In the ElementsAccessor fast-path for Array.prototype.includes, we
iterate backing-store elements according to start and length numbers
which might or might not be within the JSArray::length field, for
example when side-effects changed the receiver while start and length
are computed. So even when we have a packed ElementsKind, we might still
observe the hole. This is fine, since logical out-of-bounds accesses
are safe in this case, but it means we must not rely on the
ElementsKind telling us if we can encounter holes.
Bug: chromium:897098
Change-Id: I17db38246aef6edbdd5cee30598cbf7619aba6d8
Reviewed-on: https://chromium-review.googlesource.com/c/1293571
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56884}

The DEPS file was already up to date, so we only had to update the hash.
R=herhut@chromium.org
Change-Id: Ibbf960e140746b522339cb8f649691a08f4cd485
Reviewed-on: https://chromium-review.googlesource.com/c/1293576
Reviewed-by: Stephan Herhut <herhut@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56883}

We need to remove each Sampler from the SamplerManager before we call
the Sampler destructor. This is because the signal handler can interrupt
the destructor, and call DoSampler(), which calls sampler->SampleStack()
on the sampler being destructed, causing general unhappiness and
"Pure virtual function called!" crashes.
Bug: v8:8346, v8:5193
Change-Id: Iaa595a196eab33fb1af31584e9a68fd1ce0a18f6
Reviewed-on: https://chromium-review.googlesource.com/c/1293949
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56882}

This change added Windows ARM64 ABI support; the major things are:
1. Excluding the x18 register from any usage because it is reserved as
the platform register. Preserve alignment after the change.
2. Fix the assumption of LP64 in arm64 backend. Windows ARM64 is
still LLP64.
3. Stack guard page probe for large allocation on stack.
Reference:
Windows ARM64 ABI:
https://docs.microsoft.com/en-us/cpp/build/arm64-windows-abi-conventions?view=vs-2017
Bug: chromium:893460
Change-Id: I325884ac8dab719154a0047141e18a9fcb8dff7e
Reviewed-on: https://chromium-review.googlesource.com/c/1285129
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56881}

This CL replaces the stack trace parameter with the array that is
usually passed to the JS prepareStackTrace callback. This allows two
important goals to be realized: 1) we can easily stringify individual
frames and 2) we can (if needed) call back into JS from this callback
with a usable structure. If, as is sometimes the case, a v8::StackTrace
is needed, |v8::Exception::GetStackTrace| can be used on the exception
that is passed to PrepareStackTraceCallback.
Bug: v8:7637
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I57fa1f2b4552cc7f69351fe0918f4e59e3f5fce1
Reviewed-on: https://chromium-review.googlesource.com/c/1266698
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56880}

Currently Torque's Array.prototype.slice creates holey arrays for those
that don't fit in new space in its slow path (by calling
ArraySpeciesCreate), even if the source is packed. This creates a regression
on packed arrays where TurboFan optimizes and then deoptimizes because
the maps don't match.
See https://chromeperf.appspot.com/report?sid=4553b0826123337f5026fd6b4a285d5fc3cd77cafb515ddd954d195630642730
This CL reduces the chance that Torque's Array.prototype.slice returns
holey arrays. In particular, in the case of a large FastJSArray,
ExtractFastJSArray can still be used because it can handle large objects,
and will return a packed array if the source array is also packed.
Change-Id: I691cf48e07c699e5d42afda0bea6cbdc117b653f
Reviewed-on: https://chromium-review.googlesource.com/c/1293372
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Hai Dang <dhai@google.com>
Cr-Commit-Position: refs/heads/master@{#56879}

This builtin was initially used to create the promise for an async
function, but that is now done by the AsyncFunctionEnter intrinsic.
Bug: v8:7253
Change-Id: I90d0bb31c1548bbfdb53833a5c06161db368f4f0
Reviewed-on: https://chromium-review.googlesource.com/c/1296129
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56878}

Add missing typing rules for calls to Promise builtins. All of these
return receivers always, since PromiseCapabilities.[[Promise]] can be
any receiver essentially. Adding the typing rules here helps to rule
out unnecessary Smi checks in the general case.
Bug: v8:7253
Change-Id: Ia51546420f331431872183a92702855f91b7daba
Reviewed-on: https://chromium-review.googlesource.com/c/1293956
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56876}

Fold methods from intl.* to objects/intl-objects.*
Move Isolate* to the first parameter for some methods
Move ICUService type under Intl
Hide ICUTimeZoneCache under a CreateTimeZoneCache factory method.
Bug: v8:5751
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ie6f6a1ceee789333a077c1965de8e11d8c15c175
Reviewed-on: https://chromium-review.googlesource.com/c/1293109
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56873}

Full custom preview generation is moved to custom-preview file
including frontend part. New custom preview implementation returns
body getter function instead of bind function, formatter and config
objects. Body getter function calls formatter.body(object, config)
and returns json ML.
R=dgozman@chromium.org
Bug: chromium:595206
Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I14ff3d8abb4a47d2bbc2e6eaa1835fc362ac7369
Reviewed-on: https://chromium-review.googlesource.com/c/1292686
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56872}

TryLookupCode can be passed arbitrary addresses, e.g. by tentative
name lookups during disassembly. This CL makes sure that addresses
within non-builtin-code sections of the embedded blob (metadata or
padding) are handled properly.
Bug: v8:6666, v8:8334
Change-Id: I42eca57062e30eabd7bb1b069786aa809706cd2c
Reviewed-on: https://chromium-review.googlesource.com/c/1292060
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56865}

This removes a bunch of porting helpers, e.g. scopes that mark
the addressability of ebx, printing embedded builtin candidates, and
the call/jump mechanism through a virtual target register.
This also disables root register verification by default on ia32. It
can be completely removed in a bit.
Bug: v8:6666
Change-Id: I4705d61991ddc57c30981c311a1c8c5e2f8ddf4d
Reviewed-on: https://chromium-review.googlesource.com/c/1288271
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56864}

Typically the compiler does not have to compile one-shot code, but there
are some cases where the user can capture IIFEs and execute them multiple times.
Adding a counter to track the number of such closures compiled with one-shot
bytecodes.
Bug: v8:8072
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I752a12cff6ee9bb751323f4d58897cdd41c6890c
Reviewed-on: https://chromium-review.googlesource.com/c/1237679
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56862}

This removes some unnecessary runtime calls when encoding/decoding
values stored in exception objects. It reduces code size of the
generated code.
R=clemensh@chromium.org
BUG=v8:8341
Change-Id: I2394994be01d3071e58bfa2bfbba8bf72a6a04a5
Reviewed-on: https://chromium-review.googlesource.com/c/1293373
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56860}

This CL introduces a new fast-path for `Promise.all(a)` for the case
that elements in `a` are native promises, and the Promise.prototype
and Promise function itself are intact. If so, we can skip the lookups
of "resolve" on Promise and "then" on the result of invoking "resolve",
which are both quite expensive, and we can instead directly call the
PerformPromiseThen() operation on the element of `a`.
In addition to that we don't need to create and chain a result promise,
since this is only used when either async_hooks or DevTools are enabled.
Otherwise it's a "throwaway promise" only used to satisfy the operation
parameter signature (see https://github.com/tc39/ecma262/pull/1146).
This results in a significant performance improvement on `Promise.all()`
heavy code. For example the parallel-promises-es2015-native test goes
from around 84ms to roughly 68ms, which is almost a 20% improvement.
Bug: v8:7253
Ref: tc39/ecma262#1146
Change-Id: Iab9c57edb26d13a467b0653fd8de6149c382efc6
Reviewed-on: https://chromium-review.googlesource.com/c/1293374
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56858}

This removes the {error} and {verror} methods of {ResultBase} and
introduces a named constructor {Error} instead. This allows constructing
an error result in a single expression, and moves {Result}
closer to a container that is initialized once and is immutable
afterwards (just the {MoveErrorFrom} method is still violating this
pattern).
R=titzer@chromium.org
Bug: v8:8238
Change-Id: Iec16c8c6d66300ee82a48e8a9e941c72ae26e202
Reviewed-on: https://chromium-review.googlesource.com/c/1293370
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56857}

Making --data-path a subdir of --user-data-dir makes it easier to clean up
data after a benchmark run.
Bug: chromium:861668
Change-Id: If44527163ea396b11346d65d76411d03a5b9a424
Reviewed-on: https://chromium-review.googlesource.com/c/1292065
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56856}

This changes the encoding of values stored in exception objects from a
typed uint16 array (a JSObject) to a {FixedArray} instead. Note that it
increases the memory footprint of the encoding, but will allow accessing
elements directly from generated code and also encode reference types
properly. The memory footprint can/should be optimized only after the
implementation is feature complete.
R=clemensh@chromium.org
BUG=v8:8341
Change-Id: If67c4e498d815e14f95d014e6a1f7a6725aa0b3a
Reviewed-on: https://chromium-review.googlesource.com/c/1293371
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56854}

Change the status files to only run on release bots and furthermore
exclude those that run on an arm simulator. This should still provide
sufficient coverage while keeping resource usage at bay.
Bug: v8:8331, v8:8332
Change-Id: I515e68929af660932a1224294bd09ebc05705324
Reviewed-on: https://chromium-review.googlesource.com/c/1292061
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Stephan Herhut <herhut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56850}

This improves the performance of copying Smi or Object arrays if
the new array is allocated in new space.
Bug: v8:7980
Change-Id: I8e91a879f603d118b4bb1393e7b8b92f4c0b3696
Reviewed-on: https://chromium-review.googlesource.com/c/1283053
Commit-Queue: Hai Dang <dhai@google.com>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56849}

This improves the error message for []=>{}. Now rather than pointing
at ] and saying that's the unexpected token, it reports
"SyntaxError: Malformed arrow function parameter list", pointing at [.
Change-Id: I88457dc9f929a7c2b07b36ea798f11e9a7d24414
Reviewed-on: https://chromium-review.googlesource.com/c/1293369
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56847}

Two zones in ExecuteCompilation have the same scope, so we can combine
them.
In addition I moved the measurement code to the end of the function so that
we don't have to store the result of the compilation in a helper.
R=clemensh@chromium.org
Bug: v8:8238
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I3b4790fa62adbe361d41be188c7f0510b12d957c
Reviewed-on: https://chromium-review.googlesource.com/c/1291072
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56842}

This adds an attribute field to the binary encoding of exception types
in the exceptions and import section. Currently the attribute value is
not used and expected to be zero, but it ensures the binary encoding is
extensible for future changes.
R=clemensh@chromium.org
TEST=unittests/WasmModuleVerifyTest
BUG=v8:8153
Change-Id: I6f0e10cb1b6515177d8200ebf1f4f0b122832868
Reviewed-on: https://chromium-review.googlesource.com/c/1291075
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56841}

Avoid calling Map::TransitionToPrototype (which reads and writes the
JS heap) by skipping the JSCallReducer optimization of Function#bind
whenever the receiver has a custom prototype.
Bug: v8:7790
Change-Id: Ie21475c5dc5c53d90c6afae8198837deb40dac8e
Reviewed-on: https://chromium-review.googlesource.com/c/1288631
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56840}

With async_hooks it's also possible that the "current microtask" is an
await task, whose generator is already suspended, when there's an
exception thrown in the AFTER callback. In that case we cannot build
a meaningful async stack trace.
Bug: chromium:897406, v8:7522
Change-Id: I682dc1fc3ebb1864e1c2061041ff99ced0313f0c
Reviewed-on: https://chromium-review.googlesource.com/c/1292057
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56839}

This CL adds OnFailure::DUMP_ON_FAILURE representing a scope where
base::DumpWithoutCrash is called when V8 execution is detected. As V8 can't
call base functions, this CL also adds Platform::DumpWithoutCrash.
Doc: https://docs.google.com/document/d/1PStT6dPlSM7QfGUJQD6t6LNLTv_48gNMhY5RdEpt3XQ/edit?disco=AAAACJ6Xg0o&ts=5bc0be1b
BUG=chromium:870606
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I5df62fd99ed78adb4e2505aeaee3d526d6786e59
Reviewed-on: https://chromium-review.googlesource.com/c/1276325
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Hajime Hoshi <hajimehoshi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56838}