Update V8 to version 4.1.0.21
This is a cherry-pick of all commits up to and including the
4.1.0.21 cherry-pick in Chromium.
Original commit message:
Version 4.1.0.21 (cherry-pick)
Merged 206e9136bde0f2b5ae8cb77afbb1e7833e5bd412
Unlink pages from the space page list after evacuation.
BUG=430201
LOG=N
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/953813002
Cr-Commit-Position: refs/branch-heads/4.1@{#22}
Cr-Branched-From: 2e08d2a7aa9d65d269d8c57aba82eb38a8cb0a18-refs/heads/candidates@{#25353}
---
FPIIM-449
Change-Id: I8c23c7bbb70772b4858fe8a47b64fa97ee0d1f8c
diff --git a/test/mjsunit/regress/regress-136048.js b/test/mjsunit/regress/regress-136048.js
index c9972e9..21ae622 100644
--- a/test/mjsunit/regress/regress-136048.js
+++ b/test/mjsunit/regress/regress-136048.js
@@ -26,9 +26,9 @@
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
try {
- /foo/\u0069
+ eval("/foo/\\u0069")
} catch (e) {
assertEquals(
- "SyntaxError: Invalid flags supplied to RegExp constructor '\\u0069'",
+ "SyntaxError: Invalid regular expression flags",
e.toString());
}
diff --git a/test/mjsunit/regress/regress-1757.js b/test/mjsunit/regress/regress-1757.js
index 35e7355..a850f70 100644
--- a/test/mjsunit/regress/regress-1757.js
+++ b/test/mjsunit/regress/regress-1757.js
@@ -27,6 +27,7 @@
// Flags: --string-slices --expose-externalize-string
-var a = "abcdefghijklmnopqrstuvqxy"+"z";
+var a = "internalized dummy";
+a = "abcdefghijklmnopqrstuvqxy"+"z";
externalizeString(a, true);
assertEquals('b', a.substring(1).charAt(0));
diff --git a/test/mjsunit/regress/regress-2506.js b/test/mjsunit/regress/regress-2506.js
new file mode 100644
index 0000000..0eb2770
--- /dev/null
+++ b/test/mjsunit/regress/regress-2506.js
@@ -0,0 +1,78 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --harmony-scoping
+
+'use strict';
+
+// Top-level code
+let s = 0;
+let f = [undefined, undefined, undefined]
+for (const x of [1,2,3]) {
+ s += x;
+ f[x-1] = function() { return x; }
+}
+assertEquals(6, s);
+assertEquals(1, f[0]());
+assertEquals(2, f[1]());
+assertEquals(3, f[2]());
+
+let x = 1;
+s = 0;
+for (const x of [x, x+1, x+2]) {
+ s += x;
+}
+assertEquals(6, s);
+
+s = 0;
+var q = 1;
+for (const q of [q, q+1, q+2]) {
+ s += q;
+}
+assertEquals(6, s);
+
+let z = 1;
+s = 0;
+for (const x = 1; z < 2; z++) {
+ s += x + z;
+}
+assertEquals(2, s);
+
+
+s = "";
+for (const x in [1,2,3]) {
+ s += x;
+}
+assertEquals("012", s);
+
+assertThrows("'use strict'; for (const x in [1,2,3]) { x++ }", TypeError);
+
+// Function scope
+(function() {
+ let s = 0;
+ for (const x of [1,2,3]) {
+ s += x;
+ }
+ assertEquals(6, s);
+
+ let x = 1;
+ s = 0;
+ for (const x of [x, x+1, x+2]) {
+ s += x;
+ }
+ assertEquals(6, s);
+
+ s = 0;
+ var q = 1;
+ for (const q of [q, q+1, q+2]) {
+ s += q;
+ }
+ assertEquals(6, s);
+
+ s = "";
+ for (const x in [1,2,3]) {
+ s += x;
+ }
+ assertEquals("012", s);
+}());
diff --git a/test/mjsunit/regress/regress-2615.js b/test/mjsunit/regress/regress-2615.js
new file mode 100644
index 0000000..6b277e8
--- /dev/null
+++ b/test/mjsunit/regress/regress-2615.js
@@ -0,0 +1,96 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+a = [1];
+Object.defineProperty(a, "1", {writable:false, configurable:false, value: 100});
+assertThrows("a.unshift(4);", TypeError);
+assertEquals([1, 100, 100], a);
+var desc = Object.getOwnPropertyDescriptor(a, "1");
+assertEquals(false, desc.writable);
+assertEquals(false, desc.configurable);
+
+a = [1];
+var g = function() { return 100; };
+Object.defineProperty(a, "1", {get:g});
+assertThrows("a.unshift(0);", TypeError);
+assertEquals([1, 100, 100], a);
+desc = Object.getOwnPropertyDescriptor(a, "1");
+assertEquals(false, desc.configurable);
+assertEquals(g, desc.get);
+
+a = [1];
+var c = 0;
+var s = function(v) { c += 1; };
+Object.defineProperty(a, "1", {set:s});
+a.unshift(10);
+assertEquals([10, undefined, undefined], a);
+assertEquals(1, c);
+desc = Object.getOwnPropertyDescriptor(a, "1");
+assertEquals(false, desc.configurable);
+assertEquals(s, desc.set);
+
+a = [1];
+Object.defineProperty(a, "1", {configurable:false, value:10});
+assertThrows("a.splice(1,1);", TypeError);
+assertEquals([1, 10], a);
+desc = Object.getOwnPropertyDescriptor(a, "1");
+assertEquals(false, desc.configurable);
+
+a = [0,1,2,3,4,5,6];
+Object.defineProperty(a, "3", {configurable:false, writable:false, value:3});
+assertThrows("a.splice(1,4);", TypeError);
+assertEquals([0,5,6,3,,,,], a);
+desc = Object.getOwnPropertyDescriptor(a, "3");
+assertEquals(false, desc.configurable);
+assertEquals(false, desc.writable);
+
+a = [0,1,2,3,4,5,6];
+Object.defineProperty(a, "5", {configurable:false, value:5});
+assertThrows("a.splice(1,4);", TypeError);
+assertEquals([0,5,6,3,4,5,,], a);
+desc = Object.getOwnPropertyDescriptor(a, "5");
+assertEquals(false, desc.configurable);
+
+a = [1,2,3,,5];
+Object.defineProperty(a, "1", {configurable:false, writable:true, value:2});
+assertEquals(1, a.shift());
+assertEquals([2,3,,5], a);
+desc = Object.getOwnPropertyDescriptor(a, "1");
+assertEquals(false, desc.configurable);
+assertEquals(true, desc.writable);
+assertThrows("a.shift();", TypeError);
+assertEquals([3,3,,5], a);
+desc = Object.getOwnPropertyDescriptor(a, "1");
+assertEquals(false, desc.configurable);
+assertEquals(true, desc.writable);
+
+a = [1,2,3];
+Object.defineProperty(a, "2", {configurable:false, value:3});
+assertThrows("a.pop();", TypeError);
+assertEquals([1,2,3], a);
+desc = Object.getOwnPropertyDescriptor(a, "2");
+assertEquals(false, desc.configurable);
diff --git a/test/mjsunit/regress/regress-3229.js b/test/mjsunit/regress/regress-3229.js
new file mode 100644
index 0000000..1a0ed64
--- /dev/null
+++ b/test/mjsunit/regress/regress-3229.js
@@ -0,0 +1,26 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Escape '/'.
+function testEscapes(expected, regexp) {
+ assertEquals(expected, regexp.source);
+ assertEquals("/" + expected + "/", regexp.toString());
+}
+
+testEscapes("\\/", /\//);
+testEscapes("\\/\\/", /\/\//);
+testEscapes("\\/", new RegExp("/"));
+testEscapes("\\/", new RegExp("\\/"));
+testEscapes("\\\\/", new RegExp("\\\\/"));
+testEscapes("\\/\\/", new RegExp("\\/\\/"));
+testEscapes("\\/\\/\\/\\/", new RegExp("////"));
+testEscapes("\\/\\/\\/\\/", new RegExp("\\//\\//"));
+testEscapes("(?:)", new RegExp(""));
+testEscapes("(?:)", RegExp.prototype);
+
+// Read-only property.
+var r = /\/\//;
+testEscapes("\\/\\/", r);
+r.source = "garbage";
+testEscapes("\\/\\/", r);
diff --git a/test/mjsunit/regress/regress-3483.js b/test/mjsunit/regress/regress-3483.js
new file mode 100644
index 0000000..dec95c4
--- /dev/null
+++ b/test/mjsunit/regress/regress-3483.js
@@ -0,0 +1,30 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+assertFalse(Object.prototype.isPrototypeOf.call());
+assertFalse(Object.prototype.isPrototypeOf.call(null, 1));
+assertFalse(Object.prototype.isPrototypeOf.call(undefined, 1));
diff --git a/test/mjsunit/regress/regress-3612.js b/test/mjsunit/regress/regress-3612.js
new file mode 100644
index 0000000..8c30ebf
--- /dev/null
+++ b/test/mjsunit/regress/regress-3612.js
@@ -0,0 +1,21 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = [1];
+var getterValue = 2;
+var endIndex = 0xffff;
+Object.defineProperty(a, endIndex, {
+ get: function() {
+ this[1] = 3;
+ return getterValue;
+ },
+ set: function(val) {
+ getterValue = val;
+ },
+ configurable: true,
+ enumerable: true
+});
+a.reverse();
+assertFalse(a.hasOwnProperty(1));
+assertEquals(3, a[endIndex-1]);
diff --git a/test/mjsunit/regress/regress-3621.js b/test/mjsunit/regress/regress-3621.js
new file mode 100644
index 0000000..16ddde1
--- /dev/null
+++ b/test/mjsunit/regress/regress-3621.js
@@ -0,0 +1,11 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = [];
+var endIndex = 0xffff;
+a[endIndex] = 3;
+Object.defineProperty(a, 0, { get: function() { this[1] = 2; return 1; } });
+assertEquals('123', a.join(''));
+delete a[1]; // reset the array
+assertEquals('1,2,', a.join().slice(0, 4));
diff --git a/test/mjsunit/regress/regress-3643.js b/test/mjsunit/regress/regress-3643.js
new file mode 100644
index 0000000..bbc94fd
--- /dev/null
+++ b/test/mjsunit/regress/regress-3643.js
@@ -0,0 +1,30 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function newArrayWithGetter() {
+ var arr = [1, 2, 3];
+ Object.defineProperty(arr, '1', {
+ get: function() { delete this[1]; return undefined; },
+ configurable: true
+ });
+ return arr;
+}
+
+var a = newArrayWithGetter();
+var s = a.slice(1);
+assertTrue('0' in s);
+
+// Sparse case should hit the same code as above due to presence of the getter.
+a = newArrayWithGetter();
+a[0xffff] = 4;
+s = a.slice(1);
+assertTrue('0' in s);
+
+a = newArrayWithGetter();
+a.shift();
+assertTrue('0' in a);
+
+a = newArrayWithGetter();
+a.unshift(0);
+assertTrue('2' in a);
diff --git a/test/mjsunit/regress/regress-3687.js b/test/mjsunit/regress/regress-3687.js
new file mode 100644
index 0000000..e1df1b4
--- /dev/null
+++ b/test/mjsunit/regress/regress-3687.js
@@ -0,0 +1,22 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var t1 = { f1: 0 };
+var t2 = { f2: 0 };
+
+var z = {
+ x: {
+ x: t1,
+ y: {
+ x: {},
+ z1: {
+ x: t2,
+ y: 1
+ }
+ }
+ },
+ z2: 0
+};
diff --git a/test/mjsunit/regress/regress-3709.js b/test/mjsunit/regress/regress-3709.js
new file mode 100644
index 0000000..d2de711
--- /dev/null
+++ b/test/mjsunit/regress/regress-3709.js
@@ -0,0 +1,28 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function getobj() {
+ return { bar : function() { return 0}};
+}
+
+function foo() {
+ var obj = getobj();
+ var length = arguments.length;
+ if (length == 0) {
+ obj.bar();
+ } else {
+ obj.bar.apply(obj, arguments);
+ }
+}
+
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();
+assertOptimized(foo);
+foo(10);
+assertUnoptimized(foo);
+%ClearFunctionTypeFeedback(foo);
diff --git a/test/mjsunit/regress/regress-3717.js b/test/mjsunit/regress/regress-3717.js
new file mode 100644
index 0000000..1f7bc7d
--- /dev/null
+++ b/test/mjsunit/regress/regress-3717.js
@@ -0,0 +1,33 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-debug-as debug --no-lazy
+
+Debug = debug.Debug;
+var exception = null;
+var break_count = 0;
+
+function f() {
+ function g(p) {
+ return 1;
+ }
+ g(1);
+};
+
+function listener(event, exec_state, event_data, data) {
+ try {
+ if (event == Debug.DebugEvent.Break) break_count++;
+ } catch (e) {
+ exception = e;
+ }
+}
+
+Debug.setListener(listener);
+var bp = Debug.setBreakPoint(f, 2);
+f();
+Debug.clearBreakPoint(bp);
+Debug.setListener(null);
+
+assertEquals(1, break_count);
+assertNull(exception);
diff --git a/test/mjsunit/regress/regress-3756.js b/test/mjsunit/regress/regress-3756.js
new file mode 100644
index 0000000..6b1f029
--- /dev/null
+++ b/test/mjsunit/regress/regress-3756.js
@@ -0,0 +1,74 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(function TestIdentityEscapes() {
+ // \u not followed by 4 hex digits is treated as an identity escape.
+ var r0 = /\u/;
+ assertTrue(r0.test("u"));
+
+ r0 = RegExp("\\u");
+ assertTrue(r0.test("u"));
+
+ var r1 = /\usecond/;
+ assertTrue(r1.test("usecond"));
+
+ r1 = RegExp("\\usecond");
+ assertTrue(r1.test("usecond"));
+
+ var r2 = /first\u/;
+ assertTrue(r2.test("firstu"));
+ // This used to return true (which was a bug).
+ assertFalse(r2.test("first\\u"));
+
+ r2 = RegExp("first\\u");
+ assertTrue(r2.test("firstu"));
+ // This used to return true (which was a bug).
+ assertFalse(r2.test("first\\u"));
+
+ var r3 = /first\usecond/;
+ assertTrue(r3.test("firstusecond"));
+ assertFalse(r3.test("first\\usecond"));
+
+ r3 = RegExp("first\\usecond");
+ assertTrue(r3.test("firstusecond"));
+ assertFalse(r3.test("first\\usecond"));
+
+ var r4 = /first\u123second/;
+ assertTrue(r4.test("firstu123second"));
+ assertFalse(r4.test("first\\u123second"));
+
+ r4 = RegExp("first\\u123second");
+ assertTrue(r4.test("firstu123second"));
+ assertFalse(r4.test("first\\u123second"));
+
+ // \X where X is not a legal escape character is treated as identity escape
+ // too.
+ var r5 = /\a/;
+ assertTrue(r5.test("a"));
+
+ r5 = RegExp("\\a");
+ assertTrue(r5.test("a"));
+
+ var r6 = /\asecond/;
+ assertTrue(r6.test("asecond"));
+
+ r6 = RegExp("\\asecond");
+ assertTrue(r6.test("asecond"));
+
+ var r7 = /first\a/;
+ assertTrue(r7.test("firsta"));
+ assertFalse(r7.test("first\\a"));
+
+ r7 = RegExp("first\\a");
+ assertTrue(r7.test("firsta"));
+ assertFalse(r7.test("first\\a"));
+
+ var r8 = /first\asecond/;
+ assertTrue(r8.test("firstasecond"));
+ assertFalse(r8.test("first\\asecond"));
+
+ r8 = RegExp("first\\asecond");
+ assertTrue(r8.test("firstasecond"));
+ assertFalse(r8.test("first\\asecond"));
+})();
diff --git a/test/mjsunit/regress/regress-385565.js b/test/mjsunit/regress/regress-385565.js
new file mode 100644
index 0000000..d2a0875
--- /dev/null
+++ b/test/mjsunit/regress/regress-385565.js
@@ -0,0 +1,70 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax --noalways-opt
+
+var calls = 0;
+
+function callsFReceiver(o) {
+ return [].f.call(new Number(o.m), 1, 2, 3);
+}
+
+// For the HConstant
+Array.prototype.f = function() {
+ calls++;
+ return +this;
+};
+
+
+var o1 = {m: 1};
+var o2 = {a: 0, m:1};
+
+var r1 = callsFReceiver(o1);
+callsFReceiver(o1);
+%OptimizeFunctionOnNextCall(callsFReceiver);
+var r2 = callsFReceiver(o1);
+assertOptimized(callsFReceiver);
+callsFReceiver(o2);
+assertUnoptimized(callsFReceiver);
+var r3 = callsFReceiver(o1);
+
+assertEquals(1, r1);
+assertTrue(r1 === r2);
+assertTrue(r2 === r3);
+
+r1 = callsFReceiver(o1);
+callsFReceiver(o1);
+%OptimizeFunctionOnNextCall(callsFReceiver);
+r2 = callsFReceiver(o1);
+callsFReceiver(o2);
+r3 = callsFReceiver(o1);
+
+assertEquals(1, r1);
+assertTrue(r1 === r2);
+assertTrue(r2 === r3);
+
+assertEquals(10, calls);
diff --git a/test/mjsunit/regress/regress-410030.js b/test/mjsunit/regress/regress-410030.js
new file mode 100644
index 0000000..efd4b1e
--- /dev/null
+++ b/test/mjsunit/regress/regress-410030.js
@@ -0,0 +1,43 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+try {
+ throw 0;
+} catch(e) {
+ assertSame(3, eval("delete x; const x=3; x"));
+}
+
+
+try {
+ throw 0;
+} catch(e) {
+ assertSame(3, (1,eval)("delete x1; const x1=3; x1"));
+}
+
+
+try {
+ throw 0;
+} catch(e) {
+ with({}) {
+ assertSame(3, eval("delete x2; const x2=3; x2"));
+ }
+}
+
+
+(function f() {
+ try {
+ throw 0;
+ } catch(e) {
+ assertSame(3, eval("delete x; const x=3; x"));
+ }
+}());
+
+
+(function f() {
+ try {
+ throw 0;
+ } catch(e) {
+ assertSame(3, (1,eval)("delete x4; const x4=3; x4"));
+ }
+}());
diff --git a/test/mjsunit/regress/regress-416730.js b/test/mjsunit/regress/regress-416730.js
new file mode 100644
index 0000000..8d7f207
--- /dev/null
+++ b/test/mjsunit/regress/regress-416730.js
@@ -0,0 +1,24 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var d = {x: undefined, y: undefined};
+
+function Crash(left, right) {
+ var c = {
+ x: right.x - left.x,
+ y: right.y - left.y
+ };
+ return c.x * c.y;
+}
+
+var a = {x: 0.5, y: 0};
+var b = {x: 1, y: 0};
+
+for (var i = 0; i < 3; i++) Crash(a, b);
+%OptimizeFunctionOnNextCall(Crash);
+Crash(a, b);
+
+Crash({x: 0, y: 0.5}, b);
diff --git a/test/mjsunit/regress/regress-417709a.js b/test/mjsunit/regress/regress-417709a.js
new file mode 100644
index 0000000..7c4d4f7
--- /dev/null
+++ b/test/mjsunit/regress/regress-417709a.js
@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --stack-size=100 --turbo-deoptimization
+
+var a = [];
+
+Object.observe(a, function() {});
+
+function f(a, x) {
+ a.length = x;
+ f(a, x + 1);
+}
+
+assertThrows(function() { f(a, 1); }, RangeError);
diff --git a/test/mjsunit/regress/regress-417709b.js b/test/mjsunit/regress/regress-417709b.js
new file mode 100644
index 0000000..7680543
--- /dev/null
+++ b/test/mjsunit/regress/regress-417709b.js
@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --stack-size=100
+
+var a = [];
+
+Array.observe(a, function() {});
+
+function f(a, x) {
+ a.length = x;
+ f(a, x + 1);
+}
+
+assertThrows(function() { f(a, 1); }, RangeError);
diff --git a/test/mjsunit/regress/regress-419663.js b/test/mjsunit/regress/regress-419663.js
new file mode 100644
index 0000000..6f51741
--- /dev/null
+++ b/test/mjsunit/regress/regress-419663.js
@@ -0,0 +1,37 @@
+// Copyright 2012 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-debug-as debug
+
+var o = {
+ f: function(x) {
+ var a = x + 1;
+ o = 1;
+ }
+}
+
+function sentinel() {}
+
+var Debug = debug.Debug;
+
+Debug.setListener(function() {});
+
+var script = Debug.findScript(sentinel);
+
+// Used in Debug.setScriptBreakPointById.
+var p = Debug.findScriptSourcePosition(script, 9, 0);
+var q = Debug.setBreakPointByScriptIdAndPosition(script.id, p).actual_position;
+var r = Debug.setBreakPointByScriptIdAndPosition(script.id, q).actual_position;
+
+assertEquals(q, r);
+
+function assertLocation(p, l, c) {
+ var location = script.locationFromPosition(p, false);
+ assertEquals(l, location.line);
+ assertEquals(c, location.column);
+}
+
+assertLocation(p, 9, 0);
+assertLocation(q, 9, 4);
+assertLocation(r, 9, 4);
diff --git a/test/mjsunit/regress/regress-423633.js b/test/mjsunit/regress/regress-423633.js
new file mode 100644
index 0000000..12d2483
--- /dev/null
+++ b/test/mjsunit/regress/regress-423633.js
@@ -0,0 +1,18 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+Object.defineProperty(Array.prototype, '0', {
+ get: function() { return false; },
+});
+var a = [1, 2, 3];
+assertEquals(a, a.slice());
+assertEquals([3], a.splice(2, 1));
+
+a = [1, 2, 3];
+a[0xffff] = 4;
+// nulling the prototype lets us stay in the sparse case; otherwise the
+// getter on Array.prototype would force us into the non-sparse code.
+a.__proto__ = null;
+assertEquals(a, Array.prototype.slice.call(a));
+assertEquals([3], Array.prototype.splice.call(a, 2, 1));
diff --git a/test/mjsunit/regress/regress-425551.js b/test/mjsunit/regress/regress-425551.js
new file mode 100644
index 0000000..eee5e32
--- /dev/null
+++ b/test/mjsunit/regress/regress-425551.js
@@ -0,0 +1,7 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var array = new Int8Array(10);
+array[/\u007d\u00fc\u0043/] = 1.499
+assertEquals(1.499, array[/\u007d\u00fc\u0043/]);
diff --git a/test/mjsunit/regress/regress-430201.js b/test/mjsunit/regress/regress-430201.js
new file mode 100644
index 0000000..b53383e
--- /dev/null
+++ b/test/mjsunit/regress/regress-430201.js
@@ -0,0 +1,41 @@
+// Copyright 2010 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+var array_1 = [];
+
+%SetFlags("--stress-compaction");
+for (var a = 0; a < 10000; a++) { array_1[a * 100] = 0; }
+
+gc();
+gc();
+
+var array_2 = [];
+for (var i = 0; i < 321361; i++) {
+ array_2[i] = String.fromCharCode(i)[0];
+}
diff --git a/test/mjsunit/regress/regress-435073.js b/test/mjsunit/regress/regress-435073.js
new file mode 100644
index 0000000..dbaa612
--- /dev/null
+++ b/test/mjsunit/regress/regress-435073.js
@@ -0,0 +1,12 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --verify-heap
+
+function test(x) { [x,,]; }
+
+test(0);
+test(0);
+%OptimizeFunctionOnNextCall(test);
+test(0);
diff --git a/test/mjsunit/regress/regress-435477.js b/test/mjsunit/regress/regress-435477.js
new file mode 100644
index 0000000..0a15000
--- /dev/null
+++ b/test/mjsunit/regress/regress-435477.js
@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+var a = new Array(128);
+
+function f(a, base) {
+ a[base] = 2;
+}
+
+f(a, undefined);
+f("r12", undefined);
+f(a, 0);
+%OptimizeFunctionOnNextCall(f);
+f(a, 0);
diff --git a/test/mjsunit/regress/regress-436893.js b/test/mjsunit/regress/regress-436893.js
new file mode 100644
index 0000000..38e7b5f
--- /dev/null
+++ b/test/mjsunit/regress/regress-436893.js
@@ -0,0 +1,37 @@
+// Copyright 2010 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Flags: --allow-natives-syntax
+
+var x = 11;
+function foo() {
+ return 42;
+}
+// Test passing null or undefined as receiver.
+function g() { return foo.apply(null, x()++); }
+%OptimizeFunctionOnNextCall(g);
+assertThrows(g);
diff --git a/test/mjsunit/regress/regress-436896.js b/test/mjsunit/regress/regress-436896.js
new file mode 100644
index 0000000..344a7a3
--- /dev/null
+++ b/test/mjsunit/regress/regress-436896.js
@@ -0,0 +1,17 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(x) {
+ const x = 0;
+ return x;
+}
+
+function g(x) {
+ return f(x);
+}
+
+%OptimizeFunctionOnNextCall(g);
+assertThrows(function() { g(42); }, TypeError);
diff --git a/test/mjsunit/regress/regress-437765.js b/test/mjsunit/regress/regress-437765.js
new file mode 100644
index 0000000..88d5388
--- /dev/null
+++ b/test/mjsunit/regress/regress-437765.js
@@ -0,0 +1,22 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --no-fold-constants
+
+function foo(x, y) {
+ return Math.floor(x / y);
+}
+
+function bar(x, y) {
+ return foo(x + 1, y + 1);
+}
+
+function baz() {
+ bar(64, 2);
+}
+
+baz();
+baz();
+%OptimizeFunctionOnNextCall(baz);
+baz();
diff --git a/test/mjsunit/regress/regress-441099.js b/test/mjsunit/regress/regress-441099.js
new file mode 100644
index 0000000..63aecfd
--- /dev/null
+++ b/test/mjsunit/regress/regress-441099.js
@@ -0,0 +1,53 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var Module;
+if (!Module) Module = eval('(function() { try { return Module || {} } catch(e) { return {} } })()');
+else if (ENVIRONMENT_IS_SHELL) {
+}
+var Runtime = {
+ stackSave: function () {
+ },
+ alignMemory: function (quantum) { var ret = size = Math.ceil()*(quantum ? quantum : 8); return ret; }}
+function allocate() {
+}
+function callRuntimeCallbacks(callbacks) {
+ var callback = callbacks.shift();
+ var func = callback.func;
+ if (typeof func === 'number') {
+ } else {
+ func();
+ }
+}
+var __ATINIT__ = []; // functions called during startup
+function ensureInitRuntime() {
+ callRuntimeCallbacks(__ATINIT__);
+}
+/* global initializers */ __ATINIT__.push({ func: function() { runPostSets() } });
+ function __formatString() {
+ switch (next) {
+ }
+ }
+ var Browser={mainLoop:{queue:[],pause:function () {
+ }},moduleContextCreatedCallbacks:[],workers:[],init:function () {
+ }};
+var asm = (function() {
+ 'use asm';
+function setThrew() {
+}
+function runPostSets() {
+}
+function _main() {
+}
+function _free() {
+}
+ return { runPostSets: runPostSets};
+})
+();
+var runPostSets = Module["runPostSets"] = asm["runPostSets"];
+var i64Math = (function() { // Emscripten wrapper
+ /**
+ */
+})();
+ ensureInitRuntime();
diff --git a/test/mjsunit/regress/regress-447756.js b/test/mjsunit/regress/regress-447756.js
new file mode 100644
index 0000000..1fc7518
--- /dev/null
+++ b/test/mjsunit/regress/regress-447756.js
@@ -0,0 +1,48 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+function TestConstructor(c) {
+ var a = new c(-0);
+ assertSame(Infinity, 1 / a.length);
+ assertSame(Infinity, 1 / a.byteLength);
+
+ var ab = new ArrayBuffer(-0);
+ assertSame(Infinity, 1 / ab.byteLength);
+
+ var a1 = new c(ab, -0, -0);
+ assertSame(Infinity, 1 / a1.length);
+ assertSame(Infinity, 1 / a1.byteLength);
+ assertSame(Infinity, 1 / a1.byteOffset);
+}
+
+var constructors =
+ [ Uint8Array, Int8Array, Uint8ClampedArray,
+ Uint16Array, Int16Array,
+ Uint32Array, Int32Array,
+ Float32Array, Float64Array ];
+for (var i = 0; i < constructors.length; i++) {
+ TestConstructor(constructors[i]);
+}
+
+
+function TestOptimizedCode() {
+ var a = new Uint8Array(-0);
+ assertSame(Infinity, 1 / a.length);
+ assertSame(Infinity, 1 / a.byteLength);
+
+ var ab = new ArrayBuffer(-0);
+ assertSame(Infinity, 1 / ab.byteLength);
+
+ var a1 = new Uint8Array(ab, -0, -0);
+ assertSame(Infinity, 1 / a1.length);
+ assertSame(Infinity, 1 / a1.byteLength);
+ assertSame(Infinity, 1 / a1.byteOffset);
+}
+
+%OptimizeFunctionOnNextCall(Uint8Array);
+for (var i = 0; i < 1000; i++) {
+ TestOptimizedCode();
+}
diff --git a/test/mjsunit/regress/regress-78270.js b/test/mjsunit/regress/regress-78270.js
index b9ce286..02c4b14 100644
--- a/test/mjsunit/regress/regress-78270.js
+++ b/test/mjsunit/regress/regress-78270.js
@@ -25,6 +25,8 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+// Flags: --turbo-deoptimization
+
for (var i = 0; i < 10000; i++) {
try {
var object = { };
diff --git a/test/mjsunit/regress/regress-assignment-in-test-context.js b/test/mjsunit/regress/regress-assignment-in-test-context.js
new file mode 100644
index 0000000..bc40985
--- /dev/null
+++ b/test/mjsunit/regress/regress-assignment-in-test-context.js
@@ -0,0 +1,20 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --always-opt
+// Flags: --turbo-filter=* --turbo-deoptimization
+
+function assertEquals() {}
+
+function f(o) {
+ if (o.setterProperty = 0) {
+ return 1;
+ }
+ return 2;
+}
+
+function deopt() { %DeoptimizeFunction(f); }
+
+assertEquals(2,
+ f(Object.defineProperty({}, "setterProperty", { set: deopt })));
diff --git a/test/mjsunit/regress/regress-crbug-109362.js b/test/mjsunit/regress/regress-crbug-109362.js
new file mode 100644
index 0000000..b156013
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-109362.js
@@ -0,0 +1,26 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+function test(expectation, f) {
+ var stack;
+ try {
+ f();
+ } catch (e) {
+ stack = e.stack;
+ }
+ print(stack);
+ assertTrue(stack.indexOf("at eval (evaltest:" + expectation + ")") > 0);
+}
+
+test("1:5", new Function(
+ '1 + reference_error //@ sourceURL=evaltest'));
+test("2:6", new Function(
+ 'x', '\n 1 + reference_error //@ sourceURL=evaltest'));
+test("2:6", new Function(
+ 'x\n\n', "z//\n", "y", '\n 1 + reference_error //@ sourceURL=evaltest'));
+test("1:5", new Function(
+ 'x/*', "z//\n", "y*/", '1 + reference_error //@ sourceURL=evaltest'));
+test("2:6", eval(
+ '(function () {\n 1 + reference_error //@ sourceURL=evaltest\n})'));
diff --git a/test/mjsunit/regress/regress-crbug-320922.js b/test/mjsunit/regress/regress-crbug-320922.js
index 9ba759a..f199628 100644
--- a/test/mjsunit/regress/regress-crbug-320922.js
+++ b/test/mjsunit/regress/regress-crbug-320922.js
@@ -27,8 +27,10 @@
// Flags: --allow-natives-syntax
-var string = "hello world";
-var expected = "Hello " + "world";
+var string = "internalized dummy";
+var expected = "internalized dummy";
+string = "hello world";
+expected = "Hello " + "world";
function Capitalize() {
%_OneByteSeqStringSetChar(0, 0x48, string);
}
diff --git a/test/mjsunit/regress/regress-crbug-323936.js b/test/mjsunit/regress/regress-crbug-323936.js
new file mode 100644
index 0000000..d896ead
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-323936.js
@@ -0,0 +1,46 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-debug-as debug
+
+Debug = debug.Debug;
+
+var step = 0;
+var exception = null;
+
+function listener(event, exec_state, event_data, data) {
+ if (event != Debug.DebugEvent.Break) return;
+ try {
+ if (step == 0) {
+ assertEquals("error", exec_state.frame(0).evaluate("e").value());
+ exec_state.frame(0).evaluate("e = 'foo'");
+ exec_state.frame(0).evaluate("x = 'modified'");
+ } else {
+ assertEquals("argument", exec_state.frame(0).evaluate("e").value());
+ exec_state.frame(0).evaluate("e = 'bar'");
+ }
+ step++;
+ } catch (e) {
+ print(e + e.stack);
+ exception = e;
+ }
+}
+
+Debug.setListener(listener);
+
+function f(e, x) {
+ try {
+ throw "error";
+ } catch(e) {
+ debugger;
+ assertEquals("foo", e);
+ }
+ debugger;
+ assertEquals("bar", e);
+ assertEquals("modified", x);
+}
+
+f("argument")
+assertNull(exception);
+assertEquals(2, step);
diff --git a/test/mjsunit/regress/regress-crbug-409614.js b/test/mjsunit/regress/regress-crbug-409614.js
new file mode 100644
index 0000000..7b27404
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-409614.js
@@ -0,0 +1,37 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-debug-as debug
+
+Debug = debug.Debug;
+var exception = null;
+var error_count = 0;
+
+function f() {
+ return 0; // Break
+}
+
+function listener(event, exec_state, event_data, data) {
+ if (event != Debug.DebugEvent.Break) return;
+ try {
+ if (exec_state.frame(0).sourceLineText().indexOf("Break") <0) {
+ error_count++;
+ }
+ exec_state.prepareStep(Debug.StepAction.StepIn, 2);
+ f(); // We should not break in this call of f().
+ } catch (e) {
+ print(e + e.stack);
+ exception = e;
+ }
+}
+
+Debug.setListener(listener);
+
+debugger; // Break
+f();
+
+Debug.setListener(null); // Break
+
+assertNull(exception);
+assertEquals(0, error_count);
diff --git a/test/mjsunit/regress/regress-crbug-410033.js b/test/mjsunit/regress/regress-crbug-410033.js
new file mode 100644
index 0000000..63693e6
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-410033.js
@@ -0,0 +1,7 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+%GetScript('v8/gc');
diff --git a/test/mjsunit/regress/regress-crbug-412319.js b/test/mjsunit/regress/regress-crbug-412319.js
index 21386e3..c597b0d 100644
--- a/test/mjsunit/regress/regress-crbug-412319.js
+++ b/test/mjsunit/regress/regress-crbug-412319.js
@@ -15,5 +15,5 @@
%OptimizeFunctionOnNextCall(__f_6);
__f_6();
function __f_7(__v_7) {
- __v_7.push(Infinity);
+ __v_7.pop();
}
diff --git a/test/mjsunit/regress/regress-crbug-416558.js b/test/mjsunit/regress/regress-crbug-416558.js
new file mode 100644
index 0000000..375ad40
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-416558.js
@@ -0,0 +1,115 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(function() {
+ function store(x) { x[0] = 0; }
+ store([]);
+ var c = /x/;
+ store(c);
+ function get_hole() {
+ var b = /x/;
+ store(b);
+ return b[1];
+ }
+ assertEquals(undefined, get_hole());
+ assertEquals(undefined, get_hole());
+})();
+
+(function() {
+ function store(x) { x[0] = 0; }
+ store([]);
+ var c = new Date();
+ store(c);
+ function get_hole() {
+ var b = new Date();
+ store(b);
+ return b[1];
+ }
+ assertEquals(undefined, get_hole());
+ assertEquals(undefined, get_hole());
+})();
+
+(function() {
+ function store(x) { x[0] = 0; }
+ store([]);
+ var c = new Number(1);
+ store(c);
+ function get_hole() {
+ var b = new Number(1);
+ store(b);
+ return b[1];
+ }
+ assertEquals(undefined, get_hole());
+ assertEquals(undefined, get_hole());
+})();
+
+(function() {
+ function store(x) { x[0] = 0; }
+ store([]);
+ var c = new Boolean();
+ store(c);
+ function get_hole() {
+ var b = new Boolean();
+ store(b);
+ return b[1];
+ }
+ assertEquals(undefined, get_hole());
+ assertEquals(undefined, get_hole());
+})();
+
+(function() {
+ function store(x) { x[0] = 0; }
+ store([]);
+ var c = new Map();
+ store(c);
+ function get_hole() {
+ var b = new Map();
+ store(b);
+ return b[1];
+ }
+ assertEquals(undefined, get_hole());
+ assertEquals(undefined, get_hole());
+})();
+
+(function() {
+ function store(x) { x[0] = 0; }
+ store([]);
+ var c = new Set();
+ store(c);
+ function get_hole() {
+ var b = new Set();
+ store(b);
+ return b[1];
+ }
+ assertEquals(undefined, get_hole());
+ assertEquals(undefined, get_hole());
+})();
+
+(function() {
+ function store(x) { x[0] = 0; }
+ store([]);
+ var c = new WeakMap();
+ store(c);
+ function get_hole() {
+ var b = new WeakMap();
+ store(b);
+ return b[1];
+ }
+ assertEquals(undefined, get_hole());
+ assertEquals(undefined, get_hole());
+})();
+
+(function() {
+ function store(x) { x[0] = 0; }
+ store([]);
+ var c = new WeakSet();
+ store(c);
+ function get_hole() {
+ var b = new WeakSet();
+ store(b);
+ return b[1];
+ }
+ assertEquals(undefined, get_hole());
+ assertEquals(undefined, get_hole());
+})();
diff --git a/test/mjsunit/regress/regress-crbug-424142.js b/test/mjsunit/regress/regress-crbug-424142.js
new file mode 100644
index 0000000..0a370d4
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-424142.js
@@ -0,0 +1,36 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-debug-as debug
+
+(function outer() {
+ var C = (function C_() {
+ var y = 1;
+ function CC() {
+ this.x = 0;
+ }
+ CC.prototype.f = function CCf() {
+ this.x += y;
+ return this.x;
+ };
+ return CC;
+ })();
+
+ var c = new C(0);
+})
+
+function sentinel() {}
+
+Debug = debug.Debug;
+
+var script = Debug.findScript(sentinel);
+var line = 14;
+var line_start = Debug.findScriptSourcePosition(script, line, 0);
+var line_end = Debug.findScriptSourcePosition(script, line + 1, 0) - 1;
+var actual = Debug.setBreakPointByScriptIdAndPosition(
+ script.id, line_start).actual_position;
+// Make sure the actual break position is within the line where we set
+// the break point.
+assertTrue(line_start <= actual);
+assertTrue(actual <= line_end);
diff --git a/test/mjsunit/regress/regress-crbug-425519.js b/test/mjsunit/regress/regress-crbug-425519.js
new file mode 100644
index 0000000..d08e7b9
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-425519.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function load(a, i) {
+ return a[i];
+}
+
+load([]);
+load(0);
+load("x", 0);
+%OptimizeFunctionOnNextCall(load);
+load([], 0);
diff --git a/test/mjsunit/regress/regress-crbug-425585.js b/test/mjsunit/regress/regress-crbug-425585.js
new file mode 100644
index 0000000..c27febb
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-425585.js
@@ -0,0 +1,48 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+var correct_result = "This is the correct result.";
+
+function foo(recursion_depth) {
+ if (recursion_depth > 0) return foo(recursion_depth - 1);
+ return new String(correct_result, 1, 2, 3, 4, 5, 6);
+}
+
+// Roll our own non-strict assertEquals replacement.
+function test(i) {
+ var actual = foo(i);
+ if (correct_result != actual) {
+ var msg = "Expected \"" + correct_result + "\", found " + actual;
+ throw new MjsUnitAssertionError(msg);
+ }
+}
+
+test(1);
+test(1);
+test(10);
+test(100);
diff --git a/test/mjsunit/regress/regress-crbug-429159.js b/test/mjsunit/regress/regress-crbug-429159.js
new file mode 100644
index 0000000..69f1856
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-429159.js
@@ -0,0 +1,12 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+try {
+ var src = "return " + Array(12000).join("src,") + "src";
+ var fun = Function(src);
+ assertEquals(src, fun());
+} catch (e) {
+ // Some architectures throw a RangeError, that is fine.
+ assertInstanceof(e, RangeError);
+}
diff --git a/test/mjsunit/regress/regress-crbug-430846.js b/test/mjsunit/regress/regress-crbug-430846.js
new file mode 100644
index 0000000..3047c7f
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-430846.js
@@ -0,0 +1,14 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() { return 1; };
+var o1 = {};
+o1.foo = foo;
+
+var json = '{"foo": {"x": 1}}';
+var o2 = JSON.parse(json);
+var o3 = JSON.parse(json);
+assertTrue(%HaveSameMap(o2, o3));
diff --git a/test/mjsunit/regress/regress-crbug-431602.js b/test/mjsunit/regress/regress-crbug-431602.js
new file mode 100644
index 0000000..2467aaf
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-431602.js
@@ -0,0 +1,23 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --always-opt
+
+var heap_number_producer = {y:1.5};
+heap_number_producer.y = 0;
+var heap_number_zero = heap_number_producer.y;
+var non_constant_eight = {};
+non_constant_eight = 8;
+
+function BreakIt() {
+ return heap_number_zero | (1 | non_constant_eight);
+}
+
+function expose(a, b, c) {
+ return b;
+}
+
+assertEquals(9, expose(8, 9, 10));
+assertEquals(9, expose(8, BreakIt(), 10));
+assertEquals(9, BreakIt());
diff --git a/test/mjsunit/regress/regress-crbug-432493.js b/test/mjsunit/regress/regress-crbug-432493.js
new file mode 100644
index 0000000..87c4f83
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-432493.js
@@ -0,0 +1,57 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-debug-as debug
+
+function f() {
+ var a = 1;
+ var b = 2;
+ return a + b;
+}
+
+var exception = null;
+var break_count = 0;
+var throw_count = 0;
+
+function listener(event, exec_state, event_data, data) {
+ try {
+ if (event == Debug.DebugEvent.Break) {
+ break_count++;
+ // Disable all breakpoints from within the debug event callback.
+ Debug.debuggerFlags().breakPointsActive.setValue(false);
+ } else if (event = Debug.DebugEvent.Exception) {
+ throw_count++;
+ // Enable all breakpoints from within the debug event callback.
+ Debug.debuggerFlags().breakPointsActive.setValue(true);
+ }
+ } catch (e) {
+ exception = e;
+ }
+}
+
+Debug = debug.Debug;
+
+Debug.setListener(listener);
+Debug.setBreakOnException();
+Debug.setBreakPoint(f, 2);
+
+f();
+f();
+
+assertEquals(1, break_count);
+assertEquals(0, throw_count);
+
+// Trigger exception event.
+try { throw 1; } catch (e) {}
+
+f();
+f();
+
+Debug.setListener(null);
+Debug.clearBreakOnException();
+Debug.debuggerFlags().breakPointsActive.setValue(true);
+
+assertEquals(2, break_count);
+assertEquals(1, throw_count);
+assertNull(exception);
diff --git a/test/mjsunit/regress/regress-crbug-433332.js b/test/mjsunit/regress/regress-crbug-433332.js
new file mode 100644
index 0000000..d763243
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-433332.js
@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(foo) {
+ var g;
+ true ? (g = 0.1) : g |= null;
+ if (null != g) {}
+};
+
+f(1.4);
+f(1.4);
+%OptimizeFunctionOnNextCall(f);
+f(1.4);
diff --git a/test/mjsunit/regress/regress-crbug-433766.js b/test/mjsunit/regress/regress-crbug-433766.js
new file mode 100644
index 0000000..fae9483
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-433766.js
@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var filler = "//" + new Array(('@')).join('x');
+
+// Test strict eval in global context.
+eval(
+ "'use strict';" +
+ "var x = 23;" +
+ "var f = function bozo1() {" +
+ " return x;" +
+ "};" +
+ "f;" +
+ filler
+)();
diff --git a/test/mjsunit/regress/regress-crbug-435825.js b/test/mjsunit/regress/regress-crbug-435825.js
new file mode 100644
index 0000000..e10b812
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-435825.js
@@ -0,0 +1,11 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+Error.prepareStackTrace = function (a,b) { return b; };
+
+try {
+ /(invalid regexp/;
+} catch (e) {
+ e.stack[0].getThis().toString();
+}
diff --git a/test/mjsunit/regress/regress-crbug-436820.js b/test/mjsunit/regress/regress-crbug-436820.js
new file mode 100644
index 0000000..eea386c
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-436820.js
@@ -0,0 +1,13 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function c(p) {
+ return {__proto__: p};
+}
+var p = {};
+var o = c(p);
+p.x = 0.6;
+Object.defineProperty(p, "x", { writable: false });
diff --git a/test/mjsunit/regress/regress-eval-cache.js b/test/mjsunit/regress/regress-eval-cache.js
new file mode 100644
index 0000000..8f8dc18
--- /dev/null
+++ b/test/mjsunit/regress/regress-eval-cache.js
@@ -0,0 +1,19 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(function f() {
+ try {
+ throw 1;
+ } catch (e) {
+ var a = 0;
+ var b = 0;
+ var c = 0;
+ var x = 1;
+ var result = eval('eval("x")').toString();
+ assertEquals("1", result);
+ }
+ var x = 2;
+ var result = eval('eval("x")').toString();
+ assertEquals("2", result);
+})();
diff --git a/test/mjsunit/regress/regress-lea-matching.js b/test/mjsunit/regress/regress-lea-matching.js
new file mode 100644
index 0000000..988368a
--- /dev/null
+++ b/test/mjsunit/regress/regress-lea-matching.js
@@ -0,0 +1,14 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f(a, b, c) {
+ a = a|0;
+ b = b|0;
+ c = c|0;
+ var r = 0;
+ r = a + ((b << 1) + c) | 0;
+ return r|0;
+}
+
+assertEquals(8, f(1, 2, 3));
diff --git a/test/mjsunit/regress/regress-parse-object-literal.js b/test/mjsunit/regress/regress-parse-object-literal.js
index 96d63c2..93725eb 100644
--- a/test/mjsunit/regress/regress-parse-object-literal.js
+++ b/test/mjsunit/regress/regress-parse-object-literal.js
@@ -24,6 +24,8 @@
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Flags: --noharmony-classes --noharmony-object-literals
// Should throw, not crash.
assertThrows("var o = { get /*space*/ () {} }");
diff --git a/test/mjsunit/regress/regress-shift-enumerable.js b/test/mjsunit/regress/regress-shift-enumerable.js
new file mode 100644
index 0000000..f3ee258
--- /dev/null
+++ b/test/mjsunit/regress/regress-shift-enumerable.js
@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var arr = [1, 2];
+Object.defineProperty(arr, 0xfffe, {
+ value: 3,
+ configurable: true,
+ writable: true,
+ enumerable: false
+});
+arr[0xffff] = 4;
+arr.shift();
+var desc = Object.getOwnPropertyDescriptor(arr, 0xfffe);
+assertEquals(4, desc.value);
+assertFalse(desc.enumerable);
diff --git a/test/mjsunit/regress/regress-splice-large-index.js b/test/mjsunit/regress/regress-splice-large-index.js
new file mode 100644
index 0000000..5da17ee
--- /dev/null
+++ b/test/mjsunit/regress/regress-splice-large-index.js
@@ -0,0 +1,40 @@
+// Copyright 2013 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials provided
+// with the distribution.
+// * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived
+// from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+var a = [];
+a[0xfffffffe] = 10;
+assertThrows("a.unshift(1);", RangeError);
+assertEquals(0xffffffff, a.length);
+assertEquals(10, a[0xffffffff]);
+assertEquals(undefined, a[0xfffffffe]);
+
+a = [1,2,3];
+a[0xfffffffe] = 10;
+assertThrows("a.splice(1,1,7,7,7,7,7);", RangeError);
+assertEquals([1,7,7,7,7,7,3], a.slice(0, 7));
+assertEquals(0xffffffff, a.length);
+assertEquals(10, a[0xfffffffe + 5 - 1]);
diff --git a/test/mjsunit/regress/regress-unsigned-mul-add.js b/test/mjsunit/regress/regress-unsigned-mul-add.js
new file mode 100644
index 0000000..0a2fc65
--- /dev/null
+++ b/test/mjsunit/regress/regress-unsigned-mul-add.js
@@ -0,0 +1,10 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f(a) {
+ var x = a >>> 0;
+ return (x * 1.0 + x * 1.0) << 0;
+}
+
+assertEquals(-2, f(-1));
diff --git a/test/mjsunit/regress/regress-weakening-multiplication.js b/test/mjsunit/regress/regress-weakening-multiplication.js
new file mode 100644
index 0000000..dcf0011
--- /dev/null
+++ b/test/mjsunit/regress/regress-weakening-multiplication.js
@@ -0,0 +1,12 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f() {
+ for (var j = 1; j < 1; j *= -8) {
+ }
+ for (var i = 1; i < 1; j += 2) {
+ j * -1;
+ }
+}
+f();