This is a reland of cdc8d9a5ec
Skipped tests on gc_stress and fixed CONSTEXPR_DCHECK for gcc.
Original change's description:
> [TurboProp] Avoid marking the output of a call live in its catch handler
>
> The output of a call won't be live if an exception is thrown while the
> call is on the stack and we unwind to a catch handler.
>
> BUG=chromium:1138075,v8:9684
>
> Change-Id: I95bf535bac388940869eb213e25565d64fe96df1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2476317
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70562}
Bug: chromium:1138075
Bug: v8:9684
Change-Id: I685c94ee2ffcf06658df07fcef06f58c4f01f54b
Cq-Include-Trybots: luci.v8.try:v8_linux64_gcc_compile_dbg
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2479009
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70573}

This reverts commit cdc8d9a5ec.
Reason for revert: The regression test is too slow:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/30454
Also gcc failures:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20gcc%20-%20debug/9528
Original change's description:
> [TurboProp] Avoid marking the output of a call live in its catch handler
>
> The output of a call won't be live if an exception is thrown while the
> call is on the stack and we unwind to a catch handler.
>
> BUG=chromium:1138075,v8:9684
>
> Change-Id: I95bf535bac388940869eb213e25565d64fe96df1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2476317
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#70562}
TBR=rmcilroy@chromium.org,neis@chromium.org
Change-Id: I0f6b9378d516a70401fc429fb3612bbf962b0fb2
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1138075
Bug: v8:9684
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2479007
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70564}

The output of a call won't be live if an exception is thrown while the
call is on the stack and we unwind to a catch handler.
BUG=chromium:1138075,v8:9684
Change-Id: I95bf535bac388940869eb213e25565d64fe96df1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2476317
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70562}

Rename AddSaturate and SubSaturate to the shorter version, AddSat and
SubSat, following the spec.
Bug: v8:10946,v8:10933
Change-Id: Idf74b3a1eb2e2f6d4e37d2b8e5fa6d96ea090db4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2436615
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70549}

In certain situations a phi might not be used by later code, and so
is neither spilled nor has a register allocated to it. Handle this
by removing the incorrect DCHECK.
BUG=chromium:1137979,v8:9684
Change-Id: I702dc05dba22e23dac5c1a366a770f18bac45c52
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2471998
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70536}

It is related to Reduce consecutive overflow addition with constants.
Turned out that we need to also consider the effect use before relaxing it.
This fixed the issue that fuzzer found in e93a369f7a.
Bug: chromium:1137586
Change-Id: I32fee5ecc7a6ce40d6f739f9c6e2440a647a2222
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2469597
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70514}

We fall back from irregexp to the experimental engine if a backtrack
limit is exceeded and the experimental engine can handle the regexp.
The feature can be turned on with a boolean flag, and an uint-valued
flag controls the default backtrack limit. For regexps that are
constructed with an explicit backtrack limit (API,
%NewRegExpWithBacktrackLimit), we choose the lower of the explicit and
default backtrack limits.
The default backtrack limit does not apply to regexps that can't be
handled by the experimental engine, and for such regexps an explicitly
specified backtrack limit is handled as before by returning null if we
exceed it.
Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng
Bug: v8:10765
Change-Id: I580df79bd847520985b6c2c2159bc427315c89d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2436341
Commit-Queue: Martin Bidlingmaier <mbid@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70500}

Whenever more than one value is pushed to the stack, we need to execute
a check for growing the stack first (since https://crrev.com/c/2431525).
This CL adds two missing checks.
R=thibaudm@chromium.org
Bug: chromium:1137582
Change-Id: I9755502dfdb77c03d1dde3e83fb7d33b9b99e499
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2467796
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70480}

Rename the flag --liftoff-extern-ref to
--experimental-liftoff-extern-ref to keep the fuzzer from using it.
The implementation is not complete yet, and the next steps may take a
bit.
R=clemensb@chromium.org
Bug: chromium:1137601
Change-Id: I74f1ed8faba44e42f63790d87f4a538dd59ac852
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2465838
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70476}

Use monotonic times for logging with --predictable.
Bug: v8:10937, v8:10966, v8:10668
Change-Id: I3d4f0d48375f6f5d9fa375cf5393ff3afee7c0b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2465829
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70474}

For turboprop, it's a better tradeoff to reuse the code than to
specialise the code for a particular closure, especially given we
optimize quite early when compared to Turbofan.
Bug: v8:9684
Change-Id: Icf5d8548bbdcac9e202dcf44c68e06cc4c732ba7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2461242
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70451}

Changes:
- Add wasm-to-js wrapper field to WasmJSFunction. A WasmJSFunction might
be called with call_ref without being imported to a module, and this
provides a call target for this scenario. The wrapper is only compiled
if --experimental-wasm-typed-funcref is set.
- Add CompileWasmToJSWrapper in wasm-compiler.
- Rename BuildLoadFunctionDataFromExportedFunction ->
BuildLoadFunctionDataFromJSFunction to reflect its wider usage.
- Rename BuildWasmImportCallWrapper -> BuildWasmToJsWrapper to reflect
this function is now also used by CompileWasmToJSWrapper (unrelated to
imports).
- (Drive-by) Remove dead arguments from wasm-module-builder.js.
Bug: v8:9495
Change-Id: I23468b69d42310cb8e96da5286ce68c701188876
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2459371
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70421}

This was not happening when there was no need to typecheck the entry.
Additional changes:
- Add tests with null table entries for typed and untyped function
tables.
- Allow AddIndirectFunctionTable in wasm-run-utils to specify table
type.
- Add possibility to define tables in test-gc.cc.
- Merge trapTableOutOfBounds with trapInvalidFunc.
- Use trapTableOutOfBounds in call_indirect as appropriate.
- Fix emission of table types in wasm-module-builder.cc.
Bug: v8:9495
Change-Id: I4a857ff4378e5a87dc0646d94b4c75635a43c55b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2442622
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70311}

Instead of loading the map from the feedback vector for monomorphic
access, this CL directly inlines the expected map constant as a static
check.
In case this static check fails, we call out to a builtin which performs
additional dynamic map checks.
There are several dynamic map checks performed by the builtin for various
cases such as:
(a) IC is monomorphic with a map that's different from the initial
static map that we checked, in which case we perform another dynamic
map check.
(b) IC is monomorphic but incoming map is a deprecated map in which case
we call out the runtime to migrate this incoming object to a new map and
then try to handle it.
(c) IC has now transitioned to polymorphic in which we use the old
dynamic polymorphic checks to validate the map and handler.
Bug: v8:10582, v8:9684
Change-Id: Id87265ed513e4aef87b8e66c826afbf10f50a1d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2429034
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70304}

It only had one callsite, and that callsite was useless:
%IsValidSmi(two_31) has never returned {true} on any
configuration we have ever shipped.
Bug: v8:10933
Change-Id: I09cdfd7bbd7960d1ec460ad4bd9f0d21e47f7393
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2434746
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70285}

AST reindexing has to skip visiting fields that are already in the
member initializer, as they will have already been visited when
visiting said initializer. This is the case for private fields and
fields with computed names.
However, the reindexer was incorrectly assuming that all properties
with a FunctionLiteral value are methods (and thus not fields, and
can safely be visited). This is not the case for fields with
function expression values.
Now, we correctly use the class property's "kind" when making this
visitation decision.
Fixed: chromium:1132111
Change-Id: Ia53d1fe713453e361b818dfb0b5f88a90cecdf21
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2440519
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70247}

Array.prototype.pop() must throw a TypeError whenever the array's
length is readonly; there is no exception to that when the length
is 0. This patch moves the length==0 special case after the
read-only length check in both fast paths (CSA and C++).
Fixed: v8:10908
Change-Id: I4a77439478cffeaf11022ff8beb78b0a907290d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2440576
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70233}
Sorting a TypedArray with a custom compare function requires us to
copy the array's contents to a FixedArray. When the TypedArray is
larger than FixedArray::kMaxLength, we should throw a RangeError
rather than crashing with an OOM message.
Fixed: v8:10931
Change-Id: I8a27cc0ac80a9172bc5e8e154fdf4ccce5974317
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2440575
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70232}

Ensure that a valid off-heap trampoline is created for the
GenericJSToWasmWrapper builtin by adding it to the list of executable
builtins.
R=ahaas@chromium.org
CC=evih@chromium.org
Bug: v8:10701
Change-Id: I49b8144237aca20f5f663c7b32810a16f715ad5f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2438415
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70218}

Changes:
- Implement WasmExportedFunction::MatchesSignature.
- Use it over comparison with == in ResolveWasmImportCall.
- Add a test which exposes the existing bug.
- Add a few reminder TODOs.
Bug: v8:9495
Change-Id: Ibbe31dbf550be212dbf2170ab8cdab9b4b6de734
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2438060
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70215}

LoadTransform operators contain a LoadKind, which can be unaligned,
protected, poisoned, normal.
If it is protected, we cannot eliminate that load,
since we rely on the segv signal handling. So, we use partial template
specialization on LoadKind::kProtected, and don't set the operator to
not be eliminatable.
Bug: chromium:1132461
Change-Id: If45fc6562348ffd4dbaa27058e6c5d4242f79abb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2436081
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70205}

This additionally combines --future with all other standard testing
variants.
This also enables using concurrent_marking in status files to skip
tests in this variant.
This also marks a slow test that times out in the new config.
Bug: v8:10875
Change-Id: Id904f6a2c51b814eecfccb523a897de2f5d96f56
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2423719
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70180}

This test likely did something in 2013 when we still had legacy const,
but now it seems like it's mostly a poor unittest of when
optimization/deoptimization happens.
Bug: v8:10933
Change-Id: Ib816e0eddf9224a4ad37096591da9032740d5e7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2432313
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70178}

The tool has been outdated for a while and replaced by profview for
most use-cases.
The last version is still hosted under
https://v8.github.io/tools/v8.4/profviz/profviz.html
Bug: v8:9260, v8:10667
Change-Id: I54888640a627ee8e4d8ad2ab63bd91e04e6fb98f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2434335
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70159}

Currently, the generic wrapper is used for i32, i64, f32 and f64 params
and 0 or 1 i32, i64, f32, f64 return value.
Bug: v8:10701
Change-Id: I3776de617aa4a384fdff5154ddad8ff405001a33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2429266
Commit-Queue: Eva Herencsárová <evih@google.com>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70156}

Add opt and noturbo inlining to these tests to ensure that
they keep working.
Bug: v8:10924
Change-Id: Icdb5ddffad11ea3c2eea723e339d450d8405b6b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2426604
Commit-Queue: Almothana Athamneh <almuthanna@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70145}

This fixes the logic in the desugaring of destructuring assignments. In
particular, a spread element would not check if previous `next` results
had already been done, and would always call `next()` again.
Change-Id: I1bd384678722e6cf51c5777fc3b0dd965360291a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2430488
Commit-Queue: Gus Caplan <snek@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70144}
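The iteration protocol the corrected desugaring follows, shown as an added example that is not from the V8 change (countNextCalls is a helper name chosen here): a constructed iterator counts its next() and return() calls during destructuring assignment, so a rest element that called next() again after done:true would show up as an extra call.

```javascript
// Added example (not from the V8 commit): instrument an iterator and run
// a destructuring assignment over it. Per spec, once next() has reported
// done:true the pattern must not call next() again (this includes a
// trailing rest element), and return() is only called when the pattern
// finishes while the iterator is not yet done.
function countNextCalls(values, pattern) {
  let nextCalls = 0;
  let returnCalls = 0;
  const iterable = {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          nextCalls++;
          return i < values.length
            ? { value: values[i++], done: false }
            : { value: undefined, done: true };
        },
        return() {
          returnCalls++;
          return { done: true };
        },
      };
    },
  };
  pattern(iterable); // the caller's destructuring assignment
  return { nextCalls, returnCalls };
}

let a, b, rest;
// Empty iterator: binding `a` exhausts it with one next() call; the rest
// element must not call next() a second time (the buggy desugaring did).
const emptyRest = countNextCalls([], (it) => { [a, ...rest] = it; });
// One value: next() #1 yields it, next() #2 reports done; rest is [].
const oneRest = countNextCalls([1], (it) => { [a, ...rest] = it; });
// No rest element and values left over: the iterator is closed via return().
const closed = countNextCalls([1, 2, 3], (it) => { [a, b] = it; });
console.log(emptyRest, oneRest, closed);
```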
These instructions were changed from "s8x16" to "i8x16" prefixes in
https://github.com/WebAssembly/simd/pull/321.
This CL updates all V8 code, including arch-specific code, to match.
Bug: v8:10946, v8:10933
Change-Id: I26ef9ad77571f94501d42c1d65f57380fd507f3d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2432068
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70143}

In atomic.notify we overwrote the register which stored the index,
without checking if it was still in use or not.
R=clemensb@chromium.org
Bug: v8:10898
Change-Id: I59ed7a2c1f1342ff4252e3c4d33822111caee82c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2426616
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70125}

When loading from the exported function data without pointer
compression, the wrong load was used before.
Bug: v8:10701, chromium:1130385
Change-Id: If66913bcd5284eeb6fb7b795357f1512682a062f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2426383
Commit-Queue: Eva Herencsárová <evih@google.com>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70124}

The actual fix is in LoadIC::ComputeHandler (checking
lookup_start_object == holder instead of receiver == holder) + the
LookupIterator changes for preserving lookup_start_object.
The rest is renaming / refactoring.
Reland: not relying on the prototype validity cell after all
Previous version: https://chromium-review.googlesource.com/c/v8/v8/+/2414039
Bug: v8:9237, chromium:1127653
Change-Id: I1949442f8ddcecb776f0c5d2cf737cb75f80e313
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2428588
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70112}

This fixes a case in which we forgot to assign flags to TextNodes
created through
AddBmpCharacters
AddNonBmpSurrogatePairs
AddLoneLeadSurrogates
AddLoneTrailSurrogates
functions. If these initially had a flag (e.g. case-insensitive 'i')
set, that information was lost. This bug resulted in missing case
folding in no_i18n builds (perhaps other things as well that just
aren't covered by our test suite).
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Bug: v8:10131,v8:10120
Change-Id: Icef4f0dbd47971a538e07bab2f1067c383fd59c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2423718
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70106}