diff --git a/implementation-contributed/curation_logs/javascriptcore.json b/implementation-contributed/curation_logs/javascriptcore.json index c0e6f2bed1..d1f52af93e 100644 --- a/implementation-contributed/curation_logs/javascriptcore.json +++ b/implementation-contributed/curation_logs/javascriptcore.json @@ -1,5 +1,5 @@ { - "sourceRevisionAtLastExport": "8bfa53d50", - "targetRevisionAtLastExport": "8bc4e38a", + "sourceRevisionAtLastExport": "00228d3ccc", + "targetRevisionAtLastExport": "4314e2cab", "curatedFiles": {} -} +} \ No newline at end of file diff --git a/implementation-contributed/javascriptcore/stress/compare-eq-should-use-known-other-use.js b/implementation-contributed/javascriptcore/stress/compare-eq-should-use-known-other-use.js new file mode 100644 index 0000000000..ce5f4a7edd --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/compare-eq-should-use-known-other-use.js @@ -0,0 +1,29 @@ +function bar(testArgs) { + (() => { + try { + testArgs.func.call(1); + } catch (e) { + if (!testArgs.qux) { + return e == testArgs.qux; + } + } + })(); +} +for (var i = 0; i < 100000; i++) { + [ + { + func: ()=>{}, + }, + { + func: Int8Array.prototype.values, + foo: 0 + }, + { + func: Int8Array.prototype.values, + qux: 2 + }, + { + func: Int8Array.prototype.values, + }, + ].forEach(bar); +} diff --git a/implementation-contributed/javascriptcore/stress/default-proto-for-async-generator.js b/implementation-contributed/javascriptcore/stress/default-proto-for-async-generator.js new file mode 100644 index 0000000000..d23b9e6804 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/default-proto-for-async-generator.js @@ -0,0 +1,11 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} + +async function* asyncGenerator() { } + +var AsyncGeneratorPrototype = Object.getPrototypeOf(asyncGenerator).prototype; +asyncGenerator.prototype = null; + +shouldBe(Object.getPrototypeOf(asyncGenerator()), AsyncGeneratorPrototype); diff --git a/implementation-contributed/javascriptcore/stress/default-proto-for-generator.js b/implementation-contributed/javascriptcore/stress/default-proto-for-generator.js new file mode 100644 index 0000000000..c1c5cd08e1 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/default-proto-for-generator.js @@ -0,0 +1,11 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} + +function* generator() { } + +var GeneratorPrototype = Object.getPrototypeOf(generator).prototype; +generator.prototype = null; + +shouldBe(Object.getPrototypeOf(generator()), GeneratorPrototype); diff --git a/implementation-contributed/javascriptcore/stress/direct-arguments-check-array.js b/implementation-contributed/javascriptcore/stress/direct-arguments-check-array.js new file mode 100644 index 0000000000..3f65b336f1 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/direct-arguments-check-array.js @@ -0,0 +1,40 @@ +//@ defaultRun +//@ runNoLLInt("--useConcurrentJIT=false", "--forceEagerCompilation=True") + +// This is a regression test that verifies we handle direct arguments as ArrayStorage. This test should complete and not crash. +// It is a reduction of a fuzzing bug produced testcase. All of the code present was needed to reproduce the issue. + +let a; +let f2; +let args; + +function setup() { + a = [0]; + a.unshift(0); + for (let z of [4, 4, 4, 4, 4]) {}; + new Float64Array(a); + f2 = function() {}; + args = arguments; + args.length = 0; +}; + +function forOfArray() { + for (let z of [true, true, true, true, true, true, true]) { + } +} + +function forOfArgs() { + for (let v of args) { + } +} + +function callEveryOnArgs() { + for (i = 0; i < 1000; ++i) { + Array.prototype.every.call(args, f2, {}); + } +} + +setup(); +forOfArray(); +forOfArgs(); +callEveryOnArgs(); diff --git a/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-immutable-butterfly-out-of-bounds-foldable.js b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-immutable-butterfly-out-of-bounds-foldable.js new file mode 100644 index 0000000000..f72c5768bc --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-immutable-butterfly-out-of-bounds-foldable.js @@ -0,0 +1,56 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} + +var array0 = [1, 2, 3, 4, 5]; +var array1 = [1.2, 2.3, 3.4, 4.5, 5.6]; +var array2 = ["Hello", "New", "World", "Cappuccino", "Cocoa"]; +var array3 = [null, null, null, null, null]; +var array4 = [undefined, undefined, undefined, undefined, undefined]; +var array5 = [false, true, false, true, false]; + +function test0() +{ + return array0[5]; +} +noInline(test0); + +function test1() +{ + return array1[5]; +} +noInline(test1); + +function test2() +{ + return array2[5]; +} +noInline(test2); + +function test3() +{ + return array3[5]; +} +noInline(test3); + +function test4() +{ + return array4[5]; +} +noInline(test4); + +function test5() +{ + return array5[5]; +} +noInline(test5); + +for (var i = 0; i < 1e5; ++i) { + shouldBe(test0(), undefined); + shouldBe(test1(), undefined); + shouldBe(test2(), undefined); + shouldBe(test3(), undefined); + shouldBe(test4(), undefined); + shouldBe(test5(), undefined); +} diff --git a/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-immutable-butterfly-out-of-bounds.js b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-immutable-butterfly-out-of-bounds.js new file mode 100644 index 0000000000..400eeda658 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-immutable-butterfly-out-of-bounds.js @@ -0,0 +1,66 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} + +var array0 = [1, 2, 3, 4, 5]; +var array1 = [1.2, 2.3, 3.4, 4.5, 5.6]; +var array2 = ["Hello", "New", "World", "Cappuccino", "Cocoa"]; +var array3 = [null, null, null, null, null]; +var array4 = [undefined, undefined, undefined, undefined, undefined]; +var array5 = [false, true, false, true, false]; + +function test0() +{ + return array0[5]; +} +noInline(test0); + +function test1() +{ + return array1[5]; +} +noInline(test1); + +function test2() +{ + return array2[5]; +} +noInline(test2); + +function test3() +{ + return array3[5]; +} +noInline(test3); + +function test4() +{ + return array4[5]; +} +noInline(test4); + +function test5() +{ + return array5[5]; +} +noInline(test5); + +for (var i = 0; i < 1e5; ++i) { + shouldBe(test0(), undefined); + shouldBe(test1(), undefined); + shouldBe(test2(), undefined); + shouldBe(test3(), undefined); + shouldBe(test4(), undefined); + shouldBe(test5(), undefined); +} +// Breaking sane chains. +Array.prototype[5] = 42; +for (var i = 0; i < 1e5; ++i) { + shouldBe(test0(), 42); + shouldBe(test1(), 42); + shouldBe(test2(), 42); + shouldBe(test3(), 42); + shouldBe(test4(), 42); + shouldBe(test5(), 42); +} diff --git a/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-immutable-butterfly-with-types.js b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-immutable-butterfly-with-types.js new file mode 100644 index 0000000000..2114fa790d --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-immutable-butterfly-with-types.js @@ -0,0 +1,56 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} + +var array0 = [1, 2, 3, 4, 5]; +var array1 = [1.2, 2.3, 3.4, 4.5, 5.6]; +var array2 = ["Hello", "New", "World", "Cappuccino", "Cocoa"]; +var array3 = [null, null, null, null, null]; +var array4 = [undefined, undefined, undefined, undefined, undefined]; +var array5 = [false, true, false, true, false]; + +function test0() +{ + return array0[0]; +} +noInline(test0); + +function test1() +{ + return array1[0]; +} +noInline(test1); + +function test2() +{ + return array2[0]; +} +noInline(test2); + +function test3() +{ + return array3[0]; +} +noInline(test3); + +function test4() +{ + return array4[0]; +} +noInline(test4); + +function test5() +{ + return array5[0]; +} +noInline(test5); + +for (var i = 0; i < 1e6; ++i) { + shouldBe(test0(), 1); + shouldBe(test1(), 1.2); + shouldBe(test2(), "Hello"); + shouldBe(test3(), null); + shouldBe(test4(), undefined); + shouldBe(test5(), false); +} diff --git a/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-immutable-butterfly.js b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-immutable-butterfly.js new file mode 100644 index 0000000000..cf09b55166 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-immutable-butterfly.js @@ -0,0 +1,30 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} + +var array = [1, 2, 3, 4, 5]; + +function checking(i) +{ + if (i === (1e6 - 1)) { + // array[0] = 42; + array.ok = 4000; + } else if (i === (2e6 - 4000)) { + array.hey = 4000; + } else if (i === (1e6 * 2)) { + array[0] = 42; + } +} +noInline(checking); + +function test(i) +{ + checking(i); + return array[0] + array[1]; +} +noInline(test); + +for (var i = 0; i < 2e6; ++i) + shouldBe(test(i), 3); +shouldBe(test(2e6), 44); diff --git a/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-read-only-dont-delete-object.js b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-read-only-dont-delete-object.js new file mode 100644 index 0000000000..50fdf9f2cb --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-read-only-dont-delete-object.js @@ -0,0 +1,60 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} +noInline(shouldBe); + +var array1 = {0:0, 1:1, 2:2, 3:3, 4:4, 5:5}; +var array2 = {0:"Hello", 1:"World", 2:"Cocoa"}; +Object.freeze(array1); +Object.freeze(array2); + +function test1() +{ + return array1[0] + array1[1] + array1[2] + array1[3] + array1[4] + array1[5]; +} +noInline(test1); + +function test2() +{ + return array1[0] + array1[1] + array1[2] + array1[3] + array1[4] + array1[5] + (array1[6] | 0); +} +noInline(test2); + +function test3() +{ + return array2[0] + array2[1] + array2[2]; +} +noInline(test3); + +var array3 = {}; +Object.defineProperty(array3, 0, { + get() { return 42; } +}); +Object.defineProperty(array3, 1, { + get() { return 42; } +}); +Object.freeze(array3); + +function test4() +{ + return array3[0] + array3[1]; +} +noInline(test4); + +var array4 = {0:0, 1:1, 2:2, 3:3, 4:4, 5:5}; +Object.seal(array4); + +function test5() +{ + return array4[0] + array4[1] + array4[2] + array4[3] + array4[4] + array4[5]; +} +noInline(test5); + +for (var i = 0; i < 1e5; ++i) { + shouldBe(test1(), 15); + shouldBe(test2(), 15); + shouldBe(test3(), `HelloWorldCocoa`); + shouldBe(test4(), 84); + shouldBe(test5(), 15); +} diff --git a/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-read-only-dont-delete-runtime-array.js b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-read-only-dont-delete-runtime-array.js new file mode 100644 index 0000000000..3739b42007 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-read-only-dont-delete-runtime-array.js @@ -0,0 +1,35 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} +noInline(shouldBe); + +var array1 = $vm.createRuntimeArray(0, 1, 2, 3, 4, 5); +Object.freeze(array1); + +function test1() +{ + return array1[0] + array1[1] + array1[2] + array1[3] + array1[4] + array1[5]; +} +noInline(test1); + +function test2() +{ + return array1[0] + array1[1] + array1[2] + array1[3] + array1[4] + array1[5] + (array1[6] | 0); +} +noInline(test2); + +var array4 = $vm.createRuntimeArray(0, 1, 2, 3, 4, 5); +Object.seal(array4); + +function test5() +{ + return array4[0] + array4[1] + array4[2] + array4[3] + array4[4] + array4[5]; +} +noInline(test5); + +for (var i = 0; i < 1e5; ++i) { + shouldBe(test1(), 15); + shouldBe(test2(), 15); + shouldBe(test5(), 15); +} diff --git a/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-read-only-dont-delete.js b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-read-only-dont-delete.js new file mode 100644 index 0000000000..92fbcbfa8d --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/folding-get-by-val-with-read-only-dont-delete.js @@ -0,0 +1,60 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} +noInline(shouldBe); + +var array1 = [0, 1, 2, 3, 4, 5]; +var array2 = ["Hello", "World", "Cocoa"]; +Object.freeze(array1); +Object.freeze(array2); + +function test1() +{ + return array1[0] + array1[1] + array1[2] + array1[3] + array1[4] + array1[5]; +} +noInline(test1); + +function test2() +{ + return array1[0] + array1[1] + array1[2] + array1[3] + array1[4] + array1[5] + (array1[6] | 0); +} +noInline(test2); + +function test3() +{ + return array2[0] + array2[1] + array2[2]; +} +noInline(test3); + +var array3 = []; +Object.defineProperty(array3, 0, { + get() { return 42; } +}); +Object.defineProperty(array3, 1, { + get() { return 42; } +}); +Object.freeze(array3); + +function test4() +{ + return array3[0] + array3[1]; +} +noInline(test4); + +var array4 = [0, 1, 2, 3, 4, 5]; +Object.seal(array4); + +function test5() +{ + return array4[0] + array4[1] + array4[2] + array4[3] + array4[4] + array4[5]; +} +noInline(test5); + +for (var i = 0; i < 1e5; ++i) { + shouldBe(test1(), 15); + shouldBe(test2(), 15); + shouldBe(test3(), `HelloWorldCocoa`); + shouldBe(test4(), 84); + shouldBe(test5(), 15); +} diff --git a/implementation-contributed/javascriptcore/stress/get-by-val-fold-did-clobber-world.js b/implementation-contributed/javascriptcore/stress/get-by-val-fold-did-clobber-world.js new file mode 100644 index 0000000000..27a6f4ccea --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/get-by-val-fold-did-clobber-world.js @@ -0,0 +1,9 @@ +var __v_1673 = [16]; +function __f_443() { + for (var __v_1679 = 0; __v_1679 < 1e5; ++__v_1679) { + for (var __v_1680 = 0; __v_1680 < 7; ++__v_1680) { + var __v_1681 = __v_1673[__v_1680]; + } + } +} +__f_443() diff --git a/implementation-contributed/javascriptcore/stress/in-miss-variant-merge.js b/implementation-contributed/javascriptcore/stress/in-miss-variant-merge.js new file mode 100644 index 0000000000..552ae59a5c --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/in-miss-variant-merge.js @@ -0,0 +1,21 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} +noInline(shouldBe); + +function test(object) +{ + return 'return' in object; +} +noInline(test); + +var object1 = {}; +var object2 = { hello: 42 }; +for (var i = 0; i < 10; ++i) { + shouldBe(test(object1), false); +} +for (var i = 0; i < 1e6; ++i) { + shouldBe(test(object1), false); + shouldBe(test(object2), false); +} diff --git a/implementation-contributed/javascriptcore/stress/iterator-field-order.js b/implementation-contributed/javascriptcore/stress/iterator-field-order.js new file mode 100644 index 0000000000..cf5d410c9b --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/iterator-field-order.js @@ -0,0 +1,38 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} + +var array = [ 42 ]; + +shouldBe(JSON.stringify(array.values().next()), `{"value":42,"done":false}`); +shouldBe(JSON.stringify(array.keys().next()), `{"value":0,"done":false}`); +shouldBe(JSON.stringify(array.entries().next()), `{"value":[0,42],"done":false}`); + +async function* asyncIterator() { + yield 42; +} + +var iterator = asyncIterator(); +iterator.next().then(function (value) { + shouldBe(JSON.stringify(value), `{"value":42,"done":false}`); +}).catch($vm.abort); + +function* generator() { + yield 42; +} + +shouldBe(JSON.stringify(generator().next()), `{"value":42,"done":false}`); + +var map = new Map([[0,42]]); +shouldBe(JSON.stringify(map.keys().next()), `{"value":0,"done":false}`); +shouldBe(JSON.stringify(map.values().next()), `{"value":42,"done":false}`); +shouldBe(JSON.stringify(map.entries().next()), `{"value":[0,42],"done":false}`); + +var set = new Set([42]); +shouldBe(JSON.stringify(set.keys().next()), `{"value":42,"done":false}`); +shouldBe(JSON.stringify(set.values().next()), `{"value":42,"done":false}`); +shouldBe(JSON.stringify(set.entries().next()), `{"value":[42,42],"done":false}`); + +var string = "Cocoa"; +shouldBe(JSON.stringify(string[Symbol.iterator]().next()), `{"value":"C","done":false}`); diff --git a/implementation-contributed/javascriptcore/stress/json-stringify-gap-calculation-should-be-after-replacer-check.js b/implementation-contributed/javascriptcore/stress/json-stringify-gap-calculation-should-be-after-replacer-check.js new file mode 100644 index 0000000000..fda20d624c --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/json-stringify-gap-calculation-should-be-after-replacer-check.js @@ -0,0 +1,33 @@ +var proxy = Proxy.revocable([], {}); +proxy.revoke(); + +function shouldThrow(func, errorMessage) { + var errorThrown = false; + var error = null; + try { + func(); + } catch (e) { + errorThrown = true; + error = e; + } + if (!errorThrown) + throw new Error('not thrown'); + if (String(error) !== errorMessage) + throw new Error(`bad error: ${String(error)}`); +} + +shouldThrow(() => { + var string = new String("Hello"); + string.toString = function () { + throw new Error("Out"); + }; + JSON.stringify({}, proxy.proxy, string); +}, `TypeError: Array.isArray cannot be called on a Proxy that has been revoked`); + +shouldThrow(() => { + var string = new String("Hello"); + string.toString = function () { + throw new Error("Out"); + }; + JSON.stringify({}, [], string); +}, `Error: Out`); diff --git a/implementation-contributed/javascriptcore/stress/json-stringify-getter-call.js b/implementation-contributed/javascriptcore/stress/json-stringify-getter-call.js new file mode 100644 index 0000000000..30fdd190ef --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/json-stringify-getter-call.js @@ -0,0 +1,32 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} + +class A { + get cocoa() { + return "Cocoa"; + } + + get cappuccino() { + return "Cappuccino"; + } +} + +let a = new A(); +shouldBe(JSON.stringify(a), `{}`); +shouldBe(JSON.stringify(a, ["cocoa", "cappuccino"]), `{"cocoa":"Cocoa","cappuccino":"Cappuccino"}`); + +let array = [0, 1, 2, 3, 4]; +Object.defineProperty(array.__proto__, 1, { + get: function () { + return "Cocoa"; + } +}); +Object.defineProperty(array, 0, { + get: function () { + delete array[1]; + return "Cappuccino"; + } +}); +shouldBe(JSON.stringify(array), `["Cappuccino","Cocoa",2,3,4]`); diff --git a/implementation-contributed/javascriptcore/stress/miss-variant-merge.js b/implementation-contributed/javascriptcore/stress/miss-variant-merge.js new file mode 100644 index 0000000000..258c4415e5 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/miss-variant-merge.js @@ -0,0 +1,21 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} +noInline(shouldBe); + +function test(object) +{ + return object.return; +} +noInline(test); + +var object1 = {}; +var object2 = { hello: 42 }; +for (var i = 0; i < 10; ++i) { + shouldBe(test(object1), undefined); +} +for (var i = 0; i < 1e6; ++i) { + shouldBe(test(object1), undefined); + shouldBe(test(object2), undefined); +} diff --git a/implementation-contributed/javascriptcore/stress/prototype-for-async-generator.js b/implementation-contributed/javascriptcore/stress/prototype-for-async-generator.js new file mode 100644 index 0000000000..a3f5cdb4fd --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/prototype-for-async-generator.js @@ -0,0 +1,19 @@ +function shouldBe(actual, expected) { + if (actual !== expected) + throw new Error('bad value: ' + actual); +} + +async function* asyncGenerator() { } + +var AsyncGeneratorPrototype = Object.getPrototypeOf(asyncGenerator).prototype; + +shouldBe(Object.getPrototypeOf(asyncGenerator.prototype), AsyncGeneratorPrototype); + +class A { + async *asyncGenerator() + { + } +} + +var a = new A; +shouldBe(Object.getPrototypeOf(a.asyncGenerator.prototype), AsyncGeneratorPrototype); diff --git a/implementation-contributed/javascriptcore/stress/regexp-with-nonBMP-any.js b/implementation-contributed/javascriptcore/stress/regexp-with-nonBMP-any.js new file mode 100644 index 0000000000..979936bc87 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/regexp-with-nonBMP-any.js @@ -0,0 +1,10 @@ +// This test that . followed by fixed character terms works with non-BMP characters + +if (!/^.-clef/u.test("\u{1D123}-clef")) + throw "Should have matched string with leading non-BMP with BOL anchored . in RE"; + +if (!/c.lef/u.test("c\u{1C345}lef")) + throw "Should have matched string with non-BMP with . in RE"; + + + diff --git a/implementation-contributed/javascriptcore/stress/regress-187543-2.js b/implementation-contributed/javascriptcore/stress/regress-187543-2.js new file mode 100644 index 0000000000..2764548ca4 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/regress-187543-2.js @@ -0,0 +1,10 @@ +// This test should not crash. + +Object.defineProperty(Object.prototype, 0, { set() {} }); + +var foo = Function.bind.call(new Proxy(Array, {})); +for (var i = 10; i < 50; ++i) { + var args = Array(i).fill(i); + new foo(...args); + gc() +} diff --git a/implementation-contributed/javascriptcore/stress/regress-187543-3.js b/implementation-contributed/javascriptcore/stress/regress-187543-3.js new file mode 100644 index 0000000000..25d1b30e49 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/regress-187543-3.js @@ -0,0 +1,14 @@ +//@ requireOptions("--useDollarVM=false") + +// This test should not crash. +Date.prototype.valueOf; +Math.abs; + +Object.prototype.__defineGetter__(0, function () {}); + +class Test extends Array {} + +for (let i = 0; i < 100; i++) + new Test(1, 2, 3, -4, 5, 6, 7, 8, 9).splice(); + +gc(); diff --git a/implementation-contributed/javascriptcore/stress/regress-187543.js b/implementation-contributed/javascriptcore/stress/regress-187543.js new file mode 100644 index 0000000000..b47fb55e27 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/regress-187543.js @@ -0,0 +1,7 @@ +// This test should not crash. + +Object.defineProperty(Object.prototype, 0, { set() { } }); +var foo = Function.bind.call(new Proxy(Array, {})); +gc(); +new foo(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25); +gc(); diff --git a/implementation-contributed/javascriptcore/stress/regress-188065.js b/implementation-contributed/javascriptcore/stress/regress-188065.js new file mode 100644 index 0000000000..eb38938728 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/regress-188065.js @@ -0,0 +1,8 @@ +function test() { + var arr = new Array(400); + arr.concat([1.1]); +} +noInline(test); + +for (var i = 0; i < 10000; i++) + test(); diff --git a/implementation-contributed/javascriptcore/stress/scoped-arguments-check-array.js b/implementation-contributed/javascriptcore/stress/scoped-arguments-check-array.js new file mode 100644 index 0000000000..fac9407489 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/scoped-arguments-check-array.js @@ -0,0 +1,41 @@ +//@ defaultRun +//@ runNoLLInt("--useConcurrentJIT=false", "--forceEagerCompilation=True") + +// This is a regression test that verifies we handle direct arguments as ArrayStorage. This test should complete and not crash. +// It is a reduction of a fuzzing bug produced testcase. All of the code present was needed to reproduce the issue. + +let a; +let f2; +let args; + +function setup(arg1) { + function foo() { return arg1; } + a = [0]; + a.unshift(0); + for (let z of [4, 4, 4, 4, 4]) {}; + new Float64Array(a); + f2 = function() {}; + args = arguments; + args.length = 0; +}; + +function forOfArray() { + for (let z of [true, true, true, true, true, true, true]) { + } +} + +function forOfArgs() { + for (let v of args) { + } +} + +function callEveryOnArgs() { + for (i = 0; i < 1000; ++i) { + Array.prototype.every.call(args, f2, {}); + } +} + +setup(); +forOfArray(); +forOfArgs(); +callEveryOnArgs(); diff --git a/implementation-contributed/javascriptcore/stress/typedarray-hasOwnProperty-out-of-bounds.js b/implementation-contributed/javascriptcore/stress/typedarray-hasOwnProperty-out-of-bounds.js new file mode 100644 index 0000000000..143fb6bab2 --- /dev/null +++ b/implementation-contributed/javascriptcore/stress/typedarray-hasOwnProperty-out-of-bounds.js @@ -0,0 +1,20 @@ + +let array = new Float32Array(10); + +function test(array, indicies, result) { + for (let i of indicies) { + if (array.hasOwnProperty(i) !== result) + throw new Error("wrong value for " + i); + if (array.hasOwnProperty(i.toString()) !== result) + throw new Error("wrong value for " + i + " (as String)"); + } +} +noInline(test); + +let interestingIndicies = [0, 1, 2, 8, 9]; +for (let i = 0; i < 10000; i++) + test(array, interestingIndicies, true); + +interestingIndicies = [-1, 10, 100]; +for (let i = 0; i < 10000; i++) + test(array, interestingIndicies, false);