[test] Crash on invalid intrinsic use unless --fuzzing is on

For example, when --fuzzing is off, %OptimizeFunctionOnNextCall now
crashes when given a non-function argument.

The following behaviors remain unchanged for now:
- %DeoptimizeFunction continues to do nothing if the function is not
  optimized.
- %DeoptimizeNow continues to do nothing if the top-most JS function
  is not optimized.
- %OptimizeOSR continues to do nothing if the function already has
  optimized code.

Bug: v8:10249
Change-Id: I35d2f3d50ce3f94c8ffccabe50fb4df2b70ce028
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2137406
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67121}

src/runtime/runtime-test.cc

@@ -111,6 +111,11 @@ bool WasmInstanceOverride(const v8::FunctionCallbackInfo<v8::Value>& args) {
   return true;
 }
 
+V8_WARN_UNUSED_RESULT Object CrashUnlessFuzzing(Isolate* isolate) {
+  CHECK(FLAG_fuzzing);
+  return ReadOnlyRoots(isolate).undefined_value();
+}
+
 }  // namespace
 
 RUNTIME_FUNCTION(Runtime_ClearMegamorphicStubCache) {
@@ -163,18 +168,13 @@ RUNTIME_FUNCTION(Runtime_DeoptimizeFunction) {
   HandleScope scope(isolate);
   DCHECK_EQ(1, args.length());
 
-  // This function is used by fuzzers to get coverage in compiler.
-  // Ignore calls on non-function objects to avoid runtime errors.
   CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
-  if (!function_object->IsJSFunction()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
+  if (!function_object->IsJSFunction()) return CrashUnlessFuzzing(isolate);
   Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);
 
-  // If the function is not optimized, just return.
-  if (!function->IsOptimized()) return ReadOnlyRoots(isolate).undefined_value();
-
+  if (function->IsOptimized()) {
     Deoptimizer::DeoptimizeFunction(*function);
+  }
 
   return ReadOnlyRoots(isolate).undefined_value();
 }
@@ -188,12 +188,11 @@ RUNTIME_FUNCTION(Runtime_DeoptimizeNow) {
   // Find the JavaScript function on the top of the stack.
   JavaScriptFrameIterator it(isolate);
   if (!it.done()) function = handle(it.frame()->function(), isolate);
-  if (function.is_null()) return ReadOnlyRoots(isolate).undefined_value();
-
-  // If the function is not optimized, just return.
-  if (!function->IsOptimized()) return ReadOnlyRoots(isolate).undefined_value();
+  if (function.is_null()) return CrashUnlessFuzzing(isolate);
 
+  if (function->IsOptimized()) {
     Deoptimizer::DeoptimizeFunction(*function);
+  }
 
   return ReadOnlyRoots(isolate).undefined_value();
 }
@@ -238,24 +237,19 @@ RUNTIME_FUNCTION(Runtime_IsConcurrentRecompilationSupported) {
 RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
   HandleScope scope(isolate);
 
-  // This function is used by fuzzers, ignore calls with bogus arguments count.
   if (args.length() != 1 && args.length() != 2) {
-    return ReadOnlyRoots(isolate).undefined_value();
+    return CrashUnlessFuzzing(isolate);
   }
 
-  // This function is used by fuzzers to get coverage for optimizations
-  // in compiler. Ignore calls on non-function objects to avoid runtime errors.
   CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
-  if (!function_object->IsJSFunction()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
+  if (!function_object->IsJSFunction()) return CrashUnlessFuzzing(isolate);
   Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);
 
   // The following conditions were lifted (in part) from the DCHECK inside
   // JSFunction::MarkForOptimization().
 
   if (!function->shared().allows_lazy_compilation()) {
-    return ReadOnlyRoots(isolate).undefined_value();
+    return CrashUnlessFuzzing(isolate);
   }
 
   // If function isn't compiled, compile it now.
@@ -263,18 +257,18 @@ RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
   if (!is_compiled_scope.is_compiled() &&
       !Compiler::Compile(function, Compiler::CLEAR_EXCEPTION,
                          &is_compiled_scope)) {
-    return ReadOnlyRoots(isolate).undefined_value();
+    return CrashUnlessFuzzing(isolate);
   }
 
-  if (!FLAG_opt || (function->shared().optimization_disabled() &&
+  if (!FLAG_opt) return ReadOnlyRoots(isolate).undefined_value();
+
+  if (function->shared().optimization_disabled() &&
       function->shared().disable_optimization_reason() ==
-                        BailoutReason::kNeverOptimize)) {
-    return ReadOnlyRoots(isolate).undefined_value();
+          BailoutReason::kNeverOptimize) {
+    return CrashUnlessFuzzing(isolate);
   }
 
-  if (function->shared().HasAsmWasmData()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
+  if (function->shared().HasAsmWasmData()) return CrashUnlessFuzzing(isolate);
 
   if (FLAG_testing_d8_test_runner) {
     PendingOptimizationTable::MarkedForOptimization(isolate, function);
@@ -290,11 +284,8 @@ RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
 
   ConcurrencyMode concurrency_mode = ConcurrencyMode::kNotConcurrent;
   if (args.length() == 2) {
-    // Ignore invalid inputs produced by fuzzers.
     CONVERT_ARG_HANDLE_CHECKED(Object, type, 1);
-    if (!type->IsString()) {
-      return ReadOnlyRoots(isolate).undefined_value();
-    }
+    if (!type->IsString()) return CrashUnlessFuzzing(isolate);
     if (Handle<String>::cast(type)->IsOneByteEqualTo(
             StaticCharVector("concurrent")) &&
         isolate->concurrent_recompilation_enabled()) {
@@ -355,9 +346,6 @@ bool EnsureFeedbackVector(Handle<JSFunction> function) {
 RUNTIME_FUNCTION(Runtime_EnsureFeedbackVectorForFunction) {
   HandleScope scope(isolate);
   DCHECK_EQ(1, args.length());
-  if (!args[0].IsJSFunction()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
   CONVERT_ARG_HANDLE_CHECKED(JSFunction, function, 0);
   EnsureFeedbackVector(function);
   return ReadOnlyRoots(isolate).undefined_value();
@@ -366,16 +354,13 @@ RUNTIME_FUNCTION(Runtime_EnsureFeedbackVectorForFunction) {
 RUNTIME_FUNCTION(Runtime_PrepareFunctionForOptimization) {
   HandleScope scope(isolate);
   DCHECK(args.length() == 1 || args.length() == 2);
-  if (!args[0].IsJSFunction()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
+  if (!args[0].IsJSFunction()) return CrashUnlessFuzzing(isolate);
   CONVERT_ARG_HANDLE_CHECKED(JSFunction, function, 0);
 
   bool allow_heuristic_optimization = false;
   if (args.length() == 2) {
     CONVERT_ARG_HANDLE_CHECKED(Object, sync_object, 1);
-    if (!sync_object->IsString())
-      return ReadOnlyRoots(isolate).undefined_value();
+    if (!sync_object->IsString()) return CrashUnlessFuzzing(isolate);
     Handle<String> sync = Handle<String>::cast(sync_object);
     if (sync->IsOneByteEqualTo(
             StaticCharVector("allow heuristic optimization"))) {
@@ -384,7 +369,7 @@ RUNTIME_FUNCTION(Runtime_PrepareFunctionForOptimization) {
   }
 
   if (!EnsureFeedbackVector(function)) {
-    return ReadOnlyRoots(isolate).undefined_value();
+    return CrashUnlessFuzzing(isolate);
   }
 
   // If optimization is disabled for the function, return without making it
@@ -392,13 +377,10 @@ RUNTIME_FUNCTION(Runtime_PrepareFunctionForOptimization) {
   if (function->shared().optimization_disabled() &&
       function->shared().disable_optimization_reason() ==
           BailoutReason::kNeverOptimize) {
-    return ReadOnlyRoots(isolate).undefined_value();
+    return CrashUnlessFuzzing(isolate);
   }
 
-  // We don't optimize Asm/Wasm functions.
-  if (function->shared().HasAsmWasmData()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
+  if (function->shared().HasAsmWasmData()) return CrashUnlessFuzzing(isolate);
 
   // Hold onto the bytecode array between marking and optimization to ensure
   // it's not flushed.
@@ -423,12 +405,14 @@ RUNTIME_FUNCTION(Runtime_OptimizeOsr) {
   JavaScriptFrameIterator it(isolate);
   while (!it.done() && stack_depth--) it.Advance();
   if (!it.done()) function = handle(it.frame()->function(), isolate);
-  if (function.is_null()) return ReadOnlyRoots(isolate).undefined_value();
+  if (function.is_null()) return CrashUnlessFuzzing(isolate);
 
-  if (!FLAG_opt || (function->shared().optimization_disabled() &&
+  if (!FLAG_opt) return ReadOnlyRoots(isolate).undefined_value();
+
+  if (function->shared().optimization_disabled() &&
       function->shared().disable_optimization_reason() ==
-                        BailoutReason::kNeverOptimize)) {
-    return ReadOnlyRoots(isolate).undefined_value();
+          BailoutReason::kNeverOptimize) {
+    return CrashUnlessFuzzing(isolate);
   }
 
   if (FLAG_testing_d8_test_runner) {
@@ -470,12 +454,8 @@ RUNTIME_FUNCTION(Runtime_OptimizeOsr) {
 RUNTIME_FUNCTION(Runtime_NeverOptimizeFunction) {
   HandleScope scope(isolate);
   DCHECK_EQ(1, args.length());
-  // This function is used by fuzzers to get coverage for optimizations
-  // in compiler. Ignore calls on non-function objects to avoid runtime errors.
   CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
-  if (!function_object->IsJSFunction()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
+  if (!function_object->IsJSFunction()) return CrashUnlessFuzzing(isolate);
   Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);
   function->shared().DisableOptimization(BailoutReason::kNeverOptimize);
   return ReadOnlyRoots(isolate).undefined_value();
@@ -500,21 +480,16 @@ RUNTIME_FUNCTION(Runtime_GetOptimizationStatus) {
     status |= static_cast<int>(OptimizationStatus::kMaybeDeopted);
   }
 
-  // This function is used by fuzzers to get coverage for optimizations
-  // in compiler. Ignore calls on non-function objects to avoid runtime errors.
   CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
-  if (!function_object->IsJSFunction()) {
-    return Smi::FromInt(status);
-  }
+  if (function_object->IsUndefined()) return Smi::FromInt(status);
+  CHECK(function_object->IsJSFunction());
   Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);
+
   status |= static_cast<int>(OptimizationStatus::kIsFunction);
 
   bool sync_with_compiler_thread = true;
   if (args.length() == 2) {
-    CONVERT_ARG_HANDLE_CHECKED(Object, sync_object, 1);
-    if (!sync_object->IsString())
-      return ReadOnlyRoots(isolate).undefined_value();
-    Handle<String> sync = Handle<String>::cast(sync_object);
+    CONVERT_ARG_HANDLE_CHECKED(String, sync, 1);
     if (sync->IsOneByteEqualTo(StaticCharVector("no sync"))) {
       sync_with_compiler_thread = false;
     }
@@ -575,10 +550,9 @@ RUNTIME_FUNCTION(Runtime_GetOptimizationStatus) {
 
 RUNTIME_FUNCTION(Runtime_UnblockConcurrentRecompilation) {
   DCHECK_EQ(0, args.length());
-  if (FLAG_block_concurrent_recompilation &&
-      isolate->concurrent_recompilation_enabled()) {
+  CHECK(FLAG_block_concurrent_recompilation);
+  CHECK(isolate->concurrent_recompilation_enabled());
   isolate->optimizing_compile_dispatcher()->Unblock();
-  }
   return ReadOnlyRoots(isolate).undefined_value();
 }
 
@@ -590,14 +564,11 @@ RUNTIME_FUNCTION(Runtime_GetUndetectable) {
   HandleScope scope(isolate);
   DCHECK_EQ(0, args.length());
   v8::Isolate* v8_isolate = reinterpret_cast<v8::Isolate*>(isolate);
-
   Local<v8::ObjectTemplate> desc = v8::ObjectTemplate::New(v8_isolate);
   desc->MarkAsUndetectable();
   desc->SetCallAsFunctionHandler(ReturnThis);
-  Local<v8::Object> obj;
-  if (!desc->NewInstance(v8_isolate->GetCurrentContext()).ToLocal(&obj)) {
-    return Object();
-  }
+  Local<v8::Object> obj =
+      desc->NewInstance(v8_isolate->GetCurrentContext()).ToLocalChecked();
   return *Utils::OpenHandle(*obj);
 }
 
@@ -630,9 +601,6 @@ RUNTIME_FUNCTION(Runtime_GetCallable) {
 RUNTIME_FUNCTION(Runtime_ClearFunctionFeedback) {
   HandleScope scope(isolate);
   DCHECK_EQ(1, args.length());
-  if (!args[0].IsJSFunction()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
   CONVERT_ARG_HANDLE_CHECKED(JSFunction, function, 0);
   function->ClearTypeFeedbackInfo();
   return ReadOnlyRoots(isolate).undefined_value();
@@ -816,9 +784,7 @@ RUNTIME_FUNCTION(Runtime_DebugTrackRetainingPath) {
   HandleScope scope(isolate);
   DCHECK_LE(1, args.length());
   DCHECK_GE(2, args.length());
-  if (!FLAG_track_retaining_path) {
-    PrintF("DebugTrackRetainingPath requires --track-retaining-path flag.\n");
-  } else {
+  CHECK(FLAG_track_retaining_path);
   CONVERT_ARG_HANDLE_CHECKED(HeapObject, object, 0);
   RetainingPathOption option = RetainingPathOption::kDefault;
   if (args.length() == 2) {
@@ -826,14 +792,11 @@ RUNTIME_FUNCTION(Runtime_DebugTrackRetainingPath) {
     const char track_ephemeron_path[] = "track-ephemeron-path";
     if (str->IsOneByteEqualTo(StaticCharVector(track_ephemeron_path))) {
       option = RetainingPathOption::kTrackEphemeronPath;
-      } else if (str->length() != 0) {
-        PrintF("Unexpected second argument of DebugTrackRetainingPath.\n");
-        PrintF("Expected an empty string or '%s', got '%s'.\n",
-               track_ephemeron_path, str->ToCString().get());
+    } else {
+      CHECK_EQ(str->length(), 0);
     }
   }
   isolate->heap()->AddRetainingPathTarget(object, option);
-  }
   return ReadOnlyRoots(isolate).undefined_value();
 }
 
@@ -919,10 +882,8 @@ RUNTIME_FUNCTION(Runtime_DisassembleFunction) {
   // Get the function and make sure it is compiled.
   CONVERT_ARG_HANDLE_CHECKED(JSFunction, func, 0);
   IsCompiledScope is_compiled_scope;
-  if (!func->is_compiled() &&
-      !Compiler::Compile(func, Compiler::KEEP_EXCEPTION, &is_compiled_scope)) {
-    return ReadOnlyRoots(isolate).exception();
-  }
+  CHECK(func->is_compiled() ||
+        Compiler::Compile(func, Compiler::KEEP_EXCEPTION, &is_compiled_scope));
   StdoutStream os;
   func->code().Print(os);
   os << std::endl;
@@ -1001,7 +962,6 @@ RUNTIME_FUNCTION(Runtime_IsAsmWasmCode) {
   DCHECK_EQ(1, args.length());
   CONVERT_ARG_CHECKED(JSFunction, function, 0);
   if (!function.shared().HasAsmWasmData()) {
-    // Doesn't have wasm data.
     return ReadOnlyRoots(isolate).false_value();
   }
   if (function.shared().HasBuiltinId() &&
@@ -1080,13 +1040,12 @@ RUNTIME_FUNCTION(Runtime_GetWasmExceptionId) {
   CONVERT_ARG_HANDLE_CHECKED(WasmInstanceObject, instance, 1);
   Handle<Object> tag =
       WasmExceptionPackage::GetExceptionTag(isolate, exception);
-  if (tag->IsWasmExceptionTag()) {
+  CHECK(tag->IsWasmExceptionTag());
   Handle<FixedArray> exceptions_table(instance->exceptions_table(), isolate);
   for (int index = 0; index < exceptions_table->length(); ++index) {
     if (exceptions_table->get(index) == *tag) return Smi::FromInt(index);
   }
-  }
-  return ReadOnlyRoots(isolate).undefined_value();
+  UNREACHABLE();
 }
 
 RUNTIME_FUNCTION(Runtime_GetWasmExceptionValues) {
@@ -1102,7 +1061,6 @@ RUNTIME_FUNCTION(Runtime_GetWasmExceptionValues) {
 
 namespace {
 bool EnableWasmThreads(v8::Local<v8::Context> context) { return true; }
-
 bool DisableWasmThreads(v8::Local<v8::Context> context) { return false; }
 }  // namespace
 
@@ -1226,8 +1184,7 @@ RUNTIME_FUNCTION(Runtime_SerializeWasmModule) {
     return *array_buffer;
   }
 
-  // Error. Return undefined.
-  return ReadOnlyRoots(isolate).undefined_value();
+  UNREACHABLE();
 }
 
 // Take an array buffer and attempt to reconstruct a compiled wasm module.

test/cctest/test-api.cc

@@ -24433,8 +24433,6 @@ TEST(TurboAsmDisablesDetach) {
       "}"
       "var buffer = new ArrayBuffer(4096);"
       "var module = Module(this, {}, buffer);"
-      "%PrepareFunctionForOptimization(module.load);"
-      "%OptimizeFunctionOnNextCall(module.load);"
       "module.load();"
       "buffer";
 
@@ -24450,8 +24448,6 @@ TEST(TurboAsmDisablesDetach) {
       "}"
       "var buffer = new ArrayBuffer(4096);"
       "var module = Module(this, {}, buffer);"
-      "%PrepareFunctionForOptimization(module.store);"
-      "%OptimizeFunctionOnNextCall(module.store);"
       "module.store();"
       "buffer";
 

test/inspector/debugger/asm-js-breakpoint-before-exec-expected.txt

@@ -5,7 +5,7 @@ Running test: enableDebugger
 Running test: addScript
 Script nr 1 parsed!
 First script; assuming testFunction.
-Flooding script with breakpoints for the lines 3 to 21...
+Flooding script with breakpoints for the lines 3 to 19...
 Setting breakpoint on line 3
 error: undefined
 Setting breakpoint on line 4
@@ -38,36 +38,26 @@ Setting breakpoint on line 17
 error: undefined
 Setting breakpoint on line 18
 error: undefined
-Setting breakpoint on line 19
-error: undefined
-Setting breakpoint on line 20
-error: undefined
 
 Running test: runTestFunction
 Script nr 2 parsed!
 Paused #1
-  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":17,"columnNumber":2}
+  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":17,"columnNumber":12}
   - [1] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 Paused #2
   - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":18,"columnNumber":2}
   - [1] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 Paused #3
-  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":19,"columnNumber":12}
-  - [1] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
-Paused #4
-  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":20,"columnNumber":2}
-  - [1] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
-Paused #5
   - [0] {"functionName":"call_debugger","function_lineNumber":13,"function_columnNumber":24,"lineNumber":14,"columnNumber":4}
   - [1] {"functionName":"callDebugger","lineNumber":5,"columnNumber":6}
   - [2] {"functionName":"redirectFun","lineNumber":8,"columnNumber":6}
-  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":20,"columnNumber":2}
+  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":18,"columnNumber":2}
   - [4] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
-Paused #6
+Paused #4
   - [0] {"functionName":"call_debugger","function_lineNumber":13,"function_columnNumber":24,"lineNumber":15,"columnNumber":2}
   - [1] {"functionName":"callDebugger","lineNumber":5,"columnNumber":6}
   - [2] {"functionName":"redirectFun","lineNumber":8,"columnNumber":6}
-  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":20,"columnNumber":2}
+  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":18,"columnNumber":2}
   - [4] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 
 Running test: finished

test/inspector/debugger/asm-js-breakpoint-before-exec.js

@@ -25,8 +25,6 @@ function testFunction() {
     debugger;
   }
 
-  %PrepareFunctionForOptimization(generateAsmJs);
-  %OptimizeFunctionOnNextCall(generateAsmJs);
   var fun = generateAsmJs(this, {'call_debugger': call_debugger}, undefined);
   fun();
 }

test/inspector/debugger/asm-js-breakpoint-during-exec-expected.txt

@@ -11,10 +11,10 @@ Paused #1
   - [0] {"functionName":"call_debugger","function_lineNumber":13,"function_columnNumber":24,"lineNumber":14,"columnNumber":4}
   - [1] {"functionName":"callDebugger","lineNumber":5,"columnNumber":6}
   - [2] {"functionName":"redirectFun","lineNumber":8,"columnNumber":6}
-  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":20,"columnNumber":2}
+  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":18,"columnNumber":2}
   - [4] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 First time paused, setting breakpoints!
-Flooding script with breakpoints for all lines (0 - 24)...
+Flooding script with breakpoints for all lines (0 - 22)...
 Setting breakpoint on line 0
 error: undefined
 Setting breakpoint on line 1
@@ -59,27 +59,23 @@ Setting breakpoint on line 20
 error: undefined
 Setting breakpoint on line 21
 error: undefined
-Setting breakpoint on line 22
-error: undefined
-Setting breakpoint on line 23
-error: undefined
 Script nr 3 parsed!
 Resuming...
 Paused #2
   - [0] {"functionName":"call_debugger","function_lineNumber":13,"function_columnNumber":24,"lineNumber":15,"columnNumber":2}
   - [1] {"functionName":"callDebugger","lineNumber":5,"columnNumber":6}
   - [2] {"functionName":"redirectFun","lineNumber":8,"columnNumber":6}
-  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":20,"columnNumber":2}
+  - [3] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":18,"columnNumber":2}
   - [4] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 Script nr 4 parsed!
 Resuming...
 Paused #3
-  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":22,"columnNumber":17}
+  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":20,"columnNumber":17}
   - [1] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 Script nr 5 parsed!
 Resuming...
 Paused #4
-  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":23,"columnNumber":2}
+  - [0] {"functionName":"testFunction","function_lineNumber":0,"function_columnNumber":21,"lineNumber":21,"columnNumber":2}
   - [1] {"functionName":"","function_lineNumber":0,"function_columnNumber":0,"lineNumber":0,"columnNumber":0}
 Script nr 6 parsed!
 Resuming...

test/inspector/debugger/asm-js-breakpoint-during-exec.js

@@ -25,8 +25,6 @@ function testFunction() {
     debugger;
   }
 
-  %PrepareFunctionForOptimization(generateAsmJs);
-  %OptimizeFunctionOnNextCall(generateAsmJs);
   var fun = generateAsmJs(this, {'call_debugger': call_debugger}, undefined);
   fun();
 

test/mjsunit/asm/load-elimination.js

@@ -23,5 +23,3 @@ var foo = (function(stdlib, foreign, heap) {
 
 assertEquals(0x1234, foo());
 assertEquals(0x1234, foo());
-%OptimizeFunctionOnNextCall(foo);
-assertEquals(0x1234, foo());

test/mjsunit/compiler/osr-infinite.js

@@ -11,7 +11,6 @@ function thrower() {
   if (x == 5)  %OptimizeOsr(1);
   if (x == 10) throw "terminate";
 }
-%PrepareFunctionForOptimization(thrower);
 
 %NeverOptimizeFunction(thrower);  // Don't want to inline the thrower.
 %NeverOptimizeFunction(test);     // Don't want to inline the func into test.

test/mjsunit/es6/regress/regress-411237.js

-// Copyright 2014 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Flags: --allow-natives-syntax
-
-%PrepareFunctionForOptimization(print);
-try {
-  %OptimizeFunctionOnNextCall(print);
-} catch(e) { }
-
-try {
-  function* f() {
-  }
-  %PrepareFunctionForOptimization(f);
-  %OptimizeFunctionOnNextCall(f);
-} catch(e) { }

test/mjsunit/mjsunit.status

@@ -1137,6 +1137,7 @@
 
   # interrupt_budget overrides don't work with TurboProp.
   'interrupt-budget-override': [SKIP],
+  'never-optimize': [SKIP],
 }],  # variant == turboprop
 
 ##############################################################################

test/mjsunit/never-optimize.js

@@ -25,38 +25,23 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-// Flags: --allow-natives-syntax --opt --no-always-opt
+// Flags: --allow-natives-syntax --opt --no-always-opt --no-use-osr
+// Flags: --interrupt-budget=1024
 
-function o1() {
-}
+function o1() { }
 %PrepareFunctionForOptimization(o1);
-
 o1(); o1();
 %OptimizeFunctionOnNextCall(o1);
 o1();
-
-// Check that the given function was optimized.
 assertOptimized(o1);
 
 // Test the %NeverOptimizeFunction runtime call.
+function u1(i) { return i+1 }
+function u2(i) { return i+1 }
 %NeverOptimizeFunction(u1);
-function u1() {
-}
-
-function u2() {
+for (let i = 0; i < 1000; ++i) {
   u1();
+  u2();
 }
-%PrepareFunctionForOptimization(u1);
-%PrepareFunctionForOptimization(u2);
-
-u1(); u1();
-u2(); u2();
-
-%OptimizeFunctionOnNextCall(u1);
-%OptimizeFunctionOnNextCall(u2);
-
-u1(); u1();
-u2(); u2();
-
 assertUnoptimized(u1);
 assertOptimized(u2);

test/mjsunit/regress/regress-1365.js

@@ -43,7 +43,6 @@ assertEquals(Object.prototype, Object.prototype.valueOf());
 assertThrows(callGlobalValueOf);
 assertThrows(callGlobalHasOwnProperty);
 
-%OptimizeFunctionOnNextCall(Object.prototype.valueOf);
 Object.prototype.valueOf();
 
 assertEquals(Object.prototype, Object.prototype.valueOf());

test/mjsunit/regress/regress-347542.js

-// Copyright 2014 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Flags: --allow-natives-syntax
-
-function foo() {};
-%PrepareFunctionForOptimization(foo);
-foo();
-%OptimizeFunctionOnNextCall(foo);
-foo();
-%NeverOptimizeFunction(foo);

test/mjsunit/regress/regress-447756.js

@@ -42,7 +42,8 @@ function TestOptimizedCode() {
   assertSame(Infinity, 1 / a1.byteOffset);
 }
 
-%OptimizeFunctionOnNextCall(Uint8Array);
-for (var i = 0; i < 1000; i++) {
-  TestOptimizedCode();
-}
+%PrepareFunctionForOptimization(TestOptimizedCode);
+TestOptimizedCode();
+TestOptimizedCode();
+%OptimizeFunctionOnNextCall(TestOptimizedCode);
+TestOptimizedCode();

test/mjsunit/regress/regress-491481.js

-// Copyright 2015 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Flags: --allow-natives-syntax
-
-try {
-%OptimizeFunctionOnNextCall(print);
-try {
-  __f_16();
-} catch(e) { print(e); }
-try {
-  __f_10();
-} catch(e) {; }
-} catch(e) {}

test/mjsunit/regress/regress-crbug-754177.js

@@ -2,11 +2,14 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// Flags: --allow-natives-syntax
+// Flags: --allow-natives-syntax  --fuzzing
 
-// Do not crash on non-JSFunction input.
+// Do not crash on non-JSFunction input when fuzzing.
 %NeverOptimizeFunction(undefined);
 %NeverOptimizeFunction(true);
 %NeverOptimizeFunction(1);
 %NeverOptimizeFunction({});
 assertThrows("%NeverOptimizeFunction()", SyntaxError);
+
+%PrepareFunctionForOptimization(print);
+%OptimizeFunctionOnNextCall(print);