Issue: https://crbug.com/v8/7790
Commit: Reland "[compiler] Consider IsPendingAllocation in Ref construction"
Date(Commit): Tue, 18 May 2021 13:20:34 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2874663
Regress : test\mjsunit\regress\regress-1207679.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --expose-gc --interrupt-budget=1000 --no-lazy-feedback-allocation
var __v_5;
function __v_1() {
var PI = {
get() {}
};
function __v_5() {
Object.defineProperty(PI, 'func', {
});
'𝌆'.match();
}
__v_5(...[__v_5]);
try {
__v_1();
} catch (PI) {}
}
__v_1();
gc();
__v_1();
Commit: [test] Fix TypedArray::sort for multi-mapped mock allocator
Date(Commit): Sat, 15 May 2021 00:31:30 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2897098
Regress : test\mjsunit\regress\regress-crbug-1209152.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --multi-mapped-mock-allocator
let size = 8 * 1024 * 1024;
let initialized = 2 * 1024 * 1008;
let array = new Uint8Array(size);
for (let i = 0; i < initialized; i++) {
array[i] = 42;
}
array.sort();
Issue: https://crbug.com/1205290
Commit: Speed up a new regression test
Date(Commit): Thu, 6 May 2021 15:00:41 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2876855
Regress : test\mjsunit\regress\regress-1205290.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const sync_arr = new Int32Array(new SharedArrayBuffer(4));
function waitForWorker() {
while (Atomics.load(sync_arr) == 0) {}
}
function onmessage([sab, lock]) {
const i32a = new Int32Array(sab);
Atomics.store(lock, 0, 1);
for (let j = 1; j < 1000; ++j) {
for (let i = 0; i < i32a.length; ++i) {
i32a[i] = j;
}
}
}
const worker = new Worker(`onmessage = ${onmessage}`, {type: 'string'});
const arr =
new Int32Array(new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT * 100));
worker.postMessage([arr.buffer, sync_arr]);
waitForWorker();
arr.sort();
Issue: https://crbug.com/1159307
Commit: [wasm] Consider only function names from the name section.
Date(Commit): Wed, 5 May 2021 13:50:08 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2874464
Regress : test\mjsunit\regress\wasm\regress-1046472.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --liftoff --no-wasm-tier-up --wasm-staging
load('test/mjsunit/wasm/wasm-module-builder.js');
(function() {
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false);
builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
// Generate function 1 (out of 1).
builder.addFunction('main', 0 /* sig */)
.addBodyWithEnd([
// signature: i_iii
// body:
kExprI32Const, 0x20,
kExprI64LoadMem, 0x00, 0xce, 0xf2, 0xff, 0x01,
kExprBlock, kWasmF32, // @9 f32
kExprI32Const, 0x04,
kExprI32Const, 0x01,
kExprBrTable, 0x01, 0x01, 0x00, // entries=1
kExprEnd, // @19
kExprUnreachable,
kExprEnd, // @21
]);
builder.addExport('main', 0);
assertThrows(
() => {builder.toModule()}, WebAssembly.CompileError,
'WebAssembly.Module(): Compiling function #0:\"main\" failed: ' +
'type error in branch[0] (expected f32, got i32) @+57');
})();
Issue: https://crbug.com/1204748
Commit: [regalloc] Avoid duplicate moves for slot constraint
Date(Commit): Tue, 4 May 2021 17:34:23 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2871462
Regress : test\mjsunit\regress\regress-1204748.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --assert-types
function __f_2(__v_4, __v_5) {
let __v_6 = __v_4 >= __v_5;
while (__v_6 != 0) {
__v_4 = __v_4 | __v_5 - __v_4;
let __v_7 = __v_4 >= __v_5;
new Int32Array(__v_4);
__v_6 = __v_4 < __v_5;
}
}
function __f_3() {
__f_2(Infinity, 1);
__f_2();
}
%PrepareFunctionForOptimization(__f_3);
%PrepareFunctionForOptimization(__f_2);
__f_3();
%OptimizeFunctionOnNextCall(__f_3);
__f_3();
Commit: [wasm][test] Initializer exprs. for element segments
Date(Commit): Wed, 5 May 2021 07:14:19 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2857638
Regress : test\mjsunit\regress\wasm\regress-v8-9106.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Make sure DCHECK doesn't fire when passive data segment is at the end of the
// module.
let bytes = new Uint8Array([
0, 97, 115, 109, 1, 0, 0, 0, 1, 132, 128, 128, 128, 0, 1,
96, 0, 0, 3, 133, 128, 128, 128, 0, 4, 0, 0, 0, 0, 5,
131, 128, 128, 128, 0, 1, 0, 1, 7, 187, 128, 128, 128, 0, 4,
12, 100, 114, 111, 112, 95, 112, 97, 115, 115, 105, 118, 101, 0, 0,
12, 105, 110, 105, 116, 95, 112, 97, 115, 115, 105, 118, 101, 0, 1,
11, 100, 114, 111, 112, 95, 97, 99, 116, 105, 118, 101, 0, 2, 11,
105, 110, 105, 116, 95, 97, 99, 116, 105, 118, 101, 0, 3, 12, 129,
128, 128, 128, 0, 2, 10, 183, 128, 128, 128, 0, 4, 133, 128, 128,
128, 0, 0, 252, 9, 0, 11, 140, 128, 128, 128, 0, 0, 65, 0,
65, 0, 65, 0, 252, 8, 0, 0, 11, 133, 128, 128, 128, 0, 0,
252, 9, 1, 11, 140, 128, 128, 128, 0, 0, 65, 0, 65, 0, 65,
0, 252, 8, 1, 0, 11, 11, 136, 128, 128, 128, 0, 2, 1, 0,
0, 65, 0, 11, 0
]);
new WebAssembly.Instance(new WebAssembly.Module(bytes));
Issue: https://crbug.com/1201938
Commit: [const-tracking] Generalize constness when delete properties
Date(Commit): Mon, 3 May 2021 18:26:15 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2859960
Regress : test\mjsunit\regress\regress-crbug-1195331.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
let o1 = { a: 1, b: 0 };
let o2 = { a: 2, b: 0 };
assertTrue(%HaveSameMap(o1, o2));
assertTrue(%HasOwnConstDataProperty(o1, "a"));
assertTrue(%HasOwnConstDataProperty(o1, "b"));
Object.defineProperty(o1, "b", {
value: 4.2, enumerable: true, configurable: true, writable: true,
});
assertFalse(%HaveSameMap(o1, o2));
assertTrue(%HasOwnConstDataProperty(o1, "a"));
assertFalse(%HasOwnConstDataProperty(o1, "b"));
assertTrue(%HasOwnConstDataProperty(o2, "a"));
assertTrue(%HasOwnConstDataProperty(o2, "b"));
let o3 = { a: "foo", b: 0 };
assertFalse(%HaveSameMap(o2, o3));
assertTrue(%HasOwnConstDataProperty(o3, "a"));
assertFalse(%HasOwnConstDataProperty(o3, "b"));
Object.defineProperty(o2, "a", {
value:2, enumerable: false, configurable: true, writable: true,
});
assertTrue(%HasOwnConstDataProperty(o1, "a"));
assertFalse(%HasOwnConstDataProperty(o1, "b"));
assertTrue(%HasOwnConstDataProperty(o3, "a"));
assertFalse(%HasOwnConstDataProperty(o3, "b"));
assertFalse(%HasOwnConstDataProperty(o2, "a"));
assertTrue(%HasOwnConstDataProperty(o2, "b"));
Commit: [compiler] Enable an accidentally disabled test
Date(Commit): Thu, 29 Apr 2021 14:08:43 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2857966
Regress : test\mjsunit\compiler\regress-1196683.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function() {
const arr = new Uint32Array([2**31]);
function foo() {
return (arr[0] ^ 0) + 1;
}
%PrepareFunctionForOptimization(foo);
assertEquals(-(2**31) + 1, foo());
%OptimizeFunctionOnNextCall(foo);
assertEquals(-(2**31) + 1, foo());
})();
// The remaining tests already passed without the bugfix.
(function() {
const arr = new Uint16Array([2**15]);
function foo() {
return (arr[0] ^ 0) + 1;
}
%PrepareFunctionForOptimization(foo);
assertEquals(2**15 + 1, foo());
%OptimizeFunctionOnNextCall(foo);
assertEquals(2**15 + 1, foo());
})();
(function() {
const arr = new Uint8Array([2**7]);
function foo() {
return (arr[0] ^ 0) + 1;
}
%PrepareFunctionForOptimization(foo);
assertEquals(2**7 + 1, foo());
%OptimizeFunctionOnNextCall(foo);
assertEquals(2**7 + 1, foo());
})();
(function() {
const arr = new Int32Array([-(2**31)]);
function foo() {
return (arr[0] >>> 0) + 1;
}
%PrepareFunctionForOptimization(foo);
assertEquals(2**31 + 1, foo());
%OptimizeFunctionOnNextCall(foo);
assertEquals(2**31 + 1, foo());
})();
Issue: https://crbug.com/1203692
Commit: [wasm] Fix BigInt imports to asm.js modules
Date(Commit): Wed, 28 Apr 2021 19:23:35 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2856842
Regress : test\mjsunit\regress\wasm\regress-crbug-1203692.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function asm(stdlib, foreign) {
"use asm";
var unused = foreign.a | 0;
function fun() { }
return fun;
}
assertThrows(() => asm(null, { a: 1n }).fun(), TypeError);
Issue: https://crbug.com/1202312
Commit: [compiler] Fix RepresentationSelector::VisitUnused
Date(Commit): Wed, 28 Apr 2021 10:48:53 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2850917
Regress : test\mjsunit\compiler\regress-1203116.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function bar(x) {
x.f = 13.37;
}
function foo() {
const v2 = {};
const v3 = {a:42};
const v4 = {a:42};
v3.d = 42;
v4.b = v2;
v4.b = 42;
v4.b;
v3.f = v2;
bar(v4);
const v10 = {a:42};
for (let i = 0; i < 10; i++) {
bar(v10);
}
}
%PrepareFunctionForOptimization(foo);
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/1202736
Commit: [wasm][liftoff] Fix handling of register pairs in clear_used
Date(Commit): Tue, 27 Apr 2021 18:43:49 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2853601
Regress : test\mjsunit\regress\wasm\regress-1202736.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addMemory(1, 1, false, true);
builder.addType(
makeSig([kWasmF64, kWasmI32, kWasmI32, kWasmF64, kWasmF32], [kWasmI64]));
builder.addFunction(undefined, 0 /* sig */)
.addLocals(kWasmI64, 1)
.addBodyWithEnd([
// signature: l_diidf
// body:
kExprLoop, 0x7e, // loop @3 i64
kExprI64Const, 0x01, // i64.const
kExprEnd, // end @7
kExprBlock, 0x7f, // block @8 i32
kExprLocalGet, 0x05, // local.get
kExprLocalSet, 0x05, // local.set
kExprI32Const, 0x00, // i32.const
kExprEnd, // end @16
kExprLocalGet, 0x05, // local.get
kExprLocalGet, 0x05, // local.get
kAtomicPrefix, kExprI64AtomicCompareExchange, 0x00, 0x04,
kExprI64GtS, // i64.gt_s
kExprDrop, // drop
kExprI64Const, 0x01, // i64.const
kExprEnd, // end @29
]);
const instance = builder.instantiate();
Commit: [wasm][test] Improve initializer expressions in mjsunit
Date(Commit): Tue, 27 Apr 2021 15:05:16 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2851892
Regress : test\mjsunit\regress\wasm\regress-10702.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addGlobal(kWasmI32, true, WasmInitExpr.I32Const(35));
builder.addType(makeSig([], [kWasmI32]));
builder.addType(makeSig([kWasmI32, kWasmI32], [kWasmI32]));
// Generate function 1 (out of 3).
builder.addFunction(undefined, 0 /* sig */).addBody([
// signature: i_v
// body:
kExprI32Const, 1, // i32.const
]);
// Generate function 2 (out of 3).
builder.addFunction(undefined, 0 /* sig */).addBody([
// signature: i_v
// body:
kExprI32Const, 0, // i32.const
]);
// Generate function 3 (out of 3).
builder.addFunction(undefined, 1 /* sig */).addBody([
// signature: i_ii
// body:
kExprBlock, kWasmI32, // block @1 i32
kExprF64Const, 0, 0, 0, 0, 0, 0, 0, 0, // f64.const
kExprI32SConvertF64, // i32.trunc_f64_s
kExprCallFunction, 1, // call function #1: i_v
kExprBrIf, 0, // br_if depth=0
kExprGlobalGet, 0, // global.get
kExprCallFunction, 0, // call function #0: i_v
kExprBrIf, 0, // br_if depth=0
kExprI32ShrS, // i32.shr_s
kExprEnd, // end @24
]);
builder.addExport('f', 2);
const instance = builder.instantiate();
assertEquals(35, instance.exports.f(0, 0));
Issue: https://crbug.com/1202924
Commit: [compiler] Fix a monotonicity issue in SimplifiedLowering
Date(Commit): Tue, 27 Apr 2021 08:53:03 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2851880
Regress : test\mjsunit\compiler\regress-1202924.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy-feedback-allocation --interrupt-budget=1000
// Flags: --no-analyze-environment-liveness
function foo() {
for (var i = 1; i < 10; i++) {
var n = 1;
for (var j = 1; j < 10; j++) {
if (n == j) j = 0;
foo = j % - n;
n++;
}
}
}
foo();
Issue: https://crbug.com/1196837
Commit: [wasm][ia32] Spill result register of CompareExchange before using it
Date(Commit): Mon, 26 Apr 2021 11:58:32 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2850646
Regress : test\mjsunit\regress\wasm\regress-1196837.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false);
builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: i_iii
// body:
kExprLocalGet, 0x01,
kExprLocalGet, 0x01,
kExprLocalGet, 0x01,
kExprLocalGet, 0x01,
kAtomicPrefix, kExprI32AtomicCompareExchange16U, 0x00, 0x7a,
kExprLocalGet, 0x01,
kExprLocalGet, 0x01,
kExprLocalGet, 0x01,
kExprLocalGet, 0x00,
kExprMemoryGrow, 0x00,
kAtomicPrefix, kExprI32AtomicCompareExchange16U, 0x00, 0x7a,
kExprLocalGet, 0x01,
kExprLocalGet, 0x00,
kAtomicPrefix, kExprI32AtomicCompareExchange16U, 0x00, 0x7a,
kExprLocalGet, 0x01,
kExprLocalGet, 0x00,
kAtomicPrefix, kExprI32AtomicCompareExchange16U, 0x00, 0x7a,
kExprLocalGet, 0x01,
kExprReturnCall, 0x00,
kExprEnd,
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertTraps(kTrapUnalignedAccess, () => instance.exports.main(0, 0, 0));
Issue: https://crbug.com/1201340
Commit: [liftoff] Fix >=2GB memory accesses on 32-bit
Date(Commit): Fri, 23 Apr 2021 16:15:49 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2848467
Regress : test\mjsunit\regress\wasm\regress-1201340.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');
builder = new WasmModuleBuilder();
builder.addImportedMemory();
let leb = [0x80, 0x80, 0x80, 0x80, 0x0c];
builder.addFunction('store', makeSig([kWasmI32, kWasmI32], []))
.addBody([kExprLocalGet, 0, kExprLocalGet, 1, kExprI32StoreMem, 0, ...leb])
.exportFunc();
builder.toModule();
Issue: https://crbug.com/1195650
Commit: [compiler] Aggressively lower pure dead operations to DeadValue
Date(Commit): Fri, 23 Apr 2021 09:26:19 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2831490
Regress : test\mjsunit\compiler\regress-1195650.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function() {
var gaga = "gaga";
function foo(a) {
let y = Math.min(Infinity ? gaga : Infinity, -0) / 0;
if (a) y = -0;
return y ? 1 : 0;
}
%PrepareFunctionForOptimization(foo);
foo(false);
%OptimizeFunctionOnNextCall(foo);
assertEquals(0, foo(false));
})();
(function() {
var gaga = "gaga";
function foo(a) {
let y = Math.min(Infinity ? gaga : Infinity, -0) % 0;
if (a) y = 1.3;
return y ? 1 : 0;
}
%PrepareFunctionForOptimization(foo);
foo(false);
%OptimizeFunctionOnNextCall(foo);
assertEquals(0, foo(false));
})();
Issue: https://crbug.com/1200231
Commit: [wasm] Abort wrapper compilation on isolate shutdown
Date(Commit): Thu, 22 Apr 2021 18:22:57 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2846881
Regress : test\mjsunit\regress\wasm\regress-1200231.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-reftypes --trace-turbo-graph
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addFunction(`get`, makeSig([], [kWasmExternRef]))
.addBody([kExprTableGet])
.exportFunc();
builder.addFunction(`fill`, makeSig([kWasmI32, kWasmAnyFunc, kWasmI32], []))
.addBody([])
.exportFunc();
try {
builder.toModule();
} catch {}
Issue: https://crbug.com/1201114
Commit: [disassembler] Fix unimplemented instruction
Date(Commit): Wed, 21 Apr 2021 16:19:51 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2843819
Regress : test\mjsunit\regress\regress-1201114.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --turboprop --allow-natives-syntax --print-code
var a = {b: 1};
function nop() { return false; }
function __f_4(a) { return a; }
function __f_5(__v_2) {
__f_4(__v_2.a);
nop(__f_5)&a.b;
}
%PrepareFunctionForOptimization(__f_5);
__f_5(true);
%OptimizeFunctionOnNextCall(__f_5);
try {
__f_5();
} catch {}
Issue: https://crbug.com/1201057
Commit: [test] Fix null dererefence in d8.test.FastCAPI
Date(Commit): Wed, 21 Apr 2021 14:35:28 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2843347
Regress : test\mjsunit\compiler\regress-crbug-1201057.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --turbo-fast-api-calls
const fast_c_api = new d8.test.FastCAPI();
const fast_obj = Object.create(fast_c_api);
assertThrows(() => fast_obj.supports_fp_params);
Issue: https://crbug.com/1189077
Commit: [TurboFan] Fix max double string length in JSNativeContextSpecialization
Date(Commit): Wed, 21 Apr 2021 14:43:36 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2843361
Regress : test\mjsunit\regress\regress-1189077.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
const string_max_length = %StringMaxLength();
const longest_double = -2.2250738585105353E-308;
const s18 = "A".repeat(string_max_length - 18);
const s23 = "A".repeat(string_max_length - 23);
const s24 = "A".repeat(string_max_length - 24);
const s25 = "A".repeat(string_max_length - 25);
(function() {
function f() {
return s18 + longest_double;
}
%PrepareFunctionForOptimization(f);
assertThrows(f, RangeError);
%OptimizeFunctionOnNextCall(f);
assertThrows(f, RangeError);
})();
(function() {
function f() {
return s23 + longest_double;
}
%PrepareFunctionForOptimization(f);
assertThrows(f, RangeError);
%OptimizeFunctionOnNextCall(f);
assertThrows(f, RangeError);
})();
(function() {
function f() {
return s24 + longest_double;
}
%PrepareFunctionForOptimization(f);
assertEquals(string_max_length, f().length);
%OptimizeFunctionOnNextCall(f);
assertEquals(string_max_length, f().length);
})();
(function() {
function f() {
return s25 + longest_double;
}
%PrepareFunctionForOptimization(f);
assertEquals(string_max_length - 1, f().length);
%OptimizeFunctionOnNextCall(f);
assertEquals(string_max_length - 1, f().length);
})();
Issue: https://crbug.com/1201011
Commit: [test] Fix a crash in fast API interface types test
Date(Commit): Wed, 21 Apr 2021 09:31:42 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2843344
Regress : test\mjsunit\compiler\regress-crbug-1201082.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --turbo-fast-api-calls
const fast_c_api = new d8.test.FastCAPI();
function foo(obj) {
return fast_c_api.is_fast_c_api_object(false, obj);
}
foo(1);
Issue: https://crbug.com/v8/11542
Commit: [wasm-simd] Add regression test for shuffle canonicalization
Date(Commit): Mon, 19 Apr 2021 13:25:55 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2836825
Regress : test\mjsunit\regress\wasm\regress-1199662.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
load('test/mjsunit/wasm/wasm-module-builder.js');
// This is a regression test that is minimized and manually trimmed down. It
// exercises a bug in our attempt to canonicalize shuffle in platform
// independent code, see
// https://bugs.chromium.org/p/v8/issues/detail?id=11542#c6.
const builder = new WasmModuleBuilder();
builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */).addBodyWithEnd([
// signature: i_iii
// body:
kExprI32Const, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprI8x16Shuffle,
0x00, 0x15,
0x00, 0x00,
0x00, 0x00,
0x00, 0x00,
0x00, 0x00,
0x00, 0x00,
0x00, 0x00,
0x00, 0x00, // i8x16.shuffle
kSimdPrefix, kExprI64x2BitMask,
0x01, // i64x2.bitmask
kExprEnd, // end @30
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertEquals(0, instance.exports.main(1, 2, 3));
Issue: https://crbug.com/1163499
Commit: [keys] Fix dictionary-mode prototype invalidation
Date(Commit): Fri, 16 Apr 2021 16:44:23 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2831871
Regress : test\mjsunit\regress\regress-crbug-1163499.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const o1 = {k:1};
const o2 = Object.create(o1);
for (let i = 0; i < 1100; i++) {
Object.defineProperty(o1, "k" + i, {value: 0, enumerable: false});
}
Object.defineProperty(o1, "enum", {value: 1, enumerable: false, configurable: true});
for (let k in o2) {}
Object.defineProperty(o1, "enum", {value: 1, enumerable: true, configurable: true});
let last;
for (let k in o2) { last = k }
assertEquals("enum", last);
Issue: https://crbug.com/v8/10782
Commit: Fix for Issue 10782: Bug in semantics of ArraySetLength.
Date(Commit): Tue, 13 Apr 2021 08:38:00 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2818067
Regress : test\mjsunit\regress-10782.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function f() {
let x = [0,0,0,0,0];
Object.defineProperty(x, 'length', {value : 4, enumerable : true});
}
assertThrows(f, TypeError);
Issue: https://crbug.com/v8/11564
Commit: [turbofan] Move large array allocation bailout earlier
Date(Commit): Mon, 12 Apr 2021 20:15:46 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2807609
Regress : test\mjsunit\compiler\regress-crbug-11564.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --max-optimized-bytecode-size=300000
const args = new Array(35000).fill('arg');
// Regression test for ReduceJSCreateAsyncFunctionObject.
function outer_async() {
async function g(replace_me) {}
%PrepareFunctionForOptimization(g);
%OptimizeFunctionOnNextCall(g);
new Promise(g);
}
const outer_async_many_args = outer_async.toLocaleString().replace('replace_me', args);
eval(outer_async_many_args);
outer_async();
// Regression test for ReduceJSCreateBoundFunction.
function outer_bind(arg) {
function b() { return 42; };
return b.bind(null, replace_me);
}
const outer_bind_many_args = outer_bind.toLocaleString().replace('replace_me', args);
eval(outer_bind_many_args);
%PrepareFunctionForOptimization(outer_bind);
outer_bind();
%OptimizeFunctionOnNextCall(outer_bind);
outer_bind();
Issue: https://crbug.com/1197393
Commit: [turbofan][arm64] The input count for selects is not fixed
Date(Commit): Mon, 12 Apr 2021 16:36:46 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2821435
Regress : test\mjsunit\regress\wasm\regress-1197393.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addType(makeSig([kWasmI32, kWasmI64, kWasmF64, kWasmI64], []));
builder.addType(makeSig([kWasmF64], [kWasmF64]));
// Generate function 1 (out of 2).
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: v_ildl
// body:
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x3f, // f64.const
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x3f, // f64.const
kExprLocalGet, 0x00, // local.get
kExprI32Const, 0x82, 0x7f, // i32.const
kExprI32DivS, // i32.div_s
kExprSelect, // select
kExprCallFunction, 0x01, // call function #1: d_d
kExprDrop, // drop
kExprEnd, // end @29
]);
// Generate function 2 (out of 2).
builder.addFunction(undefined, 1 /* sig */)
.addBodyWithEnd([
// signature: d_d
// body:
kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x3f, // f64.const
kExprEnd, // end @10
]);
const instance = builder.instantiate();
Issue: https://crbug.com/1195777
Commit: [compiler] Fix bug in RepresentationChanger::GetWord32RepresentationFor
Date(Commit): Mon, 12 Apr 2021 12:53:24 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2817791
Regress : test\mjsunit\compiler\regress-1195777.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
(function() {
function foo(b) {
let y = (new Date(42)).getMilliseconds();
let x = -1;
if (b) x = 0xFFFF_FFFF;
return y < Math.max(1 << y, x, 1 + y);
}
assertTrue(foo(true));
%PrepareFunctionForOptimization(foo);
assertTrue(foo(false));
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo(true));
})();
(function() {
function foo(b) {
let x = 0;
if (b) x = -1;
return x == Math.max(-1, x >>> Infinity);
}
assertFalse(foo(true));
%PrepareFunctionForOptimization(foo);
assertTrue(foo(false));
%OptimizeFunctionOnNextCall(foo);
assertFalse(foo(true));
})();
(function() {
function foo(b) {
let x = -1;
if (b) x = 0xFFFF_FFFF;
return -1 < Math.max(0, x, -1);
}
assertTrue(foo(true));
%PrepareFunctionForOptimization(foo);
assertTrue(foo(false));
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo(true));
})();
(function() {
function foo(b) {
let x = 0x7FFF_FFFF;
if (b) x = 0;
return 0 < (Math.max(-5 >>> x, -5) % -5);
}
assertTrue(foo(true));
%PrepareFunctionForOptimization(foo);
assertTrue(foo(false));
%OptimizeFunctionOnNextCall(foo);
assertTrue(foo(true));
})();
Issue: https://crbug.com/1196185
Commit: [compiler] Handle Dead nodes in ShouldUseCallICFeedback
Date(Commit): Mon, 12 Apr 2021 14:01:41 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2817792
Regress : test\mjsunit\compiler\regress-1196185.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --disable-in-process-stack-traces
// Flags: --gc-interval=500 --stress-compaction
class X {}
function rando() {}
let named;
function foo(input) {
var b;
rando(), {
blah: function () { b = b(); },
};
for (var i = 0; i < 10; i++) {
var r = rando();
var broom;
try {
input[r];
named();
} catch (e) {}
try {
broom = __v_859.exports.main;
} catch (e) {}
try {
for (var j = 0; j < 10; j++) {
broom();
}
} catch (e) {}
}
}
function testfunc() {
for (var i = 0; i < 10; i++) {
%PrepareFunctionForOptimization(foo);
%OptimizeFunctionOnNextCall(foo);
foo();
}
}
testfunc();
Issue: https://crbug.com/v8/11290
Commit: [regexp] Don't propagate lookaround eats_at_least to surroundings
Date(Commit): Wed, 7 Apr 2021 12:34:28 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2808944
Regress : test\mjsunit\regress\regress-v8-11290.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertEquals("zzz".match(/(z(?=.)){2}/), ["zz", "z"]);
Issue: https://crbug.com/v8/11616
Commit: [regexp] Don't use eats_at_least for backwards loops
Date(Commit): Wed, 7 Apr 2021 09:25:56 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2807596
Regress : test\mjsunit\regress\regress-v8-11616.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
assertEquals("x".repeat(3).match(/x(?<=^x{3})/), ["x"]);
assertEquals("x".repeat(4).match(/x(?<=^x{4})/), ["x"]);
assertEquals("x".repeat(7).match(/x(?<=^x{7})/), ["x"]);
assertEquals("x".repeat(17).match(/x(?<=^x{17})/), ["x"]);
Issue: https://crbug.com/1194869
Commit: Clamp properly in the String.p.indexOf reduction
Date(Commit): Thu, 1 Apr 2021 14:18:30 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2799359
Regress : test\mjsunit\regress\regress-1194869.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --no-lazy-feedback-allocation
// Flags: --interrupt-budget=100
function f() {
return "".indexOf("", 2);
}
%PrepareFunctionForOptimization(f)
assertEquals(f(), 0);
assertEquals(f(), 0);
%OptimizeFunctionOnNextCall(f)
assertEquals(f(), 0);
assertEquals(f(), 0);
function g() {
return "".indexOf("", 2);
}
for (let i = 0; i < 191; i++) {
// Expect a natural optimization here due to low interrupt budget.
assertEquals(g(), 0);
}
Issue: https://crbug.com/1193903
Commit: Reland "[string] Fix non-SeqStrings in IsEqualTo"
Date(Commit): Thu, 1 Apr 2021 09:54:03 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2794426
Regress : test\mjsunit\regress\regress-1193903.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
var no_sync_uninternalized = "no " + "sync";
%InternalizeString(no_sync_uninternalized);
// Make sure %GetOptimizationStatus works with a non-internalized string
// parameter.
%GetOptimizationStatus(function() {}, no_sync_uninternalized)
Issue: https://crbug.com/1194026
Commit: [Atomics.waitAsync] Add a regression test
Date(Commit): Wed, 31 Mar 2021 11:34:40 +0200
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2794436
Regress : test\mjsunit\regress\regress-chromium-1194026.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-sharedarraybuffer
function workerCode1() {
onmessage = function(e) {
const a = new Int32Array(e.sab);
while(true) {
// This worker tries to switch the value from 1 to 2; if it succeeds, it
// also notifies.
const ret = Atomics.compareExchange(a, 0, 1, 2);
if (ret === 1) {
Atomics.notify(a, 0);
}
// Check if we're asked to terminate:
if (Atomics.load(a, 1) == 1) {
return;
}
}
}
}
function workerCode2() {
const MAX_ROUNDS = 40;
onmessage = function(e) {
const a = new Int32Array(e.sab);
let round = 0;
function nextRound() {
while (true) {
if (round == MAX_ROUNDS) {
// Tell worker1 to terminate.
Atomics.store(a, 1, 1);
postMessage('done');
return;
}
// This worker changes the value to 1, and waits for it to change to 2
// via Atomics.waitAsync.
Atomics.store(a, 0, 1);
const res = Atomics.waitAsync(a, 0, 1);
if (res.async) {
res.value.then(() => { ++round; nextRound();},
()=> {});
return;
}
// Else: continue looping. (This happens when worker1 changed the value
// back to 2 before waitAsync started.)
}
}
nextRound();
}
}
let sab = new SharedArrayBuffer(8);
let w1 = new Worker(workerCode1, {type: 'function'});
w1.postMessage({sab: sab});
let w2 = new Worker(workerCode2, {type: 'function'});
w2.postMessage({sab: sab});
// Wait for worker2.
w2.getMessage();
w1.terminate();
w2.terminate();
Commit: Fix stack overflow on regress-1067270.js
Date(Commit): Tue, 30 Mar 2021 13:28:10 -0400
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2794429
Regress : test\mjsunit\regress\regress-1067270.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --stack-size=1200
const needle = Array(1802).join(" +") + Array(16884).join("A");
const string = "A";
assertEquals(string.search(needle), -1);
assertEquals(string.search(needle), -1);
Issue: https://crbug.com/v8/11248
Commit: [dict-proto] TF support for constants in dictionary mode protos, pt. 4
Date(Commit): Fri, 26 Mar 2021 18:02:15 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2780292
Regress : test\mjsunit\regress\regress-crbug-1161847-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(first_run) {
let o = { x: 0 };
if (first_run) assertTrue(%HasOwnConstDataProperty(o, 'x'));
Object.defineProperty(o, 'x', { get() { return 1; }, configurable: true, enumerable: true });
delete o.x;
o.x = 23;
if (%IsDictPropertyConstTrackingEnabled()) {
// TODO(11248, ishell) Adding a property always sets it to constant if
// V8_DICT_PROPERTY_CONST_TRACKING is enabled, even if the property was
// deleted before and is re-added. See
// LookupIterator::PrepareTransitionToDataProperty, specically the usage of
// PropertyDetails::kConstIfDictConstnessTracking in there.
return;
}
if (first_run) assertFalse(%HasOwnConstDataProperty(o, 'x'));
}
%PrepareFunctionForOptimization(foo);
foo(true);
foo(false);
%OptimizeFunctionOnNextCall(foo);
foo(false);
Issue: https://crbug.com/v8/11420
Commit: Reland "Reland "[sparkplug][deoptimizer] Deoptimize to baseline.""
Date(Commit): Wed, 24 Mar 2021 15:24:39 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2695591
Regress : test\mjsunit\regress\regress-crbug-1191886.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let arr = [];
for (var i = 0; i < 1000000; i++) {
arr[i] = [];
}
assertEquals(1000000, i);
Commit: [wasm] Rename kWasmStmt -> kWasmVoid
Date(Commit): Mon, 22 Mar 2021 06:56:01 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2775565
Regress : test\mjsunit\regress\wasm\regress-9832.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-eh
load("test/mjsunit/wasm/wasm-module-builder.js");
(function TestRegress9832() {
let builder = new WasmModuleBuilder();
let f = builder.addFunction("f", kSig_i_i)
.addBody([
kExprLocalGet, 0,
kExprLocalGet, 0,
kExprI32Add,
]).exportFunc();
builder.addFunction("main", kSig_i_i)
.addBody([
kExprTry, kWasmVoid,
kExprLocalGet, 0,
kExprCallFunction, f.index,
kExprCallFunction, f.index,
kExprLocalSet, 0,
kExprCatchAll,
kExprLocalGet, 0,
kExprCallFunction, f.index,
kExprLocalSet, 0,
kExprEnd,
kExprLocalGet, 0,
]).exportFunc();
let instance = builder.instantiate();
assertEquals(92, instance.exports.main(23));
})();
Issue: https://crbug.com/v8/11510
Commit: Reland "[turbofan] Optimize TrapIf/Unless in BranchElim. and CommonOp-Reducer"
Date(Commit): Fri, 19 Mar 2021 12:08:10 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2752876
Regress : test\mjsunit\regress\wasm\regress-1189454.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-gc --experimental-wasm-threads
// During Turbofan optimizations, when a TrapIf/Unless node is found to always
// trap, its uses need to be marked as dead. However, in the case that one of
// these uses is a Merge or Loop node, only the input of the Merge/Loop that
// corresponds to the trap should be marked as dead.
load('test/mjsunit/wasm/wasm-module-builder.js');
var builder = new WasmModuleBuilder();
builder.addStruct([makeField(kWasmI32, true)]);
builder.addFunction('test', makeSig([wasmOptRefType(0)], [kWasmI32]))
.addBody([
kExprLocalGet, 0,
kExprRefIsNull,
kExprIf, kWasmI32,
kExprLocalGet, 0,
kGCPrefix, kExprStructGet, 0, 0,
kExprElse,
kExprI32Const, 42,
kExprEnd
])
.exportFunc();
builder.instantiate();
// We include a clusterfuzz-generated testcase for this error verbatim.
const module = new WebAssembly.Module(new Uint8Array([
0, 97, 115, 109, 1, 0, 0, 0, 1, 51, 9, 96, 0, 0, 96,
0, 1, 125, 96, 0, 1, 124, 96, 2, 124, 127, 1, 125, 96, 4,
126, 126, 125, 127, 1, 127, 96, 1, 126, 1, 127, 96, 7, 127, 126,
126, 125, 124, 127, 125, 1, 124, 96, 0, 1, 127, 96, 1, 124, 1,
125, 3, 23, 22, 0, 4, 0, 5, 6, 0, 7, 0, 2, 0, 3,
1, 0, 8, 0, 0, 0, 0, 0, 2, 2, 0, 4, 5, 1, 112,
1, 9, 9, 5, 4, 1, 3, 1, 1, 6, 6, 1, 127, 1, 65,
10, 11, 7, 213, 1, 14, 6, 102, 117, 110, 99, 95, 48, 0, 0,
14, 102, 117, 110, 99, 95, 49, 95, 105, 110, 118, 111, 107, 101, 114,
0, 2, 14, 102, 117, 110, 99, 95, 52, 95, 105, 110, 118, 111, 107,
101, 114, 0, 5, 14, 102, 117, 110, 99, 95, 54, 95, 105, 110, 118,
111, 107, 101, 114, 0, 7, 14, 102, 117, 110, 99, 95, 56, 95, 105,
110, 118, 11, 107, 101, 114, 0, 9, 7, 102, 117, 110, 99, 95, 49,
49, 0, 11, 15, 102, 117, 110, 99, 95, 49, 49, 95, 105, 110, 118,
111, 107, 101, 114, 0, 12, 15, 102, 117, 110, 99, 95, 49, 51, 95,
105, 110, 118, 111, 107, 101, 114, 0, 14, 7, 102, 117, 110, 99, 95,
49, 53, 0, 15, 15, 102, 117, 110, 99, 95, 49, 53, 95, 105, 110,
118, 111, 107, 101, 114, 0, 16, 15, 102, 117, 110, 99, 95, 49, 55,
95, 105, 110, 118, 111, 107, 101, 114, 0, 18, 7, 102, 117, 110, 99,
95, 49, 57, 0, 19, 7, 102, 117, 110, 99, 95, 50, 48, 0, 20,
20, 104, 97, 110, 103, 76, 105, 109, 105, 116, 73, 110, 105, 116, 105,
97, 108, 105, 122, 101, 114, 0, 21, 9, 15, 1, 0, 65, 0, 11,
9, 4, 6, 6, 8, 10, 11, 11, 15, 15, 10, 220, 18, 22, 113,
0, 35, 0, 69, 4, 64, 15, 11, 35, 0, 65, 1, 107, 36, 0,
3, 64, 35, 0, 69, 4, 64, 15, 11, 35, 0, 65, 1, 107, 36,
0, 2, 127, 35, 0, 69, 4, 64, 15, 11, 35, 0, 65, 1, 107,
36, 0, 65, 128, 128, 128, 4, 11, 4, 127, 65, 193, 255, 3, 5,
2, 127, 3, 64, 35, 0, 69, 4, 64, 15, 11, 35, 0, 65, 1,
107, 36, 0, 3, 64, 35, 0, 69, 4, 64, 15, 11, 35, 0, 65,
1, 107, 36, 0, 12, 1, 11, 0, 65, 0, 13, 1, 0, 11, 0,
11, 11, 26, 12, 0, 11, 0, 11, 131, 3, 1, 1, 125, 35, 0,
69, 4, 64, 65, 128, 128, 128, 2, 15, 11, 35, 0, 65, 1, 107,
36, 0, 2, 127, 2, 64, 66, 157, 228, 193, 147, 127, 3, 126, 35,
0, 69, 4, 64, 65, 224, 196, 126, 15, 11, 35, 0, 65, 1, 107,
36, 0, 35, 0, 69, 4, 64, 65, 129, 128, 124, 15, 11, 35, 0,
65, 1, 107, 36, 0, 32, 3, 65, 105, 13, 2, 13, 0, 66, 128,
128, 128, 128, 192, 0, 11, 2, 125, 35, 0, 69, 4, 64, 32, 3,
15, 11, 35, 0, 65, 1, 107, 36, 0, 67, 0, 0, 80, 193, 32,
2, 2, 127, 35, 0, 69, 4, 64, 65, 117, 15, 11, 35, 0, 65,
1, 107, 36, 0, 32, 3, 11, 27, 34, 4, 67, 0, 0, 0, 0,
32, 4, 32, 4, 91, 27, 11, 32, 3, 16, 1, 3, 127, 35, 0,
69, 4, 64, 65, 168, 186, 126, 15, 11, 35, 0, 65, 1, 107, 36,
0, 35, 0, 69, 4, 64, 65, 128, 1, 15, 11, 35, 0, 65, 1,
107, 36, 0, 65, 255, 0, 32, 3, 69, 13, 2, 34, 3, 13, 0,
32, 3, 11, 69, 13, 1, 32, 3, 69, 13, 1, 65, 220, 188, 126,
13, 1, 34, 3, 4, 64, 2, 64, 2, 127, 35, 0, 69, 4, 64,
65, 128, 128, 128, 128, 120, 15, 11, 35, 0, 65, 1, 107, 36, 0,
32, 3, 32, 3, 13, 0, 13, 3, 35, 0, 69, 4, 64, 32, 3,
15, 11, 35, 0, 65, 1, 107, 36, 0, 12, 1, 11, 26, 3, 127,
35, 0, 69, 4, 64, 32, 3, 15, 11, 35, 0, 65, 1, 107, 36,
0, 32, 3, 13, 0, 65, 1, 11, 26, 12, 2, 11, 35, 0, 69,
4, 64, 65, 167, 127, 15, 11, 35, 0, 65, 1, 107, 36, 0, 35,
0, 69, 4, 64, 65, 128, 192, 0, 15, 11, 35, 0, 65, 1, 107,
36, 0, 35, 0, 69, 4, 64, 32, 3, 15, 11, 35, 0, 65, 1,
107, 36, 0, 65, 147, 127, 12, 2, 5, 35, 0, 69, 4, 64, 65,
129, 128, 128, 128, 120, 15, 11, 35, 0, 65, 1, 107, 36, 0, 11,
11, 65, 255, 255, 125, 11, 11, 33, 0, 66, 252, 130, 221, 255, 15,
66, 255, 255, 255, 255, 255, 255, 255, 255, 255, 0, 67, 0, 0, 234,
66, 65, 252, 224, 168, 179, 122, 16, 1, 26, 11, 178, 2, 1, 2,
127, 35, 0, 69, 4, 64, 65, 120, 15, 11, 35, 0, 65, 1, 107,
36, 0, 2, 127, 35, 0, 69, 4, 64, 65, 0, 15, 11, 35, 0,
65, 1, 107, 36, 0, 2, 127, 35, 0, 69, 4, 64, 65, 0, 15,
11, 35, 0, 65, 1, 107, 36, 0, 65, 128, 8, 11, 4, 127, 65,
0, 5, 2, 127, 65, 0, 65, 129, 126, 69, 13, 2, 4, 64, 3,
64, 35, 0, 69, 4, 64, 65, 159, 216, 137, 124, 15, 11, 35, 0,
65, 1, 107, 36, 0, 65, 0, 40, 2, 3, 26, 35, 0, 69, 4,
64, 65, 222, 136, 126, 15, 11, 35, 0, 65, 1, 107, 36, 0, 3,
64, 35, 0, 4, 64, 35, 0, 65, 1, 107, 36, 0, 12, 1, 5,
65, 128, 8, 15, 11, 0, 11, 0, 11, 0, 5, 3, 64, 35, 0,
69, 4, 64, 65, 0, 15, 11, 35, 0, 65, 1, 107, 36, 0, 2,
127, 35, 0, 69, 4, 64, 65, 0, 15, 11, 35, 0, 65, 1, 107,
36, 0, 65, 0, 2, 127, 35, 0, 69, 4, 64, 65, 0, 15, 11,
35, 0, 65, 1, 107, 36, 0, 3, 64, 35, 0, 69, 4, 64, 65,
0, 15, 11, 35, 0, 65, 1, 107, 36, 0, 11, 65, 1, 254, 18,
0, 22, 11, 69, 13, 0, 11, 13, 0, 35, 0, 69, 4, 64, 65,
128, 124, 15, 11, 35, 0, 65, 1, 107, 36, 0, 3, 64, 35, 0,
69, 4, 64, 65, 224, 216, 2, 15, 11, 35, 0, 65, 1, 107, 36,
0, 35, 0, 69, 4, 64, 65, 128, 128, 2, 15, 11, 35, 0, 65,
1, 107, 36, 0, 65, 190, 127, 12, 3, 11, 0, 11, 0, 11, 0,
11, 11, 11, 11, 23, 0, 35, 0, 69, 4, 64, 32, 4, 15, 11,
35, 0, 65, 1, 107, 36, 0, 65, 0, 43, 3, 2, 11, 116, 0,
65, 141, 176, 126, 66, 217, 236, 126, 66, 128, 1, 67, 0, 0, 0,
79, 68, 0, 0, 0, 0, 0, 0, 80, 64, 65, 76, 67, 0, 0,
128, 95, 16, 4, 26, 65, 32, 66, 129, 128, 128, 128, 120, 66, 230,
212, 156, 252, 15, 67, 0, 0, 160, 64, 68, 0, 0, 0, 0, 0,
0, 224, 67, 65, 127, 67, 0, 0, 128, 128, 16, 4, 26, 65, 255,
166, 200, 177, 123, 66, 185, 127, 66, 128, 128, 128, 128, 8, 67, 0,
0, 0, 93, 68, 0, 0, 0, 0, 0, 0, 96, 67, 65, 150, 224,
126, 67, 0, 0, 0, 88, 16, 4, 26, 11, 111, 0, 35, 0, 69,
4, 64, 65, 144, 194, 0, 15, 11, 35, 0, 65, 1, 107, 36, 0,
3, 64, 35, 0, 69, 4, 64, 65, 0, 15, 11, 35, 0, 65, 1,
107, 36, 0, 3, 64, 35, 0, 69, 4, 64, 65, 124, 15, 11, 35,
0, 65, 1, 107, 36, 0, 35, 0, 69, 4, 64, 65, 111, 15, 11,
35, 0, 65, 1, 107, 36, 0, 3, 127, 35, 0, 69, 4, 64, 65,
128, 128, 2, 15, 11, 35, 0, 65, 1, 107, 36, 0, 65, 128, 128,
126, 11, 69, 13, 0, 12, 1, 11, 0, 69, 0, 13, 0, 0, 11,
0, 11, 14, 0, 16, 6, 26, 16, 6, 26, 16, 6, 26, 16, 6,
26, 11, 34, 0, 35, 0, 69, 4, 64, 68, 0, 0, 0, 0, 0,
0, 224, 67, 15, 11, 35, 0, 65, 1, 107, 36, 0, 68, 26, 192,
255, 255, 255, 255, 255, 255, 11, 5, 0, 16, 8, 26, 11, 26, 0,
35, 0, 69, 4, 64, 67, 0, 0, 0, 0, 15, 11, 35, 0, 65,
1, 107, 36, 0, 67, 0, 0, 128, 214, 11, 26, 0, 35, 0, 69,
4, 64, 67, 0, 0, 0, 90, 15, 11, 35, 0, 65, 1, 107, 36,
0, 67, 0, 0, 44, 194, 11, 8, 0, 16, 11, 26, 16, 11, 26,
11, 26, 0, 35, 0, 69, 4, 64, 67, 0, 0, 0, 197, 15, 11,
35, 0, 65, 1, 107, 36, 0, 67, 117, 227, 255, 255, 11, 38, 0,
68, 129, 255, 255, 255, 255, 255, 255, 255, 16, 13, 26, 68, 0, 0,
0, 0, 0, 0, 16, 65, 16, 13, 26, 68, 193, 255, 255, 255, 255,
255, 255, 255, 16, 13, 26, 11, 30, 0, 35, 0, 69, 4, 64, 15,
11, 35, 0, 65, 1, 107, 36, 0, 35, 0, 69, 4, 64, 15, 11,
35, 0, 65, 1, 107, 36, 0, 11, 6, 0, 16, 15, 16, 15, 11,
16, 0, 35, 0, 69, 4, 64, 15, 11, 35, 0, 65, 1, 107, 36,
0, 11, 8, 0, 16, 17, 16, 17, 16, 17, 11, 52, 0, 35, 0,
69, 4, 64, 68, 0, 0, 0, 0, 0, 0, 0, 0, 15, 11, 35,
0, 65, 1, 107, 36, 0, 3, 124, 35, 0, 4, 124, 35, 0, 65,
1, 107, 36, 0, 12, 1, 5, 68, 0, 0, 0, 0, 0, 128, 109,
64, 11, 11, 11, 218, 7, 3, 4, 127, 1, 126, 2, 125, 35, 0,
69, 4, 64, 68, 255, 255, 255, 255, 255, 255, 239, 255, 15, 11, 35,
0, 65, 1, 107, 36, 0, 2, 124, 3, 64, 35, 0, 69, 4, 64,
68, 0, 0, 0, 0, 0, 0, 42, 192, 15, 11, 35, 0, 65, 1,
107, 36, 0, 2, 64, 3, 64, 35, 0, 69, 4, 64, 68, 0, 0,
0, 0, 0, 0, 176, 64, 15, 11, 35, 0, 65, 1, 107, 36, 0,
65, 128, 127, 34, 2, 4, 127, 32, 0, 5, 35, 0, 69, 4, 64,
68, 0, 0, 192, 137, 207, 250, 239, 65, 15, 11, 35, 0, 65, 1,
107, 36, 0, 3, 64, 35, 0, 69, 4, 64, 68, 0, 0, 0, 245,
255, 255, 239, 65, 15, 11, 35, 0, 65, 1, 107, 36, 0, 65, 134,
82, 34, 0, 33, 3, 32, 1, 69, 13, 0, 11, 35, 0, 69, 4,
64, 68, 0, 0, 0, 0, 0, 0, 144, 192, 15, 11, 35, 0, 65,
1, 107, 36, 0, 32, 1, 69, 13, 2, 32, 4, 16, 3, 13, 1,
65, 116, 33, 0, 12, 3, 11, 33, 2, 3, 127, 35, 0, 69, 4,
64, 68, 77, 69, 29, 145, 255, 255, 255, 255, 15, 11, 35, 0, 65,
1, 107, 36, 0, 32, 1, 13, 0, 32, 2, 34, 0, 34, 1, 11,
13, 0, 11, 3, 64, 35, 0, 69, 4, 64, 68, 0, 0, 0, 0,
0, 0, 48, 64, 15, 11, 35, 0, 65, 1, 107, 36, 0, 35, 0,
69, 4, 64, 68, 0, 0, 0, 0, 0, 160, 102, 64, 15, 11, 35,
0, 65, 1, 107, 36, 0, 32, 1, 33, 2, 65, 7, 17, 0, 0,
3, 127, 35, 0, 69, 4, 64, 68, 0, 0, 0, 0, 0, 0, 240,
63, 15, 11, 35, 0, 65, 1, 107, 36, 0, 2, 127, 35, 0, 69,
4, 64, 68, 0, 0, 0, 0, 0, 128, 78, 192, 15, 11, 35, 0,
65, 1, 107, 36, 0, 66, 129, 128, 128, 128, 120, 66, 128, 128, 2,
32, 0, 27, 33, 4, 65, 177, 152, 126, 11, 4, 64, 3, 64, 35,
0, 69, 4, 64, 68, 0, 0, 0, 0, 0, 0, 16, 195, 15, 11,
35, 0, 65, 1, 107, 36, 0, 16, 6, 65, 15, 113, 65, 130, 128,
126, 254, 0, 2, 0, 4, 64, 32, 0, 32, 1, 32, 2, 27, 4,
127, 65, 207, 230, 157, 153, 4, 34, 0, 5, 65, 140, 226, 132, 187,
6, 11, 26, 5, 67, 151, 255, 255, 255, 33, 6, 11, 32, 2, 13,
0, 66, 128, 128, 128, 128, 128, 1, 33, 4, 11, 11, 3, 64, 35,
0, 69, 4, 64, 68, 0, 0, 0, 0, 32, 250, 239, 64, 15, 11,
35, 0, 65, 1, 107, 36, 0, 32, 6, 26, 3, 127, 35, 0, 69,
4, 64, 68, 0, 0, 0, 0, 0, 0, 128, 67, 15, 11, 35, 0,
65, 1, 107, 36, 0, 3, 127, 35, 0, 69, 4, 64, 68, 0, 0,
0, 0, 0, 0, 77, 64, 15, 11, 35, 0, 65, 1, 107, 36, 0,
67, 80, 255, 55, 202, 33, 6, 32, 2, 69, 13, 0, 65, 110, 11,
34, 3, 13, 4, 32, 2, 33, 0, 32, 3, 69, 13, 0, 65, 128,
96, 11, 69, 13, 0, 32, 1, 4, 127, 2, 127, 35, 0, 69, 4,
64, 68, 138, 255, 255, 255, 255, 255, 255, 255, 15, 11, 35, 0, 65,
1, 107, 36, 0, 35, 0, 69, 4, 64, 68, 215, 255, 255, 255, 255,
255, 255, 255, 15, 11, 35, 0, 65, 1, 107, 36, 0, 65, 185, 127,
2, 127, 35, 0, 69, 4, 64, 68, 0, 0, 0, 0, 0, 0, 224,
195, 15, 11, 35, 0, 65, 1, 107, 36, 0, 65, 0, 11, 13, 0,
4, 64, 68, 0, 0, 0, 0, 0, 0, 240, 66, 32, 3, 65, 4,
17, 3, 0, 26, 5, 32, 1, 69, 13, 3, 11, 32, 2, 34, 1,
11, 5, 65, 129, 1, 34, 1, 34, 0, 11, 69, 13, 2, 11, 32,
1, 65, 15, 113, 65, 128, 128, 32, 34, 1, 254, 0, 2, 0, 69,
13, 0, 65, 128, 128, 32, 65, 129, 128, 124, 32, 0, 27, 11, 34,
0, 13, 0, 65, 4, 66, 217, 208, 176, 127, 254, 24, 3, 0, 12,
0, 11, 0, 11, 3, 127, 35, 0, 69, 4, 64, 68, 0, 0, 0,
0, 0, 128, 84, 64, 15, 11, 35, 0, 65, 1, 107, 36, 0, 35,
0, 69, 4, 64, 68, 177, 255, 255, 255, 255, 255, 255, 255, 15, 11,
35, 0, 65, 1, 107, 36, 0, 32, 2, 13, 0, 35, 0, 69, 4,
64, 68, 0, 0, 0, 0, 0, 0, 64, 195, 15, 11, 35, 0, 65,
1, 107, 36, 0, 32, 0, 69, 13, 0, 35, 0, 69, 4, 64, 68,
0, 0, 0, 0, 0, 0, 96, 64, 15, 11, 35, 0, 65, 1, 107,
36, 0, 3, 124, 35, 0, 69, 4, 64, 68, 0, 0, 0, 0, 0,
0, 16, 184, 15, 11, 35, 0, 65, 1, 107, 36, 0, 32, 3, 13,
0, 68, 0, 0, 0, 0, 0, 0, 224, 195, 11, 32, 0, 13, 2,
26, 35, 0, 69, 4, 64, 68, 0, 0, 0, 0, 0, 0, 192, 66,
15, 11, 35, 0, 65, 1, 107, 36, 0, 32, 1, 13, 0, 35, 0,
69, 4, 64, 68, 0, 0, 0, 0, 0, 0, 240, 191, 15, 11, 35,
0, 65, 1, 107, 36, 0, 65, 128, 126, 11, 13, 0, 11, 35, 0,
69, 4, 64, 68, 136, 255, 255, 255, 255, 255, 255, 255, 15, 11, 35,
0, 65, 1, 107, 36, 0, 68, 0, 0, 0, 0, 0, 0, 0, 192,
11, 11, 6, 0, 65, 10, 36, 0, 11, 11, 15, 1, 0, 65, 0,
11, 9, 109, 0, 0, 0, 0, 0, 0, 0, 38
]));
Issue: https://crbug.com/v8/11573
Commit: [interpreter] Apply Reflect.apply transform in BytecodeGenerator
Date(Commit): Thu, 18 Mar 2021 13:29:55 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2765783
Regress : test\mjsunit\regress\regress-11558.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Spread calls get rewritten to CallRuntime, which should be aware of optional
// chaining.
for (let nullish of [undefined, null]) {
const fn = nullish;
const n = nullish;
const o = {};
assertEquals(fn?.(...[], 1), undefined);
assertEquals(fn?.(...[], ...[]), undefined);
assertEquals(o.method?.(...[], 1), undefined);
assertEquals(n?.method(...[], 1), undefined);
}
Issue: https://crbug.com/1146880
Commit: [regalloc] Fix slot requirement for live ranges defined by a const
Date(Commit): Thu, 18 Mar 2021 13:11:35 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2563689
Regress : test\mjsunit\regress\regress-1146880.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --assert-types
function f(a,b) {
let t = a >= b;
while (t != 0) {
a = a | (b - a);
let unused = a >= b;
t = a < b;
}
}
function test() {
f(Infinity,1);
f(undefined, undefined);
}
// Trigger TurboFan compilation
%PrepareFunctionForOptimization(test);
%PrepareFunctionForOptimization(f);
test();
test();
%OptimizeFunctionOnNextCall(test);
test();
Issue: https://crbug.com/v8/11238
Commit: [wasm] Move asm regress tests into regress/asm
Date(Commit): Wed, 17 Mar 2021 09:55:35 -0700
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2767600
Regress : test\mjsunit\regress\asm\regress-743622.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --validate-asm
function Module(stdlib, foreign, heap) {
"use asm";
var a = stdlib.Math.PI;
function f() { return a }
return { f:f };
}
Module.length
Issue: https://crbug.com/v8/11525
Commit: [web snapshots] d8 support for the initial version
Date(Commit): Tue, 16 Mar 2021 14:02:35 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2759517
Regress : test\mjsunit\regress\regress-v8-9534.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --stack-size=100 --ignore-unhandled-promises
let i = 0;
function f() {
i++;
if (i > 10) {
%PrepareFunctionForOptimization(f);
%OptimizeFunctionOnNextCall(f);
}
new Promise(f);
return f.x;
}
f();
Commit: Reland: [compiler] Cache StateValue processing in InstructionSelector.
Date(Commit): Fri, 12 Mar 2021 16:15:17 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2756535
Regress : test\mjsunit\regress\regress-1187170.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --no-lazy-feedback-allocation
var bar = 0;
function foo(outer_arg) {
var arr = [1];
var func = function (arg) {
bar += arg;
if (outer_arg) {}
};
try {
arr.filter(func);
} catch (e) {}
};
%PrepareFunctionForOptimization(foo);
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
bar = {};
foo();
Issue: https://crbug.com/1182647
Commit: [deoptimizer] Fix bug in OptimizedFrame::Summarize
Date(Commit): Wed, 10 Mar 2021 18:18:44 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2748593
Regress : test\mjsunit\compiler\regress-1182647.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --verify-heap
function foo() {
const arr = Array(1000);
function bar() {
try { ({a: p4nda, b: arr.length}); } catch(e) {}
}
for (var i = 0; i < 25; i++) bar();
/p4nda/.test({}); // Deopt here.
arr.shift();
}
%PrepareFunctionForOptimization(foo);
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/v8/10946
Commit: [wasm-simd] Rename vXXXX.all_true to iXXXX.all_true
Date(Commit): Fri, 5 Mar 2021 15:56:29 -0800
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2740488
Regress : test\mjsunit\regress\wasm\regress-10831.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-simd
load('test/mjsunit/wasm/wasm-module-builder.js');
// This test is shrunk from a test case provided at https://crbug.com/v8/10831.
// This exercises a aligned-load bug in ia32. Some SIMD operations were using
// instructions that required aligned operands (like movaps and movapd), but we
// don't have the right memory alignment yet, see https://crbug.com/v8/9198,
// resulting in a SIGSEGV when running the generated code.
const builder = new WasmModuleBuilder();
builder.addType(makeSig([], [kWasmI32]));
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: i_v
// body:
kExprI32Const, 0xfc, 0xb6, 0xed, 0x02, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0xfc, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprI64x2Sub, 0x01, // i64x2.sub
kExprI32Const, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x81, 0x96, 0xf0, 0xe3, 0x07, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprF64x2Max, 0x01, // f64x2.max
kSimdPrefix, kExprI64x2Sub, 0x01, // i64x2.sub
kExprI32Const, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x00, // i32.const
kExprI32Const, 0x0b, // i32.const
kExprI32LtU, // i32.lt_u
kSimdPrefix, kExprI8x16ReplaceLane, 0x00, // i8x16.replace_lane
kExprI32Const, 0xfc, 0xf8, 0x01, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprF64x2Max, 0x01, // f64x2.max
kSimdPrefix, kExprI16x8MaxS, 0x01, // i16x8.max_s
kSimdPrefix, kExprI8x16AllTrue, // i8x16.all_true
kExprEnd, // end @70
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
print(instance.exports.main());
Issue: https://crbug.com/v8/11519
Commit: Use map of prototype in Map::Hash.
Date(Commit): Tue, 9 Mar 2021 08:04:42 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2739646
Regress : test\mjsunit\regress\regress-11519.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --gc-interval=500 --stress-compaction
function bar(a) {
return Object.defineProperty(a, 'x', {get() { return 1; }});
}
function foo() {
return {};
}
%NeverOptimizeFunction(bar);
%PrepareFunctionForOptimization(foo);
const o = foo(); // Keep a reference so the GC doesn't kill the map.
%SimulateNewspaceFull();
bar(o);
const a = bar(foo());
%SimulateNewspaceFull();
%OptimizeFunctionOnNextCall(foo);
const b = bar(foo());
assertTrue(%HaveSameMap(a, b));
Issue: https://crbug.com/1161847
Commit: Add another test for crbug 1161847
Date(Commit): Mon, 8 Mar 2021 16:52:00 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2739592
Regress : test\mjsunit\regress\regress-crbug-1161847-3.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function bar(x) { delete x.bla; x.bla = 23 }
function foo() {
let obj = {bla: 0};
Object.defineProperty(obj, 'bla', {writable: false});
bar(obj);
return obj.bla;
}
%PrepareFunctionForOptimization(foo);
assertEquals(23, foo());
assertEquals(23, foo());
%OptimizeFunctionOnNextCall(foo);
assertEquals(23, foo());
Issue: https://crbug.com/1185464
Commit: [liftoff][arm64] Add ValueKinds for AcquireByType
Date(Commit): Mon, 8 Mar 2021 11:45:53 -0800
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2742017
Regress : test\mjsunit\regress\wasm\regress-1185464.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --liftoff --no-wasm-tier-up --wasm-tier-mask-for-testing=2
// Flags: --experimental-wasm-reftypes
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
// Generate a Liftoff call with too many reference parameters to fit in
// parameter registers, to force stack parameter slots.
const kManyParams = 32;
const kSigWithManyRefParams = makeSig(
new Array(kManyParams).fill(kWasmExternRef), []);
const kPrepareManyParamsCallBody = Array.from(
{length: kManyParams * 2},
(item, index) => index % 2 == 0 ? kExprLocalGet : 0);
builder.addFunction(undefined, kSigWithManyRefParams).addBody([
]);
builder.addFunction(undefined, kSigWithManyRefParams)
.addBody([
...kPrepareManyParamsCallBody,
kExprCallFunction, 0, // call 0
]);
builder.addFunction(undefined, kSigWithManyRefParams).addBody([
...kPrepareManyParamsCallBody,
kExprCallFunction, 1, // call 1
]).exportAs('manyRefs');
const instance = builder.instantiate();
instance.exports.manyRefs();
Issue: https://crbug.com/1184964
Commit: [wasm] Add missing validation on Drop
Date(Commit): Mon, 8 Mar 2021 12:14:17 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2739588
Regress : test\mjsunit\regress\wasm\regress-1184964.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-lazy-compilation
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addFunction('foo', kSig_v_v).addBody([kExprDrop]);
assertThrows(() => builder.instantiate(), WebAssembly.CompileError);
Issue: https://crbug.com/v8/11491
Commit: [generators] Let parameters and register FixedArray be a large object
Date(Commit): Mon, 22 Feb 2021 15:06:22 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2712782
Regress : test\mjsunit\regress\regress-11491.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function test() {
// Create a generator constructor with the maximum number of allowed parameters.
const args = new Array(65535);
function* gen() {}
const c = gen.constructor.apply(null, args);
// 'c' having 65535 parameters causes the parameters/registers fixed array
// attached to the generator object to be considered a large object.
// We call it twice so that it both covers the CreateJSGeneratorObject() C++
// runtime function as well as the CreateGeneratorObject() CSA builtin.
c();
c();
}
test();
Issue: https://crbug.com/v8/1185072
Commit: [array] Fix bounds check in ArrayConcat
Date(Commit): Mon, 8 Mar 2021 08:41:35 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2742196
Regress : test\mjsunit\regress\regress-1185072.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function __getProperties(obj) {
let properties = [];
for (let name of Object.getOwnPropertyNames(obj)) {
properties.push(name);
}
return properties;
}
function __getRandomProperty(obj, seed) {
let properties = __getProperties(obj);
return properties[seed % properties.length];
}
let __v_19 = [];
class __c_0 extends Array {}
Object.defineProperty(__v_19, 'constructor', {
get() {
return __c_0;
}
});
Object.defineProperty(__v_19, __getRandomProperty(__v_19, 776790), {
value: 4294967295
});
assertThrows(() => __v_19.concat([1])[9], RangeError);
Issue: https://crbug.com/1161847
Commit: [const-tracking] Mark const field as mutable when reconfiguring
Date(Commit): Fri, 5 Mar 2021 12:20:51 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2727272
Regress : test\mjsunit\regress\regress-crbug-1161847-1.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(first_run) {
let o = { x: 0 };
if (first_run) assertTrue(%HasOwnConstDataProperty(o, 'x'));
Object.defineProperty(o, 'x', { writable: false });
delete o.x;
o.x = 23;
if (first_run) assertFalse(%HasOwnConstDataProperty(o, 'x'));
}
%PrepareFunctionForOptimization(foo);
foo(true);
foo(false);
%OptimizeFunctionOnNextCall(foo);
foo(false);
Issue: https://crbug.com/1181240
Commit: [turbofan] Frame size computation should include additional arguments
Date(Commit): Mon, 1 Mar 2021 10:50:36 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2723252
Regress : test\mjsunit\regress\regress-1181240.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function runNearStackLimit(f) {
function t() {
try {
t();
} catch (e) {
f(true);
}
}
t();
}
var a = {x: 10};
var b = {y: 10};
function inner(should_deopt) {
if (should_deopt == true) {
a.x;
}
return b.y;
}
%PrepareFunctionForOptimization(f);
%PrepareFunctionForOptimization(inner);
f(false);
f(false);
%OptimizeFunctionOnNextCall(f);
f(false);
function f(x) {
// Pass a large number of arguments so the stack check would fail.
inner(x,
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
);
}
runNearStackLimit(f);
Issue: https://crbug.com/v8/11092
Commit: [compiler] Enable inlining of JS-to-Wasm calls inside try/catch
Date(Commit): Mon, 22 Feb 2021 04:12:53 -0800
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2678341
Regress : test\mjsunit\regress\wasm\regress-crbug-1168612.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --turbo-inline-js-wasm-calls
load('test/mjsunit/wasm/wasm-module-builder.js');
function getMain() {
var builder = new WasmModuleBuilder();
builder.addFunction("main", kSig_v_v)
.addBody([kExprUnreachable])
.exportAs("main");
return builder.instantiate().exports.main;
}
let foo = getMain();
function loop() {
for (let i = 0; i < 2; i++) {
try {
foo();
} catch (e) {
if (i) {
throw e;
}
}
}
}
%PrepareFunctionForOptimization(loop);
assertThrows(loop, WebAssembly.RuntimeError, "unreachable");
%OptimizeFunctionOnNextCall(loop);
assertThrows(loop, WebAssembly.RuntimeError, "unreachable");
Issue: https://crbug.com/1180690
Commit: [wasm] Fix thread_in_wasm_flag in exception handling
Date(Commit): Tue, 23 Feb 2021 15:23:52 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2713103
Regress : test\mjsunit\regress\wasm\regress-1180690.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --wasm-test-streaming --wasm-lazy-compilation --wasm-lazy-validation
load('test/mjsunit/wasm/wasm-module-builder.js');
(function f1() {
const builder = new WasmModuleBuilder();
builder.addMemory(1, 1);
builder.addFunction('main', kSig_i_i).addBody([
kExprLocalGet, 0,
kExprI32LoadMem, 0, 0
]).exportFunc();
const instance = builder.instantiate();
instance.exports.main();
})();
(function f2() {
const builder = new WasmModuleBuilder();
builder.addFunction('id', kSig_i_i).addBody([]).exportFunc();
const buffer = builder.toBuffer();
const instance = builder.instantiate();
try {
instance.exports.id();
} catch {}
})();
Issue: https://crbug.com/1179065
Commit: [wasm] Fix instance caching with dynamic tiering
Date(Commit): Tue, 23 Feb 2021 10:52:41 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2714544
Regress : test\mjsunit\regress\wasm\regress-1179065.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging --wasm-dynamic-tiering
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addMemory(1, 10);
builder.addFunction('load', kSig_i_i).addBody([
// signature: i_i
// body:
kExprLocalGet, 0, // local.get
kExprI32LoadMem, 0, 0, // i32.load_mem
]).exportFunc();
const instance = builder.instantiate();
// Call multiple times to trigger dynamic tiering.
for (let i = 0; i < 20; ++i) {
instance.exports.load(1);
}
Issue: https://crbug.com/1181246
Commit: [compiler] Fix return type of GetCharAsString
Date(Commit): Tue, 23 Feb 2021 13:11:21 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2712965
Regress : test\mjsunit\regress\regress-1181246.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
Object.defineProperty(String.prototype, "0", { __v_1: 1});
var __f_2 = function() {
function __f_2() {
''[0];
};
%PrepareFunctionForOptimization(__f_2);
return __f_2;
}();
%PrepareFunctionForOptimization(__f_2);
__f_2();
__f_2();
%OptimizeFunctionOnNextCall(__f_2);
__f_2();
Issue: https://crbug.com/1158138
Commit: [map transitions] Fix setting writable=false for sealed objects
Date(Commit): Fri, 12 Feb 2021 14:37:46 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2691050
Regress : test\mjsunit\regress\regress-crbug-1158138.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
let a = { foo: 4 };
Object.seal(a);
assertTrue(Object.getOwnPropertyDescriptor(a, 'foo').writable);
Object.defineProperty(a, 'foo', { writable: false });
assertFalse(Object.getOwnPropertyDescriptor(a, 'foo').writable);
Issue: https://crbug.com/v8/11238
Commit: [wasm] Move regression tests to wasm directory
Date(Commit): Mon, 22 Feb 2021 16:13:51 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2712243
Regress : test\mjsunit\regress\wasm\regress-crbug-969498.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let global = new WebAssembly.Global({value: 'f32', mutable: true}, 2e66);
global.value = 2e66;
// Custom additional test case:
const kRoundsDown = 3.4028235677973362e+38;
const kRoundsToInf = 3.4028235677973366e+38;
var floats = new Float32Array([kRoundsDown, kRoundsToInf]);
assertNotEquals(Infinity, floats[0]);
assertEquals(Infinity, floats[1]);
floats.set([kRoundsDown, kRoundsToInf]);
assertNotEquals(Infinity, floats[0]);
assertEquals(Infinity, floats[1]);
Issue: https://crbug.com/v8/7790
Commit: Reland "[compiler] Direct heap reads for JSArrayRef"
Date(Commit): Mon, 22 Feb 2021 12:24:34 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2695403
Regress : test\mjsunit\regress\regress-1180012.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
var __v_10 = {};
var __v_9 = [-1];
function __f_7() {
(__v_10[65535] | 65535) / __v_9[2147483648];
}
%PrepareFunctionForOptimization(__f_7);
__f_7();
__f_7();
%OptimizeFunctionOnNextCall(__f_7);
__f_7();
Issue: https://crbug.com/v8/11238
Commit: [asm] Move regression tests to own directory
Date(Commit): Sun, 21 Feb 2021 21:22:39 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2710427
Regress : test\mjsunit\regress\asm\regress-wasm-crbug-618602.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --validate-asm --allow-natives-syntax
function __f_1() {
'use asm';
function __f_3() {
var __v_11 = 1, __v_10 = 0, __v_12 = 0;
__v_12 = (__v_10 | 12) % 4294967295 | -1073741824;
}
return { __f_3: __f_3 };
}
assertFalse(%IsAsmWasmCode(__f_1));
Issue: https://crbug.com/v8/11472
Commit: [wasm][eh] Fix merge with phi in delegate
Date(Commit): Fri, 19 Feb 2021 17:00:34 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2707167
Regress : test\mjsunit\regress\wasm\regress-11472.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --experimental-wasm-eh
load("test/mjsunit/wasm/wasm-module-builder.js");
(function Regress11472() {
print(arguments.callee.name);
let builder = new WasmModuleBuilder();
let throw_fn = builder.addFunction('throw', kSig_v_v)
.addBody([kExprNop])
.exportFunc();
builder.addFunction('test', kSig_i_ii)
.addBody([
kExprTry, kWasmI32,
kExprCallFunction, throw_fn.index,
kExprCallFunction, throw_fn.index,
kExprTry, kWasmI32,
kExprCallFunction, throw_fn.index,
kExprI32Const, 1,
kExprDelegate, 0,
kExprCatchAll,
kExprI32Const, 2,
kExprEnd,
]).exportFunc();
instance = builder.instantiate();
})();
Issue: https://crbug.com/v8/11453
Commit: [liftoff] Add support for throwing exceptions
Date(Commit): Fri, 19 Feb 2021 16:58:03 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2704659
Regress : test\mjsunit\regress\wasm\regress-8896.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-eh --allow-natives-syntax
// Disable Liftoff so we can serialize the module.
// Flags: --no-liftoff
load("test/mjsunit/wasm/wasm-module-builder.js");
(function TestSerializeDeserializeRuntimeCall() {
var builder = new WasmModuleBuilder();
var except = builder.addException(kSig_v_v);
builder.addFunction("f", kSig_v_v)
.addBody([
kExprThrow, except,
]).exportFunc();
var wire_bytes = builder.toBuffer();
var module = new WebAssembly.Module(wire_bytes);
var instance1 = new WebAssembly.Instance(module);
var serialized = %SerializeWasmModule(module);
module = %DeserializeWasmModule(serialized, wire_bytes);
var instance2 = new WebAssembly.Instance(module);
assertThrows(() => instance2.exports.f(), WebAssembly.RuntimeError);
})();
Issue: https://crbug.com/1179025
Commit: [liftoff] Fix handling of pinned registers
Date(Commit): Wed, 17 Feb 2021 12:53:59 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2699254
Regress : test\mjsunit\regress\wasm\regress-1179025.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addMemory(1, 1, false, true);
builder.addType(makeSig([], []));
builder.addType(makeSig([kWasmI64], [kWasmF32]));
// Generate function 1 (out of 2).
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: v_v
// body:
kExprNop, // nop
kExprEnd, // end @2
]);
// Generate function 2 (out of 2).
builder.addFunction(undefined, 1 /* sig */)
.addLocals(kWasmI64, 1)
.addBodyWithEnd([
// signature: f_l
// body:
kExprBlock, kWasmF32, // block @3 f32
kExprI32Const, 0x00, // i32.const
kExprI32Const, 0x01, // i32.const
kExprIf, kWasmI64, // if @9 i64
kExprI64Const, 0x00, // i64.const
kExprElse, // else @13
kExprUnreachable, // unreachable
kExprEnd, // end @15
kAtomicPrefix, kExprI64AtomicStore, 0x03, 0x04, // i64.atomic.store64
kExprF32Const, 0x00, 0x00, 0x00, 0x00, // f32.const
kExprEnd, // end @25
kExprDrop, // drop
kExprF32Const, 0x00, 0x00, 0x80, 0x51, // f32.const
kExprEnd, // end @32
]);
builder.instantiate();
Issue: https://crbug.com/v8/11363
Commit: [regexp] Skip regression test for experimental engine.
Date(Commit): Wed, 17 Feb 2021 09:05:40 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2699251
Regress : test\mjsunit\regress\regress-1166138.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-enable-experimental-regexp-engine
let badregexp = "(?:" + " ".repeat(32768*2)+ ")*";
reg = RegExp(badregexp);
assertThrows(() => reg.test(), SyntaxError);
Issue: https://crbug.com/1177368
Commit: [compiler] Create canonical handles in JSTypedArrayRef::buffer()
Date(Commit): Fri, 12 Feb 2021 15:00:52 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2692246
Regress : test\mjsunit\compiler\regress-1177369.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
try {
let array = new ArrayBuffer();
array.constructor = {
get [Symbol.species]() {
%ArrayBufferDetach(array);
}
};
array.slice();
} catch (e) {}
var array = new Int8Array(100);
function foo() {
for (var i = 0; i < 100; i += 4) {
array[i] = i;
}
}
%PrepareFunctionForOptimization(foo);
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/v8/7790
Commit: Reland "[compiler] Directly read PropertyCells"
Date(Commit): Fri, 12 Feb 2021 13:41:33 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2661462
Regress : test\mjsunit\regress\regress-1176504.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-lazy-feedback-allocation
function foo() {
'use strict';
x = 42;
}
__proto__ = {x: 1};
assertThrows(foo);
assertThrows(foo);
Issue: https://crbug.com/1172797
Commit: [turboprop] Add intrinsics to tier up from Turboprop to TurboFan
Date(Commit): Thu, 11 Feb 2021 10:47:03 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2682638
Regress : test\mjsunit\regress\regress-1172797.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --turboprop --opt --no-always-opt
var v_0 = {};
function f_0(o, v) {
o.f = v;
}
function f_1() {
return v_0.f;
}
%PrepareFunctionForOptimization(f_0);
f_0(v_0, 42);
f_0(v_0, 42);
%OptimizeFunctionOnNextCall(f_0);
f_0(v_0, 42);
// TP tier up
%PrepareFunctionForOptimization(f_1);
f_1();
f_1();
%OptimizeFunctionOnNextCall(f_1);
f_1();
// Now TF tier up
%PrepareFunctionForOptimization(f_1);
f_1();
%TierupFunctionOnNextCall(f_1);
f_1();
assertOptimized(f_0);
// TODO(mythria): Add an option to assert on the optimization tier and assert
// f_1 is optimized with TurboFan.
assertOptimized(f_1);
// Store in f_0 should trigger a change to the constness of the field.
f_0(v_0, 53);
// f_0 does a eager deopt and lets the interpreter update the field constness.
assertUnoptimized(f_0);
if (!%IsTopTierTurboprop()) {
// f_1 has TurboFan code and should deopt because of dependency change.
assertUnoptimized(f_1);
}
assertEquals(v_0.f, 53);
assertEquals(f_1(), 53);
Issue: https://crbug.com/177058
Commit: [d8] Fix new style worker creation
Date(Commit): Thu, 11 Feb 2021 10:24:25 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2689187
Regress : test\mjsunit\regress\regress-crbug-1177058.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function __f_8() {
Object.prototype.__defineGetter__(0, () => {
throw Error();
});
})();
function __f_9() {
};
assertThrows( () => { new Worker(__f_9, {
type: 'function',
arguments: [,]})});
Issue: https://crbug.com/1075514
Commit: [regexp] Don't update last match info in @@split special case
Date(Commit): Thu, 11 Feb 2021 07:01:12 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2681950
Regress : test\mjsunit\regress\regress-1075514.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const re = /$/;
// The runtime path (Runtime::kRegExpExec).
assertEquals(["a"], "a".split(re));
assertEquals("", RegExp.input);
// Runtime / compilation to generated code.
assertEquals(["a"], "a".split(re));
assertEquals("", RegExp.input);
// Generated code.
assertEquals(["a"], "a".split(re));
assertEquals("", RegExp.input);
// Once again just because we can.
assertEquals(["a"], "a".split(re));
assertEquals("", RegExp.input);
Issue: https://crbug.com/v8/11092
Commit: [compiler] Re-reland "Faster JS-to-Wasm calls"
Date(Commit): Thu, 4 Feb 2021 07:46:10 -0800
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2649777
Regress : test\mjsunit\regress\wasm\regress-crbug-1168386.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --interrupt-budget=100
function __f_0(__v_8) {
var __v_9 = "mod_";
var __v_10 = eval(
'function Module(stdlib, foreign, heap) {\n' +
' "use asm";\n' +
' function ' + __v_9 + '(dividend) {\n' +
' dividend = dividend | 0;\n' +
' return ((dividend | 0) % ' + __v_8 + ') | 0;\n'
+ ' }\n' +
' return { f: ' + __v_9 + '}\n'
+ '}; Module');
return __v_10().f;
}
try {
const __v_5 = -1;
const __v_6 = __f_0(1);
for (var __v_7 = 0; __v_7 < 100; __v_7++) {
__v_7 % __v_5 | __v_6();
}
} catch (e) {}
Issue: https://crbug.com/v8/11247
Commit: [dict-proto] Constness tracking of dictionary properties (jitless)
Date(Commit): Thu, 4 Feb 2021 11:42:49 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2566757
Regress : test\mjsunit\regress\regress-crbug-605060.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
Array.prototype.__defineGetter__('map', function(){});
Array.prototype.__defineGetter__('map', function(){});
Array.prototype.__defineGetter__('map', function(){});
assertEquals(!%IsDictPropertyConstTrackingEnabled(),
%HasFastProperties(Array.prototype));
Issue: https://crbug.com/1162473
Commit: Reland [d8] Fix a crash when getting the worker's onmessage handler
Date(Commit): Tue, 2 Feb 2021 14:26:50 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2667512
Regress : test\mjsunit\regress\regress-crbug-1162473.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const script = `__proto__ = Realm.global(Realm.create());`;
const w = new Worker(script, {type : 'string'});
w.postMessage('hi');
Commit: [wasm-gc] Fix ref.is_null in Liftoff
Date(Commit): Mon, 1 Feb 2021 19:10:09 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2664447
Regress : test\mjsunit\regress\wasm\regress-crbug-1172912.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-reftypes --experimental-wasm-typed-funcref
let raw = new Uint8Array([
0x00, 0x61, 0x73, 0x6d, // wasm magic
0x01, 0x00, 0x00, 0x00, // wasm version
0x01, // section: types
0x05, // section length
0x01, // types count
0x60, // function type
0x00, // param count
0x01, // return count
0x7f, // i32
0x03, // section: functions
0x02, // section size: 2
0x01, // function count: 1
0x00, // sig index: 0
0x07, // section: exports
0x08, // section size
0x01, // exports count
0x04, // name length: 4
0x6d, 0x61, 0x69, 0x6e, // name: "main"
0x00, // export kind: function
0x00, // export function index: 0
0x0a, // section: code
0x0d, // section length
0x01, // functions count: 1
0x0b, // body size
0x00, // locals count
0xd2, 0x00, // ref.func 0
0xd1, // ref.is_null
0x04, 0x40, // if [void]
0x05, // else
0x0b, // end
0x41, 0x2a, // i32.const: 42
0x0b, // end
]);
let buff = raw.buffer;
let mod = new WebAssembly.Module(buff);
let inst = new WebAssembly.Instance(mod);
let result = inst.exports.main();
assertEquals(42, result);
Issue: https://crbug.com/1171954
Commit: [interpreter] Store accumulator to callee after optional chain checks
Date(Commit): Tue, 2 Feb 2021 10:20:39 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2665466
Regress : test\mjsunit\regress\regress-crbug-1171954.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --always-opt
// This causes the register used by the call in the later try-catch block to be
// used by the ToName conversion for null which causes a DCHECK fail when
// compiling. If register allocation changes, this test may no longer reproduce
// the crash but it is not easy write a proper test because it is linked to
// register allocation. This test should always work, so shouldn't cause any
// flakes.
try {
var { [null]: __v_12, } = {};
} catch (e) {}
try {
assertEquals((__v_40?.o?.m)().p);
} catch (e) {}
Issue: https://crbug.com/v8/11331
Commit: Reland "[wasm-simd] Merge all any_true to v128.any_true"
Date(Commit): Fri, 29 Jan 2021 14:48:10 -0800
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2639033
Regress : test\mjsunit\regress\wasm\regress-1081030.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-simd
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */).addBodyWithEnd([
// signature: i_iii
// body:
kExprF32Const, 0xf8, 0xf8, 0xf8, 0xf8,
kSimdPrefix, kExprF32x4Splat, // f32x4.splat
kExprF32Const, 0xf8, 0xf8, 0xf8, 0xf8,
kSimdPrefix, kExprF32x4Splat, // f32x4.splat
kSimdPrefix, kExprF32x4Min, 0x01, // f32x4.min
kSimdPrefix, kExprV128AnyTrue, 0x01, // v128.any_true
kExprEnd, // end @16
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertEquals(1, instance.exports.main(1, 2, 3));
Issue: https://crbug.com/1171788
Commit: [wasm][liftoff][arm] Add missing handling of reference types to ...
Date(Commit): Fri, 29 Jan 2021 12:22:35 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2659255
Regress : test\mjsunit\regress\wasm\regress-1171788.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addType(makeSig(
[
kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmFuncRef, kWasmI32, kWasmI32,
kWasmI32, kWasmI32, kWasmI32
],
[kWasmF64]));
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: d_iiiiniiiii
// body:
kExprLocalGet, 0x03, // local.get
kExprLocalGet, 0x08, // local.get
kExprLocalGet, 0x00, // local.get
kExprI32Const, 0x01, // i32.const
kExprLocalGet, 0x04, // local.get
kExprLocalGet, 0x05, // local.get
kExprLocalGet, 0x06, // local.get
kExprLocalGet, 0x00, // local.get
kExprLocalGet, 0x07, // local.get
kExprLocalGet, 0x06, // local.get
kExprCallFunction, 0x00, // call function #0: d_iiiiniiiii
kExprLocalGet, 0x00, // local.get
kExprLocalGet, 0x01, // local.get
kExprLocalGet, 0x00, // local.get
kExprLocalGet, 0x08, // local.get
kExprLocalGet, 0x01, // local.get
kExprLocalGet, 0x00, // local.get
kExprLocalGet, 0x01, // local.get
kExprLocalGet, 0x07, // local.get
kExprLocalGet, 0x08, // local.get
kExprLocalGet, 0x09, // local.get
kExprCallFunction, 0x00, // call function #0: d_iiiiniiiii
kExprUnreachable, // unreachable
kExprEnd, // end @46
]);
assertThrows(function() { builder.instantiate(); }, WebAssembly.CompileError);
Issue: https://crbug.com/v8/9237
Commit: Reland2 [super] Store home object in Context instead of JSFunction
Date(Commit): Fri, 29 Jan 2021 09:24:03 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2655509
Regress : test\mjsunit\regress\regress-crbug-1171600.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function TestSpreadAfterMethodUsingSuper() {
let v = {
m() {
{ super.x; };
},
...[() => {}]
};
})();
(function TestSpreadAfterMethodUsingEval() {
let v = {
m() {
{ eval(); };
},
...[() => {}]
};
})();
Issue: https://crbug.com/v8/11360
Commit: [class] Fix compound assignment w/ private accessors
Date(Commit): Thu, 28 Jan 2021 16:40:25 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2652495
Regress : test\mjsunit\regress\regress-v8-11360.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function TestCompoundAssignmentToPrivateField() {
class C {
#foo = 1;
m() {
return this.#foo += 1;
}
}
assertEquals(2, (new C()).m());
})();
(function TestCompoundAssignmentToPrivateFieldWithOnlyGetter() {
class C {
get #foo() { return 1; }
m() {
return this.#foo += 1;
}
}
assertThrows(() => { (new C()).m(); });
})();
(function TestCompoundAssignmentToPrivateFieldWithOnlySetter() {
class C {
set #foo(a) { }
m() {
return this.#foo += 1;
}
}
assertThrows(() => { (new C()).m(); });
})();
(function TestCompoundAssignmentToPrivateFieldWithGetterAndSetter() {
class C {
get #foo() { return 1; }
set #foo(a) { }
m() {
return this.#foo += 1;
}
}
assertEquals(2, (new C()).m());
})();
(function TestCompoundAssignmentToPrivateMethod() {
class C {
m() {
return this.#pm += 1;
}
#pm() {}
}
assertThrows(() => { (new O()).m(); });
})();
(function TestCompoundAssignmentToStaticPrivateField() {
class C {
static #foo = 1;
m() {
return C.#foo += 1;
}
}
assertEquals(2, (new C()).m());
})();
(function TestCompoundAssignmentToStaticPrivateFieldWithOnlyGetter() {
class C {
static get #foo() { return 1; }
m() {
return C.#foo += 1;
}
}
assertThrows(() => { (new C()).m(); });
})();
(function TestCompoundAssignmentToStaticPrivateFieldWithOnlySetter() {
class C {
static set #foo(a) { }
m() {
return C.#foo += 1;
}
}
assertThrows(() => { (new C()).m(); });
})();
(function TestCompoundAssignmentToStaticPrivateFieldWithGetterAndSetter() {
class C {
static get #foo() { return 1; }
static set #foo(a) { }
m() {
return C.#foo += 1;
}
}
assertEquals(2, (new C()).m());
})();
(function TestCompoundAssignmentToStaticPrivateMethod() {
class C {
m() {
return C.#pm += 1;
}
static #pm() {}
}
assertThrows(() => { (new O()).m(); });
})();
// The following tests test the above cases w/ brand check failures.
(function TestBrandCheck_CompoundAssignmentToPrivateField() {
class C {
#foo = 1;
m() {
return this.#foo += 1;
}
}
assertThrows(() => { C.prototype.m.call({}); }, TypeError,
/Cannot read private member/);
// It's the same error we get from this case:
class C2 {
#foo = 1;
m() {
return this.#foo;
}
}
assertThrows(() => { C2.prototype.m.call({}); }, TypeError,
/Cannot read private member/);
})();
(function TestBrandCheck_CompoundAssignmentToPrivateFieldWithOnlyGetter() {
class C {
get #foo() { return 1; }
m() {
return this.#foo += 1;
}
}
assertThrows(() => { C.prototype.m.call({}); }, TypeError,
/Object must be an instance of class/);
// It's the same error we get from this case:
class C2 {
get #foo() { return 1; }
m() {
return this.#foo;
}
}
assertThrows(() => { C2.prototype.m.call({}); }, TypeError,
/Object must be an instance of class/);
})();
(function TestBrandCheck_CompoundAssignmentToPrivateFieldWithOnlySetter() {
class C {
set #foo(a) { }
m() {
return this.#foo += 1;
}
}
assertThrows(() => { C.prototype.m.call({}); }, TypeError,
/Object must be an instance of class/);
})();
(function TestBrandCheck_CompoundAssignmentToPrivateFieldWithGetterAndSetter() {
class C {
get #foo() { return 1; }
set #foo(a) { }
m() {
return this.#foo += 1;
}
}
assertThrows(() => { C.prototype.m.call({}); }, TypeError,
/Object must be an instance of class/);
// It's the same error we get from this case:
class C2 {
get #foo() { return 1; }
set #foo(a) { }
m() {
return this.#foo;
}
}
assertThrows(() => { C2.prototype.m.call({}); }, TypeError,
/Object must be an instance of class/);
})();
(function TestBrandCheck_CompoundAssignmentToPrivateMethod() {
class C {
m() {
return this.#pm += 1;
}
#pm() {}
}
assertThrows(() => { C.prototype.m.call({}); }, TypeError,
/Object must be an instance of class/);
})();
Issue: https://crbug.com/v8/11357
Commit: [wasm] Fix data race in lazy compilation
Date(Commit): Wed, 27 Jan 2021 16:48:19 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2653226
Regress : test\mjsunit\regress\wasm\regress-1161555.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-simd --wasm-lazy-compilation
// Test case copied from clusterfuzz, this exercises a bug in WasmCompileLazy
// where we are not correctly pushing the full 128-bits of a SIMD register.
load('test/mjsunit/wasm/wasm-module-builder.js');
const __v_0 = new WasmModuleBuilder();
__v_0.addImportedMemory('m', 'imported_mem');
__v_0.addFunction('main', makeSig([], [])).addBodyWithEnd([
kExprI32Const, 0, kSimdPrefix, kExprS128LoadMem, 0, 0, kExprCallFunction,
0x01, kExprEnd
]);
__v_0.addFunction('function2', makeSig([kWasmS128], [])).addBodyWithEnd([
kExprI32Const, 17, kExprLocalGet, 0, kSimdPrefix, kExprS128StoreMem, 0, 0,
kExprI32Const, 9, kExprLocalGet, 0, kExprCallFunction, 0x02, kExprEnd
]);
__v_0.addFunction('function3', makeSig([kWasmI32, kWasmS128], []))
.addBodyWithEnd([
kExprI32Const, 32, kExprLocalGet, 1, kSimdPrefix, kExprS128StoreMem, 0, 0,
kExprEnd
]);
__v_0.addExport('main');
var __v_1 = new WebAssembly.Memory({
initial: 1,
});
const __v_2 = __v_0.instantiate({m: {imported_mem: __v_1}});
const __v_3 = new Uint8Array(__v_1.buffer);
for (let __v_4 = 0; __v_4 < 16; __v_4++) {
__v_3[__v_4] = __v_4 * 2;
}
__v_2.exports.main();
for (let __v_5 = 0; __v_5 < 16; __v_5++) {
assertEquals(__v_3[__v_5], __v_3[__v_5 + 32]);
}
Issue: https://crbug.com/1170261
Commit: [TurboFan] Relax DCHECK that is too strong
Date(Commit): Wed, 27 Jan 2021 13:38:43 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2652491
Regress : test\mjsunit\regress\regress-1170261.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
function foo(unused1, unused2, bigint) {
const temp = -bigint;
}
function bar() {
const arr = Array();
const obj = Object();
arr.reduce(foo, 0)
}
%PrepareFunctionForOptimization(foo);
foo(0, 0, 2316465375n);
%OptimizeFunctionOnNextCall(foo);
foo(0, 0, 2316465375n);
%PrepareFunctionForOptimization(bar);
bar();
%OptimizeFunctionOnNextCall(bar);
bar();
Issue: https://crbug.com/1168116
Commit: [wasm] Implement pushing of externref parameters on the stack
Date(Commit): Thu, 21 Jan 2021 19:33:12 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2642263
Regress : test\mjsunit\regress\wasm\regress-1168116.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addType(makeSig([kWasmF32, kWasmF32, kWasmI32, kWasmI32, kWasmI32, kWasmExternRef, kWasmI32, kWasmI32, kWasmI32, kWasmI32], [kWasmI64]));
// Generate function 1 (out of 2).
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: l_ffiiiniiii
// body:
]);
// Generate function 2 (out of 2).
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: l_ffiiiniiii
// body:
kExprLocalGet, 0x00, // local.get
kExprLocalGet, 0x01, // local.get
kExprLocalGet, 0x02, // local.get
kExprLocalGet, 0x03, // local.get
kExprI32Const, 0x05, // i32.const
kExprLocalGet, 0x05, // local.get
kExprLocalGet, 0x06, // local.get
kExprLocalGet, 0x07, // local.get
kExprI32Const, 0x5b, // i32.const
kExprI32Const, 0x30, // i32.const
kExprCallFunction, 0x01, // call function #1: l_ffiiiniiii
kExprLocalGet, 0x00, // local.get
kExprLocalGet, 0x01, // local.get
kExprLocalGet, 0x02, // local.get
kExprLocalGet, 0x03, // local.get
kExprLocalGet, 0x07, // local.get
kExprLocalGet, 0x05, // local.get
kExprLocalGet, 0x06, // local.get
kExprLocalGet, 0x07, // local.get
kExprI32Const, 0x7f, // i32.const
kExprI64DivS, // i64.div_s
kExprF64Eq, // f64.eq
kExprI32DivU, // i32.div_u
kExprTableGet, 0x7f, // table.get
kExprI64ShrS, // i64.shr_s
]);
assertThrows(function() { builder.instantiate(); }, WebAssembly.CompileError);
Issue: https://crbug.com/1166095
Commit: [object] Add string reader lock to StringCharacterStream
Date(Commit): Thu, 21 Jan 2021 15:13:10 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2637861
Regress : test\mjsunit\regress\regress-crbug-1166095.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --trace-turbo-reduction
function foo() {
const v11 = new Int8Array(150);
Object(v11,...v11,v11);
}
for (i = 0; i < 100; i++)
foo();
Commit: [d8] Throw Error objects instead of strings by default
Date(Commit): Wed, 20 Jan 2021 14:43:42 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2639767
Regress : test\mjsunit\regress\regress-740694.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony --allow-natives-syntax --stack-size=100
function __f_0() {
try {
return __f_0();
} catch(e) {
return import('no-such-file');
}
}
var done = false;
var error;
var promise = __f_0();
promise.then(assertUnreachable,
err => { done = true; error = err });
%PerformMicrotaskCheckpoint();
assertTrue(error.message.startsWith('d8: Error reading'));
assertTrue(done);
Commit: [TurboFan] Ensure PossiblyBackgroundSerialized objects are considered serialized
Date(Commit): Wed, 20 Jan 2021 18:24:04 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2640479
Regress : test\mjsunit\regress\regress-1168435.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --concurrent-inlining
function bar() {
arr = new Array(4);
iter = arr[Symbol.iterator];
return iter;
}
function foo(a) {
iter = bar();
return iter.isPrototypeOf(iter);
}
%PrepareFunctionForOptimization(foo);
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
Issue: https://crbug.com/v8/11332
Commit: [deoptimizer] Use consistent terms for the bytecode offset
Date(Commit): Wed, 20 Jan 2021 09:41:21 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2639756
Regress : test\mjsunit\regress\regress-2326.js
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// This tests that we do not share optimized code across closures that were
// optimized using OSR (for a particular OSR entry bytecode offset) even if
// caching of optimized code kicks in.
function makeClosure() {
function f(mode, iterations) {
var accumulator = 0;
if (mode == 1) {
while (--iterations > 0) accumulator = Math.ceil(accumulator);
return 1;
} else {
while (--iterations > 0) accumulator = Math.floor(accumulator);
return 2;
}
}
return f;
}
// Generate two closures sharing the same underlying function literal.
var f1 = makeClosure();
var f2 = makeClosure();
// This function should be optimized via OSR in the first tight loop.
assertSame(1, f1(1, 100000));
// This function should be optimized via OSR in the second tight loop.
assertSame(2, f2(2, 100000));
Issue: https://crbug.com/1034322
Commit: Reland "[compiler] Emit a function-entry stack check on OSR-entry"
Date(Commit): Wed, 20 Jan 2021 07:20:50 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2625872
Regress : test\mjsunit\regress\regress-1034322.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --stack-size=103
let ticks = 0;
function v0() {
try { v1(); } catch {}
// This triggers the deopt that may overflow the stack.
try { undefined[null] = null; } catch {}
}
function v1() {
while (!v0()) {
// Trigger OSR early to get a crashing case asap.
if (ticks == 5) %OptimizeOsr();
// With the bug fixed, there's no easy way to trigger termination. Instead,
// run until we reach a certain number of ticks. The crash triggers locally
// at tick 7562, thus running until 20k ticks to be somewhat safe.
if (ticks >= 20000) exit(0);
ticks++;
}
}
%PrepareFunctionForOptimization(v0);
%PrepareFunctionForOptimization(v1);
v0();
Commit: [Turboprop] Avoid using SAME_INPUT_OUTPUT registers for USED_AT_END inputs.
Date(Commit): Mon, 18 Jan 2021 17:57:06 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2632700
Regress : test\mjsunit\regress\regress-1163715.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --turboprop --allow-natives-syntax
let last_value;
let throwFunc;
function foo(count) {
let val = 1;
for (let i = 16; i < count; ++i) {
try {
throwFunc();
} catch (e) {
}
val *= 2;
last_value = val;
}
}
%PrepareFunctionForOptimization(foo);
foo(20);
foo(21);
%OptimizeFunctionOnNextCall(foo);
foo(47);
assertEquals(2147483648, last_value);
Issue: https://crbug.com/1167709
Commit: [compiler] Don't iterate past end of StateValuesAccess iterator
Date(Commit): Tue, 19 Jan 2021 09:48:49 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2637213
Regress : test\mjsunit\regress\regress-1167709-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --no-lazy-feedback-allocation
function __f_0() {
}
function __f_3( __v_7, ...__v_8) {
return new __f_0( ...__v_8);
}
function __f_5() {
__f_3();
}
%PrepareFunctionForOptimization(__f_5);
__f_5();
%OptimizeFunctionOnNextCall(__f_5);
__f_5();
Issue: https://crbug.com/1166136
Commit: [compiler] Use StateValuesAccess to access frame state parameters
Date(Commit): Mon, 18 Jan 2021 08:16:58 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2625879
Regress : test\mjsunit\regress\regress-1166136-2.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax --opt --turbo-inlining
function main() {
function vul(x0, x1, ...args) {
const res = Reflect.construct(Array,args,vul);
let local_1;
let local_2;
let local_3;
let local_4;
let local_5;
return res;
}
%PrepareFunctionForOptimization(vul);
return vul(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12);
}
%PrepareFunctionForOptimization(main);
main();
const unoptimized_result = main();
%OptimizeFunctionOnNextCall(main);
const optimized_result = main();
assertEquals(unoptimized_result, optimized_result);
Issue: https://crbug.com/1165966
Commit: [wasm-simd][ia32] Fix instruction operand constraints for ext mul
Date(Commit): Wed, 13 Jan 2021 04:24:00 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2626711
Regress : test\mjsunit\regress\wasm\regress-1165966.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
// This test case is simplified slightly from a fuzzer-generated test case. It
// causes spills for one of the inputs to kExprI64x2ExtMulHighI32x4U, which the
// codegen incorrectly assumes will always be a register.
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32, false, true);
// Generate function 1 (out of 1).
builder.addFunction(undefined, kSig_i_v)
.addLocals(kWasmI64, 1)
.addBodyWithEnd([
// signature: i_v
// body:
kExprI32Const, 0x00, // i32.const
kExprI32Const, 0x00, // i32.const
kExprI32Const, 0x00, // i32.const
kExprSelectWithType, 0x01, 0x7f, // select
kExprMemoryGrow, 0x00, // memory.grow
kExprI32Const, 0xb0, 0xde, 0xc9, 0x03, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0xb0, 0xe0, 0xc0, 0x01, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprI64x2ExtMulHighI32x4U, 0x01, // i64x2.extmul_high_i32x4_u
kSimdPrefix, kExprF32x4Le, // f32x4.le
kSimdPrefix, kExprI32x4ExtractLane, 0x00, // i32x4.extract_lane
kExprI32DivS, // i32.div_s
kExprEnd, // end @41
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertThrows(
() => instance.exports.main(),
WebAssembly.RuntimeError,
"divide by zero");
Issue: https://crbug.com/v8/1163184
Commit: Evict deoptimized code on feedback vector after creating the closure
Date(Commit): Mon, 11 Jan 2021 09:40:30 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2613034
Regress : test\mjsunit\regress\regress-crbug-1163184.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --stress-compact
let arr = [20];
// This forces arr.concat to create a new dictionary map which can be collected
// on a GC.
arr[Symbol.isConcatSpreadable] = true;
for (let i = 0; i < 4; ++i) {
function tmp() {
// Creates a new map that is collected on a GC.
let c = arr.concat();
// Access something from c, so c's map is embedded in code object.
c.x;
};
%PrepareFunctionForOptimization(tmp);
tmp();
// Optimize on the second iteration, so the optimized code isn't function
// context specialized and installed on feedback vector.
if (i == 1) {
%OptimizeFunctionOnNextCall(tmp);
tmp();
}
// Simulate full Newspace, so on next closure creation we cause a GC.
if (i == 2) %SimulateNewspaceFull();
}
Issue: https://crbug.com/1161357
Commit: [compiler] Update test expectation
Date(Commit): Fri, 8 Jan 2021 09:46:03 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2616220
Regress : test\mjsunit\compiler\regress-1161357.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
for (let i = 0; i < 3; i++) {
for (let j = 0; j < 32767; j++) Number;
for (let j = 0; j < 2335; j++) Number;
var arr = [, ...(new Int16Array(0xffff)), 0.5];
arr.concat(Number, arr)
}
Issue: https://crbug.com/1160677
Commit: [wasm] Remove the --experimental-wasm-bigint flag
Date(Commit): Tue, 5 Jan 2021 17:22:51 +0100
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2610965
Regress : test\mjsunit\regress\wasm\regress-9447.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-simd
load('test/mjsunit/wasm/wasm-module-builder.js');
let kSig_s_v = makeSig([], [kWasmS128]);
// Generate a re-exported function that wraps a JavaScript callable, but with a
// function signature that is incompatible (i.e. simd return type) with JS.
var fun1 = (function GenerateFun1() {
let builder = new WasmModuleBuilder();
function fun() { return 0 }
let fun_index = builder.addImport('m', 'fun', kSig_s_v)
builder.addExport("fun", fun_index);
let instance = builder.instantiate({ m: { fun: fun }});
return instance.exports.fun;
})();
// Generate an exported function that calls the above re-export from another
// module, still with a function signature that is incompatible with JS.
var fun2 = (function GenerateFun2() {
let builder = new WasmModuleBuilder();
let fun_index = builder.addImport("m", "fun", kSig_s_v)
builder.addFunction('main', kSig_v_v)
.addBody([
kExprCallFunction, fun_index,
kExprDrop
])
.exportFunc();
let instance = builder.instantiate({ m: { fun: fun1 }});
return instance.exports.main;
})();
// Both exported functions should throw, no matter how often they get wrapped.
assertThrows(fun1, TypeError,
/type incompatibility when transforming from\/to JS/);
assertThrows(fun2, TypeError,
/type incompatibility when transforming from\/to JS/);
Issue: https://crbug.com/1124885
Commit: [wasm-simd][scalar-lowering] Add regression test
Date(Commit): Tue, 5 Jan 2021 09:05:56 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2610508
Regress : test\mjsunit\regress\wasm\regress-1124885.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-simd
// This exercises an bug in scalar-lowering for load transforms. In
// particular, if the index input to v128.load32_splat was a extract_lane, the
// input wasn't correctly lowered. This caused the extract_lane node to stick
// around until code-generator, where we hit a mismatch in the register types.
load('test/mjsunit/wasm/wasm-module-builder.js');
(function() {
const builder = new WasmModuleBuilder();
builder.addMemory(1, 1);
builder.addFunction(undefined, kSig_i_ii)
.addBodyWithEnd([
kExprI32Const, 0,
kExprLocalGet, 0,
kExprI32StoreMem, 0, 0,
kExprI32Const, 4,
kExprLocalGet, 0,
kExprI32StoreMem, 0, 0,
kExprI32Const, 8,
kExprLocalGet, 0,
kExprI32StoreMem, 0, 0,
kExprI32Const, 12,
kExprLocalGet, 0,
kExprI32StoreMem, 0, 0,
// Memory now looks like (in bytes):
// [4, 0, 0, 0, 4, 0, 0, 0, 4, 0, 0, 0, 4, 0, 0, 0]
kExprI32Const, 0,
kSimdPrefix, kExprS128LoadMem, 0, 0,
kSimdPrefix, kExprI32x4ExtractLane, 0,
// load 32-bit from byte 4, then splat to all lanes.
kSimdPrefix, kExprS128Load32Splat, 0, 0,
kSimdPrefix, kExprI32x4ExtractLane, 3,
kExprEnd,
])
.exportAs('main');
const instance = builder.instantiate();
assertEquals(4, instance.exports.main(4));
})();
Issue: https://crbug.com/v8/11282
Commit: [ia32][wasm-simd] Fix s128select
Date(Commit): Tue, 5 Jan 2021 00:32:53 +0000
Code Review : https://chromium-review.googlesource.com/c/v8/v8/+/2603764
Regress : test\mjsunit\regress\wasm\regress-1161954.js
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
// This test is manually reduced from a fuzzer test case at
// https://crbug.com/1161954. This exercises a bug in IA32 instruction
// selection for v128.select, in the AVX case it was too flexible and allowed
// the input operands to be slots, but the code-gen required them to be
// registers.
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
// Generate function 1 (out of 1).
builder.addFunction(undefined, kSig_i_v)
.addBodyWithEnd([
// signature: i_v
// body:
kExprI32Const, 0x37, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0xb9, 0xf2, 0xd8, 0x01, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprS128AndNot, // s128.andnot
kExprI32Const, 0xb2, 0xf2, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0xf2, 0x82, 0x02, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprF64x2Max, 0x01, // f64x2.max
kSimdPrefix, kExprI16x8Add, 0x01, // i16x8.add
kSimdPrefix, kExprS128Or, // s128.or
kSimdPrefix, kExprI8x16Neg, // i8x16.neg
kExprI32Const, 0x8e, 0x1c, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x9d, 0x26, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0xf0, 0xe0, 0x01, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprI8x16LeS, // i8x16.le_s
kSimdPrefix, kExprI8x16LeS, // i8x16.le_s
kExprI32Const, 0xff, 0xfb, 0x03, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x93, 0x26, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x9d, 0x26, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprI8x16GtU, // i8x16.gt_u
kExprI32Const, 0xf0, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprI16x8Mul, 0x01, // i16x8.mul
kSimdPrefix, kExprF32x4Ge, // f32x4.ge
kSimdPrefix, kExprI8x16LeS, // i8x16.le_s
kSimdPrefix, kExprI8x16LeS, // i8x16.le_s
kExprI32Const, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0xc1, 0x8e, 0x35, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x0d, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprI32x4Ne, // i32x4.ne
kSimdPrefix, kExprF32x4Ge, // f32x4.ge
kSimdPrefix, kExprI8x16LeS, // i8x16.le_s
kExprI32Const, 0xc1, 0x8e, 0x35, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x0d, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprS128Select, // s128.select
kSimdPrefix, kExprF64x2Div, 0x01, // f64x2.div
kSimdPrefix, kExprF64x2ExtractLane, 0x00, // f64x2.extract_lane
kNumericPrefix, kExprI32SConvertSatF64, // i32.trunc_sat_f64_s
kExprEnd, // end @142
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
print(instance.exports.main());