From 3a8e8230eeeb1340ba4b8b99c7a58127f594f3fd Mon Sep 17 00:00:00 2001
From: Ben Noordhuis
Date: Wed, 6 Apr 2016 12:07:45 +0200
Subject: deps: upgrade to V8 4.9.385.35
PR-URL: https://github.com/nodejs/node/pull/6077
Reviewed-By: Trevor Norris
---
deps/v8/test/mjsunit/regress/regress-4800.js | 76 ++++++++++++++++++++++
.../test/mjsunit/regress/regress-crbug-589792.js | 20 ++++++
.../regress/regress-crbug-594574-concat-leak-1.js | 36 ++++++++++
.../regress/regress-crbug-594574-concat-leak-2.js | 35 ++++++++++
4 files changed, 167 insertions(+)
create mode 100644 deps/v8/test/mjsunit/regress/regress-4800.js
create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-589792.js
create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-594574-concat-leak-1.js
create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-594574-concat-leak-2.js
(limited to 'deps/v8/test/mjsunit/regress')
diff --git a/deps/v8/test/mjsunit/regress/regress-4800.js b/deps/v8/test/mjsunit/regress/regress-4800.js
new file mode 100644
index 0000000000..af7cbc0b8f
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-4800.js
@@ -0,0 +1,76 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(x, len) {
+ var distraction = [];
+ var result = new Array(25);
+
+ // Create a bunch of double values with long live ranges.
+ var d0 = x + 0.5;
+ var d1 = x + 1.5;
+ var d2 = x + 2.5;
+ var d3 = x + 3.5;
+ var d4 = x + 4.5;
+ var d5 = x + 5.5;
+ var d6 = x + 6.5;
+ var d7 = x + 7.5;
+ var d8 = x + 8.5;
+ var d9 = x + 9.5;
+ var d10 = x + 10.5;
+ var d11 = x + 11.5;
+ var d12 = x + 12.5;
+ var d13 = x + 13.5;
+ var d14 = x + 14.5;
+ var d15 = x + 15.5;
+ var d16 = x + 16.5;
+ var d17 = x + 17.5;
+ var d18 = x + 18.5;
+ var d19 = x + 19.5;
+ var d20 = x + 20.5;
+ var d21 = x + 21.5;
+ var d22 = x + 22.5;
+ var d23 = x + 23.5;
+ var d24 = x + 24.5;
+
+ // Trigger a stub failure when the array grows too big.
+ distraction[len] = 0;
+
+ // Write the long-lived doubles to memory and verify them.
+ result[0] = d0;
+ result[1] = d1;
+ result[2] = d2;
+ result[3] = d3;
+ result[4] = d4;
+ result[5] = d5;
+ result[6] = d6;
+ result[7] = d7;
+ result[8] = d8;
+ result[9] = d9;
+ result[10] = d10;
+ result[11] = d11;
+ result[12] = d12;
+ result[13] = d13;
+ result[14] = d14;
+ result[15] = d15;
+ result[16] = d16;
+ result[17] = d17;
+ result[18] = d18;
+ result[19] = d19;
+ result[20] = d20;
+ result[21] = d21;
+ result[22] = d22;
+ result[23] = d23;
+ result[24] = d24;
+
+ for (var i = 0; i < result.length; i++) {
+ assertEquals(x + i + 0.5, result[i]);
+ }
+}
+
+f(0, 10);
+f(0, 10);
+%OptimizeFunctionOnNextCall(f);
+f(0, 80000);
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-589792.js b/deps/v8/test/mjsunit/regress/regress-crbug-589792.js
new file mode 100644
index 0000000000..f735afceae
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-589792.js
@@ -0,0 +1,20 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var boom = (function(stdlib, foreign, heap) {
+ "use asm";
+ var MEM8 = new stdlib.Uint8Array(heap);
+ var MEM32 = new stdlib.Int32Array(heap);
+ function foo(i, j) {
+ j = MEM8[256];
+ // This following value '10' determines the value of 'rax'
+ MEM32[j >> 10] = 0xabcdefaa;
+ return MEM32[j >> 2] + j
+ }
+ return foo
+})(this, 0, new ArrayBuffer(256));
+%OptimizeFunctionOnNextCall(boom);
+boom(0, 0x1000);
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-594574-concat-leak-1.js b/deps/v8/test/mjsunit/regress/regress-crbug-594574-concat-leak-1.js
new file mode 100644
index 0000000000..d5f51a49ca
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-594574-concat-leak-1.js
@@ -0,0 +1,36 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+array = new Array(10);
+array[0] = 0.1;
+// array[1] = THE_HOLE, reading through the prototype chain
+array[2] = 2.1;
+array[3] = 3.1;
+
+var copy = array.slice(0, array.length);
+
+// Change the array's prototype.
+var proto = {};
+array.__proto__ = proto;
+
+// Define [1] on the prototype to alter the array during concatenation.
+Object.defineProperty(
+ proto, 1, {
+ get() {
+ // Alter the array.
+ array.length = 1;
+ // Force gc to move the array.
+ gc();
+ return "value from proto";
+ },
+ set(new_value) { }
+});
+
+var concatted_array = Array.prototype.concat.call(array);
+assertEquals(concatted_array[0], 0.1);
+assertEquals(concatted_array[1], "value from proto");
+assertEquals(concatted_array[2], undefined);
+assertEquals(concatted_array[3], undefined);
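Review bot: regress-crbug-589792.js contains no assertion, so `boom(0, 0x1000)` can only fail by crashing the optimized code, and nothing in the file says that this is the intended pass condition. Inside `foo`, `j` is overwritten with `MEM8[256]`, one element past the 256-byte `ArrayBuffer`, before the `MEM32[j >> 10]` store and the `MEM32[j >> 2]` load, which suggests the subject is bounds handling for typed-array accesses in optimized code, though the file does not state it. I would add a header comment such as `// Passes if the optimized call returns without crashing; the return value is not checked.` and reword the 'rax' remark to say what the shift amount is meant to exercise.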
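Review bot: The four `assertEquals` calls that close regress-crbug-594574-concat-leak-1.js pass the observed value first and the expected value second, the reverse of regress-4800.js in this same patch (`assertEquals(x + i + 0.5, result[i])`) and of mjsunit's `assertEquals(expected, found)` signature, so a failure would be reported with the two swapped. I would write `assertEquals(0.1, concatted_array[0]);` and likewise for the other three. `var copy = array.slice(0, array.length);` is never read in the visible file and should either go or get a comment saying why it is kept. Both points apply unchanged to regress-crbug-594574-concat-leak-2.js, whose comment `// Use the defaul array prototype.` also misspells "default".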
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-594574-concat-leak-2.js b/deps/v8/test/mjsunit/regress/regress-crbug-594574-concat-leak-2.js
new file mode 100644
index 0000000000..f359cfd80b
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-594574-concat-leak-2.js
@@ -0,0 +1,35 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+array = new Array(10);
+array[0] = 0.1;
+// array[1] = THE_HOLE, reading through the prototype chain
+array[2] = 2.1;
+array[3] = 3.1;
+
+var copy = array.slice(0, array.length);
+
+// Use the defaul array prototype.
+var proto = array.__proto__;
+
+// Define [1] on the prototype to alter the array during concatenation.
+Object.defineProperty(
+ proto, 1, {
+ get() {
+ // Alter the array.
+ array.length = 1;
+ // Force gc to move the array.
+ gc();
+ return "value from proto";
+ },
+ set(new_value) { }
+});
+
+var concatted_array = Array.prototype.concat.call(array);
+assertEquals(concatted_array[0], 0.1);
+assertEquals(concatted_array[1], "value from proto");
+assertEquals(concatted_array[2], undefined);
+assertEquals(concatted_array[3], undefined);
-- cgit v1.2.1