Commit Graph

32772 Commits

Author SHA1 Message Date
mstarzinger
0c8e3cea4b [turbofan] Remove eager frame state from bitwise ops.
This removes the frame state input representing the before-state from
nodes having any int32 bitwise operator. Lowering that inserts number
conversions of the inputs has to be disabled when deoptimization is
enabled, because the frame state layout is no longer known.

R=epertoso@chromium.org
BUG=v8:5021,v8:4746

Review-Url: https://codereview.chromium.org/2194383004
Cr-Commit-Position: refs/heads/master@{#38280}
2016-08-03 08:38:51 +00:00
cbruni
60f9e60be0 [api] Fix IsSimpleInstantiation check in InstantiateObject
We have a simple instantiation at hand if the new.target is from the same
context, not the other way around.

BUG=chromium:630217

Review-Url: https://codereview.chromium.org/2201113002
Cr-Commit-Position: refs/heads/master@{#38279}
2016-08-03 07:52:39 +00:00
yangguo
25c0501c8f [inspector] fix GYP/MSVS build warnings.
R=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2206943002
Cr-Commit-Position: refs/heads/master@{#38278}
2016-08-03 07:46:56 +00:00
jochen
2f8d4f4425 Do an access check before compiling code via eval()
Similarly to how we check whether the entered context has access to the target
context when invoking the function constructor, we should check the involved
contexts before invoking eval().

I forgot to add this in the initial CL that adds the check for the function
constructor. Move the code to a common location, and use it for the GlobalEval
builtin as well.

BUG=chromium:541703
R=verwaest@chromium.org

Review-Url: https://codereview.chromium.org/2199343002
Cr-Commit-Position: refs/heads/master@{#38277}
2016-08-03 07:42:53 +00:00
jgruber
8592c450a6 Fix an OOB read through CallSite.GetFunctionName
The func_index parameter passed to GetWasmFunctionNameFromTable can be
user-controlled through the CallSite constructor. Catch out-of-bounds
reads and return null as the function name in such cases.

This applies to the 5.3 branch and will be reverted on TOT in a bit.

BUG=632965

Review-Url: https://codereview.chromium.org/2199333002
Cr-Commit-Position: refs/heads/master@{#38276}
2016-08-03 07:35:24 +00:00
yangguo
26b30e4007 Revert of [Tracing] Embed V8 runtime call stats into tracing. (patchset #6 id:100001 of https://codereview.chromium.org/2187693002/ )
Reason for revert:
Sanitizer failures:

https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/10989/
https://build.chromium.org/p/client.v8/builders/V8%20Mac64%20ASAN/builds/7786/

Original issue's description:
> [Tracing] Embed V8 runtime call stats into tracing.
>
> Currently we have V8 RuntimeCallStats that is independent from tracing when
> running d8 with flag --runtime_call_stats. This patch embeds V8 runtime call
> stats into tracing, by having a global table of runtime call counters per
> isolate, resetting the table each time we enter a top level trace event, and
> dumping the table for each top level trace event. This will make the trace file
> more compact, as well as enable runtime call stats in the tracing system.
>
> This patch adds ~5% overhead to V8 when the category is enabled; we measure the
> overhead by running a script with the category enabled.
>
> BUG=v8:5089
>
> Committed: https://crrev.com/d014866173eaa2b548c566217b2c94b1d49385fa
> Cr-Commit-Position: refs/heads/master@{#38270}

TBR=cbruni@chromium.org,fmeawad@chromium.org,machenbach@chromium.org,bmeurer@chromium.org,adamk@chromium.org,rmcilroy@chromium.org,lpy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5089

Review-Url: https://codereview.chromium.org/2203913004
Cr-Commit-Position: refs/heads/master@{#38275}
2016-08-03 07:28:02 +00:00
zhengxing.li
b412b789d3 X87: [turbofan] Fix invalid comparison operator narrowing.
port a758144329 (r38231)

  original commit message:
  When we narrow a signed32 comparison to uint8 or uint16 representation,
  we also need to change the condition to unsigned comparisons otherwise
  the comparison will be done on int16/int8 which interprets the narrowed
  bits wrong.

BUG=

Review-Url: https://codereview.chromium.org/2206913002
Cr-Commit-Position: refs/heads/master@{#38274}
2016-08-03 07:13:11 +00:00
yangguo
c7e9a8dc60 [inspector] include additional outputs from protocol handler generator.
The protocol handler generator generates these files into a default location if
not specified by flag as output. We should account for these files and
explicitly set its output location.

R=machenbach@chromium.org

Committed: https://crrev.com/ac1d077db39dcabb74e36ad5d4bc7ea9fad96ed9
Review-Url: https://codereview.chromium.org/2199253002
Cr-Original-Commit-Position: refs/heads/master@{#38268}
Cr-Commit-Position: refs/heads/master@{#38273}
2016-08-03 06:50:50 +00:00
yangguo
dfcaaeb720 Revert of [inspector] include additional outputs from protocol handler generator. (patchset #2 id:20001 of https://codereview.chromium.org/2199253002/ )
Reason for revert:
Compile warnings: https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20clang/builds/1901/steps/compile/logs/stdio

Original issue's description:
> [inspector] include additional outputs from protocol handler generator.
>
> The protocol handler generator generates these files into a default location if
> not specified by flag as output. We should account for these files and
> explicitly set its output location.
>
> R=machenbach@chromium.org
>
> Committed: https://crrev.com/ac1d077db39dcabb74e36ad5d4bc7ea9fad96ed9
> Cr-Commit-Position: refs/heads/master@{#38268}

TBR=machenbach@chromium.org,faith4roy16@gmail.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2206573004
Cr-Commit-Position: refs/heads/master@{#38272}
2016-08-03 06:35:42 +00:00
zhengxing.li
57fc9a7906 X87: Make FastNewFunctionContextStub take slots parameter.
port 5bc2439783 (r38219)

  original commit message:
  This will enable the interpreter to add a bytecode and use the stub.

BUG=

Review-Url: https://codereview.chromium.org/2205813002
Cr-Commit-Position: refs/heads/master@{#38271}
2016-08-03 06:28:13 +00:00
lpy
d014866173 [Tracing] Embed V8 runtime call stats into tracing.
Currently we have V8 RuntimeCallStats that is independent from tracing when
running d8 with flag --runtime_call_stats. This patch embeds V8 runtime call
stats into tracing, by having a global table of runtime call counters per
isolate, resetting the table each time we enter a top level trace event, and
dumping the table for each top level trace event. This will make the trace file
more compact, as well as enable runtime call stats in the tracing system.

This patch adds ~5% overhead to V8 when the category is enabled; we measure the
overhead by running a script with the category enabled.

BUG=5089

Review-Url: https://codereview.chromium.org/2187693002
Cr-Commit-Position: refs/heads/master@{#38270}
2016-08-03 06:13:30 +00:00
zhengxing.li
e0f6fdb36d X87: [heap] Reland "Remove black pages and use black areas instead.".
port 205457b1aa (r38195)

  original commit message:

BUG=

Review-Url: https://codereview.chromium.org/2206543002
Cr-Commit-Position: refs/heads/master@{#38269}
2016-08-03 06:13:29 +00:00
yangguo
ac1d077db3 [inspector] include additional outputs from protocol handler generator.
The protocol handler generator generates these files into a default location if
not specified by flag as output. We should account for these files and
explicitly set its output location.

R=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2199253002
Cr-Commit-Position: refs/heads/master@{#38268}
2016-08-03 06:02:17 +00:00
bmeurer
17a7f58396 [turbofan] Improve typing rule for modulus.
Infer a more precise type even in cases where NaN and/or -0 is a possible
outcome of the operation, and use this more precise type to improve code
generation for the modulus itself by trying harder to stick to Word32
operations instead of going to Float64, and also optimize the pattern
where we compare the output of x % y to some non-zero integer constant
K, in which case we can truncate the output of x % y to Word32 if the
type of x % y is Signed32/Unsigned32 \/ NaN \/ MinusZero, as NaN and
MinusZero will both be truncated to zero, which cannot match the non-zero
constant K.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2202413002
Cr-Commit-Position: refs/heads/master@{#38267}
2016-08-03 04:41:36 +00:00
caitp
0c76b0ae85 Reland [builtins] implement Array.prototype.includes in TurboFan
BUG=v8:5162
R=bmeurer@chromium.org, cbruni@chromium.org

Review-Url: https://codereview.chromium.org/2205883003
Cr-Commit-Position: refs/heads/master@{#38266}
2016-08-03 03:27:43 +00:00
v8-autoroll
2eb75b6287 Update V8 DEPS.
Rolling v8/build to 957253ade4c8b5125afa41102ca41a0b19985e4e

Rolling v8/buildtools to c3a780dcb63ff053439315f761190ffab0480ad4

Rolling v8/third_party/WebKit/Source/platform/inspector_protocol to 7d2a29d289d54b8ff9c330efc5145158f1191af2

Rolling v8/tools/mb to e100ad0410f9de1e859a143fe20a9b58f8f8d420

Rolling v8/tools/swarming_client to e4288c3040a32f2e7ad92f957668f2ee3d36e5a6

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review-Url: https://codereview.chromium.org/2201303002
Cr-Commit-Position: refs/heads/master@{#38265}
2016-08-03 03:23:55 +00:00
bjaideep
bb2fd5d29d PPC/s390: Make FastNewFunctionContextStub take slots parameter
Port 5bc2439783

Original commit message:

    This will enable the interpreter to add a bytecode and use the stub.

R=klaasb@google.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/2200263003
Cr-Commit-Position: refs/heads/master@{#38264}
2016-08-03 01:03:21 +00:00
mtrofin
c0dfc8d8f9 Heap::CopyCode does not correctly handle references into NEW_SPACE.
A fix would be to walk the reloc info and RecordWriteIntoCode. Doing
so, however, upsets a scavenger DCHECK.

We stumbled upon this issue because we were placing wasm objects
(fixed arrays) in NEW_SPACE, rather than OLD_SPACE. These fixed
arrays were subsequently referenced from Code objects, which were
then cloned.

The current CL ensures wasm constructs are allocated in OLD_SPACE,
by pre-tenuring them (consistent with other wasm allocations). In
addition, it adds a DCHECK for CopyCode clarifying its lack of support
for references to NEW_SPACE.

We can investigate in a subsequent CL making CopyCode more robust,
pending understanding of the Scavenger's assumptions.

BUG=

Review-Url: https://codereview.chromium.org/2201663003
Cr-Commit-Position: refs/heads/master@{#38263}
2016-08-02 22:55:40 +00:00
titzer
d4392107fa [wasm] Make LoadGlobal/StoreGlobal opcodes match what is coming in binary 0xC.
R=ahaas@chromium.org,bradnelson@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2209433002
Cr-Commit-Position: refs/heads/master@{#38262}
2016-08-02 22:40:50 +00:00
adamk
bb97d27abc Replace BindingFlags enum with InitializationFlag enum
They may have once been different, but they're now redundant with
each other. This simplifies both Context::Lookup and its callers.

Review-Url: https://codereview.chromium.org/2200303002
Cr-Commit-Position: refs/heads/master@{#38261}
2016-08-02 20:37:18 +00:00
adamk
83b63c308a Sloppy eval declarations should not shadow lexical function declarations
This was being allowed due to the use of BindingFlags instead of VariableMode
to determine whether a looked-up binding was lexical. Because function
declarations are hoisted, they never need hole checks, and so were being
miscategorized as non-lexical.

This patch augments Context::Lookup with a VariableMode out param, which
allows this check to determine precisely whether the binding is lexical.

BUG=v8:4454, v8:5256

Review-Url: https://codereview.chromium.org/2206483004
Cr-Commit-Position: refs/heads/master@{#38260}
2016-08-02 20:27:38 +00:00
jpp
3fa56f2bb2 [wasm] asm.js. Adds support for clz32 in asm.js.
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203

Review-Url: https://codereview.chromium.org/2200213002
Cr-Commit-Position: refs/heads/master@{#38259}
2016-08-02 18:36:52 +00:00
marja
51685002a6 Revert of Put Scopes into temporary Zone (patchset #12 id:220001 of https://codereview.chromium.org/2193793002/ )
Reason for revert:
Broke Node.js tests (test-require-dot etc.)

Original issue's description:
> Put Scopes into temporary Zone
>
> When parsing an eagerly-parsed-but-lazily-compiled function, we
> used to put some of its AST nodes into a discardable Zone. This
> CL puts the function Scope, its inner Scopes and the related AST
> nodes (Declarations, VariableProxys) into the temporary Zone
> too. This reduces peak memory usage and enables future work to
> keep the temporary Zone around for later compilation.
>
> BUG=
>
> Committed: https://crrev.com/eaebdd858b466057ccc39894a172c9b66868e8f7
> Cr-Commit-Position: refs/heads/master@{#38232}

TBR=adamk@chromium.org,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2205013002
Cr-Commit-Position: refs/heads/master@{#38258}
2016-08-02 18:16:14 +00:00
machenbach
3eab4e87da [test] Update testing-variant stages
This prepares for adding the ignition_staging variant to the
default variant set.

BUG=v8:5238

Review-Url: https://codereview.chromium.org/2205883002
Cr-Commit-Position: refs/heads/master@{#38257}
2016-08-02 17:25:39 +00:00
adamk
56f9754387 Remove --harmony-exponentiation-operator flag
It's shipped in M52.

R=caitp@igalia.com, littledan@chromium.org

Review-Url: https://codereview.chromium.org/2203843002
Cr-Commit-Position: refs/heads/master@{#38256}
2016-08-02 17:17:35 +00:00
rskang
9a6a56d21f Add args and copy support to V8 tracing controller.
BUG=v8:4561

Review-Url: https://codereview.chromium.org/2190973003
Cr-Commit-Position: refs/heads/master@{#38255}
2016-08-02 17:13:13 +00:00
machenbach
a63b3e51ab [test] Remove deprecated ignition-test-suite alias
This is not referenced anymore by the infrastructure after:
https://codereview.chromium.org/2202113003/

BUG=v8:5238

Review-Url: https://codereview.chromium.org/2203023003
Cr-Commit-Position: refs/heads/master@{#38254}
2016-08-02 16:45:34 +00:00
machenbach
4289c28fb9 [build] Conditionally print to stdout on Android
This adds a gyp/gn variable to control printing to stdout
on Android. This is false by default and true for all
v8 stand-alone android bots.

BUG=chromium:629806

Review-Url: https://codereview.chromium.org/2183063002
Cr-Commit-Position: refs/heads/master@{#38253}
2016-08-02 15:38:04 +00:00
alph
99460bc441 Do not mark prototype transitions as weak container in heap snapshot.
Review-Url: https://codereview.chromium.org/2203573004
Cr-Commit-Position: refs/heads/master@{#38252}
2016-08-02 15:25:12 +00:00
alph
f7249cd9f4 Do not mark dependent_code arrays as weak in heap snapshot.
Review-Url: https://codereview.chromium.org/2197393003
Cr-Commit-Position: refs/heads/master@{#38251}
2016-08-02 15:20:44 +00:00
mstarzinger
a4743baec1 [turbofan] Remove IfExceptionHint from exception projections.
This completely removes translation of exception handler predictions
from the graph IR. We now rely on the runtime using deoptimization
information via {FrameSummary} for predictions in optimized code.

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2207533002
Cr-Commit-Position: refs/heads/master@{#38250}
2016-08-02 14:49:10 +00:00
cbruni
7e51190458 [api] Remove NeanderObject
We no longer need NeanderObject; the only user left was the message listener
mechanism, which could be replaced by direct uses of FixedArrays.

BUG=chromium:630217

Review-Url: https://codereview.chromium.org/2195243003
Cr-Commit-Position: refs/heads/master@{#38249}
2016-08-02 14:41:09 +00:00
machenbach
0e988e4737 [test] Remove some deprecated test-runner variant shortcuts
It should be enough to specify --variants=... with the
desired set of variants. The stress/nostress shortcuts
might get confusing soon, as we intend to move the stress
option out of the developer default set.

BUG=v8:5238

Review-Url: https://codereview.chromium.org/2195373002
Cr-Commit-Position: refs/heads/master@{#38248}
2016-08-02 14:03:50 +00:00
yangguo
1515ddd8f1 [debugger] use handler table on unoptimized code for exception prediction.
R=mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2197183002
Cr-Commit-Position: refs/heads/master@{#38247}
2016-08-02 13:47:49 +00:00
epertoso
524abd76b7 [turbofan] Adds speculative operator for bitwise and, or and xor.
BUG=

Review-Url: https://codereview.chromium.org/2201073002
Cr-Commit-Position: refs/heads/master@{#38246}
2016-08-02 13:43:58 +00:00
alph
aba8a8151e Add WeakCell support to heap profiler.
Review-Url: https://codereview.chromium.org/2204873003
Cr-Commit-Position: refs/heads/master@{#38245}
2016-08-02 13:43:57 +00:00
alph
0a920f607f Add Map::weak_cell_cache internal link to heap snapshot.
Review-Url: https://codereview.chromium.org/2204893002
Cr-Commit-Position: refs/heads/master@{#38244}
2016-08-02 13:06:19 +00:00
hpayer
682c4e448e Revert of [heap] Re-enable black allocation when finalizing marking. (patchset #1 id:1 of https://codereview.chromium.org/2202993002/ )
Reason for revert:
Crashes on tree.

Original issue's description:
> [heap] Re-enable black allocation when finalizing marking.
>
> BUG=chromium:630386
> LOG=n
>
> Committed: https://crrev.com/2c75cfd731e11daa649faf2e91cbb84767b11f8e
> Cr-Commit-Position: refs/heads/master@{#38240}

TBR=ulan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:630386

Review-Url: https://codereview.chromium.org/2204593005
Cr-Commit-Position: refs/heads/master@{#38243}
2016-08-02 12:29:33 +00:00
bmeurer
6bd7bd4bc6 [turbofan] Use CheckMaps in JSGlobalObjectSpecialization.
This is a simple cleanup to use the recently added CheckMaps operator
instead of the hand-crafted map check sequence.

R=epertoso@chromium.org

Review-Url: https://codereview.chromium.org/2199263002
Cr-Commit-Position: refs/heads/master@{#38242}
2016-08-02 12:14:54 +00:00
bmeurer
c9324fe6c5 [turbofan] Fix invalid representation selection for Phis/Selects.
We cannot just blindly make a representation selection for Phi or Select
based on the truncations, but we also need to consider the type of the
inputs (or actually of the Phi/Select node itself). We can only use
Word32 representation based on Word32 truncation if the inputs are
Number or Oddball, same for Float64.

R=epertoso@chromium.org
BUG=v8:5255

Review-Url: https://codereview.chromium.org/2206553002
Cr-Commit-Position: refs/heads/master@{#38241}
2016-08-02 12:11:09 +00:00
hpayer
2c75cfd731 [heap] Re-enable black allocation when finalizing marking.
BUG=chromium:630386
LOG=n

Review-Url: https://codereview.chromium.org/2202993002
Cr-Commit-Position: refs/heads/master@{#38240}
2016-08-02 11:59:42 +00:00
hpayer
db7c4f43cd [heap] MarkCompactCollector::EmptyMarkingDeque never expects filler objects.
BUG=

Review-Url: https://codereview.chromium.org/2205853002
Cr-Commit-Position: refs/heads/master@{#38239}
2016-08-02 11:55:48 +00:00
machenbach
8552e68223 [test] Fix joining FAIL expectations in status files
Without this fix, two rules [PASS, MODIFIER] and [FAIL]
would be joined as [PASS, MODIFIER, FAIL], undermining the
intention of the second rule to mark a test as failing.

BUG=v8:4680,v8:4900

Review-Url: https://codereview.chromium.org/2201033002
Cr-Commit-Position: refs/heads/master@{#38238}
2016-08-02 11:52:03 +00:00
mstarzinger
f4316f1604 [interpreter] Enable test that no longer fails.
R=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2207503002
Cr-Commit-Position: refs/heads/master@{#38237}
2016-08-02 10:26:10 +00:00
alph
d25e45df73 Deprecate CpuProfileNode::GetCallUid
The client can use scriptId + lineNumber + columnNumber
to uniquely identify the call site.

Review-Url: https://codereview.chromium.org/2199003003
Cr-Commit-Position: refs/heads/master@{#38236}
2016-08-02 09:45:00 +00:00
bmeurer
66f2d3bd66 [turbofan] Introduce initial support for TypedArrays.
This adds support for lowering keyed access to JSTypedArray objects to
element loads and stores instead of IC calls. There's still a lot of
room for improvement, but the improvements can be done incrementally
later.

We add a dedicated UnsafePointerAdd operator, which sits in the effect
chain, and does the (GC invisible) computation of addresses that are
potentially inside HeapObjects. Also there's now a dedicated Retain
operator, which ensures that we retain a certain tagged value, which is
necessary to ensure that we keep a JSArrayBuffer alive as long as we
might still potentially access elements in its backing store.

R=epertoso@chromium.org

Review-Url: https://codereview.chromium.org/2203693002
Cr-Commit-Position: refs/heads/master@{#38235}
2016-08-02 09:41:01 +00:00
jgruber
8135caef32 Make CallSite constructor inaccessible from JS
This type is not supposed to be constructable by users. Internally, we
use CallSiteUtils::Construct to create CallSite objects; and we simply
map a thrower builtin as the public CallSite constructor.

R=yangguo@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2201823002
Cr-Commit-Position: refs/heads/master@{#38234}
2016-08-02 09:33:38 +00:00
mstarzinger
962fd4ae4b [interpreter] Elide OSR polling from fake loops.
This makes sure we are not inserting {OsrPoll} instructions for any
statements that are not actually loops and have no back edges. Without
back edges the {BytecodeGraphBuilder} is unable to deduce loop ranges
and hence cannot construct a graph for OSR entry.

R=neis@chromium.org
TEST=mjsunit/regress/regress-5252
BUG=v8:5252

Review-Url: https://codereview.chromium.org/2200733002
Cr-Commit-Position: refs/heads/master@{#38233}
2016-08-02 09:16:59 +00:00
marja
eaebdd858b Put Scopes into temporary Zone
When parsing an eagerly-parsed-but-lazily-compiled function, we
used to put some of its AST nodes into a discardable Zone. This
CL puts the function Scope, its inner Scopes and the related AST
nodes (Declarations, VariableProxys) into the temporary Zone
too. This reduces peak memory usage and enables future work to
keep the temporary Zone around for later compilation.

BUG=

Review-Url: https://codereview.chromium.org/2193793002
Cr-Commit-Position: refs/heads/master@{#38232}
2016-08-02 08:08:35 +00:00
bmeurer
a758144329 [turbofan] Fix invalid comparison operator narrowing.
When we narrow a signed32 comparison to uint8 or uint16 representation,
we also need to change the condition to unsigned comparisons otherwise
the comparison will be done on int16/int8 which interprets the narrowed
bits wrong.

R=epertoso@chromium.org
BUG=v8:5254

Review-Url: https://codereview.chromium.org/2202803003
Cr-Commit-Position: refs/heads/master@{#38231}
2016-08-02 07:46:15 +00:00