This is a reland of e7e512da66
Original change's description:
> [turbofan] Add fast path for single-character String#startsWith()
>
> This CL adds a fast path to String#startsWith(s) if s is a
> single character string.
>
> Bug: v8:8400
> Change-Id: Ibd6a9d1e46d98f41c198d2b579208e25003eedb0
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1525362
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61504}
Bug: v8:8400
Change-Id: Ic2d60ccb8fdeb51373fcd025a7e970fda0c14d79
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1618342
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61637}
deopt-unlinked.js: bytecode flushing destroys the information that
%GetDeoptCount relies on, so turn that off for this test.
cleanupsome-after-unregister.js: the function-local object {o} is
assumed to be alive throughout the function, so make sure its live
range (from the optimizing compiler's view) extends that far.
Drive-by cleanup: drop some unnecessary casting boilerplate from
Genesis::InitializeGlobal_harmony_intl_date_format_range().
Change-Id: I28617f842fe046dd0875a9a082cfc55a3a076bcf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617674
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61621}
es6/classes is slow to run in stress mode and times out on PPC.
As a long term fix we should split this into multiple tests so
each individual test runs faster.
Bug: v8:9246
Change-Id: I95eed06d85f73cc66229dfbd83ac7521dcbbb54f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1615252
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Sergiy Belozorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61619}
Fastpath failed to store the hole on the array left side.
Bug: chromium:940274
Change-Id: I1eca7b241030474cf5aed6c68f155a1d22ae553e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617255
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61618}
This adds a constructor function to be used as the base class for all
exported functions. With type reflection enabled exported functions are
instances of this new constructor. Using the constructor directly as
well as the 'type' property is still missing.
R=jkummerow@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742
Change-Id: Id58359cf7866d24be0745abf36a839d3d86e5922
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617253
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61614}
Skipping rather than reverting the CL that introduced the slowness, due to
the fact that said CL is a Stable blocker fix.
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:9256
Change-Id: I8f8b57c415d2b54fe57c43a87e42990909295c57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1615260
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61603}
This CL extends Error.stack to include frames of functions declared
with the C++ FunctionTemplate API. For example, "print" in d8.
Two changes are necessary:
- HandleApiCall and friends need to go through an BUILTIN_EXIT frame
instead of an EXIT frame. The existing stack-trace machinery will
then pick up FunctionTemplate frames without additional changes.
- Turbofan doesn't go through HandleApiCall, but instead uses an
ASM builtin to enter FunctionTemplate functions. A "marker"
frame state is needed to include these frames in the stack trace.
Note: This CL only includes these frames in Error.stack,
but not (yet) in the stack-trace API (v8.h).
Bug: v8:8742,v8:6802
Change-Id: Ic0631af883cf56e0d0122a2e0c54e36fed324d91
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1609835
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61602}
Prior to this CL, call counts at function scope were taken from the
FeedbackVector::invocation_count field. This had two major drawbacks:
1. for generator functions, these count the number of resumptions
instead of the number of calls; and 2. the invocation count is not
maintained in optimized code.
The solution implemented here is to add a dedicated call counter at
function scope which is incremented exactly once each time the
function is called.
A minor complication is that our coverage output format expects
function-scope counts in the dedicated CoverageFunction object, and
not as a CoverageBlock. Thus function-scope block counts are initially
marked with magic positions, and later recognized and rewritten during
processing.
This CL thus fixes reported generator function call counts and enables
optimizations in block coverage modes (more to come in a follow-up).
Drive-by: Don't report functions with empty source ranges.
Bug: v8:6000,v8:9148,v8:9212
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng
Change-Id: Idbe5edb35a595cf12b6649314738ac00efd173b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1613996
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61574}
This avoids the need to throw range errors when we run out of stack, limiting
us only by available memory.
The main parser loop is implemented by two subloops.
The first subloop finishes whenever it generates primitive values, empty
arrays, or empty objects. If a non-empty object or array is started, the loop
continues to parse its first member.
The second subloop consumes produced values and either adds them to the parent
array or object, or returns it. The second loop finishes whenever a next value
needs to be produced. When the loop itself produces a finished array or object,
the loop continues.
Exceptions are handled by moving the cursor to end-of-input. Upon end-of-input,
the first loop sets the continuation to "kFail". That causes the second loop to
tear down continuation stack and related handle scopes, resulting in an empty
handle.
The CL additionally buffers all named properties and elements so we can
immediately allocate a correctly shaped object. For object elements we'll take
flat array or dictionary encoding depending on what is more efficient.
This means that element handles are now allocated in their parent HandleScope,
rather than having local handlescopes per-property (of big objects); which is
why I've adjusted the handle-count test to not allocate as many properties. In
the future it would be nice to not have to allocate (as many) handles since
almost everything in the JSON graph will survive JSON parsing...
Bug: chromium:710383
Change-Id: Ia3a7fd0ac260fb1c0e5f929276792b2f8e5fc0ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1609802
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61533}
Tests that expect type feedback vector ensure it by using
%EnsureFeedbackVector intrinsic. These tests now work with lazy feedback
allocation as well. Hence it is no longer required to initialize the
shared function info with a special bailout id.
Bug: v8:8394
Change-Id: Iba2f94be7e5651b4faeb8b3bf604d17fb4b146ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1609542
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61509}
This CL adds a fast path to String#startsWith(s) if s is a
single character string.
Bug: v8:8400
Change-Id: Ibd6a9d1e46d98f41c198d2b579208e25003eedb0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1525362
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61504}
Previously we had a special, unshared map on the native context that was
used for results of builtin iterators, which was different from the map
that is created from an object literal like `{value, done}`. This not
only leads to unnecessary polymorphism, but also makes it impossible
for user defined iterators to take the fast-paths that we have in
various places (i.e. in collections or promises).
With this change we now properly share the map for `{value, done}` and
use that for the builtin iterator result objects, as well as the
fast-paths.
Drive-by-fix: Remove the restrictions on map caching and transition
caching during bootstrapping. This no longer makes sense.
Bug: v8:9114, v8:9243
Change-Id: I19eb9071f7ec0ed58f8a6f87eed781bc790174b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1609794
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61488}
When using the fast-properties optimization for `delete` with constant
fields we don't properly invalidate the constness on the original map
and might thereby just follow the same transition again later with the
same object, effectively violating the constness of that field. This
disables the fast-properties optimization for `delete` in case of a
field marked as "const" as a quick-fix. We might still want to change
the logic to properly invalidate the "const" bit later.
Bug: chromium:962588, v8:9233
Change-Id: I1d0a8649d117731a0cd5ebdb4b6d0b22a900f33d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1609796
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61484}
When receiver is null or undefined we should not look into key. Calling
ToName on key is observable. This cl fixes the GenericKeyedLoadIC to
miss into runtime when the receiver is null or undefined.
Bug: v8:8394
Change-Id: Iaed07cd1b77b63e550284108777e165141af57a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1605948
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61481}
For keyed stores to JSArrays we can generally allow the receiver to grow
to the necessary size by bumping the magical length property. This works
for regular Arrays, but not in the case the prototype chain contains a
TypedArray, as that is going to swallow all stores that are considered
out-of-bounds for it.
We don't wanna deal with that kind of complexity in the IC handlers, so
we just refuse to handle that case (also giving TurboFan the signal that
it shouldn't attempt to handle growing stores in that case).
Bug: chromium:960134, chromium:961709
Change-Id: Ia886de590c32ae51ed4ebe38fc237ed975a635aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1609790
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61465}
Added null check when printing the brand with --print-ast.
Bug: chromium:961507, chromium:961508
Original change's description:
> [class] implement private method declarations
>
> This patch implements the declarations of private methods, the access
> of private methods would be left to a future patch.
> When a private methods declaration is encountered, we now:
>
> - Create a brand symbol during class evaluation and store it in the
> context.
> - Create the closures for the private methods
> - Load the brand from the context and store it in the instance in the
> constructor.
>
> Design: https://docs.google.com/document/d/1T-Ql6HOIH2U_8YjWkwK2rTfywwb7b3Qe8d3jkz72KwA/edit#
>
> Bug: v8:8330
> Change-Id: I2d695cbdc8a7367ddc7620d627b318f779d36150
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1568708
> Commit-Queue: Joyee Cheung <joyee@igalia.com>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61387}
Change-Id: I3bf465f70c27914c9ec19f3f59ae018b28c9a866
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1605521
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61459}
TurboFan truncated null to +0 even in contexts such as -0 == null
because it was not handling the TypeCheck correctly. This restricts
the type conversion case to not apply truncation in this case (see
comment in patch).
Change-Id: Ia38ace9608800c8d61988de402a31dd863d9160a
Bug: chromium:961237
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1609538
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61446}
I did the implementation with a runtime function. I extracted some code
from the implementation of table.get.
By accident I formatted anyfunc.js. However, since it's an improvement,
I don't want to undo it. I didn't change anything in the older tests
though, I only added new tests at the end.
R=mstarzinger@chromium.org
Bug: v8:7581
Change-Id: I31832ccc817e1e7989f486d6487108c14d21bbea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1602701
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61442}
We need to keep strong references to the final map, otherwise the test
may start failing randomly depending on GC timing, because the optimized
code will get deoptimized when the map disappears.
Bug: v8:9236
Change-Id: I3c18cba96546020b4d70b95993e1531e787ed253
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1607652
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61438}
This is a reland of f2e652264d
Nothing has changed but
https://chromium-review.googlesource.com/c/v8/v8/+/1585269 has been rolled
back due to v8:9234.
Original change's description:
> Reland "[compiler] Don't collect source positions for the top frame"
>
> Fixed crashes by adding missing call to EnsureSourcePositionsAvailable,
> which requires clearing and restoring the pending exception.
>
> > While most source positions were not collected even throwing exceptions,
> > the top frame still was always collected as it was used to initialize
> > the JSMessageObject. This skips even that frame, by storing the
> > SharedFunctionInfo and bytecode offset in the JSMessageObject allowing
> > it to lazily evaluate the actual source position.
> >
> > Also adds tests to test-api.cc that test each of the source position
> > functions in isolation to ensure that they don't rely on previous
> > invocations to call the source collection function.
> >
> > Since no source positions are now collected at the point when an
> > exception is thrown, the mjsunit/stack-traces-overflow now passes again
> > with the flag enabled. (cctest/test-cpu-profiler/Inlining2 is now the
> > only failure).
>
> Bug: v8:8510
> Change-Id: Ifa5fe31d3db34a6c6d6a9cef3d646ad620dabd81
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1601270
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61372}
TBR=ulan@chromium.org
Bug: v8:8510
Change-Id: Iaa9e376f90d10c0f25d1bcc352808363e4ea8b4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1605946
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61418}
Everything after UNREACHABLE is dead code, so it makes sense to remove them.
Bug: v8:9183
Change-Id: If76468a73b926d74717cc2348fd5b36d30f680c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1605727
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61411}
This reverts commit b9191bd355.
Reason for revert: Clusterfuzz bugs
BUG=chromium:961507,chromium:961508
Original change's description:
> [class] implement private method declarations
>
> This patch implements the declarations of private methods, the access
> of private methods would be left to a future patch.
> When a private methods declaration is encountered, we now:
>
> - Create a brand symbol during class evaluation and store it in the
> context.
> - Create the closures for the private methods
> - Load the brand from the context and store it in the instance in the
> constructor.
>
> Design: https://docs.google.com/document/d/1T-Ql6HOIH2U_8YjWkwK2rTfywwb7b3Qe8d3jkz72KwA/edit#
>
> Bug: v8:8330
> Change-Id: I2d695cbdc8a7367ddc7620d627b318f779d36150
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1568708
> Commit-Queue: Joyee Cheung <joyee@igalia.com>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61387}
TBR=rmcilroy@chromium.org,gsathya@chromium.org,verwaest@chromium.org,joyee@igalia.com
Change-Id: I429bbe8af9f94598de132814aa2c3ab9fa69b986
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8330
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1605730
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61406}
{NativeModule::GetCode} can actually return {nullptr} if no code was
compiled yet for a function, e.g. in asm.js where we use lazy
compilation. In that case, we must not try to increment the ref count
on the nonexisting code object.
We had a few errors recently that were hard to reproduce because we do
not have a flag to enable code logging. Clusterfuzz managed to
accomplish this by passing --trace-ic.
In order to test bugs in code logging properly, this CL introduces a
new runtime function called "EnableCodeLoggingForTesting". It registers
a noop {CodeEventListener} and enables code logging in the wasm engine.
We should whitelist this flag in ClusterFuzz to potentially flush out
more bugs.
R=mstarzinger@chromium.orgCC=frgossen@chromium.org
Bug: v8:8217, chromium:961129, chromium:961245, chromium:961128
Change-Id: I2f97c109db70b41531d58580b71f6781beeb8dcb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1602700
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61404}
JSInliner class wrongly assumed that all functions passing through
JSInliningHeuristic have feedback vectors, but that's not the case
when the inlining candidate hasn't been called yet.
Bug: chromium:961522
Change-Id: I89c0f2098add19d9b59394f1e7230cbec426119d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1605720
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61400}
These are added as mjsunit tests for now since they haven't been merged
to the spec repo. When that happens, the wasm-spec-tests testsuite can
be updated to include these tests, and the tests in this directory can
be removed.
This CL also adds the test/mjsunit/wasm/bulk-memory-spec directory to a
list of directories that aren't checked for copyright (since these files
are auto-generated).
Bug: v8:7747
Change-Id: I906f2ca45f497a6728f94afb9b3330971e1d3fd5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1600363
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Sergiy Belozorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61395}
This patch implements the declarations of private methods, the access
of private methods would be left to a future patch.
When a private methods declaration is encountered, we now:
- Create a brand symbol during class evaluation and store it in the
context.
- Create the closures for the private methods
- Load the brand from the context and store it in the instance in the
constructor.
Design: https://docs.google.com/document/d/1T-Ql6HOIH2U_8YjWkwK2rTfywwb7b3Qe8d3jkz72KwA/edit#
Bug: v8:8330
Change-Id: I2d695cbdc8a7367ddc7620d627b318f779d36150
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1568708
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61387}
This reverts commit f2e652264d.
Reason for revert: Speculative revert, seems to break GC stress bot and block LKGR - https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/25701
Original change's description:
> Reland "[compiler] Don't collect source positions for the top frame"
>
> Fixed crashes by adding missing call to EnsureSourcePositionsAvailable,
> which requires clearing and restoring the pending exception.
>
> > While most source positions were not collected even throwing exceptions,
> > the top frame still was always collected as it was used to initialize
> > the JSMessageObject. This skips even that frame, by storing the
> > SharedFunctionInfo and bytecode offset in the JSMessageObject allowing
> > it to lazily evaluate the actual source position.
> >
> > Also adds tests to test-api.cc that test each of the source position
> > functions in isolation to ensure that they don't rely on previous
> > invocations to call the source collection function.
> >
> > Since no source positions are now collected at the point when an
> > exception is thrown, the mjsunit/stack-traces-overflow now passes again
> > with the flag enabled. (cctest/test-cpu-profiler/Inlining2 is now the
> > only failure).
>
> Bug: v8:8510
> Change-Id: Ifa5fe31d3db34a6c6d6a9cef3d646ad620dabd81
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1601270
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61372}
TBR=ulan@chromium.org,rmcilroy@chromium.org,delphick@chromium.org
Change-Id: Ie590df6c308b38836afc5d417d03d2a63260bcb2
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8510
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1602692
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61381}
Fixed crashes by adding missing call to EnsureSourcePositionsAvailable,
which requires clearing and restoring the pending exception.
> While most source positions were not collected even throwing exceptions,
> the top frame still was always collected as it was used to initialize
> the JSMessageObject. This skips even that frame, by storing the
> SharedFunctionInfo and bytecode offset in the JSMessageObject allowing
> it to lazily evaluate the actual source position.
>
> Also adds tests to test-api.cc that test each of the source position
> functions in isolation to ensure that they don't rely on previous
> invocations to call the source collection function.
>
> Since no source positions are now collected at the point when an
> exception is thrown, the mjsunit/stack-traces-overflow now passes again
> with the flag enabled. (cctest/test-cpu-profiler/Inlining2 is now the
> only failure).
Bug: v8:8510
Change-Id: Ifa5fe31d3db34a6c6d6a9cef3d646ad620dabd81
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1601270
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61372}
A DCHECK in LookupIterator::name hits when we add a indexed property,
as it requires a named property.
This replaces it with GetName to avoid the failure.
Bug: chromium:959727
Change-Id: I1e98b313ec9257db80460a34d691016acbceb3c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1597372
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61358}
Otherwise (this) will leak into a later this=> making it seem like a valid
arrow function head.
Bug: chromium:941703
Change-Id: I5c3ff70f1d525ec0da53b401a0bfec4c1ee7812f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1601260
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61345}
This fixes a crash when using --trace-ic on Arm64 debug. For a given return
address, the assembler's `target_address_from_return_address()` method will
displace it to give you the call-site address. However, this is fragile because
it needs to decode the instruction stream to distinguish between different call
sequences. So it triggered an assertion on Arm64 because we now use BL for
builtin to buitin calls.
We only use this when tracing IC states to detect if the caller is a deoptimized
function. But to do this it doesn't matter if the address we have is the return
or the call-site address. So we can just remove the need for the fragile
Assembler method.
As a drive-by, also remove `return_address_from_call_start()` which was doing
the opposite and was unused.
Change-Id: I5988d17eadd1652ed85d662e62bc4c579665dd31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1594566
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61337}
This is a reland of 289b25765a.
The fix for failures landed here:
https://chromium-review.googlesource.com/c/v8/v8/+/1599388
Original change's description:
> [Test] Update tests to work with lazy feedback allocation.
>
> This adds either %EnsureFeedbackVectorForFunction or
> %PrepareFunctionForOptimization to allocate feedback vectors when testing
> optimization, allocation sites, IC transitions etc.,
>
> Bug: v8:8394
> Change-Id: I6ad1b6d460e4abda693b326cddb87754e080a0a1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593303
> Commit-Queue: Mythri Alle <mythria@chromium.org>
> Auto-Submit: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61212}
Bug: v8:8394
Change-Id: Idb5bba221d138e6fd73155f959b9e16fc948c709
TBR: rmcilroy@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1599607
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61332}
Bug: v8:9207
Change-Id: Ie137e8c2395e835d532394495d892ad9b2cfc90d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1601133
Commit-Queue: Mythri Alle <mythria@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Auto-Submit: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61322}
