Commit Graph

8389 Commits

Author SHA1 Message Date
Caitlin Potter
0802e2b262 [esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral
Fixes an error where TemplateLiteral printing in --print-ast
would try to read an element beyond the length of a vector.

BUG=v8:7415, chromium:820596
R=adamk@chromium.org, gsathya@chromium.org

Change-Id: Idf9e0da8c165ee62bc1a348a91c2ed5ed798404a
Reviewed-on: https://chromium-review.googlesource.com/957883
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#51857}
2018-03-10 01:13:50 +00:00
Benedikt Meurer
fd29e1d841 [builtins] Properly handle DICTIONARY_ELEMENTS in Promise.all closures.
Bug: chromium:820312
Change-Id: Ie9237a5c53ac7121e469af460a2f0ad5016d9d03
Reviewed-on: https://chromium-review.googlesource.com/957090
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51844}
2018-03-09 14:25:34 +00:00
Clemens Hammacher
a71e5f9a7b [wasm] Avoid integer overflow on function locals check
On 32-bit systems, the computation {count + type_list->size()} can
overflow, leading to memory corruption later on.

R=titzer@chromium.org

Bug: chromium:819869
Change-Id: Ic81d201e58211e3989b4e945cd52e98dc951fbda
Reviewed-on: https://chromium-review.googlesource.com/955025
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51817}
2018-03-08 17:00:55 +00:00
Benedikt Meurer
e583fc836b [turbofan] Fix invalid SpeculativeToNumber optimization.
When optimizing SpeculativeToNumber we need to pay attention to the
hint, otherwise we optimize away a Signed32 conversion, based on the
fact that the input is a Number.

Bug: chromium:819298
Change-Id: I2ac7b0dac708fee9083eca2880bd5674a82daaa3
Reviewed-on: https://chromium-review.googlesource.com/955423
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51805}
2018-03-08 12:38:29 +00:00
Sathya Gunasekaran
a3f0f0c6e5 [class] Add tests for private fields with eval
Bug: v8:5368
Change-Id: I3119ce753737afd44a03d2c44348912a96da6c97
Reviewed-on: https://chromium-review.googlesource.com/952481
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51794}
2018-03-07 19:33:56 +00:00
Jakob Kummerow
66f21389a7 [bigint] Fix Exponentiate for 1 ** multi_digit
Bug: chromium:819026
Change-Id: I2c58d5e2892f683747966e00aa047153085ac121
Reviewed-on: https://chromium-review.googlesource.com/950472
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51776}
2018-03-06 18:58:32 +00:00
Benedikt Meurer
6196dd051f [turbofan] Only store after all checks are done.
The optimized code for %ArrayIteratorPrototype%.next for holey arrays
was wrong, since it would first store the [[NextIndex]] and then check
whether it hit a hole. However in that case TurboFan doesn't have any
point to deoptimize to, so we need to perform the side-effecting stores
only after all checks are done.

Bug: v8:7510, v8:7514, chromium:819086
Change-Id: I0214c7124833286113e4dc7403ddc20a82fa8da3
Reviewed-on: https://chromium-review.googlesource.com/950723
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51753}
2018-03-06 09:09:11 +00:00
Taketoshi Aono
f0946c1b71 Reland proposal-numeric-separator.
Revert "Revert "[parser] Implements proposal-numeric-separator.""

This reverts commit 782f6401ee.

Original CL is https://chromium-review.googlesource.com/c/v8/v8/+/923441

Bug: v8:7317
Change-Id: I6f541c038bad0cff625094ba84aebe582bdeb12f
Reviewed-on: https://chromium-review.googlesource.com/945034
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51749}
2018-03-06 01:25:06 +00:00
Sigurd Schneider
0d5588dc2c [turbofan] Don't drop arguments in fast-path
Math fast-path cannot drop arguments because their side-effects
must be preserved. For example, Math.imul(x) dropped x entirely,
because if x is convertible to an integer, the result is 0.
This, however, is not OK because converting x to an integer might
throw.

Bug: chromium:818070, v8:7250, v8:7240
Change-Id: I8363e6dcd3fc78c879395aacb636d5782c3b023e
Reviewed-on: https://chromium-review.googlesource.com/948523
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51736}
2018-03-05 15:19:11 +00:00
Benedikt Meurer
06ee127b75 [es2015] Refactor the JSArrayIterator.
This changes the JSArrayIterator to always have only a single instance
type, instead of the zoo of instance types that we had before, and
which became less useful with the specification update to when "next"
is loaded from the iterator now. This greatly simplifies the baseline
implementation of the array iterator, which now only looks at the
iterated object during %ArrayIteratorPrototype%.next invocations.

In TurboFan we introduce a new JSCreateArrayIterator operator, that
holds the IterationKind and get's the iterated object as input. When
optimizing %ArrayIteratorPrototype%.next in the JSCallReducer, we
check whether the receiver is a JSCreateArrayIterator, and if so,
we try to infer maps for the iterated object from there. If we find
any, we speculatively assume that these won't have changed during
iteration (as we did before with the previous approach), and generate
fast code for both JSArray and JSTypedArray iteration.

Drive-by-fix: Drop the fast_array_iteration protector, it's not
necessary anymore since we have the deoptimization guard bit in
the JSCallReducer now.

This addresses the performance cliff noticed in webpack 4. The minimal
repro on the tracking bug goes from

  console.timeEnd: mono, 124.773000
  console.timeEnd: poly, 670.353000

to

  console.timeEnd: mono, 118.709000
  console.timeEnd: poly, 141.393000

so that's a 4.7x improvement.

Also make presubmit happy by adding the missing #undef's.

Bug: v8:7510, v7:7514
Change-Id: I79a46bfa2cd0f0710e09365ef72519b1bbb667b5
Reviewed-on: https://chromium-review.googlesource.com/946098
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51725}
2018-03-05 11:57:28 +00:00
Sigurd Schneider
d1df563059 [turbofan] Fix bug in Array.p.reduceRight
Bug: v8:7495
Change-Id: Id929804e0d0f78c17d81d07cd6a5c5e571449d35
Reviewed-on: https://chromium-review.googlesource.com/947974
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51720}
2018-03-05 10:52:32 +00:00
Georg Neis
c895a23a99 [ic] Relax a CHECK.
The CHECK didn't account for the recent introduction of
StoreInArrayLiteralIC.

Bug: v8:5940, chromium:818438
Change-Id: I73b4120eb39b16d766f0b1a9cb82ba44804b09a3
Reviewed-on: https://chromium-review.googlesource.com/947950
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51719}
2018-03-05 10:09:01 +00:00
Jakob Kummerow
62d1f78245 [bigint] Fix throwing in Exponentiate()
When the multiplication steps fail, they have already thrown an
exception internally, so we should not throw another.
The power-of-two fast path erroneously did not throw at all for
a few input values.

Bug: chromium:818277
Change-Id: If90f6aa3e77fc72e3434daca3b898c77739933ab
Reviewed-on: https://chromium-review.googlesource.com/947254
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51711}
2018-03-03 00:59:42 +00:00
Georg Neis
2e2860f74f [ic] Introduce new IC for storing into array literals.
... and use it in the implementation of array literal spreads,
replacing calls to %AppendElement.

Array spreads in destructuring will be taken care of in a separate CL.

Bug: v8:5940, v8:7446
Change-Id: Idec52398902a7fd3c1244852cf73246f142404f0
Reviewed-on: https://chromium-review.googlesource.com/915364
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51709}
2018-03-02 21:12:57 +00:00
Tobias Tebbi
b8abd2736e [turbofan] remove type-widening NaN-addition folding
Folding _ + NaN => NaN can widen type None to a constant type, which leads to floating DeadValue nodes. This CL fixes this by removing the optimization. Alternatively, we should consider removing all nodes of type None in simplified lowering.

Bug: chromium:817225
Change-Id: I2a126b360d70d3626f8a3c5e73ac72dc980ac8b3
Reviewed-on: https://chromium-review.googlesource.com/946129
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51699}
2018-03-02 14:19:59 +00:00
Clemens Hammacher
6195ebe160 [wasm] Fix DCHECK for lazy compilation
Table inits can contain imported functions, hence their code will be a
wasm-to-wasm wrapper.
Fix a DCHECK and add a regression test.

R=ahaas@chromium.org

Bug: chromium:817380
Change-Id: I836be589e1ae66839ccd470154c8dea488e6bc1f
Reviewed-on: https://chromium-review.googlesource.com/943107
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51685}
2018-03-02 09:48:11 +00:00
Deepti Gandluri
782f6401ee Revert "[parser] Implements proposal-numeric-separator."
This reverts commit 517df52488.

Reason for revert: Fails MSAN tests - https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/20030

Original change's description:
> [parser] Implements proposal-numeric-separator.
> 
> https://github.com/tc39/proposal-numeric-separator
> 
> This proposal-numeric-separator extends NumericLiteral and
> allows developers to insert underscore(_) inside numeric literal.
> 
> Bug: v8:7317
> Change-Id: I2a1a45cd6fe09cc5df63433bc915988fde687a33
> Reviewed-on: https://chromium-review.googlesource.com/923441
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51671}

TBR=adamk@chromium.org,jkummerow@chromium.org,hablich@chromium.org,gsathya@chromium.org,mathias@chromium.org,goto@google.com,brn@b6n.ch

Change-Id: I6dcf46820caf20f28fbc11d94a5e8ced3cbbc78d
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7317
Reviewed-on: https://chromium-review.googlesource.com/944767
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51672}
2018-03-01 23:04:36 +00:00
Taketoshi Aono
517df52488 [parser] Implements proposal-numeric-separator.
https://github.com/tc39/proposal-numeric-separator

This proposal-numeric-separator extends NumericLiteral and
allows developers to insert underscore(_) inside numeric literal.

Bug: v8:7317
Change-Id: I2a1a45cd6fe09cc5df63433bc915988fde687a33
Reviewed-on: https://chromium-review.googlesource.com/923441
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51671}
2018-03-01 22:28:14 +00:00
Jakob Kummerow
dcbcf0469d [bigint] Fix tie-to-even case in BigInt::ToNumber
Bug: v8:6791, v8:7506
Change-Id: I8ff41cb5fab03ab2ced8f21016a0744582a3fcee
Reviewed-on: https://chromium-review.googlesource.com/942387
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51666}
2018-03-01 19:46:57 +00:00
Clemens Hammacher
08a9e3eb20 [Liftoff] Fix get_use_count for register pairs
R=ahaas@chromium.org

Bug: v8:7508, v8:6600
Change-Id: I9eb04171eb489383bb746e2d04c6ffff304b7918
Reviewed-on: https://chromium-review.googlesource.com/942821
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51652}
2018-03-01 13:06:17 +00:00
Georg Neis
df35adc763 [bigint] Fix bug in exponentiation.
R=jkummerow@chromium.org

Bug: v8:7505, v8:6791
Change-Id: I11b0031dfafa499a813e3e52080ee5542224799a
Reviewed-on: https://chromium-review.googlesource.com/941130
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51639}
2018-02-28 21:16:15 +00:00
Georg Neis
148cb4d1b1 [modules] Fix handling of uninitialized exports in namespace objects.
For namespace objects, [[GetOwnProperty]] on an uninitialized property
throws a ReferenceError. This was not implemented everywhere. This CL
fixes all such issues I'm aware of.

Bug: v8:7470
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I5f024450005c4f4dcb3f41c844ef055f67a9a869
Reviewed-on: https://chromium-review.googlesource.com/937341
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51638}
2018-02-28 21:13:16 +00:00
Jakob Kummerow
c94df3cec4 Fix buffer-detached check in TypedArray.of/from
The assert-guarded comment claiming that ToNumber could not
possibly neuter the target array unfortunately turns out to
have been wishful thinking.

Bug: chromium:816961
Change-Id: Ib98f96f4cd7f33414c0b5a6037bfb881938cc15e
Reviewed-on: https://chromium-review.googlesource.com/939767
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51637}
2018-02-28 20:52:55 +00:00
Clemens Hammacher
567dcad1ae [wasm] Fix prototype property of exported functions
According to the spec, exported wasm functions should not have a
[[Construct]] method, hence they don't have a prototype.

R=bmeurer@chromium.org
CC=​titzer@chromium.org

Bug: v8:7503
Change-Id: I9e142d65a80c0ef6dbd743421771f194c2d50614
Reviewed-on: https://chromium-review.googlesource.com/939782
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51622}
2018-02-28 09:14:57 +00:00
Eric Holk
c137eb509d [typed arrays] GetBuffer returns old buffer for guarded buffers
This also adds a DCHECK that the buffer does not have guard pages in
MaterializeArrayBuffer because the code there does not know how correctly set up
a buffer with guard pages.

Bug: chromium:801849
Change-Id: Ic761fcdfbd16a2d6e87f4eb135f5d03b7aa2d71d
Reviewed-on: https://chromium-review.googlesource.com/938968
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51616}
2018-02-27 20:36:54 +00:00
Ross McIlroy
910f45fa8d Reland: [Compiler] Use CompilationCache for StreamedScript compilation.
Previously GetSharedFunctionInfoForStreamedScript didn't either check the
compilation cache or put the result of compilation into the compilation
cache. This would mean future compiles would need to re-parse / compile
the same script even if the isolate had already seen it. This CL
fixes this.

Also refactors the compilation pipelines to ensure we call debug->OnAfterCompile()
for all script compiles even when loading from a cache.

BUG=v8:5203

Change-Id: I4b06bdfc566425f4e6d70fc3e6e080b0dc497d48
Reviewed-on: https://chromium-review.googlesource.com/939464
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51607}
2018-02-27 15:41:14 +00:00
Michael Starzinger
15bf3ae5e1 [test] Re-enable tests that should no longer fail.
R=cbruni@chromium.org
BUG=v8:7438

Change-Id: I2359ff08f0c37c683bbcb164eb3120539d2bb124
Reviewed-on: https://chromium-review.googlesource.com/939468
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51605}
2018-02-27 15:31:54 +00:00
Clemens Hammacher
a0e66bca78 [Liftoff][ia32] Handle overflow in memory offset
When generating a 64bit memory operation on ia32, we need to emit two
operations, one at {offset+4}, one at {offset}. The computation
{offset+4} can overflow, which is ok because
1) it won't be used for code generation later, and
2) the generated code will not be reached because the memory access is
   always out of bounds anyway.

R=ahaas@chromium.org

Bug: v8:7499, v8:6600
Change-Id: Ia4660688c3291700c48efc201d15fc370b4dd854
Reviewed-on: https://chromium-review.googlesource.com/939389
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51604}
2018-02-27 15:06:24 +00:00
Camillo Bruni
c7d01c42ed [proxies] Use write barriers for Proxy [[Construct]] arguments
The number of arguments passed on the stack might exceed the regular
object size limits. Hence we need to emit write barriers when copying
the arguments from the stack into the allocated array.

Bug: chromium:813450
Change-Id: I829c5c32b1a7b5f4ddb01cc6ea92f85ab47126aa
Reviewed-on: https://chromium-review.googlesource.com/939174
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51603}
2018-02-27 14:41:08 +00:00
Jaroslav Sevcik
8c1234861c [turbofan] Bailout from optimizations for large bytecode sizes (>128kB).
Turbofan can only handle 64K control inputs for merges. Such large
can only be created by functions with 64K jumps, so we limit the
bytecode size to the minimum size of bytecode arrays with 64K jumps.

Bug: chromium:815392, v8:7438
Change-Id: I674705e87e19ce451b40d5827c9fe3e6ec17293a
Reviewed-on: https://chromium-review.googlesource.com/938421
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51598}
2018-02-27 13:22:53 +00:00
Clemens Hammacher
bd2c9d560c [wasm][testing] Fix definition of kSig_f_v
There is a clear mistake of using kWasmF64 instead of kWasmF32.

R=ahaas@chromium.org

Change-Id: I638d568b3736fdb8417f17bcd04d17268a45b965
Reviewed-on: https://chromium-review.googlesource.com/939178
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51595}
2018-02-27 12:52:23 +00:00
Choongwoo Han
1a1e93526e [builtins] Sort only up to a given length in Array.p.sort
Always return the given length (limit) for typed arrays in PrepareElementsForSort
since typed arrays do not have holes.

Bug: v8:6719
Change-Id: Ic455ceca6563fc66a4e4a78c7bf5df1ad17afb4a
Reviewed-on: https://chromium-review.googlesource.com/615104
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51588}
2018-02-27 10:17:03 +00:00
Adam Klein
8fa85efd27 [esnext] Remove always-disabled support for function.sent
This proposal has not moved beyoned stage 2 in two years, and has never
moved past the HARMONY_INPROGRESS state in flag-definitions.h.

It was originally added to aide in desugaring yield*, but is no longer
used for that purpose.

Bug: v8:4700, v8:7310
Change-Id: Ieca40d8e4bf565516bbe71e47b996daa70d2e835
Reviewed-on: https://chromium-review.googlesource.com/935297
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51582}
2018-02-26 20:01:41 +00:00
Peter Marshall
6b25ab2e8c [typedarray] Extend ElementsAccessor::CopyElements to all Object types
Previously, Strings without an iterator would go to the runtime path
and fail on because it expected a JSReceiver type. This was in-line
with what the elements accessor expected. We can actually handle all
object types in the final slow path (using LookupIterator) so it is no
problem to change the accept types.

Bug: chromium:816289
Change-Id: Iebb8de0bb7551aee3894c8a23836d079c93726a7
Reviewed-on: https://chromium-review.googlesource.com/937461
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51574}
2018-02-26 15:51:31 +00:00
Peter Marshall
ec5c342798 [typedarray] Fix failing DCHECK for TA.from with a length getter.
I loosened the DCHECKs here but I think they are still fundamentally
safe: `length` must be <= the actual length of the source (so that
there are actually enough elements to copy), and `length` must also be
<= the destination length, minus the offset (so there is enough space
to copy the elements into).

Bug: chromium:816317
Change-Id: Ice00ac60f4884363f6065ffee71f6ab1d1b32dbc
Reviewed-on: https://chromium-review.googlesource.com/937209
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51566}
2018-02-26 13:42:23 +00:00
Yang Guo
9a561c82af [debug] remove outdated regression test.
TBR=jgruber@chromium.org
NOTREECHECKS=true
NOTRY=true

Change-Id: Id5d81f863fa6d14ac86d49b6516e577c2da7a999
Reviewed-on: https://chromium-review.googlesource.com/936543
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51557}
2018-02-26 11:27:40 +00:00
Yang Guo
175fc49c6e [debug] remove legacy implementation for break points.
R=herhut@chromium.org, jgruber@chromium.org

Bug: v8:7310, v8:5510
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Icefd10b6cc210e5bb2684d18b091179ead387326
Reviewed-on: https://chromium-review.googlesource.com/934445
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51552}
2018-02-26 10:01:39 +00:00
Sigurd Schneider
bcb5d45210 [turbofan] Introduce StringSubstring operator
Adding the StringSubstring simplified operator is a precursor to
improve inlining of String.p.{substr,substring,slice}.
This also contains a drive-by renaming to normalize different
spellings of 'Substring'.

Bug: v8:7250, v8:7340
Change-Id: I89e0fbafeab80f5d2f3ef348a5303d32c0abfe0a
Reviewed-on: https://chromium-review.googlesource.com/919084
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51522}
2018-02-23 15:51:57 +00:00
Peter Marshall
aaa1d27153 [turbofan] Add a constructor frame state for promise constructors.
This fixes issues where the stack track contained 'Promise' but
not 'new'.

Bug: v8:7253
Change-Id: I840fcc0a76e2376aab0b64d321f5cf8ccc672956
Reviewed-on: https://chromium-review.googlesource.com/928762
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51516}
2018-02-23 14:06:17 +00:00
Sigurd Schneider
53e00e3900 Reland "[turbofan] Move String.* functions to JSCallReducer"
This is a reland of 3ff4b44735.

Original version did not handle V8_INTL_SUPPORT.

Original change's description:
> [turbofan] Move String.* functions to JSCallReducer
>
> Bug: v8:7250, v8:7340
> Change-Id: Ibb8d5badf89c66bd9bcb6bb390256ae81d0e899c
> Reviewed-on: https://chromium-review.googlesource.com/913208
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51505}

Bug: v8:7250, v8:7340
Change-Id: Id908cbcfaa9e9cf5459d6d3289e6ec00e387d287
Reviewed-on: https://chromium-review.googlesource.com/934268
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51514}
2018-02-23 13:43:28 +00:00
Sigurd Schneider
0ef07c95f4 Revert "[turbofan] Move String.* functions to JSCallReducer"
This reverts commit 3ff4b44735.

Reason for revert: Does not handle V8_INTL_SUPPORT correctly

Original change's description:
> [turbofan] Move String.* functions to JSCallReducer
> 
> Bug: v8:7250, v8:7340
> Change-Id: Ibb8d5badf89c66bd9bcb6bb390256ae81d0e899c
> Reviewed-on: https://chromium-review.googlesource.com/913208
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51505}

TBR=sigurds@chromium.org,bmeurer@chromium.org

Change-Id: I6efb3b758b0fcadc012a90c4175de3c1ebccee95
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7250, v8:7340
Reviewed-on: https://chromium-review.googlesource.com/934267
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51507}
2018-02-23 12:41:04 +00:00
Sigurd Schneider
3ff4b44735 [turbofan] Move String.* functions to JSCallReducer
Bug: v8:7250, v8:7340
Change-Id: Ibb8d5badf89c66bd9bcb6bb390256ae81d0e899c
Reviewed-on: https://chromium-review.googlesource.com/913208
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51505}
2018-02-23 12:22:13 +00:00
Sigurd Schneider
6be614fb2d Reland "[turbofan] Disable speculation for JSCall nodes by default"
This is a reland of ccbbdb93a1.

Original change's description:
> [turbofan] Disable speculation for JSCall nodes by default
>
> Change-Id: I7360601f4e1b419cf8d35480b068418bdd700be9
> Reviewed-on: https://chromium-review.googlesource.com/928649
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51467}

Bug: v8:7340

Change-Id: I5557afcdad0c7f9610a396dcfa45f8985a13c1ba
Reviewed-on: https://chromium-review.googlesource.com/931546
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51496}
2018-02-23 08:31:41 +00:00
Jakob Kummerow
ddc155d89f [bigint] Add CSA support for Big*64Array stores
Bug: v8:6791
Change-Id: I1423321552e50d9ccb40a94b73f393d6d46fa629
Reviewed-on: https://chromium-review.googlesource.com/927789
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51492}
2018-02-23 02:30:04 +00:00
Jakob Kummerow
3ef16185e4 Reland "[bigint] Implement DataView.{get,set}Big*64"
Originally reviewed at https://chromium-review.googlesource.com/929429
and landed as r51486 / d50c7731e8.

Update in reland: whitelisted new builtins as side effect free.

Bug: v8:6791
Change-Id: Iff45700c8a4eca23f3ee6fc9c0cb340dc027cbc6
Reviewed-on: https://chromium-review.googlesource.com/932802
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51491}
2018-02-23 00:57:38 +00:00
Adam Klein
f7d7b5c6a4 ToString of a Proxied function should not throw
Without --harmony-function-tostring, anything other than a JSFunction
or JSBoundFunction throw when Function.prototype.toString is called on
them. But with the toString revision, anything callable allows toString
(and for non-Functions returns the good old "function () { [native code] }"
string).

Bug: v8:7484
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I3540e213a40992151761b59666fe36e0510da908
Reviewed-on: https://chromium-review.googlesource.com/932825
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51489}
2018-02-22 22:55:50 +00:00
Michael Achenbach
56b4c41b6a Revert "[bigint] Implement DataView.{get,set}Big*64"
This reverts commit d50c7731e8.

Reason for revert: Fails on many bots, like:
https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/23331

Original change's description:
> [bigint] Implement DataView.{get,set}Big*64
> 
> Bug: v8:6791
> Change-Id: I4b5ad3cf68b5c2423d6e055332d7f0dfce7c1e99
> Reviewed-on: https://chromium-review.googlesource.com/929429
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51486}

TBR=jkummerow@chromium.org,neis@chromium.org

Change-Id: I95c260134d7d2671cd4cc0f8c07971af04d97546
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6791
Reviewed-on: https://chromium-review.googlesource.com/932801
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51487}
2018-02-22 21:29:12 +00:00
Jakob Kummerow
d50c7731e8 [bigint] Implement DataView.{get,set}Big*64
Bug: v8:6791
Change-Id: I4b5ad3cf68b5c2423d6e055332d7f0dfce7c1e99
Reviewed-on: https://chromium-review.googlesource.com/929429
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51486}
2018-02-22 20:10:10 +00:00
Clemens Hammacher
537885e829 [wasm][interpreter] Fix indirect calls to other instances
When calling a function through a function table, check whether the
instance of the called function differs from the current instance, and
in that case call the other function via a c-wasm-entry instead of
interpreting it.
The c-wasm-entry needs to pass the wasm context, so this CL changes
this to receive the wasm context as parameter instead of embedding the
context of the calling instance.

R=titzer@chromium.org

Bug: chromium:814562, v8:7400
Change-Id: Iea93f270542169f8aac4f8c81aacec559c716368
Reviewed-on: https://chromium-review.googlesource.com/930966
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51485}
2018-02-22 19:51:41 +00:00
Michael Achenbach
8d889e390b [foozzie] Migrate mjsunit harness adjustments to V8 repo
This migrates harness adjustments, to be loaded after mjsunit.js on
fuzzers for correctness fuzzing.

This is the first step adding deeper pretty printing. Other
adjustments will be added in follow ups.

Bug: chromium:813833
Change-Id: I51168a31e733d54808cb8853a1c90e897acf3791
Reviewed-on: https://chromium-review.googlesource.com/930565
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51481}
2018-02-22 18:33:59 +00:00