Commit Graph

2241 Commits

Author SHA1 Message Date
Michael Starzinger
09a07038f2 [turbofan] Fix lowering of %_GetSuperConstructor intrinsic.
The above intrinsic by now has to perform a check whether the prototype
of a derived constructor is actually a constructor function itself. This
is done as part of the {JSGetConstructorCall} operator. The intrinsic
should just reduce down to the operator to maintain correct semantics.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-696622
BUG=chromium:696622

Change-Id: Ia19c188f17ad16b12248db1f01a01b8d7258499b
Reviewed-on: https://chromium-review.googlesource.com/447716
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43479}
2017-02-28 12:47:37 +00:00
Toon Verwaest
0e21a147db [runtime] Feed back normalization to constructors (behind flag)
When an instance of a constructor goes dictionary mode, this changes the initial map
of that constructor to also be in dictionary mode. This avoids spurious hidden class
creation, that also results in IC misses.

BUG=

Change-Id: I0e70f822ac345d0224f2092ec473621a603d4cc5
Reviewed-on: https://chromium-review.googlesource.com/446361
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43452}
2017-02-27 13:56:14 +00:00
Igor Sheludko
9760851789 [ic] KeyedStoreIC should use a slow stub when a prototype chain contains dictionary elements.
BUG=chromium:688734

Change-Id: If5dd370971cb02c4463fa20a489d0fa60b0423c4
Reviewed-on: https://chromium-review.googlesource.com/446845
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43451}
2017-02-27 13:41:11 +00:00
Choongwoo Han
cd3a76d56f [typedarrays] Fix Out of Bound Access in TypedArraySortFast
Compare function for std::sort should satisfy strict weak ordering
relation.

BUG=chromium:696251

Change-Id: I1c07e3bb1b012fd203bc059a21a75ae0fc61f5ac
Reviewed-on: https://chromium-review.googlesource.com/447036
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43446}
2017-02-27 11:41:25 +00:00
adamk
184e80a60d Remove a regression test that depended on utils.ImportNow()
The test itself was for an issue that's handled statically since
https://codereview.chromium.org/1302313013 (we were missing some
instance types in a switch statement).

This leaves us with only a single test that depends on the JS
native import system.

R=littledan@chromium.org

Review-Url: https://codereview.chromium.org/2707133005
Cr-Commit-Position: refs/heads/master@{#43393}
2017-02-23 17:31:51 +00:00
Michael Starzinger
beb94c5e87 [turbofan] Fix Object.prototype.__proto__ getter reduction.
This fixes a corner-case where the call reduction of the aforementioned
getter did not simulate the {ToObject} conversion of the receiver value
as required by the spec. This caused the wrong prototype to be constant
promoted (i.e. {null} instead of wrapper object prototype).

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-694709
BUG=chromium:694709

Change-Id: Idf3a37071949d9ddaf5ef43974570c06fd31c0c9
Reviewed-on: https://chromium-review.googlesource.com/445818
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43376}
2017-02-22 15:07:49 +00:00
clemensh
cc805e42af [wasm] Enforce module size limit early enough
The limit needs to be checked before casting the length to int in
ModuleWireBytes.

R=titzer@chromium.org
BUG=694433

Review-Url: https://codereview.chromium.org/2705233002
Cr-Commit-Position: refs/heads/master@{#43352}
2017-02-21 18:13:02 +00:00
Michael Starzinger
875ccb48ff [turbofan] Fix missing name check for keyed global load.
This fixes a missing name check for keyed property loads targeting the
global object where the feedback was warmed up with a single name. This
affects {JSLoadProperty} nodes only, syntactic global property loads via
the {JSLoadGlobal} operator are not affected.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-694416
BUG=chromium:694416

Change-Id: I54aa3f27eaa72630539f02602ec7642b04835b27
Reviewed-on: https://chromium-review.googlesource.com/445224
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43344}
2017-02-21 14:51:07 +00:00
jgruber
3acc00a017 [regexp] Fix smi receiver in stack accessors
info.This returns a Local<Object>, which results in a call to
Utils::OpenHandle<JSReceiver>.  Casting to a Local<Value> first uses the
correct OpenHandle<Object> overload.

BUG=chromium:693500

Review-Url: https://codereview.chromium.org/2706833002
Cr-Commit-Position: refs/heads/master@{#43314}
2017-02-20 11:48:10 +00:00
Georg Neis
8686368321 [interpreter] When generating bytecode, properly track current scope.
The bytecode generator did not necessarily know for which scope, and
thus language mode, it was generating code, because it only tracked
scopes that have a context.  This led to wrong behavior in some
examples involving class expressions (which are always in strict
mode).

With this CL, the bytecode generator explicitly tracks the current
scope, independent of whether it has a context.

BUG=v8:5927

Change-Id: Ifa6b3ee5e13e07b63d00e74c7f557a328633c88b
Reviewed-on: https://chromium-review.googlesource.com/444785
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43300}
2017-02-19 13:08:19 +00:00
vabr
6302753e2f Fix typeof optimization for undetectable
Currently, typeof o, where o is an undetectable
callable object (such as document.all), returns 'function' if
optimised. It should, however, return 'undefined'.

This CL excludes undetectable objects from the optimization
resulting in type 'function' and renames the related code to
reflect that.

BUG=v8:5972
R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2697063002
Cr-Commit-Position: refs/heads/master@{#43298}
2017-02-18 12:43:37 +00:00
binji
4dfd5e5ee2 Make regress-crbug-514081 less flaky by having max serialization size
BUG=v8:5906
R=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2697723004
Cr-Commit-Position: refs/heads/master@{#43292}
2017-02-17 18:55:54 +00:00
Camillo Bruni
3a43be9b78 [elements] Check if the backing store has been neutered for indexOf
BUG=691323

Change-Id: I84f2c90355982567c421639e115745eadd5fcb21
Reviewed-on: https://chromium-review.googlesource.com/441964
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43279}
2017-02-17 12:49:21 +00:00
Andreas Haas
5f1661aad7 [turbofan] For Word32Shl optimizations only consider the last 5 bits of the shift
One optimization in the machine-operator-reducer did not consider that
that word32 shift left instructions only consider the last 5 bits of
the shift input.

The issue only occurs for WebAssembly because in JavaScript we always
add a "& 0xf" on the shift value to the TurboFan graph.

For additional background: The JavaScript and WebAssembly spec both
say that only the last 5 bits of the shift value are used in the
word32-shift-left operation. This means that an "x << 0x29", in the
code is actually executed as "x << 0x09". Therefore the changes in
this CL are okay because they mask the last 5 bit of the shift value.

BUG=chromium:689450

Change-Id: Id92f298ed6d7f1714b109b3f4fbcecd5ac6d30f7
Reviewed-on: https://chromium-review.googlesource.com/439312
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43245}
2017-02-16 12:09:32 +00:00
jgruber
c0fe56e63d [regexp] Correct lastIndex behavior in RegExp.prototype[@@replace]
@@replace has a pretty complex implementation, taking different paths
for various situations (e.g.: global/nonglobal regexp, functional/string
replace argument, etc.). Each of these paths must implement similar
logic for calling into the RegExpBuiltinExec spec operation, and many
paths get this subtly wrong.

This CL fixes a couple of issues related to the way @@replace handles lastIndex:
* All paths now respect lastIndex when calling into exec (some used to assume 0).
* lastIndex is now advanced after a successful match for sticky regexps.
* lastIndex is now only reset to 0 on failure for sticky regexps.

BUG=v8:5361

Review-Url: https://codereview.chromium.org/2685183003
Cr-Commit-Position: refs/heads/master@{#43234}
2017-02-16 09:21:37 +00:00
Peter Marshall
817e0358e3 [builtins] Convert the hole to undefined when pushing spread arguments.
The mips64 implementation always ended up in the slowpath due to some
loads that were the wrong width, so that is also fixed here.

BUG=v8:5974

Change-Id: Ie448a1fab5b7fca87597c5a1bf75443864e30c28
Reviewed-on: https://chromium-review.googlesource.com/443247
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43222}
2017-02-15 18:32:16 +00:00
ishell@chromium.org
65f0e958f6 [runtime][tests] More *TypeFeedbackVector* -> *FeedbackVector* renamings.
BUG=

Change-Id: I859fef6b18e51cca80343a89e2b6f38eee95d408
Reviewed-on: https://chromium-review.googlesource.com/442428
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43206}
2017-02-15 08:53:51 +00:00
vabr
e3d761d94b ParserBase should accept ESCAPED_STRICT_RESERVED_WORD as an identifier
ParserBase::is_any_identifier currently does not recognise
Token::ESCAPED_STRICT_RESERVED_WORD as an identifier. This seems different
from what ParserBase::ParseIdentifierName does, and also prevents
"l\u0065t", unlike "let", from becoming a label.

This CL extends is_any_identifier to also accept ESCAPED_STRICT_RESERVED_WORD.

BUG=v8:5692

Review-Url: https://codereview.chromium.org/2695973003
Cr-Commit-Position: refs/heads/master@{#43204}
2017-02-15 02:35:12 +00:00
Michael Starzinger
6ee0b6cec6 [turbofan] Correct lazy deopt by {JSCreate} operation.
This adds support for deoptimizing into the JSConstructStub after the
receiver instantiation but before the actual constructor invocation.
Such a deoptimization point is needed for cases where instantiation
might be observed (e.g. when new.target is a proxy) and hence might
trigger a deopt.

We use this new deoptimization point for the "after" frame-state the
inliner attaches to {JSCreate} nodes being inserted when constructor
calls are being inlined.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-5638b
BUG=v8:5638

Change-Id: I7c72c807ee8fb76d12e0e9ccab86d970ab1a0efd
Reviewed-on: https://chromium-review.googlesource.com/440125
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43149}
2017-02-13 10:14:54 +00:00
bmeurer
1a2362089c [es2015] Remove the @@hasInstance protector cell.
We cannot skip the @@hasInstance lookup in instanceof depending on a
global protector cell, as the lookup of the property is observable
via proxies or accessors. So remove the global protector and properly
implement CSA::InstanceOf via GetPropertyStub, with an appropriate
fast-path for Function.prototype[@@hasInstance] where we call the
builtin code object directly if the function matches, skipping all
the checks from the call sequence, and also avoid the redundant
ToBoolean conversion on the result.

R=yangguo@chromium.org
TBR=ulan@chromium.org
BUG=v8:5958

Review-Url: https://codereview.chromium.org/2684033012
Cr-Commit-Position: refs/heads/master@{#43137}
2017-02-13 07:16:27 +00:00
mstarzinger
6c12d57ead [crankshaft] Fix Smi overflow in {HMaybeGrowElements}.
This fixes the case where the index passed to {HMaybeGrowElements} used
to derive the new capacity for the elements backing store does not fit
into Smi range. Such an overflow would fail the capacity check and cause
growing to be skipped. Subsequent keyed stores would potentially go out
of bounds.

R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-686427
BUG=chromium:686427

Review-Url: https://codereview.chromium.org/2686263002
Cr-Commit-Position: refs/heads/master@{#43101}
2017-02-10 14:20:55 +00:00
yangguo
058d7ab7f4 [debugger] implement per-function code coverage.
Collect code coverage from the available invocation counts.
The granularity is at function level, and invocation counts may
be lost to GC.

Coverage::Collect returns a std::vector of Coverage::ScriptData.
Each ScriptData contains a script ID and a std::vector of
Coverage::RangeEntry.
Each RangeEntry consists of a end position and the invocation
count. The start position is implicit from the end position of
the previous RangeEntry, or 0 if it's the first RangeEntry.

R=jgruber@chromium.org
BUG=v8:5808

Review-Url: https://codereview.chromium.org/2689493002
Cr-Commit-Position: refs/heads/master@{#43072}
2017-02-09 19:00:49 +00:00
mstarzinger
eb5915b428 Fix test to not teach ClusterFuzz ugly tricks.
R=ishell@chromium.org
TEST=mjsunit/regress/regress-5902
BUG=chromium:688837

Review-Url: https://codereview.chromium.org/2682203003
Cr-Commit-Position: refs/heads/master@{#43068}
2017-02-09 16:46:06 +00:00
jgruber
b798b5212a [regexp] Update lastIndex semantics in RegExpBuiltinExec
Updated according to the recent spec change at
https://github.com/tc39/ecma262/pull/798.

BUG=v8:5949

Review-Url: https://codereview.chromium.org/2681323002
Cr-Commit-Position: refs/heads/master@{#43062}
2017-02-09 14:54:05 +00:00
jgruber
1d3317ff05 [regexp] Ensure IrregexpExecRaw is passed a flat string
BUG=v8:5943

Review-Url: https://codereview.chromium.org/2681123002
Cr-Commit-Position: refs/heads/master@{#43058}
2017-02-09 11:24:08 +00:00
Marja Hölttä
9b35d8f575 [parsing] Produce same Scopes in Parser and PreParser when the params are not simple.
E.g.,
{ function lazy_inner(b = somevar) { let somevar; } }

If we don't produce the same scopes, PreParser thinks that the unresolved
variable inside the default parameter resolves into the variable declared inside
the function. Thus, it's not correctly recorded as a free variable.

One part is already done by https://codereview.chromium.org/2638333002 . But at
the laziness boundary, we still produced different scopes.

Unlike previously thought, this is also needed for lazy inner function
correctness, not only for "preparser scope analysis" (ie., skipping inner
functions).

BUG=v8:5938

Change-Id: I047cd43ef16478bb0f18d1f114845e7d1ab8c5f2
Reviewed-on: https://chromium-review.googlesource.com/439345
Commit-Queue: Marja Hölttä <marja@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43044}
2017-02-08 17:14:30 +00:00
Andreas Haas
59bb18867a [x64] Consider both operands when emitting the REX prefix for testb.
The testb instruction requires the REX prefix when either of its
operands uses a register with the high bit set. The existing code only
considered the register operand. In the test case the REX prefix was not
emitted because the testb instruction had the register operand RAX which
does not have the high bit set. The REX prefix was necessary though
because the memory operand used R8, which has the high bit set.

R=bmeurer@chromium.org
BUG=chromium:688876

Change-Id: Ib214bebbe75965664f2aea530e29afa95a54f44f
Reviewed-on: https://chromium-review.googlesource.com/439145
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43030}
2017-02-08 10:27:45 +00:00
hablich
5f9c89af70 Reland of [parsing] Fix maybe-assigned for loop variables. (patchset #1 id:1 of https://codereview.chromium.org/2679263002/ )
Reason for revert:
False alarm, bot hiccup

Original issue's description:
> Revert of [parsing] Fix maybe-assigned for loop variables. (patchset #3 id:40001 of https://codereview.chromium.org/2673403003/ )
>
> Reason for revert:
> Speculative revert because of https://codereview.chromium.org/2679163002/.
>
> Original issue's description:
> > [parsing] Fix maybe-assigned for loop variables.
> >
> > Due to hoisting, the value of a 'var'-declared variable may actually change even
> > if the code contains only the "initial" assignment, namely when that assignment
> > occurs inside a loop.  For example:
> >
> >   let i = 10;
> >   do { var x = i } while (i--):
> >
> > As a simple and very conservative approximation of this, we explicitly mark
> > as maybe-assigned any non-lexical variable whose "declaration" does not
> > syntactically occur in the function scope.  (In the example above, it
> > occurs in a block scope.)
> >
> > BUG=v8:5636
> >
> > Review-Url: https://codereview.chromium.org/2673403003
> > Cr-Commit-Position: refs/heads/master@{#42989}
> > Committed: a33fcd663b
>
> TBR=marja@chromium.org,adamk@chromium.org,neis@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:5636
>
> Review-Url: https://codereview.chromium.org/2679263002
> Cr-Commit-Position: refs/heads/master@{#43010}
> Committed: f3ae5ccf57

TBR=marja@chromium.org,adamk@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5636

Review-Url: https://codereview.chromium.org/2686663002
Cr-Commit-Position: refs/heads/master@{#43013}
2017-02-07 20:43:17 +00:00
hablich
f3ae5ccf57 Revert of [parsing] Fix maybe-assigned for loop variables. (patchset #3 id:40001 of https://codereview.chromium.org/2673403003/ )
Reason for revert:
Speculative revert because of https://codereview.chromium.org/2679163002/.

Original issue's description:
> [parsing] Fix maybe-assigned for loop variables.
>
> Due to hoisting, the value of a 'var'-declared variable may actually change even
> if the code contains only the "initial" assignment, namely when that assignment
> occurs inside a loop.  For example:
>
>   let i = 10;
>   do { var x = i } while (i--):
>
> As a simple and very conservative approximation of this, we explicitly mark
> as maybe-assigned any non-lexical variable whose "declaration" does not
> syntactically occur in the function scope.  (In the example above, it
> occurs in a block scope.)
>
> BUG=v8:5636
>
> Review-Url: https://codereview.chromium.org/2673403003
> Cr-Commit-Position: refs/heads/master@{#42989}
> Committed: a33fcd663b

TBR=marja@chromium.org,adamk@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5636

Review-Url: https://codereview.chromium.org/2679263002
Cr-Commit-Position: refs/heads/master@{#43010}
2017-02-07 19:40:24 +00:00
neis
a33fcd663b [parsing] Fix maybe-assigned for loop variables.
Due to hoisting, the value of a 'var'-declared variable may actually change even
if the code contains only the "initial" assignment, namely when that assignment
occurs inside a loop.  For example:

  let i = 10;
  do { var x = i } while (i--):

As a simple and very conservative approximation of this, we explicitly mark
as maybe-assigned any non-lexical variable whose "declaration" does not
syntactically occur in the function scope.  (In the example above, it
occurs in a block scope.)

BUG=v8:5636

Review-Url: https://codereview.chromium.org/2673403003
Cr-Commit-Position: refs/heads/master@{#42989}
2017-02-07 11:45:09 +00:00
petermarshall
f4739ea863 [builtins] Fix crash on stack overflow in CheckSpreadAndPushToStack.
For x64, ia32 and x87 we would pop the return address before the stack
overflow check. This meant the stack couldn't be unwound properly if
it was going to overflow. This CL moves the pop of the return address
to after the stack overflow check.

Also adds a regression test to check that a RangeError is thrown.

BUG=689016

Review-Url: https://codereview.chromium.org/2681643004
Cr-Commit-Position: refs/heads/master@{#42984}
2017-02-07 09:58:19 +00:00
mstarzinger
e34f536620 [turbofan] Mark {JSCreate} as potentially throwing.
This correctly marks the {JSCreate} operator as potentially throwing,
since it might trigger a property access of the 'prototype' property
during instantiation. This is observable, can throw (not kNoThrow),
might have side-effects (not kNoWrite), or even trigger a lazy deopt
event (not kNoDeopt). The inlining logic has been adapted to wire up
control projections accordingly.

Note that this does not yet take care of the "after" frame-state which
is associated with the {JSCreate} node introduced by the inliner. We
still might re-evaluate the property access upon lazy deoptimization.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-5638
BUG=v8:5638

Review-Url: https://codereview.chromium.org/2671203003
Cr-Commit-Position: refs/heads/master@{#42981}
2017-02-07 09:00:18 +00:00
jgruber
9576d08c92 [string] Don't tail-call into runtime with adaptor frames
TailCallRuntime currently does not seem to handle adaptor frames
correctly.

BUG=chromium:688690

Review-Url: https://codereview.chromium.org/2675133003
Cr-Commit-Position: refs/heads/master@{#42950}
2017-02-06 09:47:55 +00:00
bmeurer
c21d1281d9 [turbofan] Properly ensure that deoptimization is enabled.
We cannot optimize global proxy access unless deoptimization is enabled.

BUG=chromium:687990
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2675793002
Cr-Commit-Position: refs/heads/master@{#42928}
2017-02-03 14:06:06 +00:00
yangguo
b963cb2351 Add test case for built-in objects' property mode.
R=jgruber@chromium.org
BUG=v8:5902

Review-Url: https://codereview.chromium.org/2669423002
Cr-Commit-Position: refs/heads/master@{#42922}
2017-02-03 12:19:21 +00:00
mtrofin
b0e58a9cee [turbofan] more regalloc fixes
BUG=v8:5911

Review-Url: https://codereview.chromium.org/2667963004
Cr-Commit-Position: refs/heads/master@{#42900}
2017-02-02 22:33:40 +00:00
yangguo
8ae463d736 [debugger] remove mirror cache and v8::Debug::GetMirror.
R=jgruber@chromium.org
BUG=v8:5530

Review-Url: https://codereview.chromium.org/2670823002
Cr-Commit-Position: refs/heads/master@{#42893}
2017-02-02 14:22:15 +00:00
neis
5020db7f9c [promises] Fix .arguments on builtin function.
Using .caller, one can get access to the internal function that invokes the
handler passed to Promise.prototype.then.  This internal function is a TF
builtin that was set up as non-native and without an argument adaptor.  As a
consequence of this, when accessing .arguments on it, the frame-walking logic in
the .arguments accessor thinks the number of arguments is -1 and we try to
allocate an array of size -1.

This CL marks the builtin function as native (making its .arguments be null),
along with a few others that may have been incorrect in the same way.

BUG=chromium:682349

Review-Url: https://codereview.chromium.org/2672453002
Cr-Commit-Position: refs/heads/master@{#42855}
2017-02-01 14:06:38 +00:00
jwolfe
ea96fdec68 Enable --harmony-trailing-commas
Also updated some tests due to the change. The general pattern is when a
trailing comma is expected to cause a SyntaxError, an additional comma was
added.

BUG=v8:5051
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel

Review-Url: https://codereview.chromium.org/2638513002
Cr-Commit-Position: refs/heads/master@{#42826}
2017-01-31 23:30:57 +00:00
bmeurer
64eae6eff2 [turbofan] Remove over-restrictive DCHECKs.
The KeyedStoreMode that we get out of the FeedbackNexus doesn't
necessarily need to apply when we have "static knowledge" about
the receiver, i.e. when the receiver is a known JSTypedArray, but
the KEYED_STORE_IC has seen only JSArray instances so far. The
DCHECK was too restrictive in this case, since we can just ignore
the KEYED_STORE_IC mode (like we ignore the maps).

BUG=chromium:685050
R=ishell@chromium.org

Review-Url: https://codereview.chromium.org/2668643002
Cr-Commit-Position: refs/heads/master@{#42810}
2017-01-31 09:00:55 +00:00
bmeurer
68ae57ce1e [turbofan] Introduce ChangeTaggedToTaggedSigned operator.
We were missing a case for Tagged->TaggedSigned conversions when the
input type is known to be Type::SignedSmall.

BUG=chromium:687029
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2666863002
Cr-Commit-Position: refs/heads/master@{#42809}
2017-01-31 08:55:56 +00:00
bmeurer
b8df954993 [turbofan] Don't eliminate unused CheckFloat64Hole.
We cannot eliminate unused CheckFloat64Hole nodes, since loading from a
holey array can have side-effects, i.e. triggering getters in the
prototype chain.

R=mvstanton@chromium.org
BUG=chromium:686737

Review-Url: https://codereview.chromium.org/2665123002
Cr-Commit-Position: refs/heads/master@{#42806}
2017-01-31 08:30:55 +00:00
jkummerow
7438304229 ThinStrings: fix Factory::NewProperSubString
BUG=chromium:685504

Review-Url: https://codereview.chromium.org/2660823002
Cr-Commit-Position: refs/heads/master@{#42783}
2017-01-30 18:24:16 +00:00
jkummerow
9ea3e56bd9 ThinStrings: fix CodeStubAssembler::SubString
BUG=chromium:685965

Review-Url: https://codereview.chromium.org/2660123002
Cr-Commit-Position: refs/heads/master@{#42782}
2017-01-30 18:17:52 +00:00
bmeurer
b912851650 [turbofan] Don't constant-fold ACCESSOR properties.
R=ishell@chromium.org
BUG=chromium:686102

Review-Url: https://codereview.chromium.org/2662793002
Cr-Commit-Position: refs/heads/master@{#42767}
2017-01-30 11:15:02 +00:00
binji
966355585b [d8] Use ValueSerializer for postMessage (instead of ad-hoc serializer)
Review-Url: https://codereview.chromium.org/2643723010
Cr-Commit-Position: refs/heads/master@{#42749}
2017-01-27 20:15:37 +00:00
bmeurer
b975441e77 [turbofan] Introduce dedicated StringIndexOf operator.
The StringIndexOf operation is pure on the JS level, but the actual stub
call must be in the effect chain later so that the Scheduler doesn't
place it inside some allocation region (The %StringIndexOf runtime
function may trigger a GC for string flattening).

BUG=chromium:685580
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2657243002
Cr-Commit-Position: refs/heads/master@{#42736}
2017-01-27 12:02:42 +00:00
ishell
4a5446fb2b [tests] Make assertOptimized()/assertUnoptimized() great again.
The mentioned asserts did not work properly with interpreted and turbofanned functions.

To fix this issue %GetOptimizationStatus() now returns a set of flags instead of a single value.

This CL also adds more helper functions to mjsunit, like isNeverOptimize(), isAlwaysOptimize(),
isOptimized(fun), etc.

BUG=v8:5890

Review-Url: https://codereview.chromium.org/2654733004
Cr-Original-Commit-Position: refs/heads/master@{#42703}
Committed: d1ddec7857
Review-Url: https://codereview.chromium.org/2654733004
Cr-Commit-Position: refs/heads/master@{#42731}
2017-01-27 10:13:53 +00:00
yangguo
3f47c63ded [liveedit] reimplement frame restarting.
Previously, when restarting a frame, we would rewrite all frames
between the debugger activation and the frame to restart to squash
them, and replace the return address with that of a builtin to
leave that rewritten frame, and restart the function by calling it.

We now simply remember the frame to drop to, and upon returning
from the debugger, we check whether to drop the frame, load the
new FP, and restart the function.

R=jgruber@chromium.org, mstarzinger@chromium.org
BUG=v8:5587

Review-Url: https://codereview.chromium.org/2636913002
Cr-Commit-Position: refs/heads/master@{#42725}
2017-01-27 07:31:03 +00:00
bmeurer
7be3b4c90f [turbofan] Don't try to optimize tail calls to .apply.
BUG=chromium:685634
R=ishell@chromium.org

Review-Url: https://codereview.chromium.org/2658853002
Cr-Commit-Position: refs/heads/master@{#42713}
2017-01-26 20:52:21 +00:00