Commit Graph

2241 Commits

Author SHA1 Message Date
bmeurer
64a7bd3877 [turbofan] Don't treat the hole NaN as constant inside the compiler.
We use a signaling NaN to represent the hole in
FAST_HOLEY_DOUBLE_ELEMENTS backing stores, but on Intel processors, the
C++ compiler may decide to (or be forced to due to calling conventions)
use X87 registers for double values. However transfering to X87
registers automatically quietens the NaNs and there's no way to disable
this. Therefore we should just always load the hole NaN from the canonical
place identified by the address_of_hole_nan external reference instead,
which might even be more efficient in some cases.

R=jarin@chromium.org, jkummerow@chromium.org
BUG=v8:5332

Review-Url: https://codereview.chromium.org/2303643002
Cr-Commit-Position: refs/heads/master@{#39062}
2016-09-01 06:02:19 +00:00
bmeurer
7b79224b21 [crankshaft] Disable further folding already folded allocations.
When we try to further fold previously folded allocations in Crankshaft
GVN we don't properly transform the allocations involved, which causes
the mechanism to leave holes in the new/old space (and thereby violate
the iterability property of the new/old space).

BUG=chromium:621868
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2297983003
Cr-Commit-Position: refs/heads/master@{#39040}
2016-08-31 09:48:45 +00:00
bmeurer
864cdc124c [test] Speed-up regression test for growing stores.
TBR=machenbach@chromium.org
BUG=chromium:635798,chromium:638295

Review-Url: https://codereview.chromium.org/2288813003
Cr-Commit-Position: refs/heads/master@{#38991}
2016-08-30 04:04:32 +00:00
littledan
5af4cd9840 Disallow tail calls from async functions and generators
Tail calls don't make sense from async functions and generators, as
each activation of these functions needs to make a new, distnict,
non-reused generator object. These tail calls are not required per
spec. This patch disables both syntactic and implicit tail calls
in async functions and generators.

R=neis
BUG=v8:5301,chromium:639270

Review-Url: https://codereview.chromium.org/2278413003
Cr-Commit-Position: refs/heads/master@{#38986}
2016-08-29 18:31:35 +00:00
mstarzinger
b52aecac7e [compiler] Make Compiler::EnsureBytecode not switch tiers.
This preserves the original shared code of the underlying function when
bytecode is provided. The method in question should only ensure bytecode
is present, but should avoid switching compilation tiers of the given
function. It might be that the function was fast-tracked to baseline by
inlining without going through the interpreted tier first.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-635923
BUG=chromium:635923

Review-Url: https://codereview.chromium.org/2278543002
Cr-Commit-Position: refs/heads/master@{#38866}
2016-08-24 14:09:59 +00:00
bmeurer
6646d73b6f [turbofan] Use ObjectIsReceiver directly for inlining.
Don't bother using %_IsJSReceiver, which immediately gets lowered to
ObjectIsReceiver anyways (by the JSIntrinsicLowering), but requires
some complicated rewiring of effect/control chains.

R=mstarzinger@chromium.org
BUG=chromium:640369

Review-Url: https://codereview.chromium.org/2271973003
Cr-Commit-Position: refs/heads/master@{#38864}
2016-08-24 11:09:32 +00:00
bradnelson
e5f5ac7d2b [wasm] asm.js - Remove Wasm.instantiateModuleFromAsm, use asm.js directly.
Make use of %IsAsmWasmCode in place of Wasm.instantiateModuleFromAsm,
in order to reduce the surface area of the Wasm object,
and to focus on testing asm.js coming in via the parser.

Ignore extra CONST_LEGACY assignment introduced by the parser
when modules have the form:
(function Foo(a, b, c) {..});
This requires both a validator and AsmWasmBuilder change.

Move stdlib use collection to import time,
to reject modules that import a function, even if not used.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org

Review-Url: https://codereview.chromium.org/2264913002
Cr-Commit-Position: refs/heads/master@{#38806}
2016-08-23 04:07:23 +00:00
bradnelson
561bfcb70d [wasm] asm.js - Check stdlib.NaN is valid, prepare for the rest.
Record which asm.js stdlib members are used and add a check that NaN is actually correctly set. Other stdlib members to be added in a later change.

Also add a stdlib argument to Wasm.instantiateModuleFromAsm, in preparation for that function to be replaced by normal asm.js instantiation.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org

Review-Url: https://codereview.chromium.org/2251433002
Cr-Commit-Position: refs/heads/master@{#38760}
2016-08-19 18:26:24 +00:00
mstarzinger
8ab555cc15 [interpreter] Fix canonicalization when preserving bytecode.
This fixes canonicalization of {SharedFunctionInfo} objects in the
{Compiler::GetSharedFunctionInfo} method when bytecode is preserved.
Eager compilation is only triggered when no code is present.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-638551
BUG=chromium:638551

Review-Url: https://codereview.chromium.org/2245263006
Cr-Commit-Position: refs/heads/master@{#38709}
2016-08-18 10:42:40 +00:00
rmcilroy
477495c886 [Parser] Track ContainsDot for SMI values.
Ensures SMI values have SMI type even if they have a dot (e.g., 1.0).
Adds SMI_WITH_DOT type to maintain this.

BUG=chromium:638134

Review-Url: https://codereview.chromium.org/2248693005
Cr-Commit-Position: refs/heads/master@{#38698}
2016-08-18 08:15:43 +00:00
bmeurer
665f0e4020 [turbofan] Fix CheckedInt32Mod lowering for -0 case with negative left hand side.
Properly deoptimize if the left hand side of a CheckedInt32Mod is
negative and the result of the operation is zero.

R=jarin@chromium.org
BUG=v8:5286

Review-Url: https://codereview.chromium.org/2243803002
Cr-Commit-Position: refs/heads/master@{#38615}
2016-08-12 12:13:51 +00:00
jgruber
d252808011 Handle missing context when getting frame details
This bug was triggered by a very specific combination:

* A context-allocated variable at script scope.
* OSR optimization.
* A scheduled breakpoint, which triggers at stack checks.

Stack checks differ from other possible breakpoint locations in that
the context (among other things) may be in a register and not on the
stack, making it impossible to recover during deoptimization. The
frame_inspector then returns undefined when asked for the context.

In GetFrameDetails, handle this case by omitting all context-allocated
variables.

BUG=v8:5279

Review-Url: https://codereview.chromium.org/2245603002
Cr-Commit-Position: refs/heads/master@{#38611}
2016-08-12 11:20:19 +00:00
bmeurer
7060bab81c [turbofan] Properly guard keyed stores wrt. setters in the prototype chain.
For holey/growing keyed stores, we need to check that there are no
setters in the prototype chain and protect against changes to that
via code dependencies.

R=verwaest@chromium.org
BUG=v8:5275,v8:5276

Review-Url: https://codereview.chromium.org/2231683002
Cr-Commit-Position: refs/heads/master@{#38514}
2016-08-10 06:30:22 +00:00
bmeurer
78727d4362 [runtime] %GrowArrayElements doesn't have a native context in TurboFan.
When we compile a growing store in TurboFan, we don't pass a (native)
context to the %GrowArrayElements fallback function, as the whole logic
is actually context independent. However, that means that we need to
bailout early in case the object is a prototype, which requires context
dependent checks in the array protector code.

R=cbruni@chromium.org
BUG=chromium:635798

Review-Url: https://codereview.chromium.org/2224253003
Cr-Commit-Position: refs/heads/master@{#38491}
2016-08-09 13:03:07 +00:00
rmcilroy
c1ae15d930 [Interpreter] Don't try to create bytecode array if HasStackOverflow().
BUG=chromium:635429

Review-Url: https://codereview.chromium.org/2228503004
Cr-Commit-Position: refs/heads/master@{#38474}
2016-08-09 07:24:13 +00:00
hpayer
caf5c5a194 [heap] Use smaller minimum allocation limit growing step when optimizing for memory usage.
BUG=chromium:634900

Review-Url: https://codereview.chromium.org/2223493002
Cr-Commit-Position: refs/heads/master@{#38435}
2016-08-08 11:32:01 +00:00
mstarzinger
f00b42ae31 [interpreter] Fix profiler when hitting OSR frame.
This fixes the runtime profiler to no longer assume that seeing an
optimized frame on the stack implies the underlying function is not
being interpreted when entered normally. This no longer holds with code
generated for OSR directly from bytecode (not installed on function).

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-632800
BUG=chromium:632800

Review-Url: https://codereview.chromium.org/2208603005
Cr-Commit-Position: refs/heads/master@{#38360}
2016-08-05 08:47:48 +00:00
mstarzinger
5671b663f9 [interpreter] Avoid tier-up when there is an OSR activation.
This makes sure we prevent a tier-up for function which also have an
optimized activation of OSR code on the stack. In case the OSR code
deoptimizes, it needs the bytecode to still be around.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-5262
BUG=v8:5262

Review-Url: https://codereview.chromium.org/2206363004
Cr-Commit-Position: refs/heads/master@{#38359}
2016-08-05 07:55:03 +00:00
yangguo
771b81f806 [debug] fix exception prediction for asm frames.
R=mstarzinger@chromium.org
BUG=chromium:633999

Review-Url: https://codereview.chromium.org/2215713002
Cr-Commit-Position: refs/heads/master@{#38358}
2016-08-05 07:14:21 +00:00
bmeurer
cad5b29610 [turbofan] Remove unnecessary prototype checks for element access.
We don't need to add stability dependencies on JSObject prototypes when
storing to an element, because we do the map check (and thereby guard
the elements kind) and we also properly deoptimize on holes if the array
protector is not usable.

R=verwaest@chromium.org
BUG=chromium:616709

Review-Url: https://codereview.chromium.org/2198833002
Cr-Commit-Position: refs/heads/master@{#38355}
2016-08-05 04:55:03 +00:00
adamk
e6d2c9b584 Properly pass InitializationFlag back from ScriptContextTable lookups
This was dropped accidentally in bb97d27ab.

R=verwaest@chromium.org
BUG=chromium:633884

Review-Url: https://codereview.chromium.org/2203213003
Cr-Commit-Position: refs/heads/master@{#38345}
2016-08-04 16:13:41 +00:00
mstarzinger
667d8ad099 [turbofan] Fix missing bailout for accessors in literals.
This adds the missing lazy bailout point when defining accessor pairs
within object literals via Runtime::kDefineAccessorPropertyUnchecked.
The runtime function in question can indeed trigger a lazy deopt due
to a DependentCode::kPrototypeCheckGroup dependency.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-633585
BUG=chromium:633585

Review-Url: https://codereview.chromium.org/2207413002
Cr-Commit-Position: refs/heads/master@{#38336}
2016-08-04 10:28:46 +00:00
jgruber
ea6b9609a6 Handle stack overflows in NoSideEffectToString
An infinite recursion can be triggered when NoSideEffectToString is
called on an error object with its name property set to itself.

BUG=633998

Review-Url: https://codereview.chromium.org/2206313002
Cr-Commit-Position: refs/heads/master@{#38325}
2016-08-04 07:45:11 +00:00
rmcilroy
aacbdacb89 [Crankshaft] Move don't crankshaft check before EnsureDeoptimizationSupport.
Avoids compiling baseline code when the function isn't able to be
optimized by crankshaft.

BUG=chromium:632289

Review-Url: https://codereview.chromium.org/2194453002
Cr-Commit-Position: refs/heads/master@{#38304}
2016-08-03 15:02:38 +00:00
jgruber
d48170dbf5 Move NoSideEffectToString to C++
BUG=

Review-Url: https://codereview.chromium.org/2206573002
Cr-Commit-Position: refs/heads/master@{#38289}
2016-08-03 12:22:23 +00:00
bmeurer
c9324fe6c5 [turbofan] Fix invalid representation selection for Phis/Selects.
We cannot just blindly make a representation selection for Phi or Select
based on the truncations, but we also need to consider the type of the
inputs (or actually of the Phi/Select node itself). We can only use
Word32 representation based on Word32 truncation if the inputs are
Number or Oddball, same for Float64.

R=epertoso@chromium.org
BUG=v8:5255

Review-Url: https://codereview.chromium.org/2206553002
Cr-Commit-Position: refs/heads/master@{#38241}
2016-08-02 12:11:09 +00:00
mstarzinger
962fd4ae4b [interpreter] Elide OSR polling from fake loops.
This makes sure we are not inserting {OsrPoll} instructions for any
statements that are not actually loops and have no back edges. Without
back edges the {BytecodeGraphBuilder} is unable to deduce loop ranges
and hence cannot construct a graph for OSR entry.

R=neis@chromium.org
TEST=mjsunit/regress/regress-5252
BUG=v8:5252

Review-Url: https://codereview.chromium.org/2200733002
Cr-Commit-Position: refs/heads/master@{#38233}
2016-08-02 09:16:59 +00:00
bmeurer
a758144329 [turbofan] Fix invalid comparison operator narrowing.
When we narrow a signed32 comparison to uint8 or uint16 representation,
we also need to change the condition to unsigned comparisons otherwise
the comparison will be done on int16/int8 which interprets the narrowed
bits wrong.

R=epertoso@chromium.org
BUG=v8:5254

Review-Url: https://codereview.chromium.org/2202803003
Cr-Commit-Position: refs/heads/master@{#38231}
2016-08-02 07:46:15 +00:00
jgruber
061d082dd3 Properly set function index in CallSite constructor
BUG=632965
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2199673002
Cr-Commit-Position: refs/heads/master@{#38208}
2016-08-01 12:59:57 +00:00
jgruber
1c7c0521f1 Set Error.stack property writable
Previously, the stack property was set up in JS as read-only; but since
it had a JS setter, writability was ignored and writing to stack was
possible.

This is no longer the case now that stack is either an actual data
property, or is associated with C++ accessors. Explicitly set the
property as writable to preserve old behavior.

BUG=5245
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2190313002
Cr-Commit-Position: refs/heads/master@{#38158}
2016-07-29 08:15:26 +00:00
ishell
fc66694de8 [fullcode][mips][mips64][ppc][s390] Avoid trashing of a home object when doing a count operation with keyed load/store to a super.
BUG=chromium:631917

Review-Url: https://codereview.chromium.org/2191663004
Cr-Commit-Position: refs/heads/master@{#38139}
2016-07-28 14:31:07 +00:00
danno
7f1fa30e34 [stubs] Port CreateWeakCellStub to turbofan
In the process also inline the stub into the appropriate interpreter bytecode
handler and make sure that the context register is preserved in hand-written
assembly code that calls the stub and expects the context register to be
preserved.

BUG=608675

Review-Url: https://codereview.chromium.org/2188993003
Cr-Commit-Position: refs/heads/master@{#38132}
2016-07-28 11:49:00 +00:00
mlippautz
e97b8686f2 [heap] Don't consider mementos on pages below age mark
Objects that reside below the age mark could be on pages that have been moved
within new space. In this case mementos survived which can actually point to
already-collected allocation sites.

BUG=chromium:631050,chromium:581412
R=hpayer@chromium.org

Review-Url: https://codereview.chromium.org/2179033005
Cr-Commit-Position: refs/heads/master@{#38094}
2016-07-27 12:18:16 +00:00
yangguo
071b655fa9 [debugger] Scope iterator should not visit inner function literals.
R=marja@chromium.org
BUG=chromium:621361

Review-Url: https://codereview.chromium.org/2185913003
Cr-Commit-Position: refs/heads/master@{#38087}
2016-07-27 09:04:20 +00:00
mstarzinger
908f355ecc [interpreter] Enable OSR test that no longer fails.
R=mythria@chromium.org
TEST=mjsunit/regress/regress-2618
BUG=v8:4764

Review-Url: https://codereview.chromium.org/2183463003
Cr-Commit-Position: refs/heads/master@{#38085}
2016-07-27 08:58:53 +00:00
bmeurer
32346aaea0 [turbofan] Fix overly aggressive dead code elimination.
When we eliminate nodes during truncation analysis that have no value
uses, we must make sure that we do not eliminate speculative number
operations that would have side effects depending on the inputs, i.e.
for example a SpeculativeNumberMultiply(x,y) does ToNumber(x) and
ToNumber(y) first, so if either x or y could throw an exception during
ToNumber conversion, we must not eliminate the multiplication, even if
it has no value uses (some later pass may kill the actual machine
multiplication, but the checks on the inputs have to remain still).
So we check whether both x and y are PlainPrimitive, i.e. neither
Receiver nor Symbol, which could raise exceptions for ToNumber, and
only in that case we propagate the "unusedness" of the node to its
inputs.

This also uncovered a bug with the type of Dead, which must be None,
as this represents an impossible value, so we had to fix that too.

Also the dead code removal will not work correctly for constants (i.e.
pure nodes with no value inputs), as those might be cached and hence
we might resurrect them for an unrelated node lowering during
SimplifiedLowering and only later kill the actual node (replacing its
uses with Dead), which would then also replace the new use with Dead.
So that was fixed as well. This shouldn't change anything for the
result, as unused constants automagically disappear from the graph later
on anyways.

R=yangguo@chromium.org
BUG=chromium:631318

Review-Url: https://codereview.chromium.org/2182003002
Cr-Commit-Position: refs/heads/master@{#38038}
2016-07-26 07:09:58 +00:00
neis
88a795d1c8 Remove the --ignition-generators flag.
This flag has been enabled by default for over a month now.

R=mstarzinger@chromium.org, rmcilroy@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2176143002
Cr-Commit-Position: refs/heads/master@{#38020}
2016-07-25 12:56:27 +00:00
mvstanton
480f155ed6 [Turbofan] IsUseLessGeneral shouldn't consider machine representation.
BUG=chromium:630952

Review-Url: https://codereview.chromium.org/2177193002
Cr-Commit-Position: refs/heads/master@{#38014}
2016-07-25 12:01:54 +00:00
bmeurer
5bed1516c8 [turbofan] Avoid introducing machine operators during typed lowering.
Introducing machine operators early causes trouble for the typing,
truncation analysis and representation selection, so we should rather
stick to simplified operators instead. Now there's only the for-in case
left, which is not clear how we can handle this in a better way.

Drive-by-fix: Also don't introduce Int32Constant and Word32Shl in
JSTypedLowering, but use NumberConstant and proper NumberShiftLeft
operators instead.

R=jarin@chromium.org
BUG=chromium:630951

Review-Url: https://codereview.chromium.org/2182453002
Cr-Commit-Position: refs/heads/master@{#38008}
2016-07-25 10:38:00 +00:00
yangguo
986814218b Native try-catch syntax parsing should not crash.
R=littledan@chromium.org
BUG=chromium:630559

Review-Url: https://codereview.chromium.org/2176613002
Cr-Commit-Position: refs/heads/master@{#37996}
2016-07-25 05:32:28 +00:00
bmeurer
e3e347b85c [turbofan] Remove overly restrictive DCHECK.
The dead code elimination in SimplifiedLowering can eliminate pure nodes
if they don't have value uses. But some of those can indeed have control
inputs, i.e. Phi nodes do of course have a control input.

R=jarin@chromium.org
BUG=chromium:630923

Review-Url: https://codereview.chromium.org/2177133002
Cr-Commit-Position: refs/heads/master@{#37995}
2016-07-25 05:22:19 +00:00
cbruni
7ede61ed1d [elements] Omit fast path in PrependElementIndices
In PrependElementIndicesImpl we sort a FixedArray of indices potentially
containing HeapNumbers. During the string conversion we might trigger a GC.
This in turn might try to read a slot where we previously had a HeapNumber
but the sort sneaked a SMI in there which is not a valid pointer.

BUG=chromium:630561

Review-Url: https://codereview.chromium.org/2173653003
Cr-Commit-Position: refs/heads/master@{#37993}
2016-07-23 12:16:14 +00:00
jgruber
89403e0316 Omit frames up to new target in Error constructor
BUG=v8:5216
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2175603003
Cr-Commit-Position: refs/heads/master@{#37978}
2016-07-22 11:45:50 +00:00
yangguo
6d0a420298 [debug] use catch prediction flag for promise rejections.
This is in preparation to implementing exception prediction for async
functions.  Each handler table entry can now predict "caught", "uncaught", or
"promise". The latter indicates that the exception will lead to a promise
rejection.

To mark the relevant try-catch blocks, we add a new native syntax.
try { } %catch (e) { } indicates a TryCatchStatement with the "promise"
prediction.

The previous implementation of using the function to tell the relevant
try-catch apart from inner try-catch blocks will not work for async functions
since these can have inner try-catch blocks inside the same function.

BUG=v8:5167

Review-Url: https://codereview.chromium.org/2161263003
Cr-Commit-Position: refs/heads/master@{#37966}
2016-07-22 06:04:54 +00:00
ivica.bogosavljevic
eaa86cbf06 MIPS: Fix infinite loop in Math.pow(2,-2147483648)
BUG=v8:5213

Review-Url: https://codereview.chromium.org/2163963003
Cr-Commit-Position: refs/heads/master@{#37955}
2016-07-21 19:38:01 +00:00
yangguo
07a0f9ebff [debugger] be more lenient about argument type in %DebugGetProperty.
R=mstarzinger@chromium.org
BUG=chromium:629996

Review-Url: https://codereview.chromium.org/2166123003
Cr-Commit-Position: refs/heads/master@{#37942}
2016-07-21 11:29:24 +00:00
jacob.bramley
e83739c0ae [arm] Fix infinite loop in Math.pow(2,2147483648).
BUG=v8:5214

Review-Url: https://codereview.chromium.org/2166743003
Cr-Commit-Position: refs/heads/master@{#37933}
2016-07-21 09:30:32 +00:00
bmeurer
f793cb1fc3 [runtime] %TransitionElementsKind works for any kind of JSObject.
The optimizing compilers actually invoke %TransitionElementsKind for
any kind of JSObject, the only relevant thing is the elements kind.
The runtime function was however checking for JSArray unnecessarily.
This only worked by coincindence in Crankshaft because the stub would
normally not call into the runtime fallback.

R=jarin@chromium.org
BUG=chromium:629823

Review-Url: https://codereview.chromium.org/2166963004
Cr-Commit-Position: refs/heads/master@{#37919}
2016-07-21 07:23:58 +00:00
jgruber
9211dee01a Move Error methods to C++
This ports a large portion of Error methods to C++,
including the constructor, stack setter and getter,
and Error.prototype.toString.

BUG=

Committed: https://crrev.com/5742da056a290caa13a0b8717ddb1e43424e0d31
Review-Url: https://codereview.chromium.org/2142933003
Cr-Original-Commit-Position: refs/heads/master@{#37870}
Cr-Commit-Position: refs/heads/master@{#37908}
2016-07-20 13:05:47 +00:00
jgruber
8c163cfe45 Revert of Move Error methods to C++ (patchset #11 id:200001 of https://codereview.chromium.org/2142933003/ )
Reason for revert:
Clusterfuzz failures: https://bugs.chromium.org/p/chromium/issues/detail?id=629749

Original issue's description:
> Move Error methods to C++
>
> This ports a large portion of Error methods to C++,
> including the constructor, stack setter and getter,
> and Error.prototype.toString.
>
> BUG=
>
> Committed: https://crrev.com/5742da056a290caa13a0b8717ddb1e43424e0d31
> Cr-Commit-Position: refs/heads/master@{#37870}

TBR=yangguo@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2159223004
Cr-Commit-Position: refs/heads/master@{#37881}
2016-07-20 06:45:49 +00:00
jgruber
5742da056a Move Error methods to C++
This ports a large portion of Error methods to C++,
including the constructor, stack setter and getter,
and Error.prototype.toString.

BUG=

Review-Url: https://codereview.chromium.org/2142933003
Cr-Commit-Position: refs/heads/master@{#37870}
2016-07-19 13:51:07 +00:00
yangguo
4de5e1456e [debug] add test case for scope iterator using correct language mode.
TBR=mstarzinger@chromium.org
BUG=v8:5207

Review-Url: https://codereview.chromium.org/2154393003
Cr-Commit-Position: refs/heads/master@{#37860}
2016-07-19 11:07:03 +00:00
bmeurer
e0b8707c78 [turbofan] Fix typing rule for number addition.
R=jarin@chromium.org
BUG=chromium:629435

Review-Url: https://codereview.chromium.org/2161013002
Cr-Commit-Position: refs/heads/master@{#37859}
2016-07-19 10:08:13 +00:00
bmeurer
15f99cd5b5 [turbofan] Properly handle bit->float64 representation changes.
BUG=chromium:629062
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2155323003
Cr-Commit-Position: refs/heads/master@{#37853}
2016-07-19 08:29:52 +00:00
bmeurer
173313e297 [crankshaft] Guard against side effects in Array.prototype.shift lowering.
We need to pay attention to potential side effects from parameter
evaluation when inlining the fast case Array.prototype.shift.

R=yangguo@chromium.org
BUG=chromium:614644

Review-Url: https://codereview.chromium.org/2161943002
Cr-Commit-Position: refs/heads/master@{#37850}
2016-07-19 06:43:04 +00:00
yangguo
a51f429772 [regexp] Fix case-insensitive matching for one-byte subjects.
The bug occurs because we do not canonicalize character class ranges
before adding case equivalents. While adding case equivalents, we abort
early for one-byte subject strings, assuming that the ranges are sorted.
Which they are not.

R=marja@chromium.org
BUG=v8:5199

Review-Url: https://codereview.chromium.org/2159683002
Cr-Commit-Position: refs/heads/master@{#37833}
2016-07-18 12:03:37 +00:00
mstarzinger
a95cdbb4b4 [turbofan] Fix deopt point for [[ToObject]] lazy bailout.
This fixes the deoptimization information for the lazy bailout point
after a [[ToObject]] operation inserted for with statements. The result
value was pushed on the operand stack but erroneously ignored and left
on the operand stack by the FullCodeGenerator.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-5205
BUG=v8:5205

Review-Url: https://codereview.chromium.org/2158443002
Cr-Commit-Position: refs/heads/master@{#37818}
2016-07-18 08:08:47 +00:00
ishell
5d66a7f76b [fullcode] Restore context after calling ToNumber builtin.
BUG=chromium:628573

Review-Url: https://codereview.chromium.org/2153783002
Cr-Commit-Position: refs/heads/master@{#37796}
2016-07-15 13:18:57 +00:00
neis
1c1bdfe17e [test] Extend a test of destructuring.
R=adamk@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2147733003
Cr-Commit-Position: refs/heads/master@{#37773}
2016-07-14 16:11:41 +00:00
mstarzinger
95ba1af314 [i18n] Make regression test work without i18n.
TBR=machenbach@chromium.org
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2144263002
Cr-Commit-Position: refs/heads/master@{#37759}
2016-07-14 12:32:45 +00:00
bmeurer
6530a16eb5 [stubs] Properly handle length overflow in StringAddStub.
Using the Hydrogen code stub bailout mechanism is not correct for the
string length overflow check in the StringAddStub. Instead make sure we
just throw the proper exception.

R=mstarzinger@chromium.org
BUG=chromium:627934

Review-Url: https://codereview.chromium.org/2146353002
Cr-Commit-Position: refs/heads/master@{#37758}
2016-07-14 11:47:42 +00:00
mstarzinger
8226c88b52 [i18n] Ensure [[ToString]] conversion of time zone names.
This adds a missing conversion of time zone names to string primitives
before case conversion and regular expression matching are applied.

This is in sync with ECMA-402, section 12.1.1.1, step 16(a).

R=jochen@chromium.org
TEST=mjsunit/regress/regress-crbug-627935
BUG=chromium:627935

Review-Url: https://codereview.chromium.org/2143003005
Cr-Commit-Position: refs/heads/master@{#37757}
2016-07-14 11:31:29 +00:00
jpp
aa91225289 V8. ASM-2-WASM. Migrates asm-wasm-builder to the new asm-typer.
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
TEST=mjsunit/wasm/*
LOG=N

Review-Url: https://codereview.chromium.org/2134333003
Cr-Commit-Position: refs/heads/master@{#37729}
2016-07-13 19:40:10 +00:00
mstarzinger
a2f1519f68 [turbofan] Fix deopt point for [[ToName]] lazy bailout.
This fixes the deoptimization information for the lazy bailout point
after a [[ToName]] operation inserted for object literals and class
literals. The result value was erroneously ignored.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-627828
BUG=chromium:627828

Review-Url: https://codereview.chromium.org/2149493003
Cr-Commit-Position: refs/heads/master@{#37719}
2016-07-13 15:18:10 +00:00
mythria
fd420203ec [Interpreter] Collect type feedback for calls in the bytecode handler
Collect type feedback in the call bytecode handler. The current
implementation only collects feedback for JS function objects. The other
objects and Array functions do not collect any feedback. They will be
marked Megamorphic.

BUG=v8:4280, v8:4780
LOG=N

Review-Url: https://codereview.chromium.org/2122183002
Cr-Commit-Position: refs/heads/master@{#37700}
2016-07-13 08:00:23 +00:00
aseemgarg
cd95c600be [wasm] allow array access with unsigned indices
BUG=618608
R=bradnelson@chromium.org
TEST=regress-618608.js

Review-Url: https://codereview.chromium.org/2138243002
Cr-Commit-Position: refs/heads/master@{#37693}
2016-07-12 21:56:38 +00:00
cbruni
d234118e29 Revert of making heap verification more aggressive (patchset #7 id:120001 of https://codereview.chromium.org/2126613002/ )
Reason for revert:
failing gc stress tests: https://build.chromium.org/p/client.v8/builders/V8%20Mac%20GC%20Stress/builds/7223/steps/Mjsunit/logs/stdio

Original issue's description:
> [runtime] making heap verification more aggressive
>
> - check that packed elements do not contain the_hole (with fix)
> - verify argument objects with elements kind
> - use JSObjectVerifiy in all JSObject "subclasses"
> - change initialization order for ArrayLiteralBoilerplate to simplify verification
>
> BUG=v8:5188
>
> Committed: https://crrev.com/599aa2e106ca8ab79f5cc489d1b93b6a26b19714
> Cr-Commit-Position: refs/heads/master@{#37680}

TBR=ishell@chromium.org,ulan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5188

Review-Url: https://codereview.chromium.org/2140163002
Cr-Commit-Position: refs/heads/master@{#37682}
2016-07-12 14:07:17 +00:00
cbruni
599aa2e106 [runtime] making heap verification more aggressive
- check that packed elements do not contain the_hole (with fix)
- verify argument objects with elements kind
- use JSObjectVerifiy in all JSObject "subclasses"
- change initialization order for ArrayLiteralBoilerplate to simplify verification

BUG=v8:5188

Review-Url: https://codereview.chromium.org/2126613002
Cr-Commit-Position: refs/heads/master@{#37680}
2016-07-12 13:32:03 +00:00
yangguo
bbb2159d4c [regexp] Fix regexp source escaping with preceding backslashes.
R=franzih@chromium.org
BUG=chromium:515897

Review-Url: https://codereview.chromium.org/2137033002
Cr-Commit-Position: refs/heads/master@{#37664}
2016-07-12 05:36:17 +00:00
aseemgarg
8474f24450 [wasm] throw in case of assignment to module parameters
BUG=613928
R=bradnelson@chromium.org
TEST=regress-613928.js

Review-Url: https://codereview.chromium.org/2123283007
Cr-Commit-Position: refs/heads/master@{#37653}
2016-07-11 17:41:30 +00:00
ishell
b030a6f59d [runtime] Follow-up fix for "Better encapsulation of dictionary objects handling in lookup iterator."
BUG=chromium:626715

Review-Url: https://codereview.chromium.org/2135253002
Cr-Commit-Position: refs/heads/master@{#37651}
2016-07-11 15:51:58 +00:00
caitp
08d0012dda [keys] propagate PropertyFilter to proxy targets in KeyAccumulator
BUG=v8:5174, v8:1543
R=cbruni@chromium.org, littledan@chromium.org

Review-Url: https://codereview.chromium.org/2129193003
Cr-Commit-Position: refs/heads/master@{#37634}
2016-07-11 10:39:35 +00:00
jgruber
be5808bff8 Correctly format builtin constructors in stack traces
CallSite::IsConstructor() was unable to recognize builtin construct stubs
(NumberConstructor_ConstructStub and StringConstructor_ConstructStub) as
constructors, and thus these frames were not formatted correctly in stack
traces.

Fix this by explicitly marking their Code objects as construct stubs and
passing along a special receiver value when we encounter such cases in
CaptureSimpleStackTrace.

R=mstarzinger@chromium.org, yangguo@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2125163004
Cr-Commit-Position: refs/heads/master@{#37631}
2016-07-11 10:05:03 +00:00
jgruber
d49d3864d7 [builtins] Construct builtin frame in String/Number ctors
BUG=v8:5173
R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2118283003
Cr-Commit-Position: refs/heads/master@{#37598}
2016-07-08 06:38:19 +00:00
jkummerow
b36237b8a3 [ForIn] Fix HasEnumerableProperty for Proxies with null prototype
BUG=v8:5181

Review-Url: https://codereview.chromium.org/2129563002
Cr-Commit-Position: refs/heads/master@{#37577}
2016-07-07 10:12:06 +00:00
neis
4a4f7175df [parser] Fix bug in destructuring binding for catch.
For variables introduced as part of a catch pattern, we used to set their
"initializer position" to the beginning of the pattern.  This lead to
full-codegen eliminating crucial hole checks when reading such variables
inside the pattern itself.

R=adamk@chromium.org, littledan@chromium.org
BUG=v8:5178

Review-Url: https://codereview.chromium.org/2123953002
Cr-Commit-Position: refs/heads/master@{#37569}
2016-07-07 07:31:16 +00:00
mlippautz
9f7fd3a554 [heap] Remove test running OOM on some bots
While the test was useful to reproduce the issue locally it creates a lot of
heap pressure and causes all sorts of troubles (OOM, slowness) on the bots, so
let's drop it.

R=hpayer@chromium.org

Review-Url: https://codereview.chromium.org/2127803002
Cr-Commit-Position: refs/heads/master@{#37551}
2016-07-06 13:09:03 +00:00
mstarzinger
c4781e344c [runtime] Deprecate RUNTIME_ASSERT from debugger methods.
This removes explicit uses of the RUNTIME_ASSERT macro from some runtime
methods. The implicit ones in CONVERT_FOO_ARG_CHECKED will be addressed
in a separate CL for all runtime modules at once.

R=yangguo@chromium.org
BUG=v8:5066

Review-Url: https://codereview.chromium.org/2053573004
Cr-Commit-Position: refs/heads/master@{#37545}
2016-07-06 09:06:58 +00:00
neis
45a8167477 [debugger] Don't leak holes from generator arguments.
This is a quick fix for the hole leaking from generators via the debugger's frame
inspection feature: when collecting the arguments, convert each hole to undefined.
In the long term, we probably want to remember and restore the actual arguments
rather than pushing these dummy arguments on each resume.

BUG=v8:5164

Review-Url: https://codereview.chromium.org/2122923003
Cr-Commit-Position: refs/heads/master@{#37544}
2016-07-06 08:11:29 +00:00
mlippautz
da3745d8d9 Reland "[heap] Track length for array buffers to avoid free-ing dependency"
The dependency would only happen if we have a smi overflow for the length and
have create a heap number. In this case the heap number would've to survive
until the array buffer is collected.

To avoid this dependency we track the length (as we previously used to).

BUG=chromium:625752
LOG=N
TEST=test/mjsunit/regress/regress-625752.js
R=hpayer@chromium.org

This reverts commit 1791d7bb9a.

Review-Url: https://codereview.chromium.org/2127643002
Cr-Commit-Position: refs/heads/master@{#37537}
2016-07-05 16:32:17 +00:00
machenbach
1791d7bb9a Revert of [heap] Track length for array buffers to avoid free-ing dependency (patchset #2 id:20001 of https://codereview.chromium.org/2122603004/ )
Reason for revert:
[Sheriff] This makes mjsunit/regress/regress-625752 extremely slow on all gc stress bots and leads to timeouts with custom snapshot:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/6602

Original issue's description:
> [heap] Track length for array buffers to avoid free-ing dependency
>
> The dependency would only happen if we have a smi overflow for the length and
> have create a heap number. In this case the heap number would've to survive
> until the array buffer is collected.
>
> To avoid this dependency we track the length (as we previously used to).
>
> BUG=chromium:625748,chromium:625752
> LOG=N
> TEST=test/mjsunit/regress/regress-625752.js
> R=hpayer@chromium.org
>
> Committed: https://crrev.com/ddc75cc1356a58b6cfd63f9da0586e1150496b3d
> Cr-Commit-Position: refs/heads/master@{#37530}

TBR=hpayer@chromium.org,mlippautz@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:625748,chromium:625752

Review-Url: https://codereview.chromium.org/2127483003
Cr-Commit-Position: refs/heads/master@{#37533}
2016-07-05 14:43:24 +00:00
mlippautz
ddc75cc135 [heap] Track length for array buffers to avoid free-ing dependency
The dependency would only happen if we have a smi overflow for the length and
have create a heap number. In this case the heap number would've to survive
until the array buffer is collected.

To avoid this dependency we track the length (as we previously used to).

BUG=chromium:625748,chromium:625752
LOG=N
TEST=test/mjsunit/regress/regress-625752.js
R=hpayer@chromium.org

Review-Url: https://codereview.chromium.org/2122603004
Cr-Commit-Position: refs/heads/master@{#37530}
2016-07-05 13:15:22 +00:00
jgruber
971468031a Use toString tag to format receiver in stack traces
This concerns formatting of calls to, e.g., Math.acos in stack traces,
in which the receiver is an object with an attached toString tag. If
such a tag exists, use it to format the receiver typename to ensure that
the stack trace includes 'Math.acos' instead of 'Object.acos'.

R=yangguo@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2110683007
Cr-Commit-Position: refs/heads/master@{#37513}
2016-07-05 07:42:53 +00:00
jgruber
f59a23356b [builtins] Add receiver to builtin exit frames
Stack trace generation requires access to the receiver; and while the
receiver is already on the stack, we cannot determine its position
during stack trace generation (it's stored in argv[0], and argc is only
stored in a callee-saved register).

This patch grants access to the receiver by pushing argc onto builtin
exit frames as an extra argument. Compared to simply pushing the
receiver, this requires an additional dereference during stack trace
generation, but one fewer during builtin calls.

BUG=v8:4815

Review-Url: https://codereview.chromium.org/2106883003
Cr-Commit-Position: refs/heads/master@{#37500}
2016-07-04 12:46:47 +00:00
ishell
43aee0331d [fullcode][mips][mips64][ppc][s390] Avoid trashing of a home object when doing a keyed store to a super.
BUG=chromium:625590

Review-Url: https://codereview.chromium.org/2120963002
Cr-Commit-Position: refs/heads/master@{#37497}
2016-07-04 11:42:39 +00:00
ishell
acd674db10 [crankshaft] Use canonical nan_value or minus_zero_value objects instead of constant heap numbers with NaN or -0.0 values.
BUG=chromium:625547

Review-Url: https://codereview.chromium.org/2115413002
Cr-Commit-Position: refs/heads/master@{#37495}
2016-07-04 09:59:26 +00:00
littledan
0ff7b4830c Implement immutable prototype chains
This patch implements "immutable prototype exotic objects" from the ECMAScript
spec, which are objects whose __proto__ cannot be changed, but are not otherwise
frozen. They are introduced in order to prevent a Proxy from being introduced
to the prototype chain of the global object.

The API is extended by a SetImmutablePrototype() call in ObjectTemplate, which
can be used to vend new immutable prototype objects. Additionally, Object.prototype
is an immutable prototype object.

In the implementation, a new bit is added to Maps to say whether the prototype is
immutable, which is read by SetPrototype. Map transitions to the immutable prototype
state are not saved in the transition tree because the main use case is just for
the prototype chain of the global object, which there will be only one of per
Context, so no need to take up the extra word for a pointer in each full transition
tree.

BUG=v8:5149

Review-Url: https://codereview.chromium.org/2108203002
Cr-Commit-Position: refs/heads/master@{#37482}
2016-07-01 19:20:11 +00:00
mstarzinger
a757a62bf5 [turbofan] Broaden checkpoint elimination on returns.
This makes the elimination of checkpoints flowing effect-wise into nodes
having the {Return} operator more permissive. We can cut out checkpoints
even when they are not wholly owned by the return. This also alleviates
a problem where TCO no longer applies.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-624747
BUG=chromium:624747

Review-Url: https://codereview.chromium.org/2118793002
Cr-Commit-Position: refs/heads/master@{#37480}
2016-07-01 13:53:45 +00:00
bmeurer
9c281f2407 [turbofan] Properly lower NumberSinh, NumberCosh and NumberTanh.
R=jarin@chromium.org
BUG=chromium:625121

Review-Url: https://codereview.chromium.org/2116533004
Cr-Commit-Position: refs/heads/master@{#37479}
2016-07-01 12:53:04 +00:00
mstarzinger
920bc17c97 [turbofan] Fix eager bailout point after comma expression.
This ensures no eager bailout point is emitted after a comma expression
in test context where the right-hand side omitted an eager bailout point
as well. This is to stay in sync with full-codegen.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-624919
BUG=chromium:624919

Review-Url: https://codereview.chromium.org/2113893004
Cr-Commit-Position: refs/heads/master@{#37475}
2016-07-01 09:51:50 +00:00
verwaest
c17b44bd3a Fix double canonicalization
This turns the blacklist back into a white-list adding all binary operations as allowed operations. The one known fix is that it forces canonicalization of the double-hole as double constant.

BUG=chromium:621147

Review-Url: https://codereview.chromium.org/2106393002
Cr-Commit-Position: refs/heads/master@{#37452}
2016-06-30 15:18:16 +00:00
jgruber
5febc27b5d [builtins] New frame type for exits to C++ builtins
Prior to this commit, calls to C++ builtins created standard exit
frames, which are skipped when constructing JS stack traces. In order to
show these calls on traces, we introduce a new builtin exit frame type.

Builtin exit frames contain target and new.target on the stack and are
not skipped during stack trace construction.

BUG=v8:4815
R=bmeurer@chromium.org, yangguo@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel;tryserver.v8:v8_linux_nosnap_dbg

Committed: https://crrev.com/3c60c6b105f39344f93a8407f41534e5e60cf19a
Review-Url: https://codereview.chromium.org/2090723005
Cr-Original-Commit-Position: refs/heads/master@{#37384}
Cr-Commit-Position: refs/heads/master@{#37416}
2016-06-30 06:58:23 +00:00
adamk
7166503f6e Do all parsing for try/catch destructuring inside the appropriate scopes
Previously, any expressions inside destructuring patterns in a catch
would be parsed in the surrounding scope, instead of in the catch's
scope. This change fixes that by entering not only the catch scope,
but also the block scope inside it.

R=neis@chromium.org
BUG=v8:5106, v8:5112

Review-Url: https://codereview.chromium.org/2110193002
Cr-Commit-Position: refs/heads/master@{#37415}
2016-06-30 06:52:13 +00:00
bmeurer
5927deaaf1 Revert of [builtins] New frame type for exits to C++ builtins (patchset #5 id:80001 of https://codereview.chromium.org/2090723005/ )
Reason for revert:
Looks like this breaks on nosnap: http://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosnap%20-%20debug/builds/7626

Original issue's description:
> [builtins] New frame type for exits to C++ builtins
>
> Prior to this commit, calls to C++ builtins created standard exit
> frames, which are skipped when constructing JS stack traces. In order to
> show these calls on traces, we introduce a new builtin exit frame type.
>
> Builtin exit frames contain target and new.target on the stack and are
> not skipped during stack trace construction.
>
> BUG=v8:4815
> R=bmeurer@chromium.org, yangguo@chromium.org
> CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
>
> Committed: https://crrev.com/3c60c6b105f39344f93a8407f41534e5e60cf19a
> Cr-Commit-Position: refs/heads/master@{#37384}

TBR=yangguo@chromium.org,jgruber@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4815

Review-Url: https://codereview.chromium.org/2106113002
Cr-Commit-Position: refs/heads/master@{#37394}
2016-06-29 12:39:36 +00:00
jgruber
3c60c6b105 [builtins] New frame type for exits to C++ builtins
Prior to this commit, calls to C++ builtins created standard exit
frames, which are skipped when constructing JS stack traces. In order to
show these calls on traces, we introduce a new builtin exit frame type.

Builtin exit frames contain target and new.target on the stack and are
not skipped during stack trace construction.

BUG=v8:4815
R=bmeurer@chromium.org, yangguo@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review-Url: https://codereview.chromium.org/2090723005
Cr-Commit-Position: refs/heads/master@{#37384}
2016-06-29 11:10:27 +00:00
hpayer
46a365faae [heap] Reland uncommit unused large object page memory.
BUG=

Review-Url: https://codereview.chromium.org/2109943003
Cr-Commit-Position: refs/heads/master@{#37376}
2016-06-29 09:38:45 +00:00
neis
40641fbc03 [regexp] Fix writing of lastIndex in JSRegExp::Initialize.
The lastIndex property must be written with the semantics of a strict [[Set]],
so an exception must be thrown when the attributes don't allow writing.  We used
to ignore the attributes.

R=littledan@chromium.org, yangguo@chromium.org
BUG=v8:5138

Review-Url: https://codereview.chromium.org/2109593002
Cr-Commit-Position: refs/heads/master@{#37369}
2016-06-29 08:48:03 +00:00
aseemgarg
fa5cb207a1 [wasm] fix loops and if-else to take int type instead of signed
BUG=617526
R=bradnelson@chromium.org
TEST=regress-617526.js

Review-Url: https://codereview.chromium.org/2101923003
Cr-Commit-Position: refs/heads/master@{#37354}
2016-06-29 00:40:32 +00:00
bradnelson
e42983d147 [wasm] Making compare and conditionals more correct.
Comparisons were allowing asm 'int' values in places
that require strict 'signed' or 'unsigned' but not both.

Fixes crash when these make it to asm-wasm.

BUG=599413
BUG=v8:4203
R=aseemgarg@chromium.org

Review-Url: https://codereview.chromium.org/2106683003
Cr-Commit-Position: refs/heads/master@{#37353}
2016-06-28 23:50:14 +00:00
bradnelson
c5856779eb [wasm] Forbid sign mismatch in asm typer.
asm.js forbids mixing signed and unsigned % or /.
We had been allowing these.

Fixes crash.

BUG=618602
BUG=v8:4203
R=aseemgarg@chromium.org

Review-Url: https://codereview.chromium.org/2107683002
Cr-Commit-Position: refs/heads/master@{#37350}
2016-06-28 21:01:36 +00:00
bradnelson
58920e04bc [wasm] Require wasm explicit asm instantiation to be of a function.
We were not checking that the string passed to instantiateFromAsm
contains a function declaration (any declaration was allowed).

Fixes crash.

BUG=620649
BUG=v8:4203
R=aseemgarg@chromium.org

Review-Url: https://codereview.chromium.org/2109533002
Cr-Commit-Position: refs/heads/master@{#37349}
2016-06-28 20:58:28 +00:00
hpayer
f99f633309 Revert of [heap] Reland uncommit unused large object page memory. (patchset #1 id:1 of https://codereview.chromium.org/2101383002/ )
Reason for revert:
Crashes unbox-double-arrays

Original issue's description:
> [heap] Reland uncommit unused large object page memory.
>
> BUG=
>
> Committed: https://crrev.com/dd0ee5fd11653ba41a292641ccd66ae7cc5a8398
> Cr-Commit-Position: refs/heads/master@{#37341}

TBR=ulan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2106933003
Cr-Commit-Position: refs/heads/master@{#37347}
2016-06-28 20:22:35 +00:00
hpayer
dd0ee5fd11 [heap] Reland uncommit unused large object page memory.
BUG=

Review-Url: https://codereview.chromium.org/2101383002
Cr-Commit-Position: refs/heads/master@{#37341}
2016-06-28 17:41:30 +00:00
nikolaos
61c137c811 Fix bug with re-scoping arrow function parameter initializers
When re-scoping arrow function parameter initializers, temporaries
should be moved from the closure of the old scope to the closure of
the new scope, if necessary.

R=adamk@chromium.org, rossberg@chromium.org
BUG=chromium:622663
LOG=N

Review-Url: https://codereview.chromium.org/2083083007
Cr-Commit-Position: refs/heads/master@{#37335}
2016-06-28 15:10:17 +00:00
mstarzinger
4af80298b6 [turbofan] Fix missing lazy deopt in object literals.
This adds a missing lazy bailout point when defining data properties
with computed property names in object literals. The runtime call to
Runtime::kDefineDataPropertyInLiteral can trigger deopts. The necessary
bailout ID already exists and is now properly used.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-621816
BUG=chromium:621816

Review-Url: https://codereview.chromium.org/2099133003
Cr-Commit-Position: refs/heads/master@{#37294}
2016-06-27 13:56:00 +00:00
adamk
c7eb436d09 Remove all harmony runtime flags which shipped in M51
Flags removed (all begin with "harmony-"):
  function-name
  instanceof
  iterator-close
  unicode-regexps
  regexp-exec
  regexp-subclass
  species

BUG=v8:3566, v8:3648, v8:3699, v8:4093, v8:4447, v8:4602

Review-Url: https://codereview.chromium.org/2096933002
Cr-Commit-Position: refs/heads/master@{#37235}
2016-06-24 01:13:10 +00:00
adamk
f795a79010 Rewrite scopes in computed properties in destructured parameters
While we properly handled scopes of initializers in destructured parameters,
we never did the right thing for computed properties. This patch fixes that
by factoring out PatternRewriter's scope rewriting logic and calls it
for the computed property case.

BUG=chromium:620119

Review-Url: https://codereview.chromium.org/2084103002
Cr-Commit-Position: refs/heads/master@{#37228}
2016-06-23 20:47:18 +00:00
adamk
7b011fc9db Array splice should only normalize deleted_elements if it's an array
Also slightly expand regression test to end with a return instead of
an exception.

R=cbruni@chromium.org
BUG=chromium:618788

Review-Url: https://codereview.chromium.org/2090193002
Cr-Commit-Position: refs/heads/master@{#37223}
2016-06-23 17:23:20 +00:00
ishell
a81c66546e [mips] Fix using signaling NaN for holes in fixed double arrays.
BUG=chromium:620650

Review-Url: https://codereview.chromium.org/2086343002
Cr-Commit-Position: refs/heads/master@{#37207}
2016-06-23 08:27:54 +00:00
littledan
2601900dda Reland of write scopes of non-simple default arguments (patchset #1 id:1 of https://codereview.chromium.org/2081323006/ )
Reason for revert:
Infra issue appears to be over

TBR=adamk@chromium.org

Original issue's description:
> Revert of Rewrite scopes of non-simple default arguments (patchset #5 id:80001 of https://codereview.chromium.org/2077283004/ )
>
> Reason for revert:
> Seems to close tree (but it could be an infra issue)
>
> Original issue's description:
> > Rewrite scopes of non-simple default arguments
> >
> > Default parameters have additional declaration block scopes inserted
> > around them when something in the function scope calls eval. This
> > patch sets the parent scope of the expressions introduced due to
> > those defaults to the new block scope.
> >
> > R=adamk
> > BUG=chromium:616386
> >
> > Committed: https://crrev.com/0e14baf712955a1993f742647bb2adc293702b80
> > Cr-Commit-Position: refs/heads/master@{#37198}
>
> TBR=adamk@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:616386
>
> Committed: https://crrev.com/dd50262933d2ac087da32be887a7c18385fd998e
> Cr-Commit-Position: refs/heads/master@{#37201}

TBR=adamk@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:616386

Review-Url: https://codereview.chromium.org/2086353003
Cr-Commit-Position: refs/heads/master@{#37202}
2016-06-22 21:09:57 +00:00
littledan
dd50262933 Revert of Rewrite scopes of non-simple default arguments (patchset #5 id:80001 of https://codereview.chromium.org/2077283004/ )
Reason for revert:
Seems to close tree (but it could be an infra issue)

Original issue's description:
> Rewrite scopes of non-simple default arguments
>
> Default parameters have additional declaration block scopes inserted
> around them when something in the function scope calls eval. This
> patch sets the parent scope of the expressions introduced due to
> those defaults to the new block scope.
>
> R=adamk
> BUG=chromium:616386
>
> Committed: https://crrev.com/0e14baf712955a1993f742647bb2adc293702b80
> Cr-Commit-Position: refs/heads/master@{#37198}

TBR=adamk@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:616386

Review-Url: https://codereview.chromium.org/2081323006
Cr-Commit-Position: refs/heads/master@{#37201}
2016-06-22 19:58:10 +00:00
littledan
0e14baf712 Rewrite scopes of non-simple default arguments
Default parameters have additional declaration block scopes inserted
around them when something in the function scope calls eval. This
patch sets the parent scope of the expressions introduced due to
those defaults to the new block scope.

R=adamk
BUG=chromium:616386

Review-Url: https://codereview.chromium.org/2077283004
Cr-Commit-Position: refs/heads/master@{#37198}
2016-06-22 18:22:18 +00:00
mlippautz
7a88ff3cc0 [heap] Filter out stale left-trimmed handles for scavenges
The missing part from
  https://codereview.chromium.org/2078403002/

R=jochen@chromium.org
BUG=chromium:621869
LOG=N

Review-Url: https://codereview.chromium.org/2077353004
Cr-Commit-Position: refs/heads/master@{#37184}
2016-06-22 12:22:46 +00:00
mlippautz
21b55c4aa5 [heap] Fix check in AdvancePage
Failing to do the right check in AdvancePage results in a crash in a CHECK later
in EnsureCurrentCapacity.

BUG=chromium:620750,chromium:622115
LOG=N
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2090013002
Cr-Commit-Position: refs/heads/master@{#37171}
2016-06-22 09:10:09 +00:00
yangguo
5eaf4ac48f [debugger] add test case for scope materialization and rest params.
R=jgruber@chromium.org
BUG=v8:4703

Review-Url: https://codereview.chromium.org/2088703002
Cr-Commit-Position: refs/heads/master@{#37169}
2016-06-22 08:35:28 +00:00
jwolfe
d8147eb98c Reland: change most cases of variable redeclaration from TypeError to SyntaxError.
Reland of https://codereview.chromium.org/2048703002/

Code like `let a; eval("var a;");` should throw a SyntaxError, not a TypeError
(this caused a test262 failure.). However, the code `eval("function NaN() {}");`
should actually throw a TypeError. This patch changes most cases of
redeclaration errors from TypeError to SyntaxError. See the test
mjsunit/regress/redeclaration-error-types for a thorough analysis with spec
references.

The relevant sections of the spec are ES#sec-globaldeclarationinstantiation and
ES#sec-evaldeclarationinstantiation

BUG=v8:4955
LOG=y
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
R=adamk

Review-Url: https://codereview.chromium.org/2086063002
Cr-Commit-Position: refs/heads/master@{#37156}
2016-06-21 20:19:59 +00:00
bmeurer
5e0cd389bf [turbofan] MemoryOptimizer cannot deal with dead nodes in use lists.
We need to trim the graph before we execute the MemoryOptimizer, because
that just walks the effect chain from Start to End and cannot deal with
dead nodes in the use lists.

R=jarin@chromium.org
BUG=chromium:614292

Review-Url: https://codereview.chromium.org/2080703003
Cr-Commit-Position: refs/heads/master@{#37133}
2016-06-21 10:40:44 +00:00
bmeurer
7877ddecdb [builtins] Make sure the Math functions and constants agree.
While the EcmaScript specification doesn't define precise values for the
Math constants or the Math functions, we should at least ensure that the
values of the constants and the functions agree, i.e. Math.E should be
exactly the same value as Math.exp(1).

Also make sure that Math.exp(1) returns the expected value; we should
revisit the fdlibm algorithm and figure out why it's wrong in the last
bit.

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
BUG=chromium:626111,v8:3266,v8:3468,v8:3493,v8:5086,v8:5108
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2079233005
Cr-Commit-Position: refs/heads/master@{#37128}
2016-06-21 07:02:16 +00:00
mlippautz
d800a65967 [heap] Filter out stale left-trimmed handles
BUG=chromium:620553
LOG=N
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2078403002
Cr-Commit-Position: refs/heads/master@{#37108}
2016-06-20 14:32:15 +00:00
jgruber
198e09de5a [builtins] Use BUILTIN frame in DatePrototype_GetField
Construct a BUILTIN frame before throwing an exception from runtime.

R=bmeurer@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2078443002
Cr-Commit-Position: refs/heads/master@{#37053}
2016-06-17 07:44:42 +00:00
jgruber
f47b9e9810 [builtins] Introduce a proper BUILTIN frame type.
This adds a new BUILTIN frame type, which supports variable number of
arguments for builtins implemented in hand-written native code (we will
extend this mechanism to TurboFan builtins at some point). Convert the
Math.max and Math.min builtins to construct a BUILTIN frame if required.

This does not yet work for C++ builtins, but that'll be the next step.

R=bmeurer@chromium.org, jarin@chromium.org
BUG=v8:4815
LOG=n

Review-Url: https://codereview.chromium.org/2069423002
Cr-Commit-Position: refs/heads/master@{#37051}
2016-06-17 07:41:34 +00:00
mstarzinger
e55384b28e [d8] Make exception reporting more resilient.
This makes sure exception reporting done by the debug shell behaves
gracefully even near the stack limit. When line number determination
fails we just fallback to not printing source information.

R=yangguo@chromium.org
TEST=mjsunit/regress/regress-crbug-620253
BUG=chromium:620253

Review-Url: https://codereview.chromium.org/2069543007
Cr-Commit-Position: refs/heads/master@{#37031}
2016-06-16 10:14:08 +00:00
bmeurer
47fb39e4de Revert of [turbofan] Properly handle dictionary maps in the prototype chain. (patchset #1 id:1 of https://codereview.chromium.org/2067423003/ )
Reason for revert:
As discussed offline with Toon, this is not the correct fix here.

Original issue's description:
> [turbofan] Properly handle dictionary maps in the prototype chain.
>
> Dictionary prototypes don't have stable maps, but still don't matter for
> element access. Generalized the JSNativeContextSpecialization a bit to
> handle everything that Crankshaft can handle in this regard.
>
> R=jarin@chromium.org
> BUG=chromium:616709
>
> Committed: https://crrev.com/1c7bdc7f6f4d9512f4982590bd949f265ee9c8c3
> Cr-Commit-Position: refs/heads/master@{#37019}

TBR=jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:616709

Review-Url: https://codereview.chromium.org/2076493002
Cr-Commit-Position: refs/heads/master@{#37029}
2016-06-16 09:17:35 +00:00
bmeurer
1c7bdc7f6f [turbofan] Properly handle dictionary maps in the prototype chain.
Dictionary prototypes don't have stable maps, but still don't matter for
element access. Generalized the JSNativeContextSpecialization a bit to
handle everything that Crankshaft can handle in this regard.

R=jarin@chromium.org
BUG=chromium:616709

Review-Url: https://codereview.chromium.org/2067423003
Cr-Commit-Position: refs/heads/master@{#37019}
2016-06-16 05:27:20 +00:00
gsathya
3624a5e110 Promises: Add regression test for promise resolution with proxy
BUG=v8:5004

Review-Url: https://codereview.chromium.org/2070213002
Cr-Commit-Position: refs/heads/master@{#37015}
2016-06-16 02:00:26 +00:00
mstarzinger
d21b50ad6a [test] Bump stack size of regression test.
This is to make sure the test in question does not run out of stack
space during bootstrapping on any configuration. Our fuzzers take the
test an run it against a broad spectrum of configuration. The new size
of 100 is used throughout our test suite as "the smallest" stack size.

R=jkummerow@chromium.org
TEST=mjsunit/regress/regress-1132
BUG=chromium:619744

Review-Url: https://codereview.chromium.org/2068993002
Cr-Commit-Position: refs/heads/master@{#36995}
2016-06-15 11:19:43 +00:00
mlippautz
d6473f5c14 [Heap] Fix comparing against new space top pointer
See bug description.

BUG=chromium:619382
LOG=N
R=ulan@chromium.org

Review-Url: https://codereview.chromium.org/2065063002
Cr-Commit-Position: refs/heads/master@{#36968}
2016-06-14 13:52:01 +00:00
adamk
56ea2f9731 Array.prototype.slice should only normalize result if it's an array
R=cbruni@chromium.org
BUG=chromium:618788

Review-Url: https://codereview.chromium.org/2058013002
Cr-Commit-Position: refs/heads/master@{#36955}
2016-06-14 09:39:23 +00:00
littledan
85c2c8d847 Revert of change most cases of variable redeclaration from TypeError to SyntaxError (patchset #8 id:140001 of https://codereview.chromium.org/2048703002/ )
Reason for revert:
This is going to break the LayoutTest inspector-protocol/console/console-let-const-with-api.html as seen in https://build.chromium.org/p/tryserver.v8/builders/v8_linux_blink_rel/builds/2247 . Please run this test manually, using instructions at https://www.chromium.org/developers/testing/webkit-layout-tests , and fix on the Chrome side if needed before resubmitting this patch.

Original issue's description:
> change most cases of variable redeclaration from TypeError to SyntaxError.
>
> Code like `let a; eval("var a;");` should throw a SyntaxError, not a TypeError
> (this caused a test262 failure.). However, the code `eval("function NaN() {}");`
> should actually throw a TypeError. This patch changes most cases of
> redeclaration errors from TypeError to SyntaxError. See the test
> mjsunit/regress/redeclaration-error-types for a thorough analysis with spec
> references.
>
> The relevant sections of the spec are ES#sec-globaldeclarationinstantiation and
> ES#sec-evaldeclarationinstantiation
>
> BUG=v8:4955
> LOG=y
>
> Committed: https://crrev.com/2b787561763d0f7e8dab698652715a742cf78291
> Cr-Commit-Position: refs/heads/master@{#36940}

TBR=adamk@chromium.org,jwolfe@igalia.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4955

Review-Url: https://codereview.chromium.org/2064793002
Cr-Commit-Position: refs/heads/master@{#36941}
2016-06-13 18:23:57 +00:00
jwolfe
2b78756176 change most cases of variable redeclaration from TypeError to SyntaxError.
Code like `let a; eval("var a;");` should throw a SyntaxError, not a TypeError
(this caused a test262 failure.). However, the code `eval("function NaN() {}");`
should actually throw a TypeError. This patch changes most cases of
redeclaration errors from TypeError to SyntaxError. See the test
mjsunit/regress/redeclaration-error-types for a thorough analysis with spec
references.

The relevant sections of the spec are ES#sec-globaldeclarationinstantiation and
ES#sec-evaldeclarationinstantiation

BUG=v8:4955
LOG=y

Review-Url: https://codereview.chromium.org/2048703002
Cr-Commit-Position: refs/heads/master@{#36940}
2016-06-13 18:14:41 +00:00
mstarzinger
e95cfafb67 Fix arguments object stubs for large arrays.
This fixes FastNewStrictArgumentsStub and FastNewRestParameterStub to no
longer assume that the strict arguments object being allocated will fit
into new-space. The case where said object needs to move to large object
space is now handled in the runtime.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-614727
BUG=chromium:614727

Review-Url: https://codereview.chromium.org/2054853002
Cr-Commit-Position: refs/heads/master@{#36917}
2016-06-13 08:25:43 +00:00
neis
6899f878ac [generators] Improve a test.
R=mstarzinger@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2056283002
Cr-Commit-Position: refs/heads/master@{#36895}
2016-06-10 13:27:27 +00:00
jkummerow
3b87e9aa03 Fix stale IC::receiver_map_ after prototype fastification
BUG=chromium:618845

Review-Url: https://codereview.chromium.org/2058063002
Cr-Commit-Position: refs/heads/master@{#36891}
2016-06-10 11:43:33 +00:00
neis
54b405ce65 [generators] Make runtime functions more robust.
Only look at the --ignition-generators flag when determining whether to use
Ignition (in compiler.cc).  In generator runtime functions, instead of looking
at the flag, determine the generator kind based on whether the generator has a
bytecode array.  This allows compiling some generator function using
full-codegen and others using Ignition, e.g when using --ignition-filter.

R=mstarzinger@chromium.org
BUG=chromium:618657,v8:4907

Review-Url: https://codereview.chromium.org/2052873002
Cr-Commit-Position: refs/heads/master@{#36864}
2016-06-09 14:20:58 +00:00
mstarzinger
206cf39851 [runtime] Deprecate RUNTIME_ASSERT from object ops.
This removes explicit uses of the RUNTIME_ASSERT macro from some runtime
methods. The implicit ones in CONVERT_FOO_ARG_CHECKED will be addressed
in a separate CL for all runtime modules at once.

R=bmeurer@chromium.org
BUG=v8:5066

Review-Url: https://codereview.chromium.org/2045193002
Cr-Commit-Position: refs/heads/master@{#36852}
2016-06-09 11:22:19 +00:00
bmeurer
eb1c9e2723 [es6] Fix prototype chain walk for instanceof.
When walking up the prototype chain during OrdinaryHasInstance, we first
check if the current prototype equals the expected one, and only
afterwards check the current prototype against null. That's obviously
wrong if we check something like Proxy, whose prototype is null.

R=yangguo@chromium.org
BUG=v8:5085

Review-Url: https://codereview.chromium.org/2041103007
Cr-Commit-Position: refs/heads/master@{#36840}
2016-06-09 06:26:03 +00:00
jkummerow
be0494ba5b Keep prototype maps in dictionary mode until ICs see them
Adding properties to prototypes is faster when we don't force their
maps into fast mode yet. Once a prototype shows up in the IC system,
its setup phase is likely over, and it makes sense to transition it
to fast properties.
This patch speeds up the microbenchmark in the bug by 20x.
Octane-Typescript sees a 3% improvement.

BUG=chromium:607010

Review-Url: https://codereview.chromium.org/2036493006
Cr-Commit-Position: refs/heads/master@{#36828}
2016-06-08 14:43:47 +00:00
yangguo
7c3cad2d14 [crankshaft] do not sign-extend int32 immediate in DoMathMinMax.
R=bmeurer@chromium.org
BUG=chromium:495493

Review-Url: https://codereview.chromium.org/2044353002
Cr-Commit-Position: refs/heads/master@{#36818}
2016-06-08 10:12:16 +00:00
mstarzinger
8e02f47ea1 [runtime] Deprecate RUNTIME_ASSERT from primitive ops.
This removes explicit uses of the RUNTIME_ASSERT macro from some runtime
methods. The implicit ones in CONVERT_FOO_ARG_CHECKED will be addressed
in a separate CL for all runtime modules at once.

R=verwaest@chromium.org
BUG=v8:5066

Review-Url: https://codereview.chromium.org/2041353003
Cr-Commit-Position: refs/heads/master@{#36815}
2016-06-08 09:29:27 +00:00
yangguo
ada6fa1fda Add test case for 85b8c2dc (fix observable array access in messages.js).
R=bmeurer@chromium.org
BUG=chromium:617527

Review-Url: https://codereview.chromium.org/2045153002
Cr-Commit-Position: refs/heads/master@{#36813}
2016-06-08 07:54:26 +00:00
machenbach
67af060318 Revert of [heap] Clear out of live range remembered set slots in large objects. (patchset #2 id:20001 of https://codereview.chromium.org/2043713006/ )
Reason for revert:
Fails arm sim:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm%20-%20sim/builds/1012

Original issue's description:
> [heap] Clear out of live range remembered set slots in large objects.
>
> BUG=chromium:617882
> LOG=n
>
> Committed: https://crrev.com/38ad63ff15d7e379423be4c57ae94ae2c9ffb4af
> Cr-Commit-Position: refs/heads/master@{#36795}

TBR=ulan@chromium.org,hpayer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:617882

Review-Url: https://codereview.chromium.org/2042403002
Cr-Commit-Position: refs/heads/master@{#36799}
2016-06-07 18:32:33 +00:00
hpayer
38ad63ff15 [heap] Clear out of live range remembered set slots in large objects.
BUG=chromium:617882
LOG=n

Review-Url: https://codereview.chromium.org/2043713006
Cr-Commit-Position: refs/heads/master@{#36795}
2016-06-07 15:21:37 +00:00
ishell
3e0be8d7fc [runtime] Don't use ElementsTransitionAndStoreStub for transitions that involve instance rewriting.
BUG=chromium:617524, v8:5009
LOG=Y

Review-Url: https://codereview.chromium.org/2044003003
Cr-Commit-Position: refs/heads/master@{#36780}
2016-06-07 09:50:04 +00:00
yangguo
0b65799534 Remove accidentally added files.
These files somehow got added due to some rebase issues I had locally.

R=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2042203002
Cr-Commit-Position: refs/heads/master@{#36772}
2016-06-07 07:13:53 +00:00
Yang Guo
7c3748a9c4 [debug] load correct stack slot for frame details.
R=bmeurer@chromium.org
BUG=v8:5071

Review URL: https://codereview.chromium.org/2045863002 .

Cr-Commit-Position: refs/heads/master@{#36769}
2016-06-07 06:25:15 +00:00
titzer
0b91952913 [asmjs] Validator should reject modules with repeated functions.
R=ahaas@chromium.org,aseemgarg@chromium.org,bradnelson@chromium.org
BUG=chromium:617525

Review-Url: https://codereview.chromium.org/2040983002
Cr-Commit-Position: refs/heads/master@{#36748}
2016-06-06 13:40:42 +00:00
titzer
dc98fabf15 [asmjs] Validator should reject assignments to heap variables in functions.
BUG=chromium:617529

Review-Url: https://codereview.chromium.org/2041843002
Cr-Commit-Position: refs/heads/master@{#36747}
2016-06-06 13:30:13 +00:00
mstarzinger
826627d9fd [turbofan] Make FindFrameStateBefore handle dead paths.
This makes sure {NodeProperties::FindFrameStateBefore} can deal with
effect chains that are marked as dead. This can happen when reducers
looking for frame states run together with other reducers killing some
execution paths within the same reduction phase.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-617567
BUG=chromium:617567,chromium:617224

Review-Url: https://codereview.chromium.org/2041833002
Cr-Commit-Position: refs/heads/master@{#36743}
2016-06-06 12:34:53 +00:00
bmeurer
f2da19fe39 [builtins] Migrate Math.log to TurboFan.
Introduce a dedicated Float64Log machine operator, that is either
implemented by a direct C call or by platform specific code, i.e.
using the FPU on x64 and ia32.

This operator is used to implement Math.log as a proper TurboFan
builtin on top of the CodeStubAssembler.

Also introduce a NumberLog simplified operator on top of Float64Log
and use that for the fast inline path of Math.log inside TurboFan
optimized code.

BUG=v8:5065

Review-Url: https://codereview.chromium.org/2029413005
Cr-Commit-Position: refs/heads/master@{#36703}
2016-06-03 09:48:25 +00:00
jarin
0d4c526a1d [crankshaft] Reland "Only exclude explicit 'arguments' (and 'this') from liveness analysis."
Reland of https://codereview.chromium.org/2026173003 (reverted by
https://codereview.chromium.org/2029563002).

Additionally, we need to record environment markers even for the
case of a.length, where a is aliased arguments (which crankshaft
optimizes to constant for the inlined case or to HArgumentsLength
when not inlined).

BUG=chromium:612146

Review-Url: https://codereview.chromium.org/2028243002
Cr-Commit-Position: refs/heads/master@{#36662}
2016-06-02 04:30:17 +00:00
gsathya
a7d091ffe3 math.js: Use %_TypedArrayGetLength to get length
https://codereview.chromium.org/2001393004 makes TypedArray
length property writable, which means we shouldn't depend on it.
Instead, use %_TypedArrayGetLength% to get length.

Attached regression test.

BUG=chromium:615776

Review-Url: https://codereview.chromium.org/2020203006
Cr-Commit-Position: refs/heads/master@{#36655}
2016-06-01 18:44:30 +00:00
ishell
9fa206e1f4 [runtime] Ensure that all elements kind transitions are chained to the root map.
This CL also updates the elements kind transition lookup logic:
1) First we go back to the root map,
2) Follow elements kind transitions,
3) Replay the property transitions.

BUG=v8:5009
LOG=Y
TBR=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2015513002
Cr-Commit-Position: refs/heads/master@{#36652}
2016-06-01 15:55:11 +00:00
machenbach
8b0a6dd652 Revert of [crankshaft] Only exclude explicit 'arguments' (and 'this') from liveness analysis. (patchset #2 id:20001 of https://codereview.chromium.org/2026173003/ )
Reason for revert:
Triggers crashes on the deopt fuzzer:
https://build.chromium.org/p/client.v8/builders/V8%20Deopt%20Fuzzer/builds/10608

Repro:
out/Release/d8 --test --random-seed=849179141 --deopt-every-n-times 149 --nohard-abort --nodead-code-elimination --nofold-constants --noconcurrent-recompilation test/webkit/resources/standalone-pre.js test/webkit/dfg-arguments-mixed-alias.js test/webkit/resources/standalone-post.js

Original issue's description:
> [crankshaft] Only exclude explicit 'arguments' (and 'this') from liveness analysis.
>
> Currently, we do not emit EnvironmentMarkers if the hydrogen value
> in the environment is arguments object. As the hydrogen value can change
> for local variables, we emit only some environment markers. That can
> cause environment liveness analysis to mark part of live range as live
> and part as dead. The zapping phase then only inserts zaps in
> live->dead transitions, potentially zapping a live value.
>
> With this CL, we only emit EnvironmentMarkers for 'this' and
> 'arguments' local variables, disregarding the hydrogen value.
>
> BUG=chromium:612146
> LOG=n
>
> Committed: https://crrev.com/1428fbe224dc2df0cb6f59e4959430f7aa614064
> Cr-Commit-Position: refs/heads/master@{#36641}

TBR=jkummerow@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:612146

Review-Url: https://codereview.chromium.org/2029563002
Cr-Commit-Position: refs/heads/master@{#36644}
2016-06-01 12:45:06 +00:00
jarin
1428fbe224 [crankshaft] Only exclude explicit 'arguments' (and 'this') from liveness analysis.
Currently, we do not emit EnvironmentMarkers if the hydrogen value
in the environment is arguments object. As the hydrogen value can change
for local variables, we emit only some environment markers. That can
cause environment liveness analysis to mark part of live range as live
and part as dead. The zapping phase then only inserts zaps in
live->dead transitions, potentially zapping a live value.

With this CL, we only emit EnvironmentMarkers for 'this' and
'arguments' local variables, disregarding the hydrogen value.

BUG=chromium:612146
LOG=n

Review-Url: https://codereview.chromium.org/2026173003
Cr-Commit-Position: refs/heads/master@{#36641}
2016-06-01 12:04:35 +00:00
bmeurer
7554360f28 [builtins] Migrate String.fromCharCode to TurboFan code stub.
When we moved the String.fromCharCode builtin to C++, we slightly
regressed the fast single character code argument case. Recovered some
of the performance by implementing the builtin using the TurboFan
CodeStubAssembler.

Drive-by-fix: Make sure the stack trace from the implicit ToNumber
conversion in String.fromCharCode includes the builtin by adding a
regression test for that.

R=yangguo@chromium.org
BUG=chromium:609831,chromium:613947,v8:5049

Review-Url: https://codereview.chromium.org/2021143003
Cr-Commit-Position: refs/heads/master@{#36611}
2016-05-31 11:39:05 +00:00
clemensh
25c2203a8f Check CallSite arguments more rigorously
Before, it was possible to construct invalid CallSite objects, which
would trigger a runtime assert when any function is called on it.
This check ensures to throw a TypeError when invalid information is
passed to the CallSite constructor.

This reverts part of this CL: https://codereview.chromium.org/2006603002

R=ishell@chromium.org, titzer@chromium.org, yangguo@chromium.org
BUG=chromium:614295

Review-Url: https://codereview.chromium.org/2010493002
Cr-Commit-Position: refs/heads/master@{#36578}
2016-05-30 10:30:13 +00:00
franzih
8c31bd81f2 [builtins] Rewrite uri.js as builtin functions.
Rewrite decodeURI and decodeURIComponent as builtin functions
and install them in the bootstrapper.

Delete unused runtime functions:
 - TruncateString
 - NewString
 - OneByteSeqStringGetChar
 - OneByteSeqStringSetChar
 - TwoByteSeqStringGetChar
 - TwoByteSeqStringSetChar

Add regression test for decoding large strings. Clusterfuzz detected
a problem with %TruncateString, see
https://bugs.chromium.org/p/chromium/issues/detail?id=612109#c6
This is automatically fixed by this rewrite because %TruncateString
is deleted anyways.

Crude benchmark on 585 decodeURI and decodeURIComponent tests
averaged over five runs:

* builtin functions
real	0m9.69s
user	2m39.8816s
sys    	0m12.6398s

* JS functions calling into the runtime e.g., for %TruncateString
real	0m11.0598s
user	3m6.7026s
sys	0m13.5756s

By running:
$  time tools/run-tests.py   --arch=x64  --mode=Release --buildbot
  test262/built-ins/decodeURI* mjsunit/uri
>>> Running tests for x64.Release

BUG=v8:4912, chromium:612109
R=yangguo@chromium.org, bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/1994733003
Cr-Commit-Position: refs/heads/master@{#36543}
2016-05-27 09:57:07 +00:00
gsathya
91e2039df0 TypedArray: Make byteOffset, byteLength, and length configurable
Removes the DONT_DELETE enum bit from the properties to make them
configurable.

Also, updates the regress-typedarray-length test to --
- Check for true boolean return value on deletion of these
  properties.
- Check for undefined return value on trying to access these
  properties after deletion.

BUG=v8:4902
LOG=Y

Review-Url: https://codereview.chromium.org/2001393004
Cr-Commit-Position: refs/heads/master@{#36528}
2016-05-25 19:09:56 +00:00
yangguo
5d93296a5c [regexp] fix /ui regexp desugaring for text nodes.
R=littledan@chromium.org
BUG=v8:5036

Review-Url: https://codereview.chromium.org/2005753003
Cr-Commit-Position: refs/heads/master@{#36453}
2016-05-23 22:23:43 +00:00
danno
f43aa0bc6c [turbofan] Correctly call ArrayNoArgumentConstructor stub from TF code
BUG=chromium:612412
LOG=N

Review-Url: https://codereview.chromium.org/1999783004
Cr-Commit-Position: refs/heads/master@{#36448}
2016-05-23 16:44:13 +00:00
mstarzinger
3cc2adb319 [deoptimizer] Fix materialization of sloppy arguments.
This makes sure the deoptimizer can materialize sloppy arguments objects
with the FAST_SLOPPY_ARGUMENTS_ELEMENTS elements kind. TurboFan's escape
analysis treates those as normal JSObject types and hence materializes
them differently than Crankshaft does.

R=verwaest@chromium.org
TEST=mjsunit/regress/regress-crbug-613919
BUG=chromium:613919

Review-Url: https://codereview.chromium.org/2001133002
Cr-Commit-Position: refs/heads/master@{#36440}
2016-05-23 13:52:35 +00:00
mstarzinger
dbd7d5a59f [turbofan] Skip data-flow analysis of code entry field.
This makes escape analysis skip analyzing the code entry field within
JSFunction objects. Said field is an untagged pointer field and hence
cannot be tracked by an ObjectState node.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-613494
BUG=chromium:613494

Review-Url: https://codereview.chromium.org/1997353002
Cr-Commit-Position: refs/heads/master@{#36436}
2016-05-23 10:40:29 +00:00
yangguo
46aeb2aed8 [json] fix encoding change for two-byte gap strings.
R=mstarzinger@chromium.org
BUG=chromium:613570

Review-Url: https://codereview.chromium.org/1997003002
Cr-Commit-Position: refs/heads/master@{#36433}
2016-05-23 09:18:58 +00:00
ishell
a7a14fdebc [runtime] Don't crash when trying to access manually constructed CallSite object.
... but hit the runtime assert instead.
|
| Runtime error in ../src/runtime/runtime-internal.cc, line 409
|
| call_site.IsJavaScript() || call_site.IsWasm()
|

BUG=chromium:613905
LOG=N

Review-Url: https://codereview.chromium.org/2006603002
Cr-Commit-Position: refs/heads/master@{#36430}
2016-05-23 09:01:29 +00:00
bmeurer
cc71837fda [builtins] Migrate String.fromCharCode to C++.
The previous JavaScript version created way too many ConsStrings for
longer strings, i.e. when using String.fromCharCode together with
Function.prototype.apply and arrays of char codes.

This version now always allocates sequential strings and therefore uses
way less memory when turning longer character sequences into strings,
and therefore fixes the memory regression on Google Maps.

BUG=chromium:609831
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2004733002
Cr-Commit-Position: refs/heads/master@{#36427}
2016-05-21 16:59:59 +00:00
jkummerow
43547df9c7 [crankshaft] Don't inline "dont_crankshaft" functions
Crankshaft shouldn't try to inline functions it knows it can't handle.

BUG=v8:5033

Review-Url: https://codereview.chromium.org/2000703002
Cr-Commit-Position: refs/heads/master@{#36417}
2016-05-20 15:20:15 +00:00
mvstanton
b71f1cc2f4 Bugfix: Crankshaft array literals with incorrect values.
In VisitArrayLiteral(), we stopped creating boilerplates during
 compilation. This created a bug, because we'd emit an HStoreKeyed with an
 ElementsKind based on the initial elements kind of the boilerplate. Since
 boilerplates may transition as part of elements transition feedback, this can
 lead to incorrect values (storing a smi in a double array).

BUG=chromium:606021

Review-Url: https://codereview.chromium.org/2000673002
Cr-Commit-Position: refs/heads/master@{#36408}
2016-05-20 13:07:52 +00:00
adamk
de7d47e22f Remove now-incorrect DataView accessor optimization
In ES2015, the "byteLength" and "byteOffset" properties of DataViews are
getters on the prototype, so the previously-used strategy of special-casing
them using only the receiver map is invalid.

A future CL will need to use the same strategy which will be taken for
TypedArray "length", "byteLength", and "byteOffset": adding a prototype
chain check.

BUG=v8:5018, chromium:593634

Review-Url: https://codereview.chromium.org/1984043002
Cr-Commit-Position: refs/heads/master@{#36382}
2016-05-19 19:49:35 +00:00
mstarzinger
d5aa995e3c [turbofan] Make escape analysis non-experimental.
This promotes the escape analysis from an experimental feature to be a
fully supported feature. The main goal is to unleach ClusterFuzz on the
implementation so that we can stabilize it.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1989833002
Cr-Commit-Position: refs/heads/master@{#36324}
2016-05-18 13:51:01 +00:00
bmeurer
33e571ff4b [turbofan] Kill type Guard nodes during effect/control linearization.
These guards are useless anyways once you make it throw the
effect/control linearizer because all memory operations and
calls are connected to the control and/or effect chain anyways
afterwards.

Drive-by-fix: Fail in the InstructionSelector if we ever see
a Guard node.

R=jarin@chromium.org
BUG=chromium:612142

Review-Url: https://codereview.chromium.org/1980383002
Cr-Commit-Position: refs/heads/master@{#36302}
2016-05-18 05:38:22 +00:00
mstarzinger
7cef5593e4 [turbofan] Escape analysis treats guard nodes as escaping.
This makes escape analysis treat all guard nodes in the graph as an
escaping use. We eventually want to properly handle guard nodes, this
just serves as a temporary workaround to get things going.

R=bmeurer@chromium.org
BUG=v8:602595
LOG=n

Review-Url: https://codereview.chromium.org/1972323004
Cr-Commit-Position: refs/heads/master@{#36286}
2016-05-17 15:47:35 +00:00
yangguo
8e303dd0b3 Fix %FunctionGetName and %_ClassOf for bound functions.
R=bmeurer@chromium.org
BUG=v8:5010

Review-Url: https://codereview.chromium.org/1980463002
Cr-Commit-Position: refs/heads/master@{#36276}
2016-05-17 11:26:00 +00:00
gsathya
d33aedb7b9 Revert "Fix TypedArray Property optimizations", add regression test and eliminate dead code
This reverts commit 41d571dfe8.

Reason for revert: This patch breaks the correctness of the typedarray
properties such as length, byteOffset, byteLength.

The accessor check optimization code is dead code eliminated. A follow
up patch will fix this optimization correctly.

BUG=chromium:593634

Review-Url: https://codereview.chromium.org/1977983002
Cr-Commit-Position: refs/heads/master@{#36254}
2016-05-13 22:31:07 +00:00
bmeurer
fa7460adbc [turbofan] Fix optimized lowering of Math.imul.
We eagerly inserted Int32Mul for Math.imul during builtin lowering and
messed up with the types, which confused the representation selection.
This adds a proper NumberImul operator, and fixes the builtin reducer to
do the right thing according to the spec.

R=mstarzinger@chromium.org
BUG=v8:5006
LOG=n

Review-Url: https://codereview.chromium.org/1971163002
Cr-Commit-Position: refs/heads/master@{#36219}
2016-05-12 18:43:32 +00:00
yangguo
ea0dcad0a6 [debugger] keep scope and context chain for hidden scopes in sync.
R=jgruber@chromium.org
BUG=chromium:609046
LOG=N

Review-Url: https://codereview.chromium.org/1957303002
Cr-Commit-Position: refs/heads/master@{#36160}
2016-05-11 08:24:33 +00:00
mstarzinger
afb69f7438 [fullcodegen] Add missing bailout points for super calls.
The bailout points for named and keyed property loads when doing super
property calls are not being prepared by full-codegen, even though we
are using them in TurboFan for deopts and stack traces.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-4971
BUG=v8:4971
LOG=n

Review-Url: https://codereview.chromium.org/1960083002
Cr-Commit-Position: refs/heads/master@{#36109}
2016-05-09 13:44:40 +00:00
mstarzinger
434ef2ccfd [turbofan] Remove deprecated --turbo-osr flag.
The flag in question used to fall-back to Crankshaft whenever an OSR
request couldn't be handled by TurboFan. By now OSR in TurboFan is
sufficiently stabilized that one single --use-osr flag should do it.

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/1960043002
Cr-Commit-Position: refs/heads/master@{#36102}
2016-05-09 09:12:01 +00:00
ishell
8758245a62 Don't crash when load eval origin of a call site.
BUG=chromium:610207
LOG=N

Review-Url: https://codereview.chromium.org/1958043002
Cr-Commit-Position: refs/heads/master@{#36101}
2016-05-09 09:00:52 +00:00
ishell
e17a283f92 [es6] Properly handle the case when an inlined getter/setter/constructor does a tail call.
Deoptimizer is now able to reconstruct topmost accessor and constructor frames.

BUG=chromium:608278, v8:4698
LOG=N
TBR=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/1936043002
Cr-Commit-Position: refs/heads/master@{#36075}
2016-05-06 12:37:13 +00:00
adamk
75f2d65f00 Don't treat catch scopes as possibly-shadowing for sloppy eval
Scope analysis is over-conservative when treating variable resolutions
as possibly-shadowed by a sloppy eval. In the attached bug, this comes
into play since catch scopes have different behavior with respect to
the "calls eval" in eager vs lazy compilation (in the latter, they
are never marked as "calls eval" because CatchContexts don't have
an associated ScopeInfo).

This patch changes the scope-type check to also eliminate a few other
cases where shadowing isn't possible, such as non-declaration block scopes.

BUG=chromium:608279
LOG=n

Review-Url: https://codereview.chromium.org/1950803002
Cr-Commit-Position: refs/heads/master@{#36046}
2016-05-04 21:36:13 +00:00
titzer
f82b33781d [wasm] Fix for 608630: allow proxies as FFI.
R=ahaas@chromium.org,bradnelson@chromium.org
BUG=chromium:608630
LOG=Y

Review-Url: https://codereview.chromium.org/1943313002
Cr-Commit-Position: refs/heads/master@{#36008}
2016-05-04 08:54:00 +00:00
bmeurer
c3218375c1 [turbofan] Implement %_NewObject using FastNewObjectStub.
The inline allocation sequence in the optimizing compilers cannot deal
well with funky types like JSRegExp, which have some magic fields in
addition to the inobject properties. In Crankshaft we already use the
FastNewObjectStub for %_NewObject in general, so fix TurboFan to the same.
Hopefully one day we can kill %_NewObject completely.

R=jarin@chromium.org
BUG=chromium:609029
LOG=n

Review-Url: https://codereview.chromium.org/1943403004
Cr-Commit-Position: refs/heads/master@{#36006}
2016-05-04 07:35:22 +00:00
adamk
c8a342a582 Fix 'eval' in class extends clauses to be always-strict
Compiler backends get their language mode from the current
function, but should instead be deriving it from the current scope.
This allows proper handling of the always-strictness of class declarations
and expressions, and in particular the treatment of 'eval' calls in an
extends clause as a strict eval.

Also fix the parser's RecordEvalCall logic to only reach out to the
DeclarationScope in sloppy mode, which fixes the strange case of a
sloppy function thinking it contains a sloppy eval when in fact
it contains only a strict eval.

BUG=v8:4970
LOG=n

Review-Url: https://codereview.chromium.org/1931003003
Cr-Commit-Position: refs/heads/master@{#36001}
2016-05-03 22:36:29 +00:00
titzer
d622c3a8bd [wasm] Disallow runtime calls in asm.js modules.
R=ahaas@chromium.org,bradnelson@chromium.org
BUG=chromium:592352
LOG=Y

Review-Url: https://codereview.chromium.org/1943373002
Cr-Commit-Position: refs/heads/master@{#35992}
2016-05-03 15:57:23 +00:00
titzer
98c2312995 [wasm] Fix bug with empty input to Wasm.instantiateModuleFromAsm()
R=ahaas@chromium.org,bradnelson@chromium.org
BUG=chromium:605488
LOG=Y

Review-Url: https://codereview.chromium.org/1940243002
Cr-Commit-Position: refs/heads/master@{#35974}
2016-05-03 11:15:24 +00:00
littledan
4f374bbc94 Use InternalArrays from certain Intl code
The ECMA 402 implementation previously pushed directly to real
Arrays, which risks having observably incorrect behavior in the
presence of monkey patching. This patch uses InternalArrays instead
to avoid that hazard.

R=jshin@chromium.org,yangguo@chromium.org
BUG=chromium:604299
LOG=N

Review-Url: https://codereview.chromium.org/1923803002
Cr-Commit-Position: refs/heads/master@{#35949}
2016-05-02 18:19:25 +00:00
adamk
567aa1be6d [full-codegen] Fix stack depth tracking when reporting unsupported super usages
Also mark VisitSuperCallReference as unreachable, as it's handled by VisitCall.

R=mstarzinger@chromium.org
BUG=v8:4967
LOG=n

Review-Url: https://codereview.chromium.org/1929213002
Cr-Commit-Position: refs/heads/master@{#35945}
2016-05-02 17:28:54 +00:00
ishell
b83edcc8b1 [runtime] Don't crash when creating an instance of a class inherited from a Proxy.
BUG=v8:4972
LOG=N

Review-Url: https://codereview.chromium.org/1925803005
Cr-Commit-Position: refs/heads/master@{#35911}
2016-04-29 15:07:35 +00:00
machenbach
819371c628 Revert of Remove more dead code after Object.observe removal (patchset #5 id:80001 of https://codereview.chromium.org/1904313004/ )
Reason for revert:
[Sheriff] Looks like this breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/6442

Original issue's description:
> Remove more dead code after Object.observe removal
>
> This moves __{define,lookup}{Getter,Setter}__ to builtins.cc to free up the JavaScript implementation of DefineOwnProperty for deletion.

TBR=verwaest@chromium.org,jkummerow@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/1929293002
Cr-Commit-Position: refs/heads/master@{#35886}
2016-04-29 06:31:02 +00:00
littledan
3d66e5d1d7 Add checks for detached ArrayBuffers to ArrayBuffer.prototype.slice
These checks ensure that a TypeError is thrown, per spec, rather than
a runtime assert failure.

BUG=v8:4964
R=adamk
LOG=Y

Review-Url: https://codereview.chromium.org/1929123002
Cr-Commit-Position: refs/heads/master@{#35885}
2016-04-28 22:50:56 +00:00
jkummerow
15e106382e Remove more dead code after Object.observe removal
This moves __{define,lookup}{Getter,Setter}__ to builtins.cc to free up the JavaScript implementation of DefineOwnProperty for deletion.

Review-Url: https://codereview.chromium.org/1904313004
Cr-Commit-Position: refs/heads/master@{#35876}
2016-04-28 18:35:42 +00:00
verwaest
f1cc6e646f Check the state of the current binary op IC before patching smi code
Between the miss and patching, we run user code. That may already patch the same code. IC refactoring broke this (again), so including a regression test this time around.

BUG=chromium:601392
LOG=n

Review URL: https://codereview.chromium.org/1925583002

Cr-Commit-Position: refs/heads/master@{#35811}
2016-04-27 09:19:15 +00:00
yangguo
d1e08e7a72 [debugger] do not expose temporary variables introduced by the parser.
R=bmeurer@chromium.org, kozyatinskiy@chromium.org
BUG=chromium:582048
LOG=N

Review URL: https://codereview.chromium.org/1916343002

Cr-Commit-Position: refs/heads/master@{#35805}
2016-04-27 04:49:46 +00:00
adamk
967a04634d Forward accept_IN to ParseYieldExpression
This allows "yield 'x' in o" as an expression in a generator.

R=ishell@chromium.org
BUG=v8:4945
LOG=n

Review URL: https://codereview.chromium.org/1916183003

Cr-Commit-Position: refs/heads/master@{#35798}
2016-04-26 17:24:49 +00:00
yangguo
eee6ddb2ac [debugger] add test case for debug-evaluate for values in TDZ.
R=jkummerow@chromium.org
BUG=chromium:605581
LOG=N

Review URL: https://codereview.chromium.org/1920953003

Cr-Commit-Position: refs/heads/master@{#35794}
2016-04-26 14:11:21 +00:00
verwaest
1678bb557c MigrateInstance(target) before Object.assign(target, ...)
If the target is deprecated, the object will be updated on first store. If the source for that store equals the target, this will invalidate the cached representation of the source. Preventively upgrade the target.

BUG=chromium:604300
LOG=n

Review URL: https://codereview.chromium.org/1905933002

Cr-Commit-Position: refs/heads/master@{#35770}
2016-04-25 15:41:21 +00:00
yangguo
6f67d171f1 [regexp] Fix non-match and max match length in RegExpCharacterClass.
R=mstarzinger@chromium.org
BUG=chromium:605862
LOG=N

Review URL: https://codereview.chromium.org/1916763002

Cr-Commit-Position: refs/heads/master@{#35764}
2016-04-25 13:32:14 +00:00
yangguo
3c7391093b [debugger] fix mjsunit/regress/regress-crbug-119800 for ignition.
R=vogelheim@chromium.org
BUG=v8:4690
LOG=N

Review URL: https://codereview.chromium.org/1907293002

Cr-Commit-Position: refs/heads/master@{#35758}
2016-04-25 11:37:12 +00:00
rmcilroy
11e3ba34f5 [Interpreter] Fix incorrect Register OperandSize calculation for ExtraWide.
Fixes a mistake made in r35618 for register OperandSize calculations.

BUG=605470
LOG=N

Review URL: https://codereview.chromium.org/1908033002

Cr-Commit-Position: refs/heads/master@{#35719}
2016-04-22 10:32:14 +00:00
jkummerow
f4a9a50147 [tests] Add testcase for r35397
This is a follow-up to 58429beb7b
"Fix KeyedStore stub selection for STRING_WRAPPER_ELEMENTS".

BUG=chromium:602184
LOG=n

Review URL: https://codereview.chromium.org/1912443004

Cr-Commit-Position: refs/heads/master@{#35715}
2016-04-22 09:08:46 +00:00
adamk
6a370a6f01 Remove support for Object.observe
The feature was deprecated in M49 and flagged off in M50.
This patch removes it entirely from the codebase.

Review URL: https://codereview.chromium.org/1909433003

Cr-Commit-Position: refs/heads/master@{#35714}
2016-04-22 09:02:41 +00:00
jkummerow
9bebebd909 [ic] Restore PROPERTY key tracking in keyed ICs
Non-vectorized KeyedLoadICs used to remember whether they had seen Names
as keys; Crankshaft uses this information to avoid emitting elements
accesses which would always deopt. This CL restores that functionality
for vector ICs.

BUG=chromium:594183
LOG=y
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1912593002

Cr-Commit-Position: refs/heads/master@{#35706}
2016-04-21 13:18:28 +00:00
verwaest
7dfb5beeec Fix 'typeof null' canonicalization in crankshaft
BUG=

Review URL: https://codereview.chromium.org/1912553002

Cr-Commit-Position: refs/heads/master@{#35699}
2016-04-21 11:24:31 +00:00
verwaest
4a6a0f5530 Make sure we always try to make prototypes fast again when transitioning accessors
BUG=chromium:605060
LOG=n

Review URL: https://codereview.chromium.org/1907953002

Cr-Commit-Position: refs/heads/master@{#35697}
2016-04-21 11:18:08 +00:00
ishell
b4dbb2f710 [deoptimizer] Do not modify stack_fp which is used as a key for lookup of previously materialized objects.
BUG=chromium:604680, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1904663003

Cr-Commit-Position: refs/heads/master@{#35693}
2016-04-21 09:54:33 +00:00
adamk
e96cbdcdd6 More accurately record an end position for default parameters in arrows
Our previous over-conservative answer caused us to emit hole checks in
full-codegen when eagerly parsing but not when lazily parsing.

With this patch, we use the positions of the BinaryOperations making up
the parameter list (which are the positions of the commas) to determine
the appropriate "end position" for each parameter's initializer. This means
that we get accurate-enough positions for the initializers in the eager
parsing step to get the same answers for hole-check-elimination that we
will later during ParseLazy.

In the included test case, for example:

  (function() { ((s = 17, y = s) => s)(); } )();
                        ^2     ^1

The old code would generate a hole check when trying to load
|s| for assignment to |y| (because it treated the closing parentheses
pointed to by "^1" as the "initialization position" of |s|).

The new code uses the comma pointed to by "^2" as the initialization
position of |s|. Since that occurs textually before the load of |s|,
full-codegen knows it can avoid the hole check.

BUG=v8:4908
LOG=n

Review URL: https://codereview.chromium.org/1900343002

Cr-Commit-Position: refs/heads/master@{#35678}
2016-04-20 20:49:16 +00:00
titzer
b994ad45b0 [turbofan] Length and index2 are unsigned in CheckedLoad/CheckedStore.
Also factor out test cases from test-run-machops.cc into test-run-load-store.cc

BUG=chromium:599717
LOG=Y

Review URL: https://codereview.chromium.org/1858323003

Cr-Commit-Position: refs/heads/master@{#35651}
2016-04-20 09:35:06 +00:00
ishell
28113880e3 Fix polymorphic keyed load handler selection for proxies.
BUG=chromium:603463
LOG=N

Review URL: https://codereview.chromium.org/1894203002

Cr-Commit-Position: refs/heads/master@{#35607}
2016-04-19 08:58:43 +00:00
bmeurer
e96c143171 [turbofan] Optimize typeof in abstract/strict equality comparison.
Add support to optimize certain comparisons of typeof with known
strings to utilize the existing ObjectIs<Type> predicates. Also
add a new ObjectIsCallable, which is used to optimize the common
typeof x === "function" pattern.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1898653003

Cr-Commit-Position: refs/heads/master@{#35562}
2016-04-18 07:03:23 +00:00
mvstanton
401450493e Security: type confusion lead to information leak in decodeURI
Quit using the global array in uri code.

R=yangguo@chromium.org
BUG=chromium:602970
LOG=N

Review URL: https://codereview.chromium.org/1889133003

Cr-Commit-Position: refs/heads/master@{#35530}
2016-04-15 13:09:45 +00:00
yangguo
93135d8c0d [regexp] fix assertion failure when parsing close to stack overflow.
R=jkummerow@chromium.org
BUG=chromium:600257
LOG=N

Review URL: https://codereview.chromium.org/1884143002

Cr-Commit-Position: refs/heads/master@{#35496}
2016-04-14 14:44:28 +00:00
hablich
b88d048adf Reland of [compiler] Make feedback vector cope with flag changes. (patchset #1 id:1 of https://codereview.chromium.org/1876103002/ )
Reason for revert:
Did not fail on another roll including this CL ..

Original issue's description:
> Revert of [compiler] Make feedback vector cope with flag changes. (patchset #1 id:1 of https://codereview.chromium.org/1869693003/ )
>
> Reason for revert:
> Blocks current roll: https://codereview.chromium.org/1876713002/ according to bisect: https://codereview.chromium.org/1872353002/#ps80001
>
> Original issue's description:
> > [compiler] Make feedback vector cope with flag changes.
> >
> > This fixes corner cases where the layout of feedback vectors baked into
> > the snapshot is different from the expected layout, depending on some
> > runtime flags. We make sure the feedback vector is regenereated for
> > functions that are not compiled. Flag changes of this kind are only
> > allowed when code is not serialized.
> >
> > An alternative solution would be to not serialize the feedback vector
> > for such cases in the first place. That solution however would have a
> > higher overhead, as it would required the serializer to be able to
> > recognize feedback vectors while generating a snapshot.
> >
> > R=mvstanton@chromium.org
> > TEST=mjsunit/regress/regress-crbug-600995
> > BUG=chromium:600995
> > LOG=n
> >
> > Committed: https://crrev.com/460bff5fb6af2bd79e610f89afdf6da9dba3cf0c
> > Cr-Commit-Position: refs/heads/master@{#35339}
>
> TBR=mvstanton@chromium.org,mstarzinger@chromium.org
>
> BUG=chromium:600995
> LOG=N
> NOTRY=true
>
> Committed: https://crrev.com/78049e9c4837f053575d6c71e53ae12fec99f1aa
> Cr-Commit-Position: refs/heads/master@{#35392}

TBR=mvstanton@chromium.org,mstarzinger@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:600995

Review URL: https://codereview.chromium.org/1876973002

Cr-Commit-Position: refs/heads/master@{#35398}
2016-04-11 18:56:37 +00:00
hablich
78049e9c48 Revert of [compiler] Make feedback vector cope with flag changes. (patchset #1 id:1 of https://codereview.chromium.org/1869693003/ )
Reason for revert:
Blocks current roll: https://codereview.chromium.org/1876713002/ according to bisect: https://codereview.chromium.org/1872353002/#ps80001

Original issue's description:
> [compiler] Make feedback vector cope with flag changes.
>
> This fixes corner cases where the layout of feedback vectors baked into
> the snapshot is different from the expected layout, depending on some
> runtime flags. We make sure the feedback vector is regenereated for
> functions that are not compiled. Flag changes of this kind are only
> allowed when code is not serialized.
>
> An alternative solution would be to not serialize the feedback vector
> for such cases in the first place. That solution however would have a
> higher overhead, as it would required the serializer to be able to
> recognize feedback vectors while generating a snapshot.
>
> R=mvstanton@chromium.org
> TEST=mjsunit/regress/regress-crbug-600995
> BUG=chromium:600995
> LOG=n
>
> Committed: https://crrev.com/460bff5fb6af2bd79e610f89afdf6da9dba3cf0c
> Cr-Commit-Position: refs/heads/master@{#35339}

TBR=mvstanton@chromium.org,mstarzinger@chromium.org

BUG=chromium:600995
LOG=N
NOTRY=true

Review URL: https://codereview.chromium.org/1876103002

Cr-Commit-Position: refs/heads/master@{#35392}
2016-04-11 15:36:30 +00:00
ishell
26c480d13c [deoptimizer] Extend assert to also expect kTailCallerFunction as bottommost frame when accessing arguments for inlined function.
BUG=chromium:601617, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1876753002

Cr-Commit-Position: refs/heads/master@{#35385}
2016-04-11 12:20:37 +00:00
mythria
8982cb5c70 [Interpreter] Handles legacy constants in strict mode.
Function bindings are the only variables in LEGACY_CONST mode.
(https://codereview.chromium.org/1819123002/). Since these variables
can also be accessed in strict mode functions we should support
handling such variables. Assigning to a legacy constant throws
a TypeError in strict mode. Also fixes hydrogen.cc to throw a
TypeError for legacy constants.

BUG=v8:4280,chromium:599068
LOG=N
TBR=rmcilroy@chromium.org

Review URL: https://codereview.chromium.org/1845223006

Cr-Commit-Position: refs/heads/master@{#35383}
2016-04-11 12:04:01 +00:00
adamk
a0a8ecd078 Remove runtime flags for sloppy mode block scoping features
These were all on by default in M49 without complaint.

R=littledan@chromium.org

Review URL: https://codereview.chromium.org/1858943002

Cr-Commit-Position: refs/heads/master@{#35342}
2016-04-08 00:30:20 +00:00
mstarzinger
460bff5fb6 [compiler] Make feedback vector cope with flag changes.
This fixes corner cases where the layout of feedback vectors baked into
the snapshot is different from the expected layout, depending on some
runtime flags. We make sure the feedback vector is regenereated for
functions that are not compiled. Flag changes of this kind are only
allowed when code is not serialized.

An alternative solution would be to not serialize the feedback vector
for such cases in the first place. That solution however would have a
higher overhead, as it would required the serializer to be able to
recognize feedback vectors while generating a snapshot.

R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-600995
BUG=chromium:600995
LOG=n

Review URL: https://codereview.chromium.org/1869693003

Cr-Commit-Position: refs/heads/master@{#35339}
2016-04-07 15:35:03 +00:00
cbruni
9478356ed3 Fix representation issue in FastArrayPushStub
Pushing undefined onto a FAST_DOUBLE_ARRAY does not enforce the right representation checks.

BUG=chromuim:599089
LOG=n

Review URL: https://codereview.chromium.org/1868973002

Cr-Commit-Position: refs/heads/master@{#35332}
2016-04-07 12:46:08 +00:00
mvstanton
ce1fe78d7e Bugfix: assert in lithium compile for LMaybeGrowElements
BUG=chromium:585041
LOG=N

Review URL: https://codereview.chromium.org/1854423003

Cr-Commit-Position: refs/heads/master@{#35331}
2016-04-07 11:41:39 +00:00
jarin
3df0a8c1f2 [crankshaft] Make infinite loops preserve control flow.
We have to preserve control flow so that the liveness analysis is less
confused. This CL fixes loops to preserve teh original control flow.

BUG=chromium:599710
LOG=n

Review URL: https://codereview.chromium.org/1863123002

Cr-Commit-Position: refs/heads/master@{#35318}
2016-04-07 05:36:44 +00:00
titzer
77a8c2ea86 [asm.js] Fix typing bug for non-literals in heap access.
R=bradnelson@chromium.org
BUG=chromium:599825
LOG=Y

Review URL: https://codereview.chromium.org/1858263002

Cr-Commit-Position: refs/heads/master@{#35273}
2016-04-05 17:24:03 +00:00
littledan
7a38462e8b Ensure CreateDataProperty works correctly on TypedArrays
Previously, CreateDataProperty would fail a DCHECK when used to create
an integer indexed property on a TypedArray. This patch makes it throw
a TypeError instead. The issue came up when Array.prototype.concat
was repaired to use CreateDataProperty rather than SetElement; concat
can be tricked into making a new TypedArray if it is given an Array
whose prototype is a TypedArray. This patch prevents the issue.

R=adamk
LOG=Y
BUG=chromium:596394

Review URL: https://codereview.chromium.org/1821723004

Cr-Commit-Position: refs/heads/master@{#35271}
2016-04-05 16:56:12 +00:00
cbruni
823224f3ee [elements] Fix length bounds precheck for Array.prototype.concat
BUG=chromium:599414
LOG=n

Review URL: https://codereview.chromium.org/1863553003

Cr-Commit-Position: refs/heads/master@{#35269}
2016-04-05 15:35:27 +00:00
jarin
4142bc6bc1 [turbofan] Restrict types in load elimination.
In simplified numbering, we make sanity checks based on types (e.g.,
NumberSubtract should take numbers as inputs), but this can be
violated if optimization passes make types less precise.

In this CL, we fix load elimination to make sure that types are
smaller in the store -> load elimination by taking an intersection
of the load's type with the store value's type and inserting a guard
with that type. Note that the load type comes from type feedback, so
it can be disjoint from the stored value type (in that case, this
must be dead code because the map chack for the load should prevent
us from using the stored value).

BUG=chromium:599412
LOG=n

Review URL: https://codereview.chromium.org/1857133003

Cr-Commit-Position: refs/heads/master@{#35259}
2016-04-05 12:30:14 +00:00
ishell
792bf2a093 [crankshaft] Fix environment handling after leaving inlined tail call.
BUG=chromium:537444, v8:4698
LOG=N
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1859763005

Cr-Commit-Position: refs/heads/master@{#35253}
2016-04-05 09:43:56 +00:00
bmeurer
e5724d958b [frames] Also properly deal with TF builtins in OptimizedFrame::GetFunctions().
This was missing from the previous fix.

R=ishell@chromium.org
BUG=chromium:599714
LOG=n

Review URL: https://codereview.chromium.org/1861583002

Cr-Commit-Position: refs/heads/master@{#35249}
2016-04-05 06:41:20 +00:00
mstarzinger
6ab9c1850f Fix resuming generator marked for optimization.
This fixes a corner case where the generator function of a suspended
generator has been marked for optimization. We assume the optimization
approach will cause a bailout because generators are not optimized. But
resuming is more resilient by always activating the unoptimized code.

R=neis@chromium.org,bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-513471
BUG=chromium:513471
LOG=n

Review URL: https://codereview.chromium.org/1856683002

Cr-Commit-Position: refs/heads/master@{#35234}
2016-04-04 11:52:09 +00:00
ishell
4598356f17 Properly complete in-object slack tracking.
BUG=chromium:599003
LOG=N

Review URL: https://codereview.chromium.org/1856653002

Cr-Commit-Position: refs/heads/master@{#35232}
2016-04-04 10:00:44 +00:00
ishell
c7ff5766cf Display a meaningfull error message when trying to capture a stack trace to a proxy.
... instead of RUNTIME_ASSERT pointing to V8 guts.

BUG=chromium:599067
LOG=N

Review URL: https://codereview.chromium.org/1844223004

Cr-Commit-Position: refs/heads/master@{#35227}
2016-04-04 08:37:30 +00:00
ishell
ecb8fcfcca [crankshaft] [turbofan] Fix environment handling when generating a tail call from inlined function.
This CL ensures that we build environments/frame states so that tail caller frame will never become topmost.

BUG=chromium:598998, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1849503002

Cr-Commit-Position: refs/heads/master@{#35188}
2016-04-01 07:22:47 +00:00
bmeurer
6df9a22c3f [ic] Use the CallFunction builtin to invoke accessors.
The HandlerCompiler did not properly handle the weird edge case when a
sloppy mode function was installed as an accessor on one of the value
wrapper prototypes and then accessed via a load from a primitive value.
In this case we just passed the primitive value untouched instead of
properly wrapping it first. The CallFunction builtin properly deals with
all the funny edge cases, so we use it instead of duplicating almost all
of the logic here (the performance difference is neglible).

R=verwaest@chromium.org
BUG=chromium:599073, v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1845243005

Cr-Commit-Position: refs/heads/master@{#35187}
2016-04-01 06:37:57 +00:00
yangguo
297daf6c37 [debugger] allow debug-evaluate to change stack and context values.
R=bmeurer@chromium.org, cbruni@chromium.org, ulan@chromium.org
BUG=chromium:124206,chromium:569811
LOG=N

Review URL: https://codereview.chromium.org/1834633003

Cr-Commit-Position: refs/heads/master@{#35145}
2016-03-31 06:00:21 +00:00
bmeurer
978ad03b92 [crankshaft] Address the deoptimization loops of Math.floor, Math.round and Math.ceil.
Fix and re-enable the flexible representation for Math.floor (which is used to
implement Math.ceil) and Math.round, which allows Math.floor and Math.round to
return double results instead of int32, and therefore allows values outside
the int32 range, especially -0 is now a valid result, which doesn't deopt.

Also port this feature to x64 and ia32 when the CPU supports the SSE4.1
extension.

This addresses all the known deoptimization loops related to Math.round
in the Kraken benchmark suite, and seems to also address most of the
deoptimization loops related to Math.floor in the Oort Online benchmark.

Drive-by-fix: Import the regression tests for the broken HMathFloorOfDiv
optimization that caused the initial revert of the feature (for arm64 only
back then).

BUG=chromium:476477,v8:2890,v8:4059
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1841513003

Cr-Commit-Position: refs/heads/master@{#35094}
2016-03-29 10:24:54 +00:00
adamk
06403470e3 Remove --harmony-regexps flag
It's been on since M49. Also moved tests from harmony -> es6,
one of which was merged with another test of the same name.

While moving stuff over to regexp.js, I also noticed that there
were unused calls to %FunctionSetName and %SetNativeFlag (those
calls are already handled by InstallGetter()).

Review URL: https://codereview.chromium.org/1838563003

Cr-Commit-Position: refs/heads/master@{#35076}
2016-03-25 23:02:11 +00:00
binji
88724ec4cb [Atomics] Fix atomic access index validation
BUG=v8:4737
LOG=n
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1676613002

Cr-Commit-Position: refs/heads/master@{#35074}
2016-03-25 21:52:52 +00:00
littledan
97fce6214e Check for proper types from error handling code
A bug in error printing meant that we failed to do proper type checks
before calling into C++ code, which could lead to RUNTIME_ASSERT
failures if methods are called on alternative receivers. This patch
adds the right type checks.

BUG=chromium:596718
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1831053003

Cr-Commit-Position: refs/heads/master@{#35069}
2016-03-25 02:10:02 +00:00
adamk
ed18aa65ea Remove support for legacy const, part 1
Now that ES2015 const has shipped, in Chrome 49, legacy const declarations
are no more. This lets us remove a bunch of code from many parts of the
codebase.

In this patch, I remove parser support for generating legacy const variables
from const declarations. This also removes the special "illegal declaration"
bit from Scope, which has ripples into all compiler backends.

Also gone are any tests which relied on legacy const declarations.

Note that we do still generate a Variable in mode CONST_LEGACY in one case:
function name bindings in sloppy mode. The likely fix there is to add a new
Variable::Kind for this case and handle it appropriately for stores in each
backend, but I leave that for a later patch to make this one completely
subtractive.

Review URL: https://codereview.chromium.org/1819123002

Cr-Commit-Position: refs/heads/master@{#35002}
2016-03-22 17:52:13 +00:00
adamk
249bf75e0c Remove runtime flags for Proxy and Reflect
Both of them shipped in Chrome 49 without incident.

Also move relevant tests from harmony/ to es6/.

Review URL: https://codereview.chromium.org/1815773002

Cr-Commit-Position: refs/heads/master@{#34964}
2016-03-21 19:40:02 +00:00
ishell
e6dca379b6 [crankshaft] Check if the function is callable before generating a tail call via Call builtin.
This is necessary to ensure that "Called non callable" exception will get a proper message and stack trace even for calls at tail position.

BUG=chromium:595615, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1818003002

Cr-Commit-Position: refs/heads/master@{#34962}
2016-03-21 19:24:28 +00:00
bmeurer
cc04776632 [json] Allow any callable object for toJSON.
Previously only JSFunctions seemed to be valid for toJSON, which doesn't
match the ES6 specification that allows any object with [[Call]]
internal method (i.e. any Callable in V8 terminology), including bound
functions and proxies.

BUG=chromium:595738, chromium:535408
R=yangguo@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1824533002

Cr-Commit-Position: refs/heads/master@{#34913}
2016-03-20 19:35:28 +00:00
adamk
6a8de15322 Several mjsunit cleanups
- Move default parameters tests from harmony/ to es6/ and remove
    non-existent --harmony-default-parameters flag.
  - Remove some non-existent tests from mjsunit.status

Review URL: https://codereview.chromium.org/1812313002

Cr-Commit-Position: refs/heads/master@{#34908}
2016-03-18 23:20:44 +00:00
yangguo
1e2d0e1136 [regexp] catch stack overflow when parsing back references.
R=jkummerow@chromium.org
BUG=chromium:595657
LOG=N

Review URL: https://codereview.chromium.org/1811913006

Cr-Commit-Position: refs/heads/master@{#34894}
2016-03-18 14:52:41 +00:00
verwaest
c6f9883d53 Remove oob elements collected from the prototype chain by trimming in GetArrayKeys
BUG=chromium:594953
LOG=n

Review URL: https://codereview.chromium.org/1817443003

Cr-Commit-Position: refs/heads/master@{#34893}
2016-03-18 14:37:36 +00:00
littledan
7acee1ef61 Throw the right exceptions from setting elements in Array.prototype.concat
This patch fixes two bugs in Array.prototype.concat in conjunction with
subclassing Arrays:
- Create a new property rather than calling Set when adding elements to
  the output array. This means setters are not called.
- If there is an exception thrown from DefineProperty, propagate it
  outwards properly, rather than swallowing it. This can occur, e.g., with
  a Proxy as the new output array.

R=adamk
LOG=Y
BUG=chromium:595319

Review URL: https://codereview.chromium.org/1814933002

Cr-Commit-Position: refs/heads/master@{#34876}
2016-03-17 22:42:00 +00:00
mvstanton
2aa070be4f InstanceOfStub incorrectly interprets the hole as a prototype.
Repair this to match what the runtime correctly does, by first checking if the
function is a constructor before we access the prototype.

R=verwaest@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1810953002

Cr-Commit-Position: refs/heads/master@{#34863}
2016-03-17 14:32:23 +00:00
jarin
c2e82d6e82 [crankshaft] Fix inlining to always connect both branches of test context.
BUG=v8:4839
LOG=n

Review URL: https://codereview.chromium.org/1811693002

Cr-Commit-Position: refs/heads/master@{#34848}
2016-03-17 10:00:21 +00:00
littledan
f9db79ebdb Ship ES2015 restrictions on function declaration locations
Function declarations were previously permitted by V8 in many locations
which no ECMAScript specification allowed; the ECMAScript 2015 spec
enumerates a few locations (in blocks, as well as after labels and in
conditionals when in sloppy mode). This patch ships the flag to restrict
the usage of function declarations to those contexts.

R=adamk
LOG=Y
BUG=v8:4824
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1799233003

Cr-Commit-Position: refs/heads/master@{#34828}
2016-03-16 16:39:23 +00:00
jkummerow
84dd29bb3c Fix polymorphic keyed load handler selection for string elements
The monomorphic case already carefully ensures that we don't try to use
a regular elements load stub on string wrapper elements. The polymorphic
path must perform an equivalent check.

BUG=chromium:594955
LOG=n
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1806543002

Cr-Commit-Position: refs/heads/master@{#34807}
2016-03-16 10:56:16 +00:00
adamk
108efd7f54 Remove Scope::scope_contains_with_ bit
This part of Scope has existed since V8's initial check in, but from what
I can tell it's not required to implement "with". The only tests that
depend upon it are tests of the debugger and the Scope mirrors, but the
resulting test behavior after removing the bit still seems perfectly
reasonable to me. In fact, with the included fix for scope name collection,
the scope mirror is actually improved with this change.

As a bi-product, this fixes the attached bug, about the contains_with
bit having inconsistent values in some arrow function compilation
scenarios.

BUG=chromium:592353
LOG=n
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1804783002

Cr-Commit-Position: refs/heads/master@{#34802}
2016-03-15 22:41:59 +00:00
cbruni
96a2bd8ae8 [builtins] Fix Array.prototype.concat bug
Array.prototype.concat did not work correct with complex elements on the
receiver or the prototype chain.

BUG=chromium:594574
LOG=y

Review URL: https://codereview.chromium.org/1804963002

Cr-Commit-Position: refs/heads/master@{#34798}
2016-03-15 20:29:28 +00:00
caitpotter88
3088979d5c [runtime] fix getting element keys from SLOW_SLOPPY_ARGUMENTS_ELEMENTS
BUG=v8:4825
LOG=N
R=jkummerow@chromium.org, cbruni@chromium.org

Review URL: https://codereview.chromium.org/1778023004

Cr-Commit-Position: refs/heads/master@{#34754}
2016-03-14 17:10:50 +00:00
jarin
4d4bd54f0a [turbofan] Fix operand calculation for constant materialization from frame.
BUG=chromium:582702
LOG=N

Review URL: https://codereview.chromium.org/1781393002

Cr-Commit-Position: refs/heads/master@{#34736}
2016-03-13 20:21:41 +00:00
ishell
690c7a854a [turbofan] Avoid dereferencing empty handle when inlining a tail call.
BUG=chromium:593697,v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1781303002

Cr-Commit-Position: refs/heads/master@{#34716}
2016-03-11 11:41:29 +00:00
adamk
dea9559457 Remove destructuring and default arguments runtime flags
These flags have been on by default since version 4.9, which has been
in stable Chrome for over a week now, demonstrating that they're
here to stay.

Also moved the tests out of harmony/ and into es6/.

Review URL: https://codereview.chromium.org/1776683003

Cr-Commit-Position: refs/heads/master@{#34692}
2016-03-10 23:22:30 +00:00
rossberg
4614c7caaf [strong] Remove all remainders of strong mode
R=mstarzinger@chromium.org,bmeurer@chromium.org,adamk@chromium.org
BUG=v8:3956
LOG=Y

Review URL: https://codereview.chromium.org/1773653002

Cr-Commit-Position: refs/heads/master@{#34669}
2016-03-10 12:45:42 +00:00
littledan
ca5deb1ff8 Ensure appropriate bounds checking for Array subclass concat
When an Array subclass is used as the receiver for concat, or with
certain usages of @@species, the output that's constructed is of
a different type with new slow path logic. This slow path still
made references to elements, so it's important that bounds checking
for a too-long result still be done. This patch repairs that bounds
checking.

R=cbruni
LOG=Y
BUG=chromium:592340

Review URL: https://codereview.chromium.org/1782443002

Cr-Commit-Position: refs/heads/master@{#34636}
2016-03-09 18:54:44 +00:00
jkummerow
32b3d3e931 [arm/arm64][stubs] Fix d16-d31 preservation on stub failure
Reading the registers' values back from the FrameDescription
should use the same offset computation as storing them into it.
The offsets must also match what the deoptimizer expects, which
is rx at offset rx.code() * kDoubleSize, even if some registers
are not saved (leaving gaps).

BUG=v8:4800
LOG=n
R=danno@chromium.org

Review URL: https://codereview.chromium.org/1769833006

Cr-Commit-Position: refs/heads/master@{#34633}
2016-03-09 17:36:07 +00:00
yangguo
d1f68f776e [regexp] fix bogus assertion in CharacterRange constructor.
The CharacterRange constructor checks the input for validity. However,
CharacterRange::Singleton also uses the constructor and may have
kEndMarker as input, causing the check to fail.

The solution is to move the check to CharacterRange::Range and
consistently use it across the code base.

R=jkummerow@chromium.org
BUG=chromium:593282
LOG=N

Review URL: https://codereview.chromium.org/1776013003

Cr-Commit-Position: refs/heads/master@{#34626}
2016-03-09 15:55:38 +00:00
jarin
69c84fe460 [turbofan] Fix deoptimization stack layout for fast literal comparisons.
BUG=chromium:592341
LOG=n

Review URL: https://codereview.chromium.org/1776013002

Cr-Commit-Position: refs/heads/master@{#34615}
2016-03-09 12:36:09 +00:00
jarin
9867a8a26e [turbofan] Fix register constraint for memory barrier.
After fixing the memory barrier for maps (https://codereview.chromium.org/1714513003), we are using a temp register for the map case. The temp register should not be aliased with the stored value (otherwise we perform the mem barrier check with a wrong value). This CL makes sure it is not aliased.

BUG=chromium:590074
LOG=n

Review URL: https://codereview.chromium.org/1775083002

Cr-Commit-Position: refs/heads/master@{#34607}
2016-03-09 09:39:51 +00:00
titzer
5c1c98e829 [wasm] Rename _WASMEXP_ object to Wasm.
R=ahaas@chromium.org,binji@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1770383002

Cr-Commit-Position: refs/heads/master@{#34587}
2016-03-08 14:48:27 +00:00
mstarzinger
2669224274 [compiler] Remove support for concurrent OSR.
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1773593002

Cr-Commit-Position: refs/heads/master@{#34572}
2016-03-08 09:02:44 +00:00
yangguo
9113402b53 [debugger] break at each initialization in a multiple var declaration.
R=rossberg@chromium.org
BUG=v8:4807
LOG=N

Committed: https://crrev.com/ee98147ea0d994bcfb0d14d43f490ee828d2426f
Cr-Commit-Position: refs/heads/master@{#34531}

Review URL: https://codereview.chromium.org/1768973002

Cr-Commit-Position: refs/heads/master@{#34540}
2016-03-07 13:41:18 +00:00
machenbach
c6dbb071a3 Revert of [debugger] break at each initialization in a multiple var declaration. (patchset #1 id:1 of https://codereview.chromium.org/1768973002/ )
Reason for revert:
[Sheriff] Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/5160

Original issue's description:
> [debugger] break at each initialization in a multiple var declaration.
>
> R=rossberg@chromium.org
> BUG=v8:4807
> LOG=N
>
> Committed: https://crrev.com/ee98147ea0d994bcfb0d14d43f490ee828d2426f
> Cr-Commit-Position: refs/heads/master@{#34531}

TBR=rossberg@chromium.org,yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4807

Review URL: https://codereview.chromium.org/1770783003

Cr-Commit-Position: refs/heads/master@{#34538}
2016-03-07 12:53:55 +00:00
yangguo
ee98147ea0 [debugger] break at each initialization in a multiple var declaration.
R=rossberg@chromium.org
BUG=v8:4807
LOG=N

Review URL: https://codereview.chromium.org/1768973002

Cr-Commit-Position: refs/heads/master@{#34531}
2016-03-07 12:00:16 +00:00
yangguo
f9d7c711af [regexp] Fix off-by-one in CharacterRange::Negate.
Character ranges starting at 1 are not correctly negated.

R=jkummerow@chromium.org
BUG=chromium:592343
LOG=Y

Review URL: https://codereview.chromium.org/1768093002

Cr-Commit-Position: refs/heads/master@{#34528}
2016-03-07 11:00:01 +00:00
bmeurer
0c35579093 [crankshaft] Fix invalid ToNumber optimization.
We cannot optimize away ToNumber conversions based on the Type that we
see in Crankshaft, as this might be the (unchecked or even pretruncated)
lower bound. We can only use the HType, which is based on the definition.

R=jkummerow@chromium.org
BUG=chromium:590989
LOG=n

Review URL: https://codereview.chromium.org/1757013002

Cr-Commit-Position: refs/heads/master@{#34445}
2016-03-02 19:28:04 +00:00
yangguo
d9fe836dd4 [debugger] fix break locations for assignments and return.
We used to emit debug break location on block entry. This cannot be
ported to the interpreted as we do not emit bytecode for block entry.
This made no sense to begin with though, but accidentally added
break locations for var declarations.

With this change, the debugger no longer breaks at var declarations
without initialization. This is in accordance with the fact that the
interpreter does not emit bytecode for uninitialized var declarations.

Also fix the bytecode to match full-codegen's behavior wrt return
positions:
- there is a break location before the return statement, with the source
  position of the return statement.
- right before the actual return, there is another break location. The
  source position points to the end of the function.

R=rmcilroy@chromium.org, vogelheim@chromium.org
TBR=rossberg@chromium.org
BUG=v8:4690
LOG=N

Review URL: https://codereview.chromium.org/1744123003

Cr-Commit-Position: refs/heads/master@{#34388}
2016-03-01 12:47:55 +00:00
neis
0ad44590e0 [json] Fix iteration over object keys in InternalizeJSONProperty.
We must not use for-of since that could be observed.

R=yangguo@chromium.org
BUG=v8:4769
LOG=n

Review URL: https://codereview.chromium.org/1748633002

Cr-Commit-Position: refs/heads/master@{#34387}
2016-03-01 11:53:28 +00:00
bmeurer
d00da47b61 [turbofan] Don't use the CompareIC in JSGenericLowering.
The CompareICStub produces an untagged raw word value, which has to be
translated to true or false manually in the TurboFan code. But for lazy
bailout after the CompareIC, we immediately go back to fullcodegen or
Ignition with the raw value, to a location where both fullcodegen and
Ignition expect a boolean value, which might crash or in the worst case
(depending on the exact computation inside the CompareIC) could lead to
arbitrary memory access.

Short-term fix is to use the proper runtime functions (unified with the
interpreter now) for comparisons. Next task is to provide optimized
versions of these based on the CodeStubAssembler, which can then be used
via code stubs in TurboFan or directly in handlers in the interpreter.

R=mstarzinger@chromium.org
BUG=v8:4788
LOG=n

Review URL: https://codereview.chromium.org/1738153002

Cr-Commit-Position: refs/heads/master@{#34335}
2016-02-26 18:41:35 +00:00
bmeurer
58ab990aa8 [turbofan] Bailout if LoadBuffer typing assumption doesn't hold.
The LoadBuffer operator that is used for asm.js heap access claims to
return only the appropriate typed array type, but out of bounds access
could make it return undefined. So far we tried to "repair" the graph
later if we see that our assumption was wrong, and for various reasons
that worked for some time. But now that wrong type information that is
propagated earlier is picked up appropriately and thus we generate wrong
code, i.e. we in the repro case we feed NaN into ChangeFloat64Uint32 and
thus get 2147483648 instead of 0 (with proper JS truncation).

This was always considered a temporary hack until we have a proper
asm.js pipeline, but since we still run asm.js through the generic
JavaScript pipeline, we have to address this now. Quickfix is to just
bailout from the pipeline when we see that the LoadBuffer type was
wrong, i.e. the result of LoadBuffer is not properly truncated and thus
undefined or NaN would be observable.

R=mstarzinger@chromium.org, jarin@chromium.org
BUG=chromium:589792
LOG=y

Review URL: https://codereview.chromium.org/1740123002

Cr-Commit-Position: refs/heads/master@{#34322}
2016-02-26 11:06:30 +00:00
mstarzinger
3baa290264 [fullcodegen] Fix assert for operand stack depth tracking.
This fixes a corner case that triggered an assert in full-codegens
operand stack depth tracking. We stop pushing operands if we overflow
the C-stack while iterating the AST. This makes the tracking go out of
sync before we fully returned from the tree traversal, at which point
the thrown RangeError will abort compilation.

R=ishell@chromium.org
TEST=mjsunit/regress/regress-crbug-589472
BUG=chromium:589472
LOG=n

Review URL: https://codereview.chromium.org/1732903002

Cr-Commit-Position: refs/heads/master@{#34255}
2016-02-24 16:29:47 +00:00
bmeurer
6cc5c601b6 [crankshaft] Fix deopt loop in String.fromCharCode on non-int32 inputs.
The Crankshaft fast case for String.fromCharCode() unconditionally
deoptimizes on all non-int32 inputs, even tho it would be perfectly
valid to just truncate the index to an int32.

R=ishell@chromium.org
BUG=chromium:587068
LOG=n

Review URL: https://codereview.chromium.org/1727873003

Cr-Commit-Position: refs/heads/master@{#34243}
2016-02-24 10:59:55 +00:00
littledan
b22b258874 ES2015 web compat workaround: RegExp.prototype.flags => ""
It turns out that some old polyfill library uses
RegExp.prototype.flags as a way of feature testing. It's not clear
how widespread this is. For now, as a minimal workaround, we can
return undefined from getters like RegExp.prototype.global when
the receiver is RegExp.prototype. This patch implements that strategy
but omits a UseCounter to make backports easier.

R=adamk
CC=yangguo@chromium.org
BUG=chromium:581577
LOG=Y
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1640803003

Cr-Commit-Position: refs/heads/master@{#34201}
2016-02-23 01:49:03 +00:00
adamk
cdec6d2bc5 Return undefined from RegExp.prototype.compile
This was changed to match Annex B.2.5.1 of ES2015 and Firefox in
https://chromium.googlesource.com/v8/v8/+/469d9bfa, but website
breakage was seen in M49 Beta. JSC still returns undefined here.

BUG=chromium:585775
LOG=y
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1714903004

Cr-Commit-Position: refs/heads/master@{#34172}
2016-02-20 00:35:57 +00:00
bmeurer
8f87c0acb7 [builtins] Move the Boolean constructor to C++.
Drive-by-fix: Remove the (now) unused %_SetValueOf and %_JSValueGetValue
intrinsics from the various compilers and the runtime.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1698343002

Cr-Commit-Position: refs/heads/master@{#34037}
2016-02-16 14:03:07 +00:00
jkummerow
0d59772b2b [crankshaft][arm][mips][mips64] Fix Math.min(0, 0)
for the special case where the same register is used as both left and
right input.

Review URL: https://codereview.chromium.org/1695283002

Cr-Commit-Position: refs/heads/master@{#33996}
2016-02-15 14:43:02 +00:00
bmeurer
98aec4a719 [runtime] Kill %Arguments and %ArgumentsLength.
This removes support for the %Arguments and %ArgumentsLength runtime
entries and their intrinsic counterparts. If you need variable arguments
in any builtin, either use (strict) arguments object or rest parameters,
which are both compositional across inlining (in TurboFan), and not that
much slower compared to the %_Arguments hackery.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1688163004

Cr-Commit-Position: refs/heads/master@{#33943}
2016-02-12 12:25:23 +00:00
adamk
58a9bc5b53 Force SharedFunctionInfo::name() to be a flat string
This fact is depended upon by, at least, Parser::ParseLazy, and quite
likely by other code. There was already code in %FunctionSetName
enforcing this invariant. This patch adds similar code to
Factory::NewSharedFunctionInfo().

BUG=v8:4659
LOG=n

Review URL: https://codereview.chromium.org/1686193003

Cr-Commit-Position: refs/heads/master@{#33914}
2016-02-11 18:53:02 +00:00
littledan
e1de522afa Extend subarray web compatibility fix to --harmony-species
ES2016 TypedArray subclassing semantics break the Node.js Buffer module,
also used on the web. I wrote a pull request against the web and Node
versions to fix the issue, but the pull request has not yet been granted,
and this is blocking shipping the change. For now, this patch extends the
web compatibility workaround to the --harmony-species flag, so that
Symbol.species and associated subclassing semantics can ship independently.

R=cbruni
BUG=v8:4665
LOG=Y

Review URL: https://codereview.chromium.org/1678123002

Cr-Commit-Position: refs/heads/master@{#33826}
2016-02-08 21:16:49 +00:00
jkummerow
5d2c09a829 Fix Array.prototype.sort for *_STRING_WRAPPER_ELEMENTS
Trying to sort a string should throw a TypeError, proper handling
of elements just needs to get out of the way.

BUG=chromium:584188
LOG=n
R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1670153002

Cr-Commit-Position: refs/heads/master@{#33777}
2016-02-05 13:36:51 +00:00
adamk
8a4a5bf9e0 Remove flags for ES2015 features shipped in M48
This removes --harmony-completion, --harmony-concat-spreadable, and
--harmony-tolength and moves the appropriate tests from harmony/ to es6/.

Review URL: https://codereview.chromium.org/1667453002

Cr-Commit-Position: refs/heads/master@{#33712}
2016-02-03 20:51:46 +00:00
kozyatinskiy
3c3d7e7be8 Revert "Removed support deprecated (//@|/*@) source(URL|MappingURL)="
A lot of deverlopers use deprecated sourceURL syntax. We should add console warning message before removing this.
Original CL: https://codereview.chromium.org/1495633002/

BUG=chromium:558998
LOG=Y
R=yangguo@chromium.org,hablich@chromium.org,adamk@chromium.org

Review URL: https://codereview.chromium.org/1654223003

Cr-Commit-Position: refs/heads/master@{#33709}
2016-02-03 18:45:36 +00:00
verwaest
158cd5cb5e [runtime] Remove receiver==holder check in IntegerIndexedExotic lookup
This was inconsistent in the spec in case of has vs get, set. Removing
receiver==holder simplifies the lookup; so tentatively removing this
additional check which was broken until yesterday anyway. See
https://github.com/tc39/ecma262/issues/347 for more information.

Review URL: https://codereview.chromium.org/1660903002

Cr-Commit-Position: refs/heads/master@{#33701}
2016-02-03 10:30:40 +00:00
bradnelson
255f4507ec Drop the compileRun + asmCompileRun methods from wasm.
Now that we have full fledged module instantiation,
keeping alive a second interface seems clunky.

Droping it and switching the tests.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=test-asm-validator,asm-wasm,other wasm
R=titzer@chromium.org,aseemgarg@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/1660083002

Cr-Commit-Position: refs/heads/master@{#33700}
2016-02-03 10:16:22 +00:00
neis
a973f73465 Expect JSReceiver in Runtime_DeleteLookupSlot, not just JSObject.
BUG=chromium:583260
LOG=n

Review URL: https://codereview.chromium.org/1664683002

Cr-Commit-Position: refs/heads/master@{#33697}
2016-02-03 09:49:22 +00:00
bmeurer
e4e418f3ef [runtime] Make %FunctionGetScript and %FunctionGetSourceCode robust.
R=jarin@chromium.org
BUG=chromium:582703
LOG=n

Review URL: https://codereview.chromium.org/1664483003

Cr-Commit-Position: refs/heads/master@{#33693}
2016-02-03 06:01:19 +00:00
verwaest
621bdd642c [runtime] Fix integer indexed property handling
This includes 2 fixes:
1) We didn't properly advance the holder when checking whether
Receiver==Holder, so we'd inadvertently block loading the property if
the first property we find is on the typed array.
2) Reflect.get may cause any object on the prototype chain of the holder
to be the receiver; so we need to recheck for this special state for
each object we perform lookup on.

Review URL: https://codereview.chromium.org/1651913005

Cr-Commit-Position: refs/heads/master@{#33689}
2016-02-02 17:02:23 +00:00
jkummerow
d582d2bb2a More *_STRING_WRAPPER_ELEMENTS fixes
BUG=chromium:583257
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1651253003

Cr-Commit-Position: refs/heads/master@{#33683}
2016-02-02 13:51:00 +00:00
littledan
11e8c03f94 Add UseCounters for some nonstandard JavaScript features
This patch adds a UseCounter for each of the following:
- Allowing duplicate sloppy-mode block-scoped function declarations
  in the exact same scope
- for-in loops with an initializer

The patch also refactors some of the declaration code to clean it up and
enable the first counter, and adds additional unit tests to nail down
the semantics of edge cases of sloppy-mode block-scoped function declarations.

BUG=v8:4693,chromium:579395
LOG=N
R=adamk

Review URL: https://codereview.chromium.org/1633743003

Cr-Commit-Position: refs/heads/master@{#33650}
2016-02-01 23:01:59 +00:00
yangguo
835b038331 [debugger] correctly find function context.
In the debugger we are interested in getting the context for the
current frame, which is usually a function context. To do that,
we used to call Context::declaration_context, which may also
return a block context. This is wrong and can lead to crashes.
Instead, we now use a newly introduced Context::closure_context,
which skips block contexts. This works fine for the debugger,
since we have other means to find and materialize block contexts.

R=rossberg@chromium.org
BUG=chromium:582051
LOG=N

Review URL: https://codereview.chromium.org/1648263002

Cr-Commit-Position: refs/heads/master@{#33627}
2016-02-01 07:03:44 +00:00
littledan
f3e41d96dd Fix Unicode string normalization with null bytes
Previously, String.prototype.normalize constructed its ICU input
string as a null-terminated string. This creates a bug for strings
which contain a null byte, which is allowed in ECMAScript. This
patch constructs the ICU string based on its length so that the
entire string is normalized.

R=jshin@chromium.org
BUG=v8:4654
LOG=Y

Review URL: https://codereview.chromium.org/1645223003

Cr-Commit-Position: refs/heads/master@{#33614}
2016-01-29 17:00:46 +00:00
bmeurer
5a7bb33e3f [crankshaft] Fix another deopt loop in slow mode for-in.
The for-in slow mode implementation in Crankshaft unconditionally
deoptimizes when %ForInFilter returns undefined instead of just
skipping the item. Even worse, there's nothing we can learn from
that deopt, so we will eventually optimize again and hit exactly
the same problem again once we get back to optimized code.

R=mvstanton@chromium.org
BUG=v8:3650
LOG=n

Review URL: https://codereview.chromium.org/1647093002

Cr-Commit-Position: refs/heads/master@{#33609}
2016-01-29 11:00:05 +00:00
bmeurer
3251a03e81 [crankshaft] Make the for-in slow path compatible with the other compilers.
So far the for-in slow path in Crankshaft unconditionally called
%ForInFilter for every iteration of the for-in loop, without paying
attention to the possible enum cache equipped receiver map. So even
though we iterate the enum cache FixedArray associated with the map
we don't check the map, but always go to %ForInFilter. This would be
perfectly fine if the enum cache FixedArray would be immutable, but
due to some funny GC/runtime interaction kicking in, the enum cache
can be right trimmed while we are iterating it, and the only way to
detect this is to ensure that we check the map when accessing the
enum cache.

BUG=v8:3650,v8:4715
LOG=n

Review URL: https://codereview.chromium.org/1650493002

Cr-Commit-Position: refs/heads/master@{#33599}
2016-01-29 07:50:51 +00:00
verwaest
997cd3d987 [api] Default native data property setter to replace the setter if the property is writable.
BUG=chromium:580584
LOG=y

Review URL: https://codereview.chromium.org/1632603002

Cr-Commit-Position: refs/heads/master@{#33551}
2016-01-27 13:22:18 +00:00
adamk
953bb416a3 Ensure arrow functions can close over lexically-scoped variables
ParseArrowFunctionLiteral was erroneously checking AllowsLazyCompilation
rather than AllowsLazyParsing when deciding whether to parse lazily.
This meant that lexically-scoped variables that had no other referents
wouldn't get closed over properly.

BUG=chromium:580934, v8:4255
LOG=y

Review URL: https://codereview.chromium.org/1630823006

Cr-Commit-Position: refs/heads/master@{#33530}
2016-01-26 23:11:10 +00:00
ishell
ac03ef02d6 Also check new_target_is_base() bit when comparing two maps for equivalence.
BUG=chromium:580506
LOG=N

Review URL: https://codereview.chromium.org/1631673002

Cr-Commit-Position: refs/heads/master@{#33497}
2016-01-25 16:44:01 +00:00
adamk
8aeb6080e1 Sloppy mode webcompat: allow conflicting function declarations in blocks
The web appears to depend on being able to redeclare functions-in-blocks
in sloppy mode (examples seen so far tend to redeclare identical functions,
most likely accidentally).

This patch opens a minimal hole: two same-named function declarations
in the same scope are allowed, only in sloppy mode.

BUG=v8:4693, chromium:579395
LOG=y

Review URL: https://codereview.chromium.org/1622723003

Cr-Commit-Position: refs/heads/master@{#33478}
2016-01-23 00:40:53 +00:00
bmeurer
56e1b13ea1 [runtime] Make sure %ForInPrepare returns the correct length.
In case the receiver map has an enum cache, %ForInPrepare returns the
length of the actual enum cache, which might include properties that
are further down the transition tree tho.

R=jarin@chromium.org
BUG=v8:3650
LOG=n

Review URL: https://codereview.chromium.org/1619353002

Cr-Commit-Position: refs/heads/master@{#33469}
2016-01-22 14:52:20 +00:00
ishell
ed2be747ad Array length reduction should throw in strict mode if it can't delete an element.
When accessor getter callback is called the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, since according to ES6 there's no difference between strict and non-strict property loads. For the setter case the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true if the property is set in strict context.

Interceptors follow same idea: for getter, enumerator and query callbacks the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, and for setter and deleter callback the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true in strict context.

This CL also cleans up the CallApiGetterStub and removes bogus asserts from [arm] Push(reg1, reg2, ..., regN) that prevented from pushing a set of registers containing duplicates.

BUG=v8:4267
LOG=Y

Committed: https://crrev.com/1d3e837fcbbd9d9fd5e72dfe85dfd47c025f3c9f
Cr-Commit-Position: refs/heads/master@{#33438}

Review URL: https://codereview.chromium.org/1587073003

Cr-Commit-Position: refs/heads/master@{#33461}
2016-01-22 09:53:51 +00:00
cbruni
1c523a444b Revert of [runtime] Do not use the enum-cache for non-prototype objects. (patchset #1 id:1 of https://codereview.chromium.org/1612413003/ )
Reason for revert:
let me quickly revert the revert, wut?
Goal: my CL should not be in the tree!

Original issue's description:
> Reland of [runtime] Do not use the enum-cache for non-prototype objects. (patchset #1 id:1 of https://codereview.chromium.org/1619803003/ )
>
> Reason for revert:
> the deopt issues have been taken care of by benedikt
>
> Original issue's description:
> > Revert of [runtime] Do not use the enum-cache for non-prototype objects. (patchset #10 id:180001 of https://codereview.chromium.org/1608523002/ )
> >
> > Reason for revert:
> > tanks for-in significantly
> >
> > Original issue's description:
> > > [runtime] Do not use the enum-cache for keys retrieval.
> > >
> > > Currently we fail to properly handle shadowed properties. If the
> > > receiver defines a non-enumerable property that reappears on the
> > > prototype as enumerable it incorrectly shows up in [[Enumerate]].
> > > By extending the KeyAccumulator to track non-enumerable properties
> > > we can now properly filter them out when seeing them further up in
> > > the prototype-chain.
> > >
> > > BUG=v8:705
> > > LOG=y
> > >
> > > Committed: https://crrev.com/ed24dfe80d1da0827b8571839ee52c03ad09c9c7
> > > Cr-Commit-Position: refs/heads/master@{#33405}
> >
> > TBR=jkummerow@chromium.org,bmeurer@chromium.org
> > # Not skipping CQ checks because original CL landed more than 1 days ago.
> > BUG=v8:705
> > LOG=n
> >
> > Committed: https://crrev.com/6e0573c6fff1c3041bab106d1197ab1b64aa9a6a
> > Cr-Commit-Position: refs/heads/master@{#33443}
>
> TBR=jkummerow@chromium.org,bmeurer@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:705
>
> Committed: https://crrev.com/5569e270eda517b5ea74e3a7676b3230cbe2f7a9
> Cr-Commit-Position: refs/heads/master@{#33458}

TBR=jkummerow@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:705

Review URL: https://codereview.chromium.org/1614313003

Cr-Commit-Position: refs/heads/master@{#33459}
2016-01-22 09:12:10 +00:00
cbruni
5569e270ed Reland of [runtime] Do not use the enum-cache for non-prototype objects. (patchset #1 id:1 of https://codereview.chromium.org/1619803003/ )
Reason for revert:
the deopt issues have been taken care of by benedikt

Original issue's description:
> Revert of [runtime] Do not use the enum-cache for non-prototype objects. (patchset #10 id:180001 of https://codereview.chromium.org/1608523002/ )
>
> Reason for revert:
> tanks for-in significantly
>
> Original issue's description:
> > [runtime] Do not use the enum-cache for keys retrieval.
> >
> > Currently we fail to properly handle shadowed properties. If the
> > receiver defines a non-enumerable property that reappears on the
> > prototype as enumerable it incorrectly shows up in [[Enumerate]].
> > By extending the KeyAccumulator to track non-enumerable properties
> > we can now properly filter them out when seeing them further up in
> > the prototype-chain.
> >
> > BUG=v8:705
> > LOG=y
> >
> > Committed: https://crrev.com/ed24dfe80d1da0827b8571839ee52c03ad09c9c7
> > Cr-Commit-Position: refs/heads/master@{#33405}
>
> TBR=jkummerow@chromium.org,bmeurer@chromium.org
> # Not skipping CQ checks because original CL landed more than 1 days ago.
> BUG=v8:705
> LOG=n
>
> Committed: https://crrev.com/6e0573c6fff1c3041bab106d1197ab1b64aa9a6a
> Cr-Commit-Position: refs/heads/master@{#33443}

TBR=jkummerow@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:705

Review URL: https://codereview.chromium.org/1612413003

Cr-Commit-Position: refs/heads/master@{#33458}
2016-01-22 09:06:56 +00:00
bmeurer
c7d2adc0a2 [crankshaft] For-in index increment cannot overflow.
The internal index used to implement for-in can never leave the
valid smi range, so there's no need to actually check for overflow
in Crankshaft. In fact the overflow only triggered a false alert
in the deopt fuzzer.

R=jarin@chromium.org
BUG=v8:3650
LOG=n

Review URL: https://codereview.chromium.org/1621623002

Cr-Commit-Position: refs/heads/master@{#33456}
2016-01-22 07:55:11 +00:00
machenbach
575e90c1d0 Revert of Array length reduction should throw in strict mode if it can't delete an element. (patchset #7 id:220001 of https://codereview.chromium.org/1587073003/ )
Reason for revert:
[Sheriff] Breaks layout tests. Please fix upstream.
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/4077

Original issue's description:
> Array length reduction should throw in strict mode if it can't delete an element.
>
> When accessor getter callback is called the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, since according to ES6 there's no difference between strict and non-strict property loads. For the setter case the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true if the property is set in strict context.
>
> Interceptors follow same idea: for getter, enumerator and query callbacks the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, and for setter and deleter callback the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true in strict context.
>
> This CL also cleans up the CallApiGetterStub and removes bogus asserts from [arm] Push(reg1, reg2, ..., regN) that prevented from pushing a set of registers containing duplicates.
>
> BUG=v8:4267
> LOG=Y
>
> Committed: https://crrev.com/1d3e837fcbbd9d9fd5e72dfe85dfd47c025f3c9f
> Cr-Commit-Position: refs/heads/master@{#33438}

TBR=verwaest@chromium.org,ishell@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4267

Review URL: https://codereview.chromium.org/1611313003

Cr-Commit-Position: refs/heads/master@{#33444}
2016-01-21 18:54:28 +00:00
cbruni
6e0573c6ff Revert of [runtime] Do not use the enum-cache for non-prototype objects. (patchset #10 id:180001 of https://codereview.chromium.org/1608523002/ )
Reason for revert:
tanks for-in significantly

Original issue's description:
> [runtime] Do not use the enum-cache for keys retrieval.
>
> Currently we fail to properly handle shadowed properties. If the
> receiver defines a non-enumerable property that reappears on the
> prototype as enumerable it incorrectly shows up in [[Enumerate]].
> By extending the KeyAccumulator to track non-enumerable properties
> we can now properly filter them out when seeing them further up in
> the prototype-chain.
>
> BUG=v8:705
> LOG=y
>
> Committed: https://crrev.com/ed24dfe80d1da0827b8571839ee52c03ad09c9c7
> Cr-Commit-Position: refs/heads/master@{#33405}

TBR=jkummerow@chromium.org,bmeurer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:705
LOG=n

Review URL: https://codereview.chromium.org/1619803003

Cr-Commit-Position: refs/heads/master@{#33443}
2016-01-21 17:48:12 +00:00
ishell
1d3e837fcb Array length reduction should throw in strict mode if it can't delete an element.
When accessor getter callback is called the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, since according to ES6 there's no difference between strict and non-strict property loads. For the setter case the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true if the property is set in strict context.

Interceptors follow same idea: for getter, enumerator and query callbacks the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, and for setter and deleter callback the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true in strict context.

This CL also cleans up the CallApiGetterStub and removes bogus asserts from [arm] Push(reg1, reg2, ..., regN) that prevented from pushing a set of registers containing duplicates.

BUG=v8:4267
LOG=Y

Review URL: https://codereview.chromium.org/1587073003

Cr-Commit-Position: refs/heads/master@{#33438}
2016-01-21 14:23:09 +00:00
cbruni
ed24dfe80d [runtime] Do not use the enum-cache for keys retrieval.
Currently we fail to properly handle shadowed properties. If the
receiver defines a non-enumerable property that reappears on the
prototype as enumerable it incorrectly shows up in [[Enumerate]].
By extending the KeyAccumulator to track non-enumerable properties
we can now properly filter them out when seeing them further up in
the prototype-chain.

BUG=v8:705
LOG=y

Review URL: https://codereview.chromium.org/1608523002

Cr-Commit-Position: refs/heads/master@{#33405}
2016-01-20 12:37:18 +00:00
cbruni
ec30425a77 [proxy] Reload the initial map after prototype lookup on constructable
Proxy.

If a constructable Proxy changes the target's prototype during the
prototype lookup the target's initial map stays uninitialized half-way
during object construction.

LOG=n
BUG=chromium:578039

Review URL: https://codereview.chromium.org/1586203003

Cr-Commit-Position: refs/heads/master@{#33359}
2016-01-18 12:49:29 +00:00
neis
107db2ca8c Remove premature crankshaft optimization of HasInPrototypeChain.
R=bmeurer@chromium.org
BUG=chromium:578775
LOG=n

Review URL: https://codereview.chromium.org/1605483002

Cr-Commit-Position: refs/heads/master@{#33356}
2016-01-18 12:12:32 +00:00
cbruni
c86f1897ac [runtime] Throw exception for derived constructors in correct context.
When derived constructors return a non-object (or not undefined) we
currently throw an exception directly in the callee context. This was
achieved by desugaring the return statement for derived classes. To
be spec compliamnt a separate ConstructStubForDerived is introduced.
Instead of trowing directly, the desugared return statement inside
a derived constructor only returns an integer to indicate an incompatible
result.

BUG=v8:4509
LOG=n

Review URL: https://codereview.chromium.org/1593553002

Cr-Commit-Position: refs/heads/master@{#33336}
2016-01-15 15:31:28 +00:00
ishell
1bb7cfda7f [crankshaft] Don't inline array indexOf operations if receiver's proto is not a JSObject.
BUG=chromium:577112
LOG=N

Review URL: https://codereview.chromium.org/1584303002

Cr-Commit-Position: refs/heads/master@{#33320}
2016-01-15 10:19:59 +00:00
littledan
e13f2ff40b Construct instances of base class from TypedArray.prototype.subarray
Previous changes with subclassable builtins and @@species were a bit
aggressive in making TypedArray.prototype.subarray act like the
ES2016 specification in terms of returning an instance of the
subclass as a result. It turns out that Node.js, and extracted
libraries for the web, subclass TypedArrays but don't expect the
subclass constructor to be called by subarray. @@species will provide
an escape hatch, but it has not shipped yet, and will take some time
for uptake by libraries.

For now, this patch makes TypedArray.prototype.subarray fall back to
constructing an instance of the parent TypedArray class, such as
Uint8Array.

R=adamk
LOG=Y
BUG=v8:4665

Review URL: https://codereview.chromium.org/1583773005

Cr-Commit-Position: refs/heads/master@{#33312}
2016-01-14 19:23:26 +00:00
adamk
bcde4e271e Propagate the "calls eval" bit from ScopeInfo to lazily-compiled arrow functions
This avoids generating different scopes on the two compilation passes, which
results in various delirious side-effects.

There's some cleanup to be done in lazy arrow function parsing, but I'd
rather do that in a separate patch, with this one targeted at fixing the
particular crash.

BUG=chromium:572589
LOG=n

Review URL: https://codereview.chromium.org/1575333004

Cr-Commit-Position: refs/heads/master@{#33311}
2016-01-14 19:21:24 +00:00
jkummerow
b40a22dc87 Robustify NewNumberFromSize against int-overflow on cast
As luck would have it, there doesn't seem to be a way to trigger
observable misbehavior currently (only with special flags).

BUG=chromium:380671
LOG=n
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1588013002

Cr-Commit-Position: refs/heads/master@{#33305}
2016-01-14 17:24:07 +00:00
ishell
405c7a68ab Generalize all representations when reconfiguring a property of a strict Function subclass.
BUG=chromium:575080
LOG=N

Review URL: https://codereview.chromium.org/1579603002

Cr-Commit-Position: refs/heads/master@{#33288}
2016-01-14 10:45:34 +00:00
titzer
995c9fe3dc [wasm] Rename the WASM object to _WASMEXP_.
R=ahaas@chromium.org,bradnelson@chromium.org
LOG=Y
BUG=chromium:575167

Review URL: https://codereview.chromium.org/1577803002

Cr-Commit-Position: refs/heads/master@{#33251}
2016-01-12 20:16:46 +00:00
bmeurer
9e217ee490 [builtins] Refactor the remaining Date builtins.
This migrates the remaining Date builtins to C++ and removes obsolete
intrinsics and JavaScript wrappers. This reduces the overhead imposed
by the Date builtins, and will allow us to optimize them later in the
TurboFan compiler, while the interpreter doesn't need to worry about
them.

R=yangguo@chromium.org
BUG=chromium:576574
LOG=n

Committed: https://crrev.com/1e51af1a5c80b1650de47dd4bc8f846fa2d85281
Cr-Commit-Position: refs/heads/master@{#33228}

Review URL: https://codereview.chromium.org/1579613002

Cr-Commit-Position: refs/heads/master@{#33231}
2016-01-12 10:48:26 +00:00
machenbach
405ee3aad5 Revert of [builtins] Refactor the remaining Date builtins. (patchset #2 id:20001 of https://codereview.chromium.org/1579613002/ )
Reason for revert:
[Sheriff] Breaks https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20noi18n%20-%20debug/builds/5711

Original issue's description:
> [builtins] Refactor the remaining Date builtins.
>
> This migrates the remaining Date builtins to C++ and removes obsolete
> intrinsics and JavaScript wrappers. This reduces the overhead imposed
> by the Date builtins, and will allow us to optimize them later in the
> TurboFan compiler, while the interpreter doesn't need to worry about
> them.
>
> R=yangguo@chromium.org
> BUG=chromium:576574
> LOG=n
>
> Committed: https://crrev.com/1e51af1a5c80b1650de47dd4bc8f846fa2d85281
> Cr-Commit-Position: refs/heads/master@{#33228}

TBR=yangguo@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:576574

Review URL: https://codereview.chromium.org/1574223002

Cr-Commit-Position: refs/heads/master@{#33230}
2016-01-12 10:15:25 +00:00
bmeurer
1e51af1a5c [builtins] Refactor the remaining Date builtins.
This migrates the remaining Date builtins to C++ and removes obsolete
intrinsics and JavaScript wrappers. This reduces the overhead imposed
by the Date builtins, and will allow us to optimize them later in the
TurboFan compiler, while the interpreter doesn't need to worry about
them.

R=yangguo@chromium.org
BUG=chromium:576574
LOG=n

Review URL: https://codereview.chromium.org/1579613002

Cr-Commit-Position: refs/heads/master@{#33228}
2016-01-12 09:12:55 +00:00
littledan
2bd9bdbe62 TypedArray and ArrayBuffer support for @@species
This patch improves ArrayBuffer and TypedArray subclassing by adding
support for @@species and constructing outputs to certain methods
by creating an instance of the constructor determined by the
SpeciesConstructor algorithm, rather than fixed to a superclass or
naively the constructor. The new behavior is enabled by the
--harmony-species flag. Care is taken to not significantly change the
observable behavior when the flag is off. Previously, TypedArrays
already supported subclassing by reading the constructor of the
receiver, but ArrayBuffers did not, and this old behavior is
preserved and tested for, to avoid a multi-stage upgrade path and keep
things simple for users.

R=adamk
BUG=v8:4093
LOG=Y

Review URL: https://codereview.chromium.org/1574903004

Cr-Commit-Position: refs/heads/master@{#33223}
2016-01-12 06:07:59 +00:00
littledan
95145fa826 Ship ES2015 sloppy-mode const semantics
This patch moves the semantics of 'const' in sloppy mode to match those
in strict mode, that is, const makes lexical (let-like) bindings, must
have an initializer, and does not create properties of the global object.

R=adamk
LOG=Y
BUG=v8:3305
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1571873004

Cr-Commit-Position: refs/heads/master@{#33218}
2016-01-11 23:09:59 +00:00
littledan
ee9d7acafc Partial rollback of Promise error checking
As V8 becomes more and more spec-compliant, Promise polyfill libraries
like core.js expect fully correct. However, our Promises do not yet
support Symbol.species. Therefore, a case like

```
var test = new Promise(function(){});
test.constructor = function(){};
Promise.resolve(test)
```

would lead to an unhandled Promise rejection, whereas it should not
because test.constructor[Symbol.species] is undefined, so test.then
should end up constructing %Promise% as a fallback, rather than
calling test.constructor as if it were a constructor, which leads
this error checking code to throw.

For now, this patch removes the error checking code (which was not
present until recently). In an interactive test using core.js, the
error message on the console goes away with this patch. When @@species
support is in place, this patch can be reverted. A regression test
is added which checks for the same thing.

Partially reverted patch was originally out for review at
https://codereview.chromium.org/1531073004

BUG=v8:4633
LOG=Y
R=adamk,caitp88@gmail.com

Review URL: https://codereview.chromium.org/1578893002

Cr-Commit-Position: refs/heads/master@{#33217}
2016-01-11 22:42:11 +00:00
littledan
23235b5fdb Reland of Ship ES2015 sloppy-mode function hoisting, let, class (patchset #1 id:1 of https://codereview.chromium.org/1565263002/ )
Reason for revert:
Crash fixed by https://codereview.chromium.org/1564923007

Original issue's description:
> Revert of Ship ES2015 sloppy-mode function hoisting, let, class (patchset #7 id:120001 of https://codereview.chromium.org/1551443002/ )
>
> Reason for revert:
> Causes frequent crashes in Canary: chromium:537816
>
> Original issue's description:
> > Ship ES2015 sloppy-mode function hoisting, let, class
> >
> > This patch doesn't ship all features of ES2015 variable/scoping
> > changes, notably omitting the removal of legacy const. I think
> > function hoisting, let and class in sloppy mode can stand to
> > themselves as a package, and the legacy const change is much
> > riskier and more likely to be reverted, so my intention is to
> > pursue those as a separate, follow-on patch.
> >
> > R=adamk@chromium.org
> > BUG=v8:4285,v8:3305
> > LOG=Y
> > CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
> >
> > Committed: https://crrev.com/fcff8588a5a01587643d6c2507c7b882c78a2957
> > Cr-Commit-Position: refs/heads/master@{#33133}
>
> TBR=adamk@chromium.org
> # Not skipping CQ checks because original CL landed more than 1 days ago.
> BUG=v8:4285,v8:3305,chromium:537816
> LOG=Y
>
> Committed: https://crrev.com/adac5956c6216056a211cfaa460a00ac1500d8f8
> Cr-Commit-Position: refs/heads/master@{#33162}

TBR=adamk@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4285,v8:3305,chromium:537816

Review URL: https://codereview.chromium.org/1571793002

Cr-Commit-Position: refs/heads/master@{#33189}
2016-01-08 17:34:59 +00:00
titzer
cad2294e42 [wasm] Fix validation error for missing return statement in asm.js module.
R=mstarzinger@chromium.org,bradnelson@chromium.org
LOG=Y
BUG=chromium:575364

Review URL: https://codereview.chromium.org/1564313003

Cr-Commit-Position: refs/heads/master@{#33175}
2016-01-08 12:50:07 +00:00
littledan
adac5956c6 Revert of Ship ES2015 sloppy-mode function hoisting, let, class (patchset #7 id:120001 of https://codereview.chromium.org/1551443002/ )
Reason for revert:
Causes frequent crashes in Canary: chromium:537816

Original issue's description:
> Ship ES2015 sloppy-mode function hoisting, let, class
>
> This patch doesn't ship all features of ES2015 variable/scoping
> changes, notably omitting the removal of legacy const. I think
> function hoisting, let and class in sloppy mode can stand to
> themselves as a package, and the legacy const change is much
> riskier and more likely to be reverted, so my intention is to
> pursue those as a separate, follow-on patch.
>
> R=adamk@chromium.org
> BUG=v8:4285,v8:3305
> LOG=Y
> CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
>
> Committed: https://crrev.com/fcff8588a5a01587643d6c2507c7b882c78a2957
> Cr-Commit-Position: refs/heads/master@{#33133}

TBR=adamk@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:4285,v8:3305,chromium:537816
LOG=Y

Review URL: https://codereview.chromium.org/1565263002

Cr-Commit-Position: refs/heads/master@{#33162}
2016-01-07 20:23:21 +00:00
neis
837900ef24 [tests] Fix bogus uses of assertThrows.
Some tests passed a string as second argument to assertThrows, expecting it to
be matched against the exception.  However, assertThrows simply ignored these.
(Some other tests actually seem to use that argument as a comment ...)

This CL
- changes assertThrows to fail if the second argument is not a function,
- adds assertThrowsEquals which compares the exception to a given value using
  assertEquals
- fixes some bogus tests that got exposed by this.

R=jarin@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1544793002

Cr-Commit-Position: refs/heads/master@{#33159}
2016-01-07 14:49:21 +00:00
jkummerow
a0d03d729a Fix^3 cast in HasEnumerableElements
Empty FixedDoubleArrays aren't FixedDoubleArrays.

BUG=chromium:569534
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1568863002

Cr-Commit-Position: refs/heads/master@{#33158}
2016-01-07 14:47:27 +00:00
bmeurer
b0d0d57d2b [date] Date parser says true even for wrong dates, check twice.
R=yangguo@chromium.org
BUG=chromium:575082
LOG=n

Review URL: https://codereview.chromium.org/1566973002

Cr-Commit-Position: refs/heads/master@{#33149}
2016-01-07 09:30:46 +00:00
littledan
fcff8588a5 Ship ES2015 sloppy-mode function hoisting, let, class
This patch doesn't ship all features of ES2015 variable/scoping
changes, notably omitting the removal of legacy const. I think
function hoisting, let and class in sloppy mode can stand to
themselves as a package, and the legacy const change is much
riskier and more likely to be reverted, so my intention is to
pursue those as a separate, follow-on patch.

R=adamk@chromium.org
BUG=v8:4285,v8:3305
LOG=Y
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1551443002

Cr-Commit-Position: refs/heads/master@{#33133}
2016-01-06 02:03:07 +00:00
jkummerow
b4583c0444 [prototype user tracking] Don't skip JSGlobalProxies
For a prototype chain foo -> global_proxy -> global_object, we used to
register a dependency from foo -> global_object. This is incorrect when
the global_proxy/global_object pairing is modified, e.g. when navigating
in iframes. With this patch, we properly register foo -> global_proxy and
global_proxy -> global_object dependencies.
Additionally, when a prototype's prototype changes from null to something
else, this new usage relation must be registered if there are other users
further down on the prototype chain that might expect a complete chain of
registrations to exist (which was the case before, and must be preserved).

BUG=chromium:571517
LOG=n
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1559323002

Cr-Commit-Position: refs/heads/master@{#33119}
2016-01-05 16:15:48 +00:00
littledan
acbd64be36 Accept time zones like GMT-8 in the legacy date parser
In the Date constructor or Date.parse, other browsers will accept time
zones like GMT-8, but before this patch, Chrome would interpret 8 as
8 minutes. This patch interprets GMT-+ a one or two digit number as hours,
not minutes.

R=adamk,jshin@chromium.org
LOG=Y
BUG=chromium:422858

Review URL: https://codereview.chromium.org/1557053002

Cr-Commit-Position: refs/heads/master@{#33100}
2016-01-04 23:25:57 +00:00
jshin
4e18190e69 Timezone name check fix
1. Location names with more than one underscores (e.g. Ho_Chi_Minh)
   didn't work because of the way capturing works with repeated patterns
   in RE. It's now supported by changing the RE to capture the whole string
   and splitting on '_' in the next step.

2. Adds support for location names with a hyphen

3. Adds support for timezone ids with three parts (e.g.
   American/Argentina/Buenos_Aires)

4. Adds special handling of 'au', 'es' and 'of' in zone ids. They need to be kept in lowercase. (see the full list at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones )

5. Adds regression tests for all the above and make the existing tests
   more robust against future ICU changes. ICU canonicalizes zone names to
   deprecated names, but it may change. (
   http://bugs.icu-project.org/trac/ticket/12044 )

BUG=364374
LOG=Y

Review URL: https://codereview.chromium.org/1529363005

Cr-Commit-Position: refs/heads/master@{#33097}
2016-01-04 21:48:04 +00:00
bmeurer
fed2c416df Use JSObjectVerify instead of trying to reimplement parts of it.
R=verwaest@chromium.org
BUG=chromium:573857
LOG=n

Review URL: https://codereview.chromium.org/1551333002

Cr-Commit-Position: refs/heads/master@{#33083}
2016-01-04 13:50:06 +00:00
verwaest
09c41d9bfd ThrowTypeError should not be constructable, so shouldn't have a prototype.
In addition to ThrowTypeError not being a constructor, it was invalidly set up by simply swapping the map. Swapping the map is insufficient since NewFunction* actually set up the function depending on the used map.

BUG=chromium:573858
LOG=n

Review URL: https://codereview.chromium.org/1552223002

Cr-Commit-Position: refs/heads/master@{#33082}
2016-01-04 13:33:09 +00:00
bmeurer
70c4bf1331 [builtins] Migrate a bunch of Object builtins to C++.
The Object.freeze, Object.isExtensible, Object.isFrozen,
Object.isSealed, Object.preventExtensions and Object.seal builtins were
already implemented in C++, but they still had some funny JavaScript
wrappers that just called into the C++ implementation on every
(interesting) execution path.

Review URL: https://codereview.chromium.org/1553043002

Cr-Commit-Position: refs/heads/master@{#33074}
2016-01-04 08:11:07 +00:00
bmeurer
cb21144baf [es6] Unify ArrayBuffer and SharedArrayBuffer constructors.
Unify the constructors and isView methods for ArrayBuffer and
SharedArrayBuffer, moving them to C++ because there's no point
in having the JavaScript wrappers for them.

We choose to deliberately violate the ES2015 specification and
implement the ArrayBuffer constructor in a way that matches
Firefox and Safari instead.

CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
BUG=chromium:565917, v8:4592
TBR=hpayer@chromium.org
R=cbruni@chromium.org
LOG=n

Committed: https://crrev.com/3235ccbb7826ceec2188f6ebab98fc851b54f60e
Cr-Commit-Position: refs/heads/master@{#32590}

Review URL: https://codereview.chromium.org/1500543002

Cr-Commit-Position: refs/heads/master@{#33072}
2016-01-01 07:13:16 +00:00
littledan
a9c791009b Fix 'illegal access' in Date constructor edge case
In a rare edge case, a difference in checks between C++ and
JavaScript lead to an 'illegal access' being thrown by the Date
constructor. This patch harmonizes the checks from both sides.
It's possible that slightly larger dates could be permitted,
as the ECMAScript 2015 specification indicates that +287396-10-12
would be a permissible date in the note in
http://tc39.github.io/ecma262/#sec-extended-years
This patch does not revisit the limit, only clears up the
inconsistency.

BUG=v8:4640
R=cbruni
LOG=Y

Review URL: https://codereview.chromium.org/1545883003

Cr-Commit-Position: refs/heads/master@{#33068}
2015-12-30 23:54:59 +00:00
littledan
e549c7a356 Reland of Use ES2015-style TypedArray prototype chain (patchset #1 id:1 of https://codereview.chromium.org/1554523002/ )
Reason for revert:
Should be fixed again with this Blink change to add NeedsManualRebaseline

Original issue's description:
> Revert of Use ES2015-style TypedArray prototype chain (patchset #5 id:80001 of https://codereview.chromium.org/1541233002/ )
>
> Reason for revert:
> [Sheriff] Changes layout tests. Please fix upstream first if intended.
>
> https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/3689
>
> Original issue's description:
> > Use ES2015-style TypedArray prototype chain
> >
> > This patch switches TypedArrays to use the prototype chain described
> > in the ES2015 specification, which adds a %TypedArray% superclass above
> > all individual TypedArray types. Most methods are defined on the
> > superclass rather than the subclasses.
> >
> > In order to prevent a performance regression, a few methods are
> > marked as inline. Inlining might prevent code which was previously
> > monomorphic from becoming polymorphic, and it was specifically
> > applied in places where methods became more polymorphic than before.
> > Tests with realistic workloads would be nice to do before this
> > ships in stable.
> >
> > This patch does not bring TypedArrays up to full spec compliance. In
> > particular, @@species is not yet supported.
> >
> > R=cbruni
> > BUG=v8:4085
> > LOG=Y
> >
> > Committed: https://crrev.com/07c91dccbe55c7be3ec75857dee5ad59873330b7
> > Cr-Commit-Position: refs/heads/master@{#33050}
>
> TBR=caitpotter88@gmail.com,cbruni@chromium.org,littledan@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:4085
>
> Committed: https://crrev.com/28b55ffd1e32e09aaf42b8bbb407944d4808e07c
> Cr-Commit-Position: refs/heads/master@{#33053}

TBR=caitpotter88@gmail.com,cbruni@chromium.org,machenbach@chromium.org
BUG=v8:4085
LOG=Y

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1558663002

Cr-Commit-Position: refs/heads/master@{#33067}
2015-12-30 22:14:16 +00:00
littledan
797d1090ae Reland "Clean up promises and fix an edge case bug (patchset #4 id:60001 of https://codereview.chromium.org/1488783002/ )"
This patch relands a change to ES2015 Promises which brings us closer to
spec compliance. In this new version, a bug which would lose async callstack
data was fixed.

R=adamk
CC=rossberg,caitp
LOG=Y
BUG=v8:3641
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1538663002

Cr-Commit-Position: refs/heads/master@{#33065}
2015-12-30 20:47:37 +00:00
ishell
bae0d6c8dc [crankshaft] Don't inline array resize operations if receiver's proto is not a JSObject.
BUG=chromium:571064
LOG=Y
TBR=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1548363003

Cr-Commit-Position: refs/heads/master@{#33058}
2015-12-29 14:35:18 +00:00
ishell
c1aded3c4b [ic] Fixed receiver_map register trashing in KeyedStoreIC megamorphic.
BUG=chromium:571370
LOG=Y

Review URL: https://codereview.chromium.org/1546323002

Cr-Commit-Position: refs/heads/master@{#33057}
2015-12-29 12:52:13 +00:00
bmeurer
2fcf3aa62c Only verify in-object fields in fast properties case.
This matches the behavior of JSObject::JSObjectVerify() and seems to be
the current contract for --verify-heap.

BUG=chromium:572590
LOG=n

Review URL: https://codereview.chromium.org/1553463002

Cr-Commit-Position: refs/heads/master@{#33056}
2015-12-29 11:20:52 +00:00
machenbach
28b55ffd1e Revert of Use ES2015-style TypedArray prototype chain (patchset #5 id:80001 of https://codereview.chromium.org/1541233002/ )
Reason for revert:
[Sheriff] Changes layout tests. Please fix upstream first if intended.

https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/3689

Original issue's description:
> Use ES2015-style TypedArray prototype chain
>
> This patch switches TypedArrays to use the prototype chain described
> in the ES2015 specification, which adds a %TypedArray% superclass above
> all individual TypedArray types. Most methods are defined on the
> superclass rather than the subclasses.
>
> In order to prevent a performance regression, a few methods are
> marked as inline. Inlining might prevent code which was previously
> monomorphic from becoming polymorphic, and it was specifically
> applied in places where methods became more polymorphic than before.
> Tests with realistic workloads would be nice to do before this
> ships in stable.
>
> This patch does not bring TypedArrays up to full spec compliance. In
> particular, @@species is not yet supported.
>
> R=cbruni
> BUG=v8:4085
> LOG=Y
>
> Committed: https://crrev.com/07c91dccbe55c7be3ec75857dee5ad59873330b7
> Cr-Commit-Position: refs/heads/master@{#33050}

TBR=caitpotter88@gmail.com,cbruni@chromium.org,littledan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4085

Review URL: https://codereview.chromium.org/1554523002

Cr-Commit-Position: refs/heads/master@{#33053}
2015-12-29 08:43:29 +00:00
littledan
07c91dccbe Use ES2015-style TypedArray prototype chain
This patch switches TypedArrays to use the prototype chain described
in the ES2015 specification, which adds a %TypedArray% superclass above
all individual TypedArray types. Most methods are defined on the
superclass rather than the subclasses.

In order to prevent a performance regression, a few methods are
marked as inline. Inlining might prevent code which was previously
monomorphic from becoming polymorphic, and it was specifically
applied in places where methods became more polymorphic than before.
Tests with realistic workloads would be nice to do before this
ships in stable.

This patch does not bring TypedArrays up to full spec compliance. In
particular, @@species is not yet supported.

R=cbruni
BUG=v8:4085
LOG=Y

Review URL: https://codereview.chromium.org/1541233002

Cr-Commit-Position: refs/heads/master@{#33050}
2015-12-28 17:28:54 +00:00
bmeurer
97def8070c [runtime] Introduce dedicated JSBoundFunction to represent bound functions.
According to the ES2015 specification, bound functions are exotic
objects, and thus don't need to be implemented as JSFunctions. So
we introduce a new JSBoundFunction type to represent bound functions
and make them optimizable. This already improves the performance of
calling or constructing bound functions by 10-100x depending on the
use case because we avoid the crazy dance between JavaScript and C++
that was implemented in v8natives.js previously.

There's still room for improvement in the performance of actually
creating bound functions, which is also relevant in practice, but
we already have a plan how to accomplish that later.

The mips/mips64 ports were contributed by akos.palfi@imgtec.com.

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
BUG=chromium:535408, chromium:571299, v8:4629
LOG=n

Committed: https://crrev.com/ca8623eaa468cba65a5adafcdfb4615966f43ce2
Cr-Commit-Position: refs/heads/master@{#33042}

Review URL: https://codereview.chromium.org/1542963002

Cr-Commit-Position: refs/heads/master@{#33044}
2015-12-27 06:31:44 +00:00
bmeurer
1cf8b105d6 Revert of [runtime] Introduce dedicated JSBoundFunction to represent bound functions. (patchset #14 id:260001 of https://codereview.chromium.org/1542963002/ )
Reason for revert:
Breaks arm64 sim nosnap: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug/builds/805/steps/Check/logs/function-bind

Original issue's description:
> [runtime] Introduce dedicated JSBoundFunction to represent bound functions.
>
> According to the ES2015 specification, bound functions are exotic
> objects, and thus don't need to be implemented as JSFunctions. So
> we introduce a new JSBoundFunction type to represent bound functions
> and make them optimizable. This already improves the performance of
> calling or constructing bound functions by 10-100x depending on the
> use case because we avoid the crazy dance between JavaScript and C++
> that was implemented in v8natives.js previously.
>
> There's still room for improvement in the performance of actually
> creating bound functions, which is also relevant in practice, but
> we already have a plan how to accomplish that later.
>
> The mips/mips64 ports were contributed by akos.palfi@imgtec.com.
>
> CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
> BUG=chromium:535408, chromium:571299, v8:4629
> LOG=n
>
> Committed: https://crrev.com/ca8623eaa468cba65a5adafcdfb4615966f43ce2
> Cr-Commit-Position: refs/heads/master@{#33042}

TBR=cbruni@chromium.org,hpayer@chromium.org,yangguo@chromium.org,akos.palfi@imgtec.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:535408, chromium:571299, v8:4629

Review URL: https://codereview.chromium.org/1552473002

Cr-Commit-Position: refs/heads/master@{#33043}
2015-12-27 04:42:13 +00:00
bmeurer
ca8623eaa4 [runtime] Introduce dedicated JSBoundFunction to represent bound functions.
According to the ES2015 specification, bound functions are exotic
objects, and thus don't need to be implemented as JSFunctions. So
we introduce a new JSBoundFunction type to represent bound functions
and make them optimizable. This already improves the performance of
calling or constructing bound functions by 10-100x depending on the
use case because we avoid the crazy dance between JavaScript and C++
that was implemented in v8natives.js previously.

There's still room for improvement in the performance of actually
creating bound functions, which is also relevant in practice, but
we already have a plan how to accomplish that later.

The mips/mips64 ports were contributed by akos.palfi@imgtec.com.

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
BUG=chromium:535408, chromium:571299, v8:4629
LOG=n

Review URL: https://codereview.chromium.org/1542963002

Cr-Commit-Position: refs/heads/master@{#33042}
2015-12-26 20:28:17 +00:00
bmeurer
d1d4fa20b0 [runtime] Also migrate the Function and GeneratorFunction constructors to C++.
These constructors always go through C++ at least twice anyway, so
there's not really a point in trying to implement them in JavaScript.

R=yangguo@chromium.org
BUG=chromium:535408
LOG=n

Review URL: https://codereview.chromium.org/1548623002

Cr-Commit-Position: refs/heads/master@{#33012}
2015-12-22 14:15:53 +00:00
ishell
37b5ebc31d Fix UTC offset computation in date parser.
BUG=chromium:561973
LOG=N

Review URL: https://codereview.chromium.org/1532573003

Cr-Commit-Position: refs/heads/master@{#32956}
2015-12-17 16:29:33 +00:00
verwaest
d64dc800db Return CallSite numbers as Number rather than Smi
BUG=chromium:570651
LOG=n

Review URL: https://codereview.chromium.org/1532083002

Cr-Commit-Position: refs/heads/master@{#32947}
2015-12-17 13:17:42 +00:00