepareFunctionForOptimization(foo),foo(), foo(),
%OptimizeFunctionOnNextCall(foo), foo()
);
assertEquals(result[1], "z");
Issue: https://crbug.com/v8/9646
Commit: Install "name" property on anonymous classes
Date(Commit): Mon, 17 Aug 2020 18:44:41 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2360905
Regress : test\mjsunit\regress\regress-7773.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function testFunctionNames() {
let descriptor = {
value: '',
writable: false,
enumerable: false,
configurable: true
};
// Functions have a "name" property by default.
assertEquals(
descriptor, Object.getOwnPropertyDescriptor(function(){}, 'name'));
let a = { fn: function(){} };
assertSame('fn', a.fn.name);
descriptor.value = 'fn';
assertEquals(descriptor, Object.getOwnPropertyDescriptor(a.fn, 'name'));
let b = { __proto__: function(){} };
assertSame('', b.__proto__.name);
descriptor.value = '';
assertEquals(
descriptor, Object.getOwnPropertyDescriptor(b.__proto__, 'name'));
let c = { fn: function F(){} };
assertSame('F', c.fn.name);
descriptor.value = 'F';
assertEquals(descriptor, Object.getOwnPropertyDescriptor(c.fn, 'name'));
let d = { __proto__: function E(){} };
assertSame('E', d.__proto__.name);
descriptor.value = 'E';
assertEquals(
descriptor, Object.getOwnPropertyDescriptor(d.__proto__, 'name'));
})();
(function testClassNames() {
let descriptor = {
value: '',
writable: false,
enumerable: false,
configurable: true
};
// Anonymous classes do not have a "name" property by default.
descriptor.value = '';
assertEquals(descriptor, Object.getOwnPropertyDescriptor(class {}, 'name'));
descriptor.value = 'C';
assertEquals(descriptor, Object.getOwnPropertyDescriptor(class C {}, 'name'));
let a = { fn: class {} };
assertSame('fn', a.fn.name);
descriptor.value = 'fn';
assertEquals(descriptor, Object.getOwnPropertyDescriptor(a.fn, 'name'));
let b = { __proto__: class {} };
assertSame('', b.__proto__.name);
descriptor.value = '';
assertEquals(
descriptor, Object.getOwnPropertyDescriptor(b.__proto__, 'name'));
let c = { fn: class F {} };
assertSame('F', c.fn.name);
descriptor.value = 'F';
assertEquals(descriptor, Object.getOwnPropertyDescriptor(c.fn, 'name'));
let d = { __proto__: class F {} };
assertSame('F', d.__proto__.name);
descriptor.value = 'F';
assertEquals(
descriptor, Object.getOwnPropertyDescriptor(d.__proto__, 'name'));
})();
Issue: https://crbug.com/1115354
Commit: [Atomics.waitAsync] Add regression test
Date(Commit): Fri, 14 Aug 2020 09:24:20 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2354813
Regress : test\mjsunit\regress\regress-1115354.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-sharedarraybuffer --harmony-atomics-waitasync --expose-async-hooks
const sab = new SharedArrayBuffer(16);
const i32a = new Int32Array(sab);
const result = Atomics.waitAsync(i32a, 0, 0);
Atomics.notify(i32a, 0);
let hook = async_hooks.createHook(
{
promiseResolve: function() { }
});
hook.enable();
Issue: https://crbug.com/1112124
Commit: Reland "[wasm-simd][arm] Use vmov to move all ones to register"
Date(Commit): Mon, 10 Aug 2020 14:52:59 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2337503
Regress : test\mjsunit\regress\wasm\regress-1112124.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-simd
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: i_iii
// body:
kSimdPrefix, kExprS128Const, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // s128.const
kSimdPrefix, kExprI32x4ExtractLane, 0x00, // i32x4.extract_lane
kExprEnd, // end @22
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertEquals(-1, instance.exports.main(1, 2, 3));
// The bug happens on the second call to the same exported function, it returns 0.
assertEquals(-1, instance.exports.main(1, 2, 3));
Issue: https://crbug.com/v8/10777
Commit: Reland "[wasm] Ensure that only TurboFan code is serialized"
Date(Commit): Tue, 11 Aug 2020 13:36:55 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2336799
Regress : test\mjsunit\regress\wasm\regress-808980.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// The test needs --wasm-tier-up because we can't serialize and deserialize
// Liftoff code.
// Flags: --allow-natives-syntax --throws --wasm-tier-up
load('test/mjsunit/wasm/wasm-module-builder.js');
let kTableSize = 3;
var builder = new WasmModuleBuilder();
var sig_index1 = builder.addType(kSig_i_v);
builder.addFunction('main', kSig_i_ii).addBody([
kExprLocalGet,
0,
kExprCallIndirect,
sig_index1,
kTableZero
]).exportAs('main');
builder.setTableBounds(kTableSize, kTableSize);
var m1_bytes = builder.toBuffer();
var m1 = new WebAssembly.Module(m1_bytes);
var serialized_m1 = %SerializeWasmModule(m1);
var m1_clone = %DeserializeWasmModule(serialized_m1, m1_bytes);
var i1 = new WebAssembly.Instance(m1_clone);
i1.exports.main(123123);
Issue: https://crbug.com/v8/7883
Commit: [atomics] Remove the deprecated Atomics.wake
Date(Commit): Fri, 31 Jul 2020 15:02:36 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2333349
Regress : test\mjsunit\regress\regress-crbug-722871.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let sab = new SharedArrayBuffer(10 * 4);
let memory = new Int32Array(sab);
let workers = [];
let runningWorkers = 0;
function startWorker(script) {
let worker = new Worker(script, {type: 'string'});
worker.done = false;
worker.idx = workers.length;
workers.push(worker);
worker.postMessage(memory);
++runningWorkers;
};
let shared = `
function wait(memory, index, waitCondition, wakeCondition) {
while (memory[index] == waitCondition) {
var result = Atomics.wait(memory, index, waitCondition);
switch (result) {
case 'not-equal':
case 'ok':
break;
default:
postMessage('Error: bad result from wait: ' + result);
break;
}
var value = memory[index];
if (value != wakeCondition) {
postMessage(
'Error: wait returned not-equal but the memory has a bad value: ' +
value);
}
}
var value = memory[index];
if (value != wakeCondition) {
postMessage(
'Error: done waiting but the memory has a bad value: ' + value);
}
}
function wake(memory, index) {
var result = Atomics.notify(memory, index, 1);
if (result != 0 && result != 1) {
postMessage('Error: bad result from wake: ' + result);
}
}
`;
let worker1 = startWorker(shared + `
onmessage = function(msg) {
let memory = msg;
const didStartIdx = 0;
const shouldGoIdx = 1;
const didEndIdx = 2;
postMessage("started");
postMessage("memory: " + memory);
wait(memory, didStartIdx, 0, 1);
memory[shouldGoIdx] = 1;
wake(memory, shouldGoIdx);
wait(memory, didEndIdx, 0, 1);
postMessage("memory: " + memory);
postMessage("done");
};
`);
let worker2 = startWorker(shared + `
onmessage = function(msg) {
let memory = msg;
const didStartIdx = 0;
const shouldGoIdx = 1;
const didEndIdx = 2;
postMessage("started");
postMessage("memory: " + memory);
Atomics.store(memory, didStartIdx, 1);
wake(memory, didStartIdx);
wait(memory, shouldGoIdx, 0, 1);
Atomics.store(memory, didEndIdx, 1);
wake(memory, didEndIdx, 1);
postMessage("memory: " + memory);
postMessage("done");
};
`);
let running = true;
while (running) {
for (let worker of workers) {
if (worker.done) continue;
let msg = worker.getMessage();
if (msg) {
switch (msg) {
case "done":
if (worker.done === false) {
print("worker #" + worker.idx + " done.");
worker.done = true;
if (--runningWorkers === 0) {
running = false;
}
}
break;
default:
print("msg from worker #" + worker.idx + ": " + msg);
break;
}
}
}
}
Issue: https://crbug.com/1114006
Commit: [wasm] Check size of table imports at instantiation time
Date(Commit): Fri, 7 Aug 2020 08:43:25 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2339473
Regress : test\mjsunit\regress\wasm\regress-1114005.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load("test/mjsunit/wasm/wasm-module-builder.js");
const builder = new WasmModuleBuilder();
let table = new WebAssembly.Table({element: 'anyfunc', initial: 2});
// Big size that causes an int32 overflow.
builder.addImportedTable('m', 'table', 4000000000);
assertThrows(() => builder.instantiate({m: {table: table}}), RangeError);
Issue: https://crbug.com/v8/10752
Commit: [wasm-simd] Add regression test for i64x2.shr_s bug
Date(Commit): Tue, 4 Aug 2020 10:11:33 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2335779
Regress : test\mjsunit\regress\wasm\regress-1111522.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-simd
load('test/mjsunit/wasm/wasm-module-builder.js');
// Regression test to exercise Liftoff's i64x2.shr_s codegen, which back up rcx
// to a scratch register, and immediately overwrote the backup, then later
// restoring the incorrect value. See https://crbug.com/v8/10752 and
// https://crbug.com/1111522 for more.
const builder = new WasmModuleBuilder();
// i64x2.shr_s shifts a v128 (with all bits set), by 1, then drops the result.
// The function returns param 2, which should be unmodified.
builder.addFunction(undefined, kSig_i_iii).addBodyWithEnd([
kSimdPrefix, kExprS128Const, ...new Array(16).fill(0xff),
kExprI32Const, 0x01,
kSimdPrefix, kExprI64x2ShrS, 0x01,
kExprDrop,
kExprLocalGet, 0x02,
kExprEnd,
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertEquals(3, instance.exports.main(1, 2, 3));
Issue: https://crbug.com/1110001
Commit: [d8] Fix worker creation near stack limit
Date(Commit): Fri, 31 Jul 2020 08:30:27 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2332156
Regress : test\mjsunit\regress\regress-1110001.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function foo() {
try {
foo();
} catch {
print('Stack overflow');
Worker('string', new Proxy([], {}));
}
}
try {
foo();
} catch {
// expecting stack overflow, but we should not crash.
}
Issue: https://crbug.com/1104514
Commit: [turbofan] Fix a lazy deopt bug in Array.prototype.map
Date(Commit): Wed, 29 Jul 2020 15:50:36 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2324249
Regress : test\mjsunit\compiler\regress-1104514.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
Array(32760); // > JSArray::kInitialMaxFastElementArray
function main() {
const a = [1, 2];
a.x = 666;
a.toString();
const aa = Array.prototype.map.call(a, v => v);
if (aa[0] != 1 || aa[1] != 2) { %SystemBreak(); }
a.z = 667;
}
for (var i = 0; i < 20000; ++i) {
main();
}
Issue: https://crbug.com/1109174
Commit: [turbofan] Do more checks for dead nodes in BranchElimination
Date(Commit): Mon, 27 Jul 2020 17:43:35 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2320668
Regress : test\mjsunit\compiler\regress-1109174.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --interrupt-budget=1024
(function() {
let n = 0;
do {
for (let i = 0; i < 100; i++) {
function unused() {}
let a = [i];
let b = String.fromCodePoint(i, 1).padStart();
a.reduce(parseInt, b);
}
for (let j = 0; j < 1; j++) {}
} while (++n < 2);
})();
Issue: https://crbug.com/1105746
Commit: [turbofan] Skip optimizations for large unmapped 'arguments'
Date(Commit): Wed, 15 Jul 2020 17:37:46 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2300481
Regress : test\mjsunit\regress\regress-1105746.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
'use strict'
function f() {
return arguments;
}
var arr = [];
arr.length=0x8000;
var g = f.bind(null,...arr);
function test() {
return g();
}
%PrepareFunctionForOptimization(f);
%PrepareFunctionForOptimization(test);
test();
%OptimizeFunctionOnNextCall(test);
assertEquals(test().length, arr.length);
Issue: https://crbug.com/v8/10709
Commit: [Test] Set proper simulator stack size in regress-896326 test
Date(Commit): Wed, 15 Jul 2020 06:17:12 -0400
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2299880
Regress : test\mjsunit\regress\regress-896326.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --stack-size=100 --sim-stack-size=100
function f() {
}
var large_array = Array(150 * 1024);
assertThrows('new f(... large_array)', RangeError);
Issue: https://crbug.com/1104711
Commit: [hashtable] Don't add PropertyCell to GlobalDictionary too early
Date(Commit): Tue, 14 Jul 2020 18:39:25 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2297472
Regress : test\mjsunit\regress\regress-crbug-1105383.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
'use strict';
Object.defineProperty(
this.__proto__, "boom",
{ value:153, writable:true, configurable: true, enumerable:false });
var good = 1;
try {
boom = 42;
} catch (e) {}
var properties = Object.getOwnPropertyNames(this);
assertTrue(properties.findIndex(e => e == "good") >= 0);
assertEquals(properties.findIndex(e => e == "boom"), -1);
Issue: https://crbug.com/v8/4153
Commit: Fix "named" loads for large TypedArray indices
Date(Commit): Tue, 14 Jul 2020 13:09:01 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2295606
Regress : test\mjsunit\regress\regress-crbug-1104608.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --multi-mapped-mock-allocator
const kSize = 4294967296;
// Skip this test on 32-bit platforms.
if (%TypedArrayMaxLength() >= kSize) {
const array = new Uint8Array(kSize);
function f() {
let result = array["4294967295"];
assertEquals(0, result);
}
function g() {
array["4294967295"] = 1;
}
%PrepareFunctionForOptimization(f);
for (var i = 0; i < 3; i++) f();
%OptimizeFunctionOnNextCall(f);
f();
%PrepareFunctionForOptimization(g);
for (var i = 0; i < 3; i++) g();
%OptimizeFunctionOnNextCall(g);
g();
}
Issue: https://crbug.com/1102683
Commit: [turbofan] Remove an incorrect DCHECK
Date(Commit): Wed, 8 Jul 2020 12:48:30 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2287494
Regress : test\mjsunit\compiler\regress-1102683.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
async function foo() {
for (let i = 0; i < 1; i++) {
while (i !== i) {
await 42;
function unused() {}
return;
}
}
}
%PrepareFunctionForOptimization(foo);
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/1102053
Commit: [turbofan] Fix CHECK failure in graph verifier
Date(Commit): Mon, 6 Jul 2020 11:08:38 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2282523
Regress : test\mjsunit\compiler\regress-1102053.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --interrupt-budget=1024
const v10 =
{__proto__: [42], a: 1757695453, length: Promise, toString: 1337, d: []};
async function foo(a) {
a.length;
for (const k in v10) {
for (let i = 0; i < k; i++) {}
for (let i = 0; i < 10; i++) {
function bar() {}
while (a < 1) {
for (const kk of []) await 42;
}
}
}
}
for (let i = 0; i < 2; i++) {
foo([42]);
}
Commit: [Test] Lower arg count to avoid going over stack limit on Arm64.
Date(Commit): Fri, 3 Jul 2020 11:26:37 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2280095
Regress : test\mjsunit\regress\regress-732836.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function boom() {
var args = [];
for (var i = 0; i < 110000; i++)
args.push(1.1);
return Array.apply(Array, args);
}
var array = boom();
Issue: https://crbug.com/1098565
Commit: [turbofan] Skip optimizations for huge 'arguments'
Date(Commit): Mon, 29 Jun 2020 16:32:55 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2273121
Regress : test\mjsunit\regress\regress-1098565.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f() {
return arguments;
}
arr = [];
arr.length=0x8000;
g = f.bind(null,...arr);
function test() {
return g();
}
%PrepareFunctionForOptimization(f);
%PrepareFunctionForOptimization(test);
test();
%OptimizeFunctionOnNextCall(test);
assertEquals(test().length, arr.length);
Issue: https://crbug.com/v8/10556
Commit: Ignore unhandled promises in one more test
Date(Commit): Wed, 24 Jun 2020 09:58:11 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2262916
Regress : test\mjsunit\regress\wasm\regress-712569.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --ignore-unhandled-promises
var v11 = {};
Object.defineProperty(v11.__proto__, 0, {
get: function() {
},
set: function() {
try {
WebAssembly.instantiate().then(
() => assertUnreachable(),
() => { /* ignore */ });
v11[0] = 0;
} catch (e) {
assertTrue(e instanceof RangeError);
}
}
});
v66 = new Array();
cv = v66; cv[0] = 0.1; cv[2] = 0.2;
Issue: https://crbug.com/v8/10556
Commit: [d8] Exit with error code upon unhandled promise rejection
Date(Commit): Tue, 23 Jun 2020 16:45:51 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2238569
Regress : test\mjsunit\regress\wasm\regress-948228.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');
var {proxy, revoke} = Proxy.revocable({}, {});
revoke();
let builder = new WasmModuleBuilder();
builder.addImport('m', 'q', kSig_v_v);
WebAssembly.instantiate(builder.toModule(), proxy).catch(error => {});
Issue: https://crbug.com/1080902
Commit: [wasm] Add templatized methods for static bounds checks
Date(Commit): Tue, 23 Jun 2020 19:58:43 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2256858
Regress : test\mjsunit\regress\wasm\regress-1080902.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-threads
load("test/mjsunit/wasm/wasm-module-builder.js");
let memory = new WebAssembly.Memory({
initial: 1,
maximum: 10,
shared: true
});
let builder = new WasmModuleBuilder();
builder.addImportedMemory("m", "imported_mem", 0, 1 << 16, "shared");
builder.addFunction("main", kSig_i_v).addBody([
kExprI32Const, 0,
kAtomicPrefix,
kExprI32AtomicLoad16U, 1, 0]).exportAs("main");
let module = new WebAssembly.Module(builder.toBuffer());
let instance = new WebAssembly.Instance(module, {
m: {
imported_mem: memory
}
});
instance.exports.main();
Issue: https://crbug.com/v8/10619
Commit: [Respect] Prefer inclusive terms
Date(Commit): Mon, 22 Jun 2020 09:35:23 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2254483
Regress : test\mjsunit\regress\regress-1708.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Regression test of a very rare corner case where left-trimming an
// array caused invalid marking bit patterns on lazily swept pages.
//
// Lazy sweeping was deprecated. We are keeping the test case to make
// sure that concurrent sweeping, which relies on similar assumptions
// as lazy sweeping works correctly.
// Flags: --expose-gc --noincremental-marking --max-semi-space-size=1
(function() {
var head = new Array(1);
var tail = head;
// Fill heap to increase old-space size and trigger concurrent sweeping on
// some of the old-space pages.
for (var i = 0; i < 200; i++) {
tail[1] = new Array(1000);
tail = tail[1];
}
array = new Array(100);
gc(); gc();
// At this point "array" should have been promoted to old-space and be
// located in a concurrently swept page with intact marking bits. Now shift
// the array to trigger left-trimming operations.
assertEquals(100, array.length);
for (var i = 0; i < 50; i++) {
array.shift();
}
assertEquals(50, array.length);
// At this point "array" should have been trimmed from the left with
// marking bits being correctly transferred to the new object start.
// Scavenging operations cause concurrent sweeping to advance and verify
// that marking bit patterns are still sensible.
for (var i = 0; i < 200; i++) {
tail[1] = new Array(1000);
tail = tail[1];
}
})();
Issue: https://crbug.com/1053364
Commit: [parser] Don't mark sloppy block functions as assigned
Date(Commit): Thu, 18 Jun 2020 16:43:44 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2241511
Regress : test\mjsunit\regress\regress-crbug-1053364.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --throws
function main() {
function g() {
function h() {
f;
}
{
function f() {}
}
f;
throw new Error();
}
g();
}
main();
Issue: https://crbug.com/1094866
Commit: [fuzzing] Use --fuzzing flag for allowed runtime functions
Date(Commit): Wed, 17 Jun 2020 18:56:54 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2246568
Regress : test\mjsunit\regress\regress-crbug-754177.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --fuzzing
// Do not crash on non-JSFunction input when fuzzing.
%NeverOptimizeFunction(undefined);
%NeverOptimizeFunction(true);
%NeverOptimizeFunction(1);
%NeverOptimizeFunction({});
%NeverOptimizeFunction();
%PrepareFunctionForOptimization(print);
%OptimizeFunctionOnNextCall(print);
Issue: https://crbug.com/1094226
Commit: [scanner] Update outdated DCHECK
Date(Commit): Mon, 15 Jun 2020 08:31:27 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2245592
Regress : test\mjsunit\regress\regress-1094226.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertThrows(() => eval('<' + '!'));
Issue: https://crbug.com/1094132
Commit: [deoptimizer] Relax a CHECK
Date(Commit): Fri, 12 Jun 2020 11:08:09 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2241517
Regress : test\mjsunit\compiler\regress-1094132.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function prettyPrinted() {}
function formatFailureText() {
if (expectedText.length <= 40 && foundText.length <= 40) {
message += ": expected <" + expectedText + "> found <" + foundText + ">";
message += ":\nexpected:\n" + expectedText + "\nfound:\n" + foundText;
}
}
function fail(expectedText, found, name_opt) {
formatFailureText(expectedText, found, name_opt);
if (!a[aProps[i]][aProps[i]]) { }
}
function deepEquals(a, b) {
if (a === 0) return 1 / a === 1 / b;
if (typeof a !== typeof a) return false;
if (typeof a !== "object" && typeof a !== "function") return false;
if (objectClass !== classOf()) return false;
if (objectClass === "RegExp") { }
}
function assertEquals() {
if (!deepEquals()) {
fail(prettyPrinted(), undefined, undefined);
}
}
({y: {}, x: 0.42});
function gaga() {
return {gx: bar.arguments[0], hx: baz.arguments[0]};
}
function baz() {
return gaga();
}
function bar(obj) {
return baz(obj.y);
}
function foo() {
bar({y: {}, x: 42});
try { assertEquals() } catch (e) {}
try { assertEquals() } catch (e) {}
assertEquals();
}
%PrepareFunctionForOptimization(prettyPrinted);
%PrepareFunctionForOptimization(formatFailureText);
%PrepareFunctionForOptimization(fail);
%PrepareFunctionForOptimization(deepEquals);
%PrepareFunctionForOptimization(assertEquals);
%PrepareFunctionForOptimization(gaga);
%PrepareFunctionForOptimization(baz);
%PrepareFunctionForOptimization(bar);
%PrepareFunctionForOptimization(foo);
try { foo() } catch (e) {}
%OptimizeFunctionOnNextCall(foo);
try { foo() } catch (e) {}
%PrepareFunctionForOptimization(prettyPrinted);
%PrepareFunctionForOptimization(formatFailureText);
%PrepareFunctionForOptimization(fail);
%PrepareFunctionForOptimization(deepEquals);
%PrepareFunctionForOptimization(assertEquals);
%PrepareFunctionForOptimization(gaga);
%PrepareFunctionForOptimization(baz);
%PrepareFunctionForOptimization(bar);
%PrepareFunctionForOptimization(foo);
%OptimizeFunctionOnNextCall(foo);
try { foo() } catch (e) {}
Issue: https://crbug.com/v8/10568
Commit: [regexp] Fix integer overflows in TextNode::GetQuickCheckDetails
Date(Commit): Wed, 10 Jun 2020 13:14:52 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2230527
Regress : test\mjsunit\regress\regress-v8-10568.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertEquals(/[--]/u.exec("Hr3QoS3KCWXQ2yjBoDIK")[0], "H");
assertEquals(/[0-\u{10000}]/u.exec("A0")[0], "A");
Issue: https://crbug.com/1092896
Commit: [string] Don't skip GetMethod on Smis in String builtins
Date(Commit): Wed, 10 Jun 2020 10:27:01 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2238030
Regress : test\mjsunit\regress\regress-1092896.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let count = 0
Object.prototype[Symbol.replace] = function () {
count++
}
"".replace(0);
assertEquals(count, 1);
"".replace(0.1);
assertEquals(count, 2);
Issue: https://crbug.com/v8/7748
Commit: [wasm] Rename anyref to externref, anyref flag/feature to reftypes
Date(Commit): Tue, 9 Jun 2020 15:54:14 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2232941
Regress : test\mjsunit\regress\wasm\regress-964607.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-wasm --experimental-wasm-reftypes
load('test/mjsunit/wasm/wasm-module-builder.js');
let builder = new WasmModuleBuilder();
builder.addImportedTable('ffi', 't1', 5, 5, kWasmAnyFunc);
builder.addImportedTable('ffi', 't2', 9, 9, kWasmAnyFunc);
builder.addFunction('foo', kSig_v_v).addBody([]).exportFunc();
let module = builder.toModule();
let table1 =
new WebAssembly.Table({element: 'anyfunc', initial: 5, maximum: 5});
let table2 =
new WebAssembly.Table({element: 'anyfunc', initial: 9, maximum: 9});
let instance =
new WebAssembly.Instance(module, {ffi: {t1: table1, t2: table2}});
let table3 =
new WebAssembly.Table({element: 'anyfunc', initial: 9, maximum: 9});
table3.set(8, instance.exports.foo);
new WebAssembly.Instance(module, {ffi: {t1: table1, t2: table3}});
Issue: https://crbug.com/1084820
Commit: [deoptimizer] Add missing HeapNumber allocation
Date(Commit): Tue, 9 Jun 2020 15:31:42 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2237145
Regress : test\mjsunit\compiler\regress-1092650.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Create map with HeapNumber in field 'a'
({a: 2**30});
function foo() {
return foo.arguments[0];
}
function main() {
foo({a: 42});
}
%PrepareFunctionForOptimization(foo);
%PrepareFunctionForOptimization(main);
main();
main();
%OptimizeFunctionOnNextCall(main);
main();
Issue: https://crbug.com/1091461
Commit: [turbofan] Make BigInt operations kNoThrow again
Date(Commit): Mon, 8 Jun 2020 11:48:13 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2235113
Regress : test\mjsunit\regress\regress-1091461.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(a, b) {
let x = a + b;
}
function test() {
try {
foo(1n, 1n);
} catch (e) {}
}
%PrepareFunctionForOptimization(foo);
%PrepareFunctionForOptimization(test);
test();
test();
%OptimizeFunctionOnNextCall(test);
test();
Issue: https://crbug.com/1084820
Commit: [deoptimizer] Fix bug in object materialization
Date(Commit): Mon, 8 Jun 2020 14:32:31 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2228330
Regress : test\mjsunit\compiler\regress-1084820.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Create a map where 'my_property' has HeapObject representation.
const dummy_obj = {};
dummy_obj.my_property = 'some HeapObject';
dummy_obj.my_property = 'some other HeapObject';
function gaga() {
const obj = {};
// Store a HeapNumber and then a Smi.
// This must happen in a loop, even if it's only 2 iterations:
for (let j = -3_000_000_000; j <= -1_000_000_000; j += 2_000_000_000) {
obj.my_property = j;
}
// Trigger (soft) deopt.
if (!%IsBeingInterpreted()) obj + obj;
}
%PrepareFunctionForOptimization(gaga);
gaga();
gaga();
%OptimizeFunctionOnNextCall(gaga);
gaga();
Issue: https://crbug.com/1073440
Commit: [turbofan] Fix lost exception on BigInt ops
Date(Commit): Thu, 4 Jun 2020 16:55:35 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2228493
Regress : test\mjsunit\regress\regress-1073440.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --opt --allow-natives-syntax --no-always-opt
function foo(n) {
try {
let v = 0n;
for (let i = 0; i < n; ++i) {
v = 3n + v;
v = i;
}
} catch (e) {
return 1;
}
return 0;
}
%PrepareFunctionForOptimization(foo);
assertEquals(foo(1), 0);
assertEquals(foo(1), 0);
%OptimizeFunctionOnNextCall(foo);
assertEquals(foo(1), 0);
assertOptimized(foo);
%PrepareFunctionForOptimization(foo);
assertEquals(foo(2), 1);
assertUnoptimized(foo);
// Check that we learned something and do not loop deoptimizations.
%OptimizeFunctionOnNextCall(foo);
assertEquals(foo(1), 0);
assertOptimized(foo);
assertEquals(foo(2), 1);
assertOptimized(foo);
Issue: https://crbug.com/1082293
Commit: [ic] Fix a bug in StoreOwnIC when storing NaN values
Date(Commit): Wed, 3 Jun 2020 18:04:56 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2228886
Regress : test\mjsunit\regress\regress-crbug-1082293.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f() {
let buffer = new ArrayBuffer(8);
let a32 = new Float32Array(buffer);
let a8 = new Uint32Array(buffer);
let a = { value: NaN };
Object.defineProperty(a32, 0, { value: NaN });
return a8[0];
}
let value = f();
%EnsureFeedbackVectorForFunction(f);
assertEquals(value, f());
Issue: https://crbug.com/v8/10560
Commit: Hold on to FeedbackMetadata when allocating feedback vectors
Date(Commit): Thu, 28 May 2020 17:17:15 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2218066
Regress : test\mjsunit\regress\regress-786784.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f() {
function g(arg) { return arg; }
// The closure contains a call IC slot.
return function() { return g(42); };
}
const a = Realm.create();
const b = Realm.create();
// Create two closures in different contexts sharing the same
// SharedFunctionInfo (shared due to code caching).
const x = Realm.eval(a, f.toString() + " f()");
const y = Realm.eval(b, f.toString() + " f()");
// Run the first closure to create SFI::code.
x();
// At this point, SFI::code is set and `x` has a feedback vector (`y` does not).
// Enabling block code coverage deoptimizes all functions and triggers the
// buggy code path in which we'd unconditionally replace JSFunction::code with
// its SFI::code (but skip feedback vector setup).
%DebugToggleBlockCoverage(true);
// Still no feedback vector set on `y` but it now contains code. Run it to
// trigger the crash when attempting to write into the non-existent feedback
// vector.
y();
Issue: https://crbug.com/1077197
Commit: Fix feedback loss when builtins throw
Date(Commit): Thu, 28 May 2020 13:44:41 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2202904
Regress : test\mjsunit\regress\regress-9441.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt --no-always-opt
function foo(a, b) {
return a - b;
}
%PrepareFunctionForOptimization(foo);
assertEquals(-1n, foo(1n, 2n));
%OptimizeFunctionOnNextCall(foo);
assertEquals(1n, foo(2n, 1n));
assertOptimized(foo);
assertThrows(() => foo(2n, undefined));
assertUnoptimized(foo);
%PrepareFunctionForOptimization(foo);
%OptimizeFunctionOnNextCall(foo);
assertEquals(-1n, foo(1n, 2n));
assertOptimized(foo);
assertThrows(() => foo(undefined, 2n));
assertOptimized(foo);
Issue: https://crbug.com/v8/5660
Commit: Reland "[turbofan] Improve equality on NumberOrOddball"
Date(Commit): Thu, 28 May 2020 10:24:20 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2162854
Regress : test\mjsunit\regress\regress-5660.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --opt --allow-natives-syntax
(function() {
function test(a, b) {
return a === b;
}
%PrepareFunctionForOptimization(test);
assertTrue(test(undefined, undefined));
assertTrue(test(undefined, undefined));
%OptimizeFunctionOnNextCall(test);
assertTrue(test(undefined, undefined));
})();
(function() {
function test(a, b) {
return a === b;
}
%PrepareFunctionForOptimization(test);
assertTrue(test(true, true));
assertTrue(test(true, true));
%OptimizeFunctionOnNextCall(test);
assertFalse(test(true, 1));
})();
(function() {
function test(a, b) {
return a == b;
}
%PrepareFunctionForOptimization(test);
assertTrue(test(true, true));
assertTrue(test(true, true));
%OptimizeFunctionOnNextCall(test);
assertTrue(test(true, 1));
})();
Issue: https://crbug.com/1086470
Commit: Fix assert caused by SloppyArgumentsElements introduction
Date(Commit): Tue, 26 May 2020 17:00:38 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2215059
Regress : test\mjsunit\regress\regress-1086470.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function __f_1( __v_9) {
return arguments;
}
var __v_48 = [];
var __v_49 = __f_1();
var __v_50 = 3;
Object.preventExtensions(__v_49);
function __f_7(__v_52, __v_53, __v_54) {
__v_52[__v_53] =
__v_54;
}
__v_48.__proto__ = __v_49;
for (var __v_51 = 0; __v_51 < __v_50; __v_51++) {
__f_7(__v_48, __v_51);
}
Commit: [TurboProp] Don't try to rewire unreachable blocks to end.
Date(Commit): Thu, 21 May 2020 12:19:51 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2209061
Regress : test\mjsunit\regress\regress-1084953.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --turboprop
function foo() {
try {
+Symbol();
} catch {
}
}
%PrepareFunctionForOptimization(foo);
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/1084872
Commit: [regexp] Fix signed/unsigned confusion in regexp interpreter
Date(Commit): Wed, 20 May 2020 14:23:49 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2209066
Regress : test\mjsunit\regress\regress-1084872.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const re = new RegExp("(?<=(.)\\2.*(T))");
re.exec(undefined);
assertEquals(re.exec("bTaLTT")[1], "b");
Issue: https://crbug.com/1084151
Commit: [liftoff][mv] Fix merge issue in multi-value loops
Date(Commit): Tue, 19 May 2020 12:17:57 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2208851
Regress : test\mjsunit\regress\wasm\regress-1084151.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-mv
load("test/mjsunit/wasm/wasm-module-builder.js");
let builder = new WasmModuleBuilder();
let sig_i_iii = builder.addType(kSig_i_iii);
builder.addFunction("main", sig_i_iii)
.addBody([
kExprLocalGet, 1,
kExprLocalGet, 1,
kExprI32Const, 5,
kExprLoop, sig_i_iii,
kExprLocalGet, 1,
kExprBlock, sig_i_iii,
kExprLocalGet, 1,
kExprLocalGet, 2,
kExprBrIf, 1,
kExprDrop,
kExprDrop,
kExprDrop,
kExprEnd,
kExprDrop,
kExprEnd])
.exportAs("main");
let module = new WebAssembly.Module(builder.toBuffer());
Issue: https://crbug.com/1083450
Commit: [regexp] Specify signedness when accessing packed arguments
Date(Commit): Mon, 18 May 2020 14:50:45 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2207137
Regress : test\mjsunit\regress\regress-1083450.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const source = "(?<=(?=ab)(|)abc)"
const re = new RegExp(source);
assertNotNull(re.exec("abc"));
Issue: https://crbug.com/1082704
Commit: [turbofan] Make GraphAssembler branching respect typing
Date(Commit): Fri, 15 May 2020 11:42:39 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2202978
Regress : test\mjsunit\compiler\regress-1082704.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var array = [[]];
function foo() {
const x = array[0];
const y = [][0];
return x == y;
}
%PrepareFunctionForOptimization(foo);
assertFalse(foo());
%OptimizeFunctionOnNextCall(foo);
assertFalse(foo());
Commit: [Turboprop] Allow removal of multiple unreachable blocks that merge.
Date(Commit): Tue, 12 May 2020 21:27:09 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2196354
Regress : test\mjsunit\regress\regress-1079446.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --turboprop
arr = new Int16Array();
function foo() {
arr.__defineGetter__('a', function() { });
arr[0] = "123.12";
}
%PrepareFunctionForOptimization(foo);
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/1069530
Commit: [ic] Properly handle store mode generalization in KeyedStoreIC
Date(Commit): Tue, 12 May 2020 22:26:41 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2196353
Regress : test\mjsunit\regress\regress-crbug-1069530.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy-feedback-allocation
function store(ar, index) {
ar[index] = "a";
}
let growable_array = [];
// Train IC on growable array
store(growable_array, 0);
store(growable_array, 1);
store(growable_array, 2);
store(growable_array, 3);
// Now make IC polymorphic
var array = [];
Object.defineProperty(array, "length", { value: 3, writable: false });
store(array, 0);
store(array, 1);
// ... and try to grow it.
store(array, 3);
assertEquals(undefined, array[3]);
assertEquals(3, array.length);
Issue: https://crbug.com/v8/10513
Commit: [regexp] Unconditionally get named capture in GetSubstitution
Date(Commit): Tue, 12 May 2020 08:46:36 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2195821
Regress : test\mjsunit\regress\regress-v8-10513.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const access_log = [];
const handler = {
get: function(obj, prop) {
access_log.push(prop);
return prop in obj ? obj[prop] : "z";
}
};
class ProxiedGroupRegExp extends RegExp {
exec(s) {
var result = super.exec(s);
if (result) {
result.groups = new Proxy(result.groups, handler);
}
return result;
}
}
let re = new ProxiedGroupRegExp("(?<x>.)");
assertEquals("a z", "a".replace(re, "$<x> $<y>"));
assertEquals(["x", "y"], access_log);
Issue: https://crbug.com/1055138
Commit: [ic] Fix stores to holey elements
Date(Commit): Mon, 11 May 2020 17:57:59 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2172090
Regress : test\mjsunit\regress\regress-crbug-1055138-3.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Object.prototype[1] = 153;
(function StrictStoreToReadOnlyProperty() {
function foo(prototype_frozen) {
"use strict";
let ar = [];
let threw_exception = false;
for (let i = 0; i < 3; i++) {
try {
ar[i] = 42;
} catch(e) {
if (prototype_frozen) {
// Attempt to overwrite read-only element should throw and
// should not change array length.
assertTrue(i == 1);
assertEquals(1, ar.length);
assertInstanceof(e, TypeError);
threw_exception = true;
}
}
}
if (prototype_frozen) {
assertTrue(threw_exception);
}
return ar;
}
// Warm-up store IC.
assertEquals([42,42,42], foo(false));
assertEquals([42,42,42], foo(false));
assertEquals([42,42,42], foo(false));
assertEquals([42,42,42], foo(false));
Object.freeze(Object.prototype);
// Ensure IC was properly invalidated.
assertEquals([42,153,42], foo());
})();
Issue: https://crbug.com/v8/10508
Commit: [runtime] Return undefined as CallSite::getFunction for scripts
Date(Commit): Mon, 11 May 2020 14:23:00 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2193716
Regress : test\mjsunit\regress\regress-10508.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Error.prepareStackTrace = (error, frames) => {
// JSON.stringify executes the replacer, triggering the relevant
// code in Invoke().
JSON.stringify({}, frames[0].getFunction());
};
let v0;
try {
throw new Error();
} catch (e) {
e.stack
}
Issue: https://crbug.com/1074737
Commit: [parser] Treat var initializers in masking catch as assigning
Date(Commit): Fri, 8 May 2020 15:46:18 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2187272
Regress : test\mjsunit\regress\regress-crbug-1074737.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
try {
throw 42
} catch (e) {
function foo() { return e };
%PrepareFunctionForOptimization(foo);
%OptimizeFunctionOnNextCall(foo);
foo();
var e = "expected";
}
assertEquals("expected", foo());
try {
throw 42
} catch (f) {
function foo2() { return f };
%PrepareFunctionForOptimization(foo2);
%OptimizeFunctionOnNextCall(foo2);
foo2();
with ({}) {
var f = "expected";
}
}
assertEquals("expected", foo2());
(function () {
function foo3() { return g };
%PrepareFunctionForOptimization(foo3);
%OptimizeFunctionOnNextCall(foo3);
foo3();
with ({}) {
var g = "expected";
}
assertEquals("expected", foo3());
})()
Issue: https://crbug.com/1078913
Commit: [compiler] Skip interpreter trampoline copy for asm.js
Date(Commit): Fri, 8 May 2020 13:08:23 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2190412
Regress : test\mjsunit\regress\regress-1078913.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --interpreted-frames-native-stack
// Make sure that the interpreted trampoline copy (for native interpreter frames
// in stack traces) works for interperted functions but doesn't crash for asm.js
function func() {
return;
}
function asm_func() {
"use asm";
function f(){}
return {f:f};
}
function failed_asm_func() {
"use asm";
// This should fail validation
[x,y,z] = [1,2,3];
return;
}
func();
asm_func();
failed_asm_func();
Issue: https://crbug.com/1077804
Commit: [mjsunit] Relax flags of regress-1077804.js test
Date(Commit): Thu, 7 May 2020 12:40:08 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2187499
Regress : test\mjsunit\regress\regress-1077804.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo() {
return bar();
}
function bar(a, b) {
return a + b;
}
%PrepareFunctionForOptimization(foo);
foo();
%OptimizeFunctionOnNextCall(foo);
%PrepareFunctionForOptimization(bar);
%OptimizeFunctionOnNextCall(bar);
bar(2n, 2n);
assertTrue(Number.isNaN(foo()));
Issue: https://crbug.com/1077508
Commit: Move to slow-path in Array#sort if the array is no longer a FastJSArray
Date(Commit): Thu, 7 May 2020 09:23:50 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2187171
Regress : test\mjsunit\regress\regress-crbug-1077508.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const array = [, , , 0, 1, 2];
const comparefn = () => {
Array.prototype.__defineSetter__("0", function () {});
Array.prototype.__defineSetter__("1", function () {});
Array.prototype.__defineSetter__("2", function () {});
};
array.sort(comparefn);
assertArrayEquals([, , , , , , ], array);
Commit: [Tests] Add mjsunit test for issue 1076569.
Date(Commit): Wed, 6 May 2020 18:12:33 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2185130
Regress : test\mjsunit\regress\regress-1076569.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --turboprop
var array = new Int16Array();
function foo() {
array[0] = "123.12";
}
%PrepareFunctionForOptimization(foo);
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/v8/10484
Commit: [builtins] Fix handling of read-only length in Array.prototype.pop
Date(Commit): Wed, 6 May 2020 15:20:34 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2182452
Regress : test\mjsunit\regress\regress-v8-10484-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var ar;
Object.defineProperty(Array.prototype, 3,
{
get() {
Object.defineProperty(
ar, "length",
{ value: 3, writable: false, configurable: false });
}
});
function foo() {
ar = [1, 2, 3];
ar.length = 4;
ar.pop();
}
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
Issue: https://crbug.com/1063796
Commit: [ic] Fix KeyedHasIC_SloppyArguments implementation
Date(Commit): Fri, 1 May 2020 15:40:25 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2174504
Regress : test\mjsunit\regress\regress-crbug-1063796.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
Object.prototype[1] = 1;
function foo(baz) {
return 1 in arguments;
}
assertTrue(foo(0));
%PrepareFunctionForOptimization(foo);
assertTrue(foo(0));
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo(0));
Commit: [wasm-simd] Update SIMD opcode numbers as per the Spec change
Date(Commit): Fri, 1 May 2020 08:40:22 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2173952
Regress : test\mjsunit\regress\wasm\regress-10309.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-simd
let registry = {};
function module(bytes, valid = true) {
let buffer = new ArrayBuffer(bytes.length);
let view = new Uint8Array(buffer);
for (let i = 0; i < bytes.length; ++i) {
view[i] = bytes.charCodeAt(i);
}
let validated;
try {
validated = WebAssembly.validate(buffer);
} catch (e) {
throw new Error("Wasm validate throws");
}
if (validated !== valid) {
throw new Error("Wasm validate failure" + (valid ? "" : " expected"));
}
return new WebAssembly.Module(buffer);
}
function instance(bytes, imports = registry) {
return new WebAssembly.Instance(module(bytes), imports);
}
function call(instance, name, args) {
return instance.exports[name](...args);
}
function exports(name, instance) {
return {[name]: instance.exports};
}
function assert_return(action, expected) {
let actual = action();
if (!Object.is(actual, expected)) {
throw new Error("Wasm return value " + expected + " expected, got " + actual);
};
}
let f32 = Math.fround;
// simple.wast:1
let $1 = instance("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x09\x02\x60\x00\x00\x60\x01\x7f\x01\x7d\x03\x04\x03\x00\x00\x01\x05\x03\x01\x00\x01\x07\x1c\x02\x11\x72\x65\x70\x6c\x61\x63\x65\x5f\x6c\x61\x6e\x65\x5f\x74\x65\x73\x74\x00\x01\x04\x72\x65\x61\x64\x00\x02\x08\x01\x00\x0a\x6e\x03\x2a\x00\x41\x10\x43\x00\x00\x80\x3f\x38\x02\x00\x41\x14\x43\x00\x00\x00\x40\x38\x02\x00\x41\x18\x43\x00\x00\x40\x40\x38\x02\x00\x41\x1c\x43\x00\x00\x80\x40\x38\x02\x00\x0b\x39\x01\x01\x7b\x41\x10\x2a\x02\x00\xfd\x13\x21\x00\x20\x00\x41\x10\x2a\x01\x04\xfd\x20\x01\x21\x00\x20\x00\x41\x10\x2a\x01\x08\xfd\x20\x02\x21\x00\x20\x00\x41\x10\x2a\x01\x0c\xfd\x20\x03\x21\x00\x41\x00\x20\x00\xfd\x0b\x02\x00\x0b\x07\x00\x20\x00\x2a\x02\x00\x0b");
// simple.wast:49
call($1, "replace_lane_test", []);
// simple.wast:50
assert_return(() => call($1, "read", [0]), f32(1.0));
// simple.wast:51
assert_return(() => call($1, "read", [4]), f32(2.0));
// simple.wast:52
assert_return(() => call($1, "read", [8]), f32(3.0));
// simple.wast:53
assert_return(() => call($1, "read", [12]), f32(4.0));
Issue: https://crbug.com/1072947
Commit: [runtime] Fix miscalculated number of properties for derived class
Date(Commit): Thu, 30 Apr 2020 16:14:08 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2172964
Regress : test\mjsunit\regress\regress-crbug-1072947.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function() {
class reg extends RegExp {}
let r;
function trigger() {
try {
trigger();
} catch {
Reflect.construct(RegExp,[],reg);
}
}
trigger();
})();
(function() {
class reg extends Function {}
let r;
function trigger() {
try {
trigger();
} catch {
Reflect.construct(RegExp,[],reg);
}
}
trigger();
})();
Issue: https://crbug.com/1071190
Commit: [turbofan] Fixes incorrect DataView setters
Date(Commit): Tue, 28 Apr 2020 16:32:19 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2170091
Regress : test\mjsunit\regress\regress-1071190.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function test() {
const a = new DataView(new ArrayBuffer(32));
const b = new DataView(new ArrayBuffer(32));
a.setFloat64(0);
b.setFloat64(0, undefined);
for(let i = 0; i < 8; ++i) {
assertEquals(a.getUint8(i), b.getUint8(i));
}
}
%PrepareFunctionForOptimization(test);
test();
test();
%OptimizeFunctionOnNextCall(test);
test();
Commit: [wasm][liftoff][arm] Avoid double allocation of register is AtomicOp64
Date(Commit): Tue, 28 Apr 2020 11:37:47 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2170088
Regress : test\mjsunit\regress\wasm\regress-1074586-b.js
// // Use of this source code is governed by a BSD-style license that can be
// // found in the LICENSE file.
// Flags: --wasm-staging
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false, true);
const sig = builder.addType(makeSig(
[kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmI32],
[]));
builder.addFunction(undefined, sig).addBodyWithEnd([
// signature: v_iiiiifidi
// body:
kExprI32Const, 0x00, // i32.const
kExprI64Const, 0x00, // i64.const
kAtomicPrefix, kExprI64AtomicStore, 0x00, 0x00, // i64.atomic.store64
kExprEnd, // end @9
]);
builder.addExport('main', 0);
assertDoesNotThrow(() => builder.instantiate());
Issue: https://crbug.com/1074736
Commit: [turbofan] Fix bug in typed array iteration
Date(Commit): Tue, 28 Apr 2020 14:40:22 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2168874
Regress : test\mjsunit\compiler\regress-1074736.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
var arr = new Uint8Array();
%ArrayBufferDetach(arr.buffer);
function foo() {
return arr[Symbol.iterator]();
}
%PrepareFunctionForOptimization(foo);
assertThrows(foo, TypeError);
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, TypeError);
Issue: https://crbug.com/1069964
Commit: [protectors] Move regexp species protector back to the isolate
Date(Commit): Wed, 22 Apr 2020 08:35:06 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2157382
Regress : test\mjsunit\regress\regress-1069964.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Realm.createAllowCrossRealmAccess();
const c = Realm.global(1);
Realm.detachGlobal(1);
try { c.constructor = () => {}; } catch {}
Issue: https://crbug.com/1070892
Commit: [turbofan] Distinguish two further modes of CheckBounds
Date(Commit): Mon, 27 Apr 2020 20:59:14 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2157365
Regress : test\mjsunit\compiler\regress-1071743.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(v) {
let x = Math.floor(v);
Number.prototype[v] = 42;
return x + Math.floor(v);
}
%PrepareFunctionForOptimization(foo);
assertSame(foo(-0), -0);
assertSame(foo(-0), -0);
%OptimizeFunctionOnNextCall(foo);
assertSame(foo(-0), -0);
function bar(v) {
v = v ? (v|0) : -0; // v has now type Integral32OrMinusZero.
let x = Math.floor(v);
Number.prototype[v] = 42;
return x + Math.floor(v);
}
%PrepareFunctionForOptimization(bar);
assertSame(2, bar(1));
assertSame(2, bar(1));
%OptimizeFunctionOnNextCall(bar);
assertSame(-0, bar(-0));
Issue: https://crbug.com/1072171
Commit: Reland "[turbofan] Fix bug in Number.Min/Max typings"
Date(Commit): Tue, 21 Apr 2020 07:45:09 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2157028
Regress : test\mjsunit\compiler\regress-1072171.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function testMax1(b) {
const max = Math.max(-1, b ? -0 : 1);
return Object.is(max, -0);
}
%PrepareFunctionForOptimization(testMax1);
assertTrue(testMax1(true));
assertTrue(testMax1(true));
%OptimizeFunctionOnNextCall(testMax1);
assertTrue(testMax1(true));
function testMax2(b) {
const max = Math.max(b ? -0 : 1, -1);
return Object.is(max, -0);
}
%PrepareFunctionForOptimization(testMax2);
assertTrue(testMax2(true));
assertTrue(testMax2(true));
%OptimizeFunctionOnNextCall(testMax2);
assertTrue(testMax2(true));
function testMin1(b) {
const min = Math.min(1, b ? -0 : -1);
return Object.is(min, -0);
}
%PrepareFunctionForOptimization(testMin1);
assertTrue(testMin1(true));
assertTrue(testMin1(true));
%OptimizeFunctionOnNextCall(testMin1);
assertTrue(testMin1(true));
function testMin2(b) {
const min = Math.min(b ? -0 : -1, 1);
return Object.is(min, -0);
}
%PrepareFunctionForOptimization(testMin2);
assertTrue(testMin2(true));
assertTrue(testMin2(true));
%OptimizeFunctionOnNextCall(testMin2);
assertTrue(testMin2(true));
Issue: https://crbug.com/1068492
Commit: [ic] Use slow stub if typed arrays are in prototype chain of JSObjects
Date(Commit): Fri, 3 Apr 2020 11:47:36 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2134138
Regress : test\mjsunit\regress\regress-crbug-1053939-1.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy-feedback-allocation
v = {};
v.__proto__ = new Int32Array(1);
function foo() {
for (var i = 0; i < 2; i++) {
v[i] = 0;
}
}
foo();
assertEquals(Object.keys(v).length, 1);
Issue: https://crbug.com/1070560
Commit: [builtins] When creating new elements array initialize with holes
Date(Commit): Thu, 16 Apr 2020 15:12:04 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2150599
Regress : test\mjsunit\regress\regress-crbug-1070560.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f() {
// Create a FixedDoubleArray
var arr = [5.65];
// Force the elements to be EmptyFixedArray
arr.splice(0);
// This should create a FixedDoubleArray initialized with holes.
arr.splice(-4, 9, 10, 20);
// If the earlier spice didn't create a holes this would fail.
assertFalse(2 in arr);
}
f();
Issue: https://crbug.com/1067757
Commit: [ic] Use slow stub when storing non-existent properties to global object
Date(Commit): Wed, 15 Apr 2020 15:08:19 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2142255
Regress : test\mjsunit\regress\regress-crbug-1067757.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy-feedback-allocation
"use strict";
function foo() {
let count = 0;
try {
for (p of v) {
count += 1;
}
} catch (e) { }
assertEquals(count, 0);
}
var v = [ "0", {}];
foo();
Reflect.deleteProperty(v, '0');
let count_loop = 0;
try {
for (p of v) { count_loop += 1; }
} catch (e) {}
assertEquals(count_loop, 0);
foo();
Issue: https://crbug.com/1067621
Commit: [wasm] Fix return value of concurrent memory.grow
Date(Commit): Tue, 14 Apr 2020 15:23:05 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2144113
Regress : test\mjsunit\regress\wasm\regress-1067621.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-threads
load('test/mjsunit/wasm/wasm-module-builder.js');
const kNumberOfWorker = 4;
const workerOnMessage = function(msg) {
if (msg.module) {
let module = msg.module;
let mem = msg.mem;
this.instance = new WebAssembly.Instance(module, {m: {memory: mem}});
postMessage({instantiated: true});
} else {
const kNumberOfRuns = 20;
let result = new Array(kNumberOfRuns);
for (let i = 0; i < kNumberOfRuns; ++i) {
result[i] = instance.exports.grow();
}
postMessage({result: result});
}
};
function spawnWorkers() {
let workers = [];
for (let i = 0; i < kNumberOfWorker; i++) {
let worker = new Worker(
'onmessage = ' + workerOnMessage.toString(), {type: 'string'});
workers.push(worker);
}
return workers;
}
function instantiateModuleInWorkers(workers, module, shared_memory) {
for (let worker of workers) {
worker.postMessage({module: module, mem: shared_memory});
let msg = worker.getMessage();
if (!msg.instantiated) throw 'Worker failed to instantiate';
}
}
function triggerWorkers(workers) {
for (i = 0; i < workers.length; i++) {
let worker = workers[i];
worker.postMessage({});
}
}
(function TestConcurrentGrowMemoryResult() {
let builder = new WasmModuleBuilder();
builder.addImportedMemory('m', 'memory', 1, 500, 'shared');
builder.addFunction('grow', kSig_i_v)
.addBody([kExprI32Const, 1, kExprMemoryGrow, kMemoryZero])
.exportFunc();
const module = builder.toModule();
const shared_memory =
new WebAssembly.Memory({initial: 1, maximum: 500, shared: true});
// Spawn off the workers and run the sequences.
let workers = spawnWorkers();
instantiateModuleInWorkers(workers, module, shared_memory);
triggerWorkers(workers);
let all_results = [];
for (let worker of workers) {
let msg = worker.getMessage();
all_results = all_results.concat(msg.result);
}
all_results.sort((a, b) => a - b);
for (let i = 1; i < all_results.length; ++i) {
assertEquals(all_results[i - 1] + 1, all_results[i]);
}
// Terminate all workers.
for (let worker of workers) {
worker.terminate();
}
})();
Issue: https://crbug.com/v8/10249
Commit: [test] Crash on invalid intrinsic use unless --fuzzing is on
Date(Commit): Tue, 14 Apr 2020 15:05:13 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2137406
Regress : test\mjsunit\regress\regress-447756.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
function TestConstructor(c) {
var a = new c(-0);
assertSame(Infinity, 1 / a.length);
assertSame(Infinity, 1 / a.byteLength);
var ab = new ArrayBuffer(-0);
assertSame(Infinity, 1 / ab.byteLength);
var a1 = new c(ab, -0, -0);
assertSame(Infinity, 1 / a1.length);
assertSame(Infinity, 1 / a1.byteLength);
assertSame(Infinity, 1 / a1.byteOffset);
}
var constructors =
[ Uint8Array, Int8Array, Uint8ClampedArray,
Uint16Array, Int16Array,
Uint32Array, Int32Array,
Float32Array, Float64Array ];
for (var i = 0; i < constructors.length; i++) {
TestConstructor(constructors[i]);
}
function TestOptimizedCode() {
var a = new Uint8Array(-0);
assertSame(Infinity, 1 / a.length);
assertSame(Infinity, 1 / a.byteLength);
var ab = new ArrayBuffer(-0);
assertSame(Infinity, 1 / ab.byteLength);
var a1 = new Uint8Array(ab, -0, -0);
assertSame(Infinity, 1 / a1.length);
assertSame(Infinity, 1 / a1.byteLength);
assertSame(Infinity, 1 / a1.byteOffset);
}
%PrepareFunctionForOptimization(TestOptimizedCode);
TestOptimizedCode();
TestOptimizedCode();
%OptimizeFunctionOnNextCall(TestOptimizedCode);
TestOptimizedCode();
Issue: https://crbug.com/1068494
Commit: [turbofan] Fix bug in reduction of StoreDataPropertyInLiteral
Date(Commit): Wed, 8 Apr 2020 13:02:56 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2139581
Regress : test\mjsunit\compiler\regress-1068494.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo() {
return { ['bar']: class {} };
}
%PrepareFunctionForOptimization(foo);
assertEquals('bar', foo().bar.name);
assertEquals('bar', foo().bar.name);
%OptimizeFunctionOnNextCall(foo);
assertEquals('bar', foo().bar.name);
Issue: https://crbug.com/1067544
Commit: [turbofan] Fix bug in reduction of typed array iteration
Date(Commit): Mon, 6 Apr 2020 11:41:10 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2135632
Regress : test\mjsunit\compiler\regress-1067544.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
const v = [];
function foo() {
Int8Array.prototype.values.call([v]);
}
%PrepareFunctionForOptimization(foo);
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, TypeError);
Issue: https://crbug.com/1060023
Commit: [parser] Already break the expression scope chain for function parameters
Date(Commit): Thu, 2 Apr 2020 14:26:18 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2134006
Regress : test\mjsunit\regress\regress-crbug-1060023.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
class b extends RegExp {
exec() {
(function() { (a = (function({} = this) {})) => {} })
}
}
assertThrows(()=>'a'.match(new b), TypeError);
Issue: https://crbug.com/1053939
Commit: [ic] Use the existing prototype validity cell when recomputing handlers
Date(Commit): Thu, 2 Apr 2020 12:41:52 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2122032
Regress : test\mjsunit\regress\regress-crbug-1053939.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy-feedback-allocation
function foo(a, b) {
a[b] = 1;
return a[b];
}
v = [];
assertEquals(foo(v, 1), 1);
v.__proto__.__proto__ = new Int32Array();
assertEquals(foo(Object(), 1), 1);
assertEquals(foo(v, 2), undefined);
Issue: https://crbug.com/1065635
Commit: [asm] Fix double literals without dots
Date(Commit): Mon, 30 Mar 2020 18:34:41 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2126922
Regress : test\mjsunit\regress\wasm\regress-1065635.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function foo() {
'use asm';
function bar() {
return -1e-15;
}
return {bar: bar};
}
assertEquals(-1e-15, foo().bar());
Commit: [turbofan] Add a type check to String.prototype.startsWith
Date(Commit): Wed, 1 Apr 2020 14:45:11 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2129639
Regress : test\mjsunit\regress\regress-crbug-1065741.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt
function bar() {
String.prototype.startsWith.apply();
}
%PrepareFunctionForOptimization(bar);
assertThrows(bar, TypeError);
assertThrows(bar, TypeError);
%OptimizeFunctionOnNextCall(bar);
assertThrows(bar, TypeError);
%PrepareFunctionForOptimization(bar);
%OptimizeFunctionOnNextCall(bar);
assertThrows(bar, TypeError);
assertOptimized(bar);
Issue: https://crbug.com/1065737
Commit: [turbofan] Mark JSStoreGlobal as NeedsExactContext
Date(Commit): Wed, 1 Apr 2020 11:24:45 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2130280
Regress : test\mjsunit\compiler\regress-1065737.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo() {
class c {
static get [v = 0]() {}
}
}
%PrepareFunctionForOptimization(foo);
assertThrows(foo, ReferenceError);
assertThrows(foo, ReferenceError);
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, ReferenceError);
Issue: https://crbug.com/1065852
Commit: [asm] Avoid instantiation as resumable function
Date(Commit): Mon, 30 Mar 2020 18:06:07 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2126920
Regress : test\mjsunit\regress\wasm\regress-1065852.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function* asm() {
"use asm";
function x(v) {
v = v | 0;
}
return x;
}
// 'function*' creates a generator with an implicit 'next' method.
asm().next();
Issue: https://crbug.com/1065094
Commit: Make CreateDynamicFunction throw if disallowed
Date(Commit): Mon, 30 Mar 2020 11:55:10 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2124837
Regress : test\mjsunit\regress-1065094.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f(fnConstructor) {
return Object.is(new fnConstructor(), undefined);
}
const realmIndex = Realm.createAllowCrossRealmAccess();
const otherFunction = Realm.global(realmIndex).Function;
Realm.detachGlobal(realmIndex);
%PrepareFunctionForOptimization(f);
assertFalse(f(Function));
assertThrows(_ => f(otherFunction));
%OptimizeFunctionOnNextCall(f);
assertThrows(_ => f(otherFunction));
Issue: https://crbug.com/1063661
Commit: [turbofan] Fix NumberMin and NumberMax typings
Date(Commit): Tue, 24 Mar 2020 20:14:48 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2116199
Regress : test\mjsunit\compiler\regress-1063661.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --interrupt-budget=1024
function main() {
const v1 = [];
for (let v11 = 0; v11 < 7; v11++) {
for (let v16 = 0; v16 != 100; v16++) {}
for (let v18 = -0.0; v18 < 7; v18 = v18 || 13.37) {
const v21 = Math.max(-339,v18);
v1.fill();
undefined % v21;
}
}
}
main();
Issue: https://crbug.com/v8/10333
Commit: [mjsunit] Use smaller test array
Date(Commit): Thu, 19 Mar 2020 09:44:41 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2108547
Regress : test\mjsunit\regress\regress-crbug-1057653.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
Object.prototype.length = 3642395160;
const array = new Float32Array(2**27);
assertThrows(() => {for (const key in array) {}}, RangeError);
Issue: https://crbug.com/1062916
Commit: [turbofan] Remove bogus DCHECK and add a comment
Date(Commit): Thu, 19 Mar 2020 17:30:21 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2110027
Regress : test\mjsunit\compiler\regress-1062916.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-analyze-environment-liveness --no-use-ic
function foo(x) {
var a = [];
for (var k1 in x) {
for (var k2 in x) {
a.k2;
}
}
return a.join();
}
%PrepareFunctionForOptimization(foo);
foo({p: 42});
%OptimizeFunctionOnNextCall(foo);
foo();
Commit: Reland "[turbofan] Clean up ConstantFoldingReducer"
Date(Commit): Tue, 17 Mar 2020 09:53:42 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2098736
Regress : test\mjsunit\compiler\regress-1061803.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo() {
return arguments[1][0] === arguments[0];
}
%PrepareFunctionForOptimization(foo);
assertFalse(foo(0, 0));
assertFalse(foo(0, 0));
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, TypeError);
Issue: https://crbug.com/1059738
Commit: Fix one more LookupIterator
Date(Commit): Fri, 13 Mar 2020 13:53:19 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2101005
Regress : test\mjsunit\regress\regress-crbug-1059738.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var o = {4294967295: ({4294967295: NaN}) + "foo"};
Issue: https://crbug.com/1057094
Commit: [wasm] Fix memory limit check with custom flags
Date(Commit): Mon, 2 Mar 2020 15:30:24 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2083300
Regress : test\mjsunit\regress\wasm\regress-crbug-1057094.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-max-mem-pages=65536
try {
var __v_50189 = new WebAssembly.Memory({
initial: 65536
});
} catch (e) {
// 32-bit builds will throw a RangeError, that's okay.
assertTrue(e instanceof RangeError);
}
Commit: [mjsunit] Move all regress-*.js tests to mjsunit/regress/
Date(Commit): Tue, 3 Mar 2020 10:27:43 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2082562
Regress : test\mjsunit\regress\regress-v8-8445.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
class MyRegExp {
exec() { return null; }
}
assertEquals(["ab", ""], "abc".split(/c/g));
assertEquals([["a"]], [..."a".matchAll(/a/g)]);
Object.defineProperty(RegExp, Symbol.species, { get() { return MyRegExp; }});
assertEquals(["abc"], "abc".split(/c/g));
assertEquals([], [..."a".matchAll(/a/g)]);
Issue: https://crbug.com/1052647
Commit: [intl] Fix Intl.NumberFormat constructor
Date(Commit): Tue, 3 Mar 2020 11:14:57 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2082560
Regress : test\mjsunit\regress\regress-crbug-1052647.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let useArgs = undefined;
function f(arg) {
useArgs = 'result' + arguments[0] + arg;
}
Intl.NumberFormat.__proto__ = { [Symbol.hasInstance]: f };
new Intl.NumberFormat();
Issue: https://crbug.com/v8/10126
Commit: Reland "[wasm] The name of a custom section can cause a validation error"
Date(Commit): Tue, 25 Feb 2020 15:41:13 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2041446
Regress : test\mjsunit\regress\wasm\regress-10126.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js')
let binary = new Binary;
binary.emit_bytes([
kWasmH0, // 0 header
kWasmH1, // 1 -
kWasmH2, // 2 -
kWasmH3, // 3 -
kWasmV0, // 4 version
kWasmV1, // 5 -
kWasmV2, // 6 -
kWasmV3, // 7 -
kUnknownSectionCode, // 8 custom section
0x5, // 9 length
0x6, // 10 invalid name length
'a', // 11 payload
'b', // 12 -
'c', // 13 -
'd', // 14 -
kCodeSectionCode, // 15 code section start
0x1, // 16 code section length
19, // 17 invalid number of functions
]);
const buffer = binary.trunc_buffer();
assertThrowsAsync(
WebAssembly.compile(buffer), WebAssembly.CompileError,
'WebAssembly.compile(): expected 6 bytes, fell off end @+11');
Issue: https://crbug.com/v8/7881
Commit: [wasm] Bring memory limits up to spec
Date(Commit): Fri, 21 Feb 2020 18:00:27 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2035876
Regress : test\mjsunit\regress\wasm\regress-724846.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');
// Flags: --wasm-max-mem-pages=49151
let builder = new WasmModuleBuilder();
const num_pages = 49152;
builder.addMemory(num_pages, num_pages);
// num_pages * 64k (page size) > kMaxInt.
assertThrows(() => builder.instantiate(), WebAssembly.CompileError);
Issue: https://crbug.com/1050046
Commit: [keys] Make sure we don't leak the enum cache in slow-mode for/in
Date(Commit): Thu, 20 Feb 2020 16:56:57 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2066959
Regress : test\mjsunit\regress\regress-crbug-1050046.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-gc
var __v_6 = new Boolean();
__v_6.first = 0;
__v_6.prop = 1;
for (var __v_2 in __v_6) {
delete __v_6.prop;
gc();
}
Issue: https://crbug.com/1051017
Commit: [turbofan] Fix bug in Typer::TypeInductionVariablePhi, again
Date(Commit): Wed, 19 Feb 2020 16:08:26 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2064222
Regress : test\mjsunit\compiler\regress-1051017.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo1() {
var x = -Infinity;
var i = 0;
for (; i < 1; i += x) {
if (i == -Infinity) x = +Infinity;
}
return i;
}
%PrepareFunctionForOptimization(foo1);
assertEquals(NaN, foo1());
assertEquals(NaN, foo1());
%OptimizeFunctionOnNextCall(foo1);
assertEquals(NaN, foo1());
function foo2() {
var i = -Infinity;
for (; i <= 42; i += Infinity) { }
return i;
}
%PrepareFunctionForOptimization(foo2);
assertEquals(NaN, foo2());
assertEquals(NaN, foo2());
%OptimizeFunctionOnNextCall(foo2);
assertEquals(NaN, foo2());
function foo3(b) {
var k = 0;
let str = b ? "42" : "0";
for (var i = str; i < 1 && k++ < 1; i -= 0) { }
return i;
}
%PrepareFunctionForOptimization(foo3);
assertEquals(0, foo3());
assertEquals(0, foo3());
%OptimizeFunctionOnNextCall(foo3);
assertEquals(0, foo3());
Issue: https://crbug.com/1053604
Commit: [turbofan] Fix bug in receiver maps inference
Date(Commit): Wed, 19 Feb 2020 10:04:19 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2062396
Regress : test\mjsunit\compiler\regress-1053604.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
let a = [0, 1, 2, 3, 4];
function empty() {}
function f(p) {
a.pop(Reflect.construct(empty, arguments, p));
}
let p = new Proxy(Object, {
get: () => (a[0] = 1.1, Object.prototype)
});
function main(p) {
f(p);
}
%PrepareFunctionForOptimization(empty);
%PrepareFunctionForOptimization(f);
%PrepareFunctionForOptimization(main);
main(empty);
main(empty);
%OptimizeFunctionOnNextCall(main);
main(p);
Issue: https://crbug.com/v8/8088
Commit: [parser] Track labels in the parser-base rather than parser+ast
Date(Commit): Tue, 18 Feb 2020 16:07:23 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2059989
Regress : test\mjsunit\asm\regress-674089.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --validate-asm --lazy-inner-functions
function outer() {
"use asm";
function inner() {
/f(/
}
}
outer();
Issue: https://crbug.com/1049982
Commit: Add test skips for deopt_fuzzer
Date(Commit): Wed, 12 Feb 2020 08:39:47 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2050402
Regress : test\mjsunit\regress\regress-1049982-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --opt
const xs = [1,2,3,4,5,6,7,8,9];
let deopt = false;
function g(acc, x, i) {
if (deopt) {
assertFalse(%IsBeingInterpreted());
Array.prototype.x = 42; // Trigger a lazy deopt.
deopt = false;
}
return acc + x;
}
function f() {
return xs.reduceRight(g, 0);
}
%PrepareFunctionForOptimization(f);
%PrepareFunctionForOptimization(g);
assertEquals(45, f());
assertEquals(45, f());
%OptimizeFunctionOnNextCall(f);
deopt = true;
assertEquals(45, f());
assertEquals(45, f());
Issue: https://crbug.com/1048241
Commit: [liftoff][ia32] Fix AtomicStore register spilling
Date(Commit): Tue, 4 Feb 2020 09:48:04 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2036073
Regress : test\mjsunit\regress\wasm\regress-1048241.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false, true);
const sig = makeSig([kWasmF64, kWasmI64, kWasmI32, kWasmF64], []);
builder.addFunction(undefined, sig).addBody([
kExprI32Const, 0x00, // -
kExprI32Const, 0x00, // -
kExprI32Const, 0x00, // -
kAtomicPrefix, kExprI32AtomicXor16U, 0x01, 0x00, // -
kAtomicPrefix, kExprI32AtomicStore8U, 0x00, 0x00, // -
]);
builder.instantiate();
Issue: https://crbug.com/1045225
Commit: [Liftoff] Clean up implementation of AtomicStore
Date(Commit): Fri, 31 Jan 2020 09:13:09 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2029414
Regress : test\mjsunit\regress\wasm\regress-1045225.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
load('test/mjsunit/wasm/wasm-module-builder.js');
(function() {
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false, true);
builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: i_iii
// body:
kExprI32Const, 0x80, 0x01,
kExprI32Clz,
kExprI32Const, 0x00,
kExprI64Const, 0x00,
kAtomicPrefix, kExprI64AtomicStore8U, 0x00, 0x00,
kExprEnd, // @13
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
print(instance.exports.main(1, 2, 3));
})();
Issue: https://crbug.com/1044909
Commit: Fix one more LookupIterator
Date(Commit): Wed, 29 Jan 2020 17:05:21 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2023558
Regress : test\mjsunit\regress\regress-crbug-1044909.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function main() {
const v2 = Object.prototype;
v2[4294967296] = {};
const v12 = {get: function() {}};
Object.defineProperty(v2, 4294967296, v12);
const v15 = {...v2};
}
%PrepareFunctionForOptimization(main);
main();
Issue: https://crbug.com/1041251
Commit: [builtins] Fix FastCreateDataProperty
Date(Commit): Tue, 28 Jan 2020 12:24:45 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2023551
Regress : test\mjsunit\regress\regress-crbug-1041251.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let v0 = [0, 1];
v0.constructor = {
[Symbol.species]: function() {
let v1 = [2];
Object.defineProperty(v1, "length", {writable: false});
return v1;
}
}
assertThrows(() => Array.prototype.map.call(v0, function() {}), TypeError);
Issue: https://crbug.com/1044919
Commit: [runtime] Don't invalidate property cell when it becomes read-only
Date(Commit): Tue, 28 Jan 2020 16:48:54 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2023562
Regress : test\mjsunit\regress\regress-1044919.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function main() {
eval();
function foo() {
bla = [];
bla.__proto__ = '';
}
%PrepareFunctionForOptimization(foo);
foo();
Object.defineProperty(this, 'bla',
{value: bla, configurable: false, writable: true});
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Object.defineProperty(this, 'bla',
{value: bla, configurable: false, writable: false});
foo();
})();
Issue: https://crbug.com/1044911
Commit: Fix ArrayLengthSetter for suddenly frozen elements
Date(Commit): Tue, 28 Jan 2020 14:49:46 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2023555
Regress : test\mjsunit\regress\regress-crbug-1044911.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let a = [0];
let l = {
valueOf: function() {
Object.freeze(a);
return 1;
}
};
a.length = l;
Commit: [wasm][liftoff] Zero-extend result of atomic.add
Date(Commit): Mon, 27 Jan 2020 12:48:17 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2020768
Regress : test\mjsunit\regress\wasm\regress-1045737.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging --liftoff --no-wasm-tier-up
load('test/mjsunit/wasm/wasm-module-builder.js');
(function() {
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false, true);
builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */).addBodyWithEnd([
// signature: i_iii
// body:
kExprI32Const, 0x00, kExprI64Const, 0xc2, 0xe6, 0x00, kAtomicPrefix,
kExprI64AtomicAdd8U, 0x00, 0xb6, 0x0e, kExprF32SConvertI64,
kExprI32SConvertF32,
kExprEnd, // @14
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertEquals(instance.exports.main(1, 2, 3), 0);
})();
Issue: https://crbug.com/v8/10021
Commit: Remove "--wasm-disable-structured-cloning" flag
Date(Commit): Wed, 22 Jan 2020 13:32:28 -0800
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1999158
Regress : test\mjsunit\regress\wasm\regress-8059.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load("test/mjsunit/wasm/wasm-module-builder.js");
(function TestPostModule() {
let builder = new WasmModuleBuilder();
builder.addFunction("add", kSig_i_ii)
.addBody([kExprLocalGet, 0, kExprLocalGet, 1, kExprI32Add])
.exportFunc();
let module = builder.toModule();
let workerScript = `
onmessage = function(module) {
try {
let instance = new WebAssembly.Instance(module);
let result = instance.exports.add(40, 2);
postMessage(result);
} catch(e) {
postMessage('ERROR: ' + e);
}
}
`;
let realm = Realm.create();
Realm.shared = { m:module, s:workerScript };
let realmScript = `
let worker = new Worker(Realm.shared.s, {type: 'string'});
worker.postMessage(Realm.shared.m);
let message = worker.getMessage();
worker.terminate();
message;
`;
let message = Realm.eval(realm, realmScript);
assertEquals(42, message);
})();
Issue: https://crbug.com/v8/4153
Commit: [64bit] Bump TypedArray max length to 2**32-1 elements
Date(Commit): Wed, 22 Jan 2020 15:39:19 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2007495
Regress : test\mjsunit\regress\regress-crbug-754175.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --mock-arraybuffer-allocator --allow-natives-syntax
function Module(stdlib, foreign, buffer) {
"use asm";
var heap = new stdlib.Int8Array(buffer);
function foo() { return heap[23] | 0 }
return { foo:foo };
}
const kLength = Math.max(0x100000000, %TypedArrayMaxLength() + 1);
function instantiate() {
// On 32-bit architectures buffer allocation will throw.
var buffer = new ArrayBuffer(kLength);
// On 64-bit architectures instantiation will throw.
var module = Module(this, {}, buffer);
}
assertThrows(instantiate, RangeError);
Issue: https://crbug.com/v8/10138
Commit: Fix native stacks flag for pointer compression
Date(Commit): Mon, 20 Jan 2020 23:36:00 -0800
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2011206
Regress : test\mjsunit\regress\regress-10138.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file
// Flags: --allow-natives-syntax --interpreted-frames-native-stack
function f() {
g();
}
function g() {
%DeoptimizeFunction(f);
%DeoptimizeFunction(f);
}
%PrepareFunctionForOptimization(f);
f(); f();
%OptimizeFunctionOnNextCall(f);
f();
Issue: https://crbug.com/1037771
Commit: [turbofan] Don't verify context input of Create*Context nodes
Date(Commit): Mon, 20 Jan 2020 13:58:49 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2010792
Regress : test\mjsunit\compiler\regress-1037771.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --interrupt-budget=1024
async function* r() {
for (var l = "" in { goo: ()=>{} }) {
for (let n = 0; n < 500; (t ? -500 : 0)) {
n++;
if (n > 1) break;
try {
r.blabadfasdfasdfsdafsdsadf();
} catch (e) {
for (let n = 0; n < 500; n++);
for (let n in t) {
return t[n];
}
}
try { r(n, null) } catch (e) {}
}
}
}
let t = r();
t.return({
get then() {
let n = r();
n.next();
}
});
Issue: https://crbug.com/v8/10072
Commit: [regexp] Fix CP advancement in all SKIP_* bytecodes
Date(Commit): Thu, 16 Jan 2020 11:27:52 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2002543
Regress : test\mjsunit\regress\regress-v8-10072.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertNull(/(?<=a[^b]*)./.exec('a'));
Issue: https://crbug.com/1042151
Commit: [test] Proper OOM handling for multi-mapped mock allocator
Date(Commit): Wed, 15 Jan 2020 12:24:58 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2002391
Regress : test\mjsunit\regress\regress-crbug-1041232.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --multi-mapped-mock-allocator
// Chosen for stress runs on 32-bit systems. Physical memory is not an issue
// thanks to the mock allocator, but virtual address space is still limited.
let kSize = 128 * 1024 * 1024;
// Must be >= MultiMappedMockAllocator::kChunkSize in d8.cc.
let kChunkSize = 2 * 1024 * 1024;
let a = new Uint8Array(kSize);
for (let i = 0; i < kChunkSize; i++) {
a[i] = 42;
}
// Check that OOB accesses return undefined and all array elements are 42.
// Importantly, nothing crashes.
assertEquals(undefined, a[-kChunkSize - 1]);
assertEquals(undefined, a[-kChunkSize]);
assertEquals(undefined, a[-1]);
assertEquals(42, a[0]);
assertEquals(42, a[1]);
// If this fails, then you probably tried to run this test without the
// multi-mapped mock allocator.
assertEquals(42, a[kChunkSize]);
assertEquals(42, a[kChunkSize + 1]);
assertEquals(42, a[kChunkSize + 1]);
assertEquals(42, a[kSize - kChunkSize]);
assertEquals(42, a[kSize - 1]);
assertEquals(undefined, a[kSize]);
assertEquals(undefined, a[kSize + 1]);
assertEquals(undefined, a[kSize + kChunkSize]);
assertEquals(undefined, a[kSize + kSize]);
// Check that excessive requests throw (crbug.com/1042173, crbug.com/1042151).
assertThrows(() => new ArrayBuffer(Number.MAX_SAFE_INTEGER));
Issue: https://crbug.com/v8/10121
Commit: Add --perf-prof-delete-file flag
Date(Commit): Tue, 14 Jan 2020 15:55:59 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2000738
Regress : test\mjsunit\regress\wasm\regress-1032753.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --perf-prof --perf-prof-delete-file
load('test/mjsunit/wasm/wasm-module-builder.js');
new WasmModuleBuilder().instantiate();
Commit: [parser] Fix cache scope recursion for with
Date(Commit): Tue, 14 Jan 2020 14:08:33 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2000133
Regress : test\mjsunit\regress\regress-crbug-1041616.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
global = 0;
(function foo() {
function bar() {
let context_allocated = 0;
with ({}) {
f = function() { ++global; }
}
function baz() { return foo(context_allocated); };
f();
};
bar();
})();
Issue: https://crbug.com/1033948
Commit: [wasm] Leave Global constructor on error
Date(Commit): Thu, 9 Jan 2020 15:01:48 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1993283
Regress : test\mjsunit\regress\wasm\regress-1033948.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const desc = {
get mutable() {
throw "foo";
},
get value() {
console.trace();
}
};
assertThrowsEquals(() => new WebAssembly.Global(desc), "foo");
Issue: https://crbug.com/1040444
Commit: [turbofan] Allow handle deferences when compiling non concurrently
Date(Commit): Thu, 9 Jan 2020 11:38:45 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1992433
Regress : test\mjsunit\regress\regress-1040403.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --trace-turbo-graph --noconcurrent-recompilation
function bytes() {
}
function __f_4622() {
var __v_22507 = {
};
}
%PrepareFunctionForOptimization(__f_4622);
%OptimizeFunctionOnNextCall(__f_4622);
42 | __f_4622();
Issue: https://crbug.com/1020162
Commit: [parser] Force stable order for variables
Date(Commit): Thu, 9 Jan 2020 09:33:44 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1977865
Regress : test\mjsunit\regress\regress-crbug-1020162.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --throws
((get = foo.get(...a, a), b) => 0)();
Issue: https://crbug.com/1038573
Commit: Fixes lost TypeError for BigInts
Date(Commit): Tue, 7 Jan 2020 17:40:17 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1986003
Regress : test\mjsunit\regress\regress-1038573.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
(function(){
function f(x) {
return "abcd".charCodeAt(BigInt.asUintN(64, 10n));
}
%PrepareFunctionForOptimization(f);
try { f(1); } catch(e) {}
try { f(1); } catch(e) {}
%OptimizeFunctionOnNextCall(f);
assertThrows(f, TypeError);
})();
(function(){
function f(x) {
return "abcd".charCodeAt(BigInt.asUintN(2, 10n));
}
%PrepareFunctionForOptimization(f);
try { f(1); } catch(e) {}
try { f(1); } catch(e) {}
%OptimizeFunctionOnNextCall(f);
assertThrows(f, TypeError);
})();
Issue: https://crbug.com/1038588
Commit: [parser] Fix conflict detection loop early exit
Date(Commit): Tue, 7 Jan 2020 12:44:00 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1985991
Regress : test\mjsunit\regress\regress-1038588.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function foo(arg){
const x = 0;
eval("var arg, x;");
}
assertThrows(foo, SyntaxError);
Issue: https://crbug.com/1033966
Commit: [protectors] Remove invalid DCHECK in protectors.
Date(Commit): Thu, 26 Dec 2019 08:53:22 -0800
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/1982582
Regress : test\mjsunit\regress\regress-1033966.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var regexp = Realm.global(Realm.createAllowCrossRealmAccess()).RegExp;
regexp.prototype.constructor = 1;