The following situation may happen which reproduces this bug:
(1) We allocate JSObject A on an evacuation candidate.
(2) We allocate JSObject B on a non-evacuation candidate.
(3) Incremental marking starts and marks object A and B.
(4) We create a reference from B.field = A; which records the slot B.field since A is on an evacuation candidate.
(5) After that we write a SMI into B.field.
(6) After that B goes into dictionary mode and shrinks its original size. B.field is now outside of the JSObject, i.e B.field is in memory that will be freed by the sweeper threads.
(7) GC is triggered.
(8) BUG: Slots buffer filtering walks over the slots buffer, SMIs are not filtered out because we assumed that SMIs are just ignored when the slots get updated later. However, recorded SMI slots of dead objects may be overwritten by double values at evacuation time.
(9) During evacuation, a heap number that looks like a valid pointer is moved over B.field.
(10) The slots buffer is scanned for updates, follows B.field since it looks like a pointer (the double value looks like a pointer), and crashes.
BUG=chromium:519577,chromium:454297
LOG=y
Review URL: https://codereview.chromium.org/1286343004
Cr-Commit-Position: refs/heads/master@{#30200}
Always unlink optimized code on deopt, even when FLAG_always_opt is present, because assumptions that the code made could have become invalid.
BUG=v8:4375
LOG=n
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/1284103006
Cr-Commit-Position: refs/heads/master@{#30196}
This removes the dependency of the MarkingDeque on the underlying
collector by moving out the live bytes accounting and object color
mutations into a wrapper. The MarkingDeque can now be split into a
separate file.
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/1293773002
Cr-Commit-Position: refs/heads/master@{#30194}
Previously, UsePositions for Phis that are constant LiveRanges which are also used
as hints for other USePositions would always force-allocate the first register in
the allocatable register file to that range.
Review URL: https://codereview.chromium.org/1289313003
Cr-Commit-Position: refs/heads/master@{#30193}
The interpreter needs to be initialized after the snapshot has been deserialized.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1290883004
Cr-Commit-Position: refs/heads/master@{#30190}
This is to prevent unnecessary script contexts to be created for
native scripts, which could end up with a script context table
containing twenty script contexts for a newly created native context.
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/1301533002
Cr-Commit-Position: refs/heads/master@{#30188}
Add Object::StrictEquals to unify the implementation of strict equality
comparison in the runtime and the api (the api was already missing a
case for SIMD). Now we (almost) have a single bottleneck for strict
equality, we just need to reduce the amount of unnecessary complexity
for the code stub.
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/1298603002
Cr-Commit-Position: refs/heads/master@{#30186}
Second item in section 13.7.5.1 states that the error should be a
SyntaxError, when previously CheckAndRewriteReferenceExpression
would always emit a ReferenceError.
BUG=v8:4373
R=adamk, rossberg
LOG=N
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1292393002
Cr-Commit-Position: refs/heads/master@{#30184}
Restricts linux perf-event code range reporting to functions only (i.e. on
stubs.) While this makes the gathered ticks less accurate, it reduces the
growth of the /tmp/perf-${pid}.map file.
BUG=v8:3453
R=hablich@chromium.org,danno@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/1292743002
Cr-Commit-Position: refs/heads/master@{#30179}
- Make the API look like v8::V8::InitializeICU.
(That is: A static method call, not an object to be created on the stack.)
- Fix path separator on Windows, by calling base::OS::isPathSeparator.
- Move into API, so that it can be called by hello-world & friends.
- Actually call it from hello-world and friends.
R=jochen@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1292053002
Cr-Commit-Position: refs/heads/master@{#30174}
This CL is a pure refactoring that makes an empty compilation unit
including just "foo.h" but not "foo-inl.h" compile without warnings or
errors. This is needed to further reduce the header dependency tangle.
This realizes above state for "spaces.h" and "mark-compact.h".
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/1288413002
Cr-Commit-Position: refs/heads/master@{#30171}
In doing so, fix calls CheckAndRewriteReferenceExpression to take proper
start and end positions (instead of just pointing at the first token in
the LHS expression).
BUG=v8:4370
LOG=n
Review URL: https://codereview.chromium.org/1290013002
Cr-Commit-Position: refs/heads/master@{#30166}
Improves on aec8987b5e by not forcing external GCs
(blink) through the GC epilogue callback.
BUG=chromium:515795
LOG=N
Review URL: https://codereview.chromium.org/1287323002
Cr-Commit-Position: refs/heads/master@{#30164}
This tries to remove includes of "-inl.h" headers from normal ".h"
headers, thereby reducing the chance of any cyclic dependencies and
decreasing the average size of our compilation units.
Note that this change still leaves 5 violations of that rule in the
code. It only tackles "node.h" including "types-inl.h".
R=titzer@chromium.org
Review URL: https://codereview.chromium.org/1288053004
Cr-Commit-Position: refs/heads/master@{#30161}
This test enumerates properties on all the builtins and makes sure that
they never change. In practice, this just generates busywork when trying
to add new language features; I've never seen it catch an
accidentally-exposed bit of API.
Review URL: https://codereview.chromium.org/1275423006
Cr-Commit-Position: refs/heads/master@{#30160}
This CL us a pure refactoring that makes an empty compilation unit
including just "foo.h" but not "foo-inl.h" compile without warnings or
errors. This is needed to further reduce the header dependency tangle.
R=rossberg@chromium.org
Review URL: https://codereview.chromium.org/1290743005
Cr-Commit-Position: refs/heads/master@{#30158}
Reason for revert:
Breaks win32 nosnap
Original issue's description:
> [runtime] Remove useless IN builtin.
>
> Similar to DELETE, the IN builtin is just a thin wrapper for %HasElement
> and %HasProperty anyway, and cannot be optimized, plus it had a weird
> special fast case (which also involved at least one LOAD_IC plus some
> intrinsic magic).
>
> R=yangguo@chromium.org,jarin@chromium.org
>
> Committed: https://crrev.com/72d60a1e80e81e2e68ca402665e2acbc46c5e471
> Cr-Commit-Position: refs/heads/master@{#30154}
TBR=yangguo@chromium.org,jarin@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1288923002
Cr-Commit-Position: refs/heads/master@{#30155}
Similar to DELETE, the IN builtin is just a thin wrapper for %HasElement
and %HasProperty anyway, and cannot be optimized, plus it had a weird
special fast case (which also involved at least one LOAD_IC plus some
intrinsic magic).
R=yangguo@chromium.org,jarin@chromium.org
Review URL: https://codereview.chromium.org/1295433002
Cr-Commit-Position: refs/heads/master@{#30154}
