The problem was that parts of Simd8x16ShuffleOperand were uninitialized.
Original message:
[wasm] Stop decoding operands after error.
When we decode operands of WebAssembly instructions, we do not use the
current pc but a pc of the instruction plus some offset. However, the
pc of the instruction + offset can become invalid in case of a decoder
error. Therefore we have to stop decoding operands explicitly in case
of an error.
R=clemensh@chromium.org
Bug: chromium:795131
Change-Id: I732bc23547dbe531019d81a4397d22165a26d46b
Reviewed-on: https://chromium-review.googlesource.com/833934
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50211}
Fix report mode and make it use testcase properties so statusfile
outcomes can be private.
Bug: v8:6917
Change-Id: Id38e89e0ba427c3bbb7ad12ba93e02beb7e46219
Reviewed-on: https://chromium-review.googlesource.com/833909
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50209}
Pass shell name instead of an absolute path.
Bug: v8:796166
Change-Id: Ia9472e893fd2cb3fde2a94997f3e9daf30da06ea
Reviewed-on: https://chromium-review.googlesource.com/833917
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50207}
Move the object and array literal flag and depth initialization to when
they are visited by the bytecode generator. This avoids issues with
doing this initialization before we know whether the (syntactic) literal
is actually a literal value or a destructuring assignment.
Bug: chromium:795922
Bug: v8:7178
Change-Id: I022178ab4bc9e71f80560f3b78a759d95d4d0584
Reviewed-on: https://chromium-review.googlesource.com/833882
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50204}
First step in moving all statusfile logic into statusfile.py.
Introduce StatusFile object that will be used for storing and managing
outcomes.
Bug: v8:6917
Change-Id: I024f9b1d029830345149422a08a8905e92545252
Reviewed-on: https://chromium-review.googlesource.com/832433
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50202}
Fix unittests since they were incompatible with the
new testcase and testsuite API.
Bug: v8:6917
Change-Id: I917bf58e21402e0b90bc91c0483ade0e7c90bdd6
Reviewed-on: https://chromium-review.googlesource.com/832392
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50201}
This reverts commit 6633ad56d8.
Reason for revert:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/18850
Original change's description:
> [wasm] Stop decoding operands after error.
>
> When we decode operands of WebAssembly instructions, we do not use the
> current pc but a pc of the instruction plus some offset. However, the
> pc of the instruction + offset can become invalid in case of a decoder
> error. Therefore we have to stop decoding operands explicitly in case
> of an error.
>
> R=clemensh@chromium.org
>
> Bug: chromium:795131
> Change-Id: I3b7b45782c71a70364adf930bee3e94a1be88fea
> Reviewed-on: https://chromium-review.googlesource.com/832867
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50196}
TBR=ahaas@chromium.org,clemensh@chromium.org
Change-Id: I5a67f77285fdedc7f4645f8efaaf0087b4046011
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:795131
Reviewed-on: https://chromium-review.googlesource.com/832650
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50199}
The fast paths aren't pure and have side effects like calling out to
the debugger and runtime calls. Note: These aren't "fast" paths per se,
but just *native promise* code paths.
Forcing the slow path omits these calls to the debugger and runtime
causing test failures.
Bug: v8:7148
Change-Id: Idf46a33622a6edf03d69fefa4c6bfb7efc8ea625
Reviewed-on: https://chromium-review.googlesource.com/824102
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50197}
When we decode operands of WebAssembly instructions, we do not use the
current pc but a pc of the instruction plus some offset. However, the
pc of the instruction + offset can become invalid in case of a decoder
error. Therefore we have to stop decoding operands explicitly in case
of an error.
R=clemensh@chromium.org
Bug: chromium:795131
Change-Id: I3b7b45782c71a70364adf930bee3e94a1be88fea
Reviewed-on: https://chromium-review.googlesource.com/832867
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50196}
This is to make the diffs on rolls and releases smaller.
NOTRY=true
Change-Id: I3fb837a70e7b5be0f9d5b5b7ea6318d6a22ebd32
Reviewed-on: https://chromium-review.googlesource.com/832464
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50195}
It's still unused there but now at least it ends up in the
feedback vector.
Bug: v8:6791
Change-Id: I0114d317830b80be4715c74dc5a8950fff4d3485
Reviewed-on: https://chromium-review.googlesource.com/829136
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50194}
There was an issue when the caller of a function with multiple returns
did not use all values which were returned over the stack. The caller
used only the used returns to calculate the offsets on the stack,
whereas the callee used all returns to calculate the offsets.
With this CL also the caller uses all returns to calculate the stack
offsets and thereby agrees again with the callee on the location of
all returns.
In addition I fixed an issue on x64: A quad word is reserved on the
stack frame to spill callee-saved FP registers, which is not pointer
size.
R=titzer@chromium.org
Change-Id: Ibe56b4b57e4b6e59071a868805b1237412344f93
Reviewed-on: https://chromium-review.googlesource.com/824043
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50193}
This is the counterpart of https://crrev.com/c/822471.
It implements asm.js bounds checks for loads using normal branch nodes
and removes the need for CheckedLoad, improving maintainability at some
small cost to compilation time.
R=ahaas@chromium.orgCC=mstarzinger@chromium.org, titzer@chromium.org
Change-Id: I7a2716f364b9e4d7beb9cc460eb028c3bd1c3a99
Reviewed-on: https://chromium-review.googlesource.com/832457
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50192}
Teach the fuzzer about the new DotAll flag.
Bug: v8:6612
Change-Id: I92d6bfd920f5daef6733b1c547063ede718ecc8f
Reviewed-on: https://chromium-review.googlesource.com/832748
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50188}
The memory size is always stored as 32 bit value, so the comparison
should always be done in 32 bit space.
R=ahaas@chromium.org
Change-Id: Ic059e63bf1dc9e8bf568dbb5f8d7ccde1da4761a
Reviewed-on: https://chromium-review.googlesource.com/832473
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50187}
Bug:
Change-Id: I7d4152139548d8a24c0b444dfff3c363bf92680b
Reviewed-on: https://chromium-review.googlesource.com/816836
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50185}
Even inside an "#ifdef DEBUG", we still want to use the DCHECK macro
instead of CHECK in order to get the "correct" error message.
Drive-by: Remove "#ifdef DEBUG" around DCHECKS in macro-assembler-x64.cc
R=ahaas@chromium.orgCC=mtrofin@chromium.org
Change-Id: I5b92c87fa9b10e5751cc2704d6218bee292cfb8f
Reviewed-on: https://chromium-review.googlesource.com/832687
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50184}
Remove comment about usage of FATAL, UNREACHABLE and UNIMPLEMENTED,
which was deprecated since https://crrev.com/1410713006.
Also, refactor the FATAL macro and use it for implementing UNREACHABLE
and UNIMPLEMENTED, and in more code. The benefit over printf +
CHECK(false) is that the compiler knows that FATAL will never return.
R=bmeurer@chromium.org
Change-Id: I8c2ab3b4e6edfe8eff5ec6fdf3d92b15d0ed7126
Reviewed-on: https://chromium-review.googlesource.com/832726
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50183}
Patch will decrease size of JS files included into Chrome APK
(about 11 KB now)
Bug:
Change-Id: I701c9904fbf22fd295199f255601dea6524a3766
Reviewed-on: https://chromium-review.googlesource.com/821071
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Marcin Wiącek <marcin@mwiacek.com>
Cr-Commit-Position: refs/heads/master@{#50179}
Update tests to work with new behavior.
This feature is shipping in Firefox 54, so compatibility risk is low.
R=littledan@chromium.org, adamk@chromium.org, caitp@igalia.com
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
Bug: v8:4958
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Ib16d19468cf935f961d7bcd856ebbeb5692d3e61
Reviewed-on: https://chromium-review.googlesource.com/546941
Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50178}
We should not report promise created for async function as candidate
for stepping. Regular StepInto works fine in this case.
TBR=dgozman@chromium.org
Bug: none
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I8dafec5417df0de593cb2a1c06d6a11093e7c64b
Reviewed-on: https://chromium-review.googlesource.com/828024
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50176}
I also added a test for movdqa, which was already implemented.
R=bmeurer@chromium.org
Change-Id: I6dd5cba072f1439dcdfb5f975de116e4534c7581
Reviewed-on: https://chromium-review.googlesource.com/832466
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50175}
The WasmCompiledModule is kept alive from the Script, which again is
kept alive then the debugger is enabled. This, however, should not keep
the whole context alive, including the global object.
Hence, we only store a weak reference to the native context.
R=ahaas@chromium.org
Bug: chromium:750256
Change-Id: Ia409995c40fb3e90665534fbc94c6eafc081c4e5
Reviewed-on: https://chromium-review.googlesource.com/832126
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50174}
The interface of {WasmCompiledModule} currently mostly receives and
provides handles to the contained data. Other interfaces don't (see
{object-macros.h}.
This leads to performance and memory overhead for chained accesses like
{instance->compiled_module()->shared()->script()}, because intermediate
accessors allocate Handles for no reason. It also breaks the
constraints that lower-case accessors should be trivial to execute, but
allocating a handle is not trivial (should not be done in a loop if not
needed).
It also silences gcmole errors, as documented in
https://crrev.com/c/832268.
R=ahaas@chromium.org, mtrofin@chromium.org
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ib82fb295977a47b4a8ab9bae9c9b6e2b235ad5e5
Reviewed-on: https://chromium-review.googlesource.com/832387
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50173}
This CL passes feedback from the element kind deopt points
in Array.push to the deoptimizer. If the deopt points are
triggered, further speculation on Array.push is disallowed.
Bug: v8:7127, v8:7204
Change-Id: Ie91dee598bd8b8797110c8f468406327226893a4
Reviewed-on: https://chromium-review.googlesource.com/831523
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50171}
Move the one remaining optimization disabling in AST numbering (native
function literals) to be in the parser.
Bug: v8:7178
Change-Id: Icd96020622cbe64afa11b42c5831618247e3e021
Reviewed-on: https://chromium-review.googlesource.com/814399
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50170}
Make sure that a continue still executed the increment part of a for
loop by adding another nested block for the body, which is the break
target for a continue in the body. The increment code lives outside
this block, in the original loop.
R=bradnelson@chromium.orgCC=mstarzinger@chromium.org
Bug: chromium:788916
Change-Id: I178b874ffac16d9237a0f4da097d2742bd93335a
Reviewed-on: https://chromium-review.googlesource.com/832447
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50169}
Move literal initialization out of AST numbering and into the parser.
The initialization includes setting the depth and flags of Object and
Array literals, and calculating the emit store of object literals.
Bug: v8:7178
Change-Id: I9af59a2fea44f8a1adcc5a0261f29ce97fa8da92
Reviewed-on: https://chromium-review.googlesource.com/814634
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50168}
This change is quite invasive, because CheckSmi is lowered
through representation change depending on UseInfo to several
different checked conversion operators. This CL adds feedback
to every checked conversion operator to Int32.
Bug: v8:7127, v8:7204
Change-Id: Icb780e5a69d321c2ec161c3c2a32984bdcf101f1
Reviewed-on: https://chromium-review.googlesource.com/831521
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50167}
This makes --print-code and --print-wasm-code also print code emitted
on the native wasm heap.
It also extends code printing to include the code kind and the index.
R=mtrofin@chromium.org
Change-Id: I39c23f4b65168c059f23477ec5d264924ca83e82
Reviewed-on: https://chromium-review.googlesource.com/831987
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50166}
The pattern "handle->foo(factory->NewXX())" is unsafe, because the
evaluation order of the receiver (dereferencing the handle) and the
argument (allocating something on the heap) is undefined. If the
receiver is evaluated first, then the allocation in the evaluation of
the argument might invalidate the receiver.
In general, gcmole should catch these errors, but sadly, if the
method "foo" receives a Handle, it seems to not catch them.
We should generally refactor our getters and setters to receive and
return raw pointers instead of handles, just like most other code in
our code base.
R=mtrofin@chromium.org, ahaas@chromium.org
Bug: v8:7224
Change-Id: If9e84e4ca7efe02c40b97a8c5c549c222947d6bb
Reviewed-on: https://chromium-review.googlesource.com/832268
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50165}
... by "inlining" the Tuple2 object into the data handler.
Bug: v8:7206, v8:5561
Change-Id: I8517b2faa8d13bd16b8ec99c7ea8ab97c73a5f2a
Reviewed-on: https://chromium-review.googlesource.com/819233
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50164}
Add additional protection against OOB accesses by masking the
index to access by a mask precomputed from the memory size.
R=clemensh@chromium.org, bradnelson@chromium.org
Change-Id: I1d5875121e1904074b115a2c88ca773b6c1c1a66
Reviewed-on: https://chromium-review.googlesource.com/830394
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50162}