Commit Graph

8648 Commits

Author SHA1 Message Date
Simon Zünd
93f59deef8 [array] Throw TypeError for read-only properties on fast-path
This CL changes the NumberDictionary fast-path for Array.p.sort to
throw a TypeError when trying to write to a read-only property.

Previously, the fast-path simply bailed to the slow-path which could
swallow the TypeError by accident. I.e. because the fast-path could
leave the array in an inconsistent state that is already sorted.

Example:

let arr = new Array(10);
Object.defineProperty(arr, 0, {value: 2, writable: false});
Object.defineProperty(arr, 2, {value: 1, writable: false});
arr.sort();

The pre-processing step will move the value 1 to index 1: {0: 2, 1: 1}
When trying to swap those 2 values, the fast-path will write the 2 at
index 1, then try to write the 1 at index 0 and fail, bailing to the
slow-path. As the array looks like {0: 2, 1: 2} its already sorted
and the TypeError will not be thrown.

R=jgruber@chromium.org

Bug: v8:7382, v8:7907
Change-Id: I5d2f2d73478fdca066ce1048dcb2b8301751cb1f
Reviewed-on: https://chromium-review.googlesource.com/1122120
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54150}
2018-07-03 06:38:00 +00:00
Jakob Kummerow
34225a6afb Fix overzealous assert in CallOrConstructVarArgs
For spread calls with arrays with double elements but zero length,
we skip the box-as-heapnumber step; so in this corner case the
Call builtin sees a FixedDoubleArray, which is fine because it
doesn't read any of the raw double values from it.
This patch doesn't change the implementation, it only updates the
assert to match reality.

Bug: chromium:856095
Change-Id: I0227f4ccbc6c61c8f5f7669a266ef7a64c6a9a43
Reviewed-on: https://chromium-review.googlesource.com/1117922
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54149}
2018-07-03 03:42:20 +00:00
Michael Starzinger
406f4ffaca [wasm] Fix serialization of {WasmCode} with jump tables.
This correctly serializes {RelocInfo::INTERNAL_REFERENCE} addresses in a
position-independent form, so that they can be properly relocated when
the code is deserialized again. We store the offset within the code in
the serialized stream.

R=clemensh@chromium.org
TEST=mjsunit/wasm/compiled-module-serialization
BUG=chromium:857049

Change-Id: Ie8c84ee67bdfc17a65faa159a21cc1f2a78ac924
Reviewed-on: https://chromium-review.googlesource.com/1122414
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54140}
2018-07-02 14:41:13 +00:00
Gergely Nagy
d683fd7dd6 [asmjs] Fix parsing hex numeric literals ending with 'e'.
When parsing a numeric literal in a line like "a=0x0e+b|0;",
currently the scanner consumes the "e+" part (as it thinks
it's the start of an exponent).
In the ECMAScript lexical grammar HexIntegerLiteral cannot
contain exponents, which means the '+' character should be
parsed as a binary operator.

R=bradnelson@chromium.org
BUG=v8:7893

Change-Id: I97a0d4ea2ee1d38a3462efbfaef5eb87b8ea704b
Reviewed-on: https://chromium-review.googlesource.com/1116551
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54132}
2018-07-02 11:52:18 +00:00
Michael Starzinger
870e81a273 [wasm] Fix direct call tag computation during serialization.
This makes sure the reverse tag translation of direct call targets to
respective call tags is properly performed. Otherwise all direct call
end up being deserialized to call the function with index '0'. Ooops!

R=clemensh@chromium.org
TEST=mjsunit/wasm/compiled-module-serialization
BUG=chromium:857049

Change-Id: I37c1ee72b000daec87efdeed08d60a067b1a1b0c
Reviewed-on: https://chromium-review.googlesource.com/1120256
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54124}
2018-07-02 08:07:28 +00:00
Simon Zünd
327668d544 [array] Fix read-only property in NumberDictionary fast-path
This CL fixes the NumberDictionary fast-path in Array.p.sort, when
storing to a read-only property that was never read from.

R=jgruber@chromium.org

Bug: v8:7907
Change-Id: I2b772fb5b1619a94a7d239ba4417ecb7902a167c
Reviewed-on: https://chromium-review.googlesource.com/1119910
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54109}
2018-06-29 10:40:35 +00:00
Caitlin Potter
6c585ef0e8 [runtime] perform type conversion earlier in IntegerIndexedElementSet
When storing an indexed property in a typed array, it's necessary to
convert the value to a Number (or to a Bigint) before performing the
bounds check, per
https://tc39.github.io/ecma262/#sec-integerindexedelementset.

This CL adds appropriate type conversions in
Object::SetPropertyInternal (which technically is reached after the
bounds check has already occurred, but this isn't observable yet ---
In the future, once OOB accesses on TypedArrays actually throw, this
will need to be refactored again), and in StoreFastElementStub, and
ElementsTransitionAndStoreStub (via CSA::EmitElementStore).

The change was not necessary in TurboFan, as
JSNativeContextSpecialization already performs the value conversion
before the boundscheck.

The result is some fixed test262 tests, and some new test coverage
for this behaviour in mjsunit.

BUG=v8:7896, v8:5327
R=neis@chromium.org, jkummerow@chromium.org, gsathya@chromium.org

Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ibe6bec24c72ef6a4fd3e77d5bcafa03737f4c5e3
Reviewed-on: https://chromium-review.googlesource.com/1117372
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54096}
2018-06-28 18:28:33 +00:00
Ben Smith
c9b4f805a3 [wasm] postMessage of WebAssembly.Module in d8
Supporting postMessage from WebAssembly.Module requires implementing
some logic in the ValueSerializer and ValueDeserializer delegates. This
change implements some simple logic for d8.

This change also fixes a DCHECK that occurs when sending a shared
WebAssembly.Memory object to two Workers.

Bug: chromium:857049
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Idddb23a48175c7175967af3fbc03d8572452a069
Reviewed-on: https://chromium-review.googlesource.com/1117871
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54093}
2018-06-28 16:54:06 +00:00
Georg Neis
41454fdb3c [test] Skip two tests in debug mode.
When run locally, one times out and the other runs out of stack space.

R=sigurds@chromium.org

Change-Id: I7cc1aa9bb0857f12ac46baf80de18a2c5175b8b9
Reviewed-on: https://chromium-review.googlesource.com/1118231
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54087}
2018-06-28 13:22:31 +00:00
Clemens Hammacher
15428f19f2 [wasm] Register protected instructions after deserialization
R=mstarzinger@chromium.org

Bug: chromium:856938
Change-Id: I57699de23b5c35a531c7601fd14a91f075abb0da
Reviewed-on: https://chromium-review.googlesource.com/1117182
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54085}
2018-06-28 13:06:45 +00:00
Michael Starzinger
6d20218ed1 [wasm] Remove {WasmCompiledModule} object type.
R=clemensh@chromium.org

Change-Id: I01b0b4948973ebbe0386ae8ae08e722ad16bcab8
Reviewed-on: https://chromium-review.googlesource.com/1114616
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54058}
2018-06-27 14:02:51 +00:00
Caitlin Potter
97f71cdf2a [bootstrapper] set constructor property of %AsyncGeneratorPrototype%
For some reason, the property wasn't already added. Oops!

BUG=v8:7815
R=gsathya@chromium.org, neis@chromium.org

Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I71898ca1e84ce930f5d0ed75e44c75071f152904
Reviewed-on: https://chromium-review.googlesource.com/1114327
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54032}
2018-06-26 13:01:14 +00:00
Georg Neis
e3d4dd0805 Add missing deopt-trigger to invalidation of some protector cells.
R=bmeurer@chromium.org

Change-Id: Idd9c45f733e2e5d518c69a6ead2b56f6433ca30e
Reviewed-on: https://chromium-review.googlesource.com/1114598
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54020}
2018-06-26 09:38:20 +00:00
Yang Guo
b8626ca445 Skip long-running tests on gc-stress.
TBR=machenbach@chromium.org

Bug: v8:7881
Change-Id: I1fe6a64e3d64532411bdcbb95cd4dd36cbe234e0
Reviewed-on: https://chromium-review.googlesource.com/1111699
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54010}
2018-06-25 18:28:32 +00:00
Camillo Bruni
6ad42e8503 [proxies][keys] Do not filter ownKeys when defaulting to the target
Previously the KeyAccumulator incorrectly reused the filter properties when
collecting the keys of a proxy target. This led to incorect behavior where for
instance non-enumerable properties were filtered too early.


Bug: v8:7818
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I9b43b65be168ef0975fea9245d433a54338d228e
Reviewed-on: https://chromium-review.googlesource.com/1113743
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54008}
2018-06-25 16:40:01 +00:00
Mathias Bynens
75f14dbffc [regexp] Remove exhaustive Script_Extensions tests
The upstream test suite for Unicode property escapes [1] is exhaustive
and is updated soon after every new release of the Unicode Standard.
It is then upstreamed into Test262.

This patch simplifies our own Script_Extensions tests and the script
used to generate them. Now, only a few code points are tested for each
Script_Extension. This avoids unnecessary friction every time ICU
is updated based on a new Unicode version.

[1] https://github.com/mathiasbynens/unicode-property-escapes-tests
[2] https://github.com/tc39/test262/tree/master/test/built-ins/RegExp/property-escapes

Bug: chromium:850334, v8:7825
Change-Id: I792d6848ef48b41ea5e9db18b777040d019822f3
Reviewed-on: https://chromium-review.googlesource.com/1112250
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54003}
2018-06-25 13:42:59 +00:00
Clemens Hammacher
7f851cd42c Reland "[Liftoff] Fix register use count"
This is a reland of ada648006b, fixed
for 32 bit architectures (register pairs).

Original change's description:
> [Liftoff] Fix register use count
>
> In {SetLocalFromStackSlot}, we decrement the use count of the register
> in the target slot without updating this slot, and then call
> {GetUnusedRegister}. At that point, the register use counts do not
> match the cache state, which leads to errors later on.
> This CL fixes this by marking the target slot as a stack slot after
> reducing the register use count.
>
> It also adds a Validation which helped to find that error and will
> catch similar errors earlier.
>
> R=titzer@chromium.org
>
> Bug: chromium:854050, v8:6600
> Change-Id: I74d3a5aa947ec4247d7b4557567f642bf4082316
> Reviewed-on: https://chromium-review.googlesource.com/1111958
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53976}

TBR=titzer@chromium.org

Bug: chromium:854050, v8:6600
Change-Id: Ibc8801737e9604a8490382c569b0378585625376
Reviewed-on: https://chromium-review.googlesource.com/1112238
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53981}
2018-06-22 17:41:21 +00:00
Clemens Hammacher
cf2f6a57b5 Revert "[Liftoff] Fix register use count"
This reverts commit ada648006b.

Reason for revert: Failure with slow dchecks: https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20-%20debug/20982

Original change's description:
> [Liftoff] Fix register use count
> 
> In {SetLocalFromStackSlot}, we decrement the use count of the register
> in the target slot without updating this slot, and then call
> {GetUnusedRegister}. At that point, the register use counts do not
> match the cache state, which leads to errors later on.
> This CL fixes this by marking the target slot as a stack slot after
> reducing the register use count.
> 
> It also adds a Validation which helped to find that error and will
> catch similar errors earlier.
> 
> R=​titzer@chromium.org
> 
> Bug: chromium:854050, v8:6600
> Change-Id: I74d3a5aa947ec4247d7b4557567f642bf4082316
> Reviewed-on: https://chromium-review.googlesource.com/1111958
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53976}

TBR=titzer@chromium.org,clemensh@chromium.org

Change-Id: I5b8d8d405dcd7f82ee431cba290419425b9859a1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:854050, v8:6600
Reviewed-on: https://chromium-review.googlesource.com/1112277
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53979}
2018-06-22 16:26:20 +00:00
Clemens Hammacher
ada648006b [Liftoff] Fix register use count
In {SetLocalFromStackSlot}, we decrement the use count of the register
in the target slot without updating this slot, and then call
{GetUnusedRegister}. At that point, the register use counts do not
match the cache state, which leads to errors later on.
This CL fixes this by marking the target slot as a stack slot after
reducing the register use count.

It also adds a Validation which helped to find that error and will
catch similar errors earlier.

R=titzer@chromium.org

Bug: chromium:854050, v8:6600
Change-Id: I74d3a5aa947ec4247d7b4557567f642bf4082316
Reviewed-on: https://chromium-review.googlesource.com/1111958
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53976}
2018-06-22 15:40:52 +00:00
Deepti Gandluri
f2b90bd4dc [wasm] Catch invalid flags correctly
Cleanup decoding of flags so that invalid flags for sections other than
memory are caught correctly.

Bug: chromium:853453
Change-Id: Ia347d5f7672eee93ca3f6a743f06fba629f55cb5
Reviewed-on: https://chromium-review.googlesource.com/1104976
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53972}
2018-06-22 15:06:39 +00:00
Clemens Hammacher
76ac6372fa [wasm] Prepare enabling liftoff by default on ia32 and x64
Before flipping the flag, some tests need to be adapted. This CL
prepares these tests, such that the flag flip CL really just flips a
flag.

R=titzer@chromium.org, hablich@chromium.org

Bug: v8:6600, chromium:787421
Change-Id: I8030df69cda5f3fb81354350a37f65c0d1c669bd
Reviewed-on: https://chromium-review.googlesource.com/1110363
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53959}
2018-06-22 11:06:26 +00:00
Yang Guo
bea2dc3a71 Skip flaky wasm regress-827806 test
TBR=clemensh@chromium.org

Bug: v8:7872


Change-Id: I1f61e1ec7ffd86c7e8f74821fa0c4cd59bef57b2
Reviewed-on: https://chromium-review.googlesource.com/1110134
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53940}
2018-06-21 16:09:46 +00:00
Georg Neis
a2e9a19edd [turbofan] Add a test for lowering Object.create
Also add a DCHECK to a branch that can only be taken for the null
prototype.

R=sigurds@chromium.org

Change-Id: Ib94fe8f25ecfd1a4baa576915e6edfa60bcd771b
Reviewed-on: https://chromium-review.googlesource.com/1109961
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53939}
2018-06-21 15:54:21 +00:00
Peter Marshall
bededee46e [typedarray] Use slow case more aggressively in CopyElementsHandleImpl
Change-Id: If133fe47a086ed273446ee7e8f8af85bf9fc8389
Reviewed-on: https://chromium-review.googlesource.com/1108203
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53921}
2018-06-21 12:14:18 +00:00
Michael Achenbach
d31e031514 Revert "Reland "[async] Expose async hooks to d8""
This reverts commit 8e0f67be3f.

Reason for revert:
https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20-%20debug/20949

Original change's description:
> Reland "[async] Expose async hooks to d8"
> 
> This is a reland of 3c4d0316e4
> 
> Original change's description:
> > [async] Expose async hooks to d8
> >
> > This implementation follows the Node.js API as a guideline.
> >
> > Change-Id: I09274ea25ccdbb9794a7440d6c14f26b9febb4f4
> > Reviewed-on: https://chromium-review.googlesource.com/1065818
> > Commit-Queue: Maya Lekova <mslekova@chromium.org>
> > Reviewed-by: Ali Ijaz Sheikh <ofrobots@google.com>
> > Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> > Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#53551}
> 
> Change-Id: If2114db2ff179c6b07a40bc0c2dac3a41f37aea9
> Bug: chromium:850530
> Reviewed-on: https://chromium-review.googlesource.com/1088890
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53901}

TBR=ofrobots@google.com,sergiyb@chromium.org,gsathya@chromium.org,bmeurer@chromium.org,mslekova@chromium.org

Change-Id: Id55809a46bc5118103391fdbdfb52415182d3fd4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:850530
Reviewed-on: https://chromium-review.googlesource.com/1109038
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53902}
2018-06-21 06:28:30 +00:00
Maya Lekova
8e0f67be3f Reland "[async] Expose async hooks to d8"
This is a reland of 3c4d0316e4

Original change's description:
> [async] Expose async hooks to d8
>
> This implementation follows the Node.js API as a guideline.
>
> Change-Id: I09274ea25ccdbb9794a7440d6c14f26b9febb4f4
> Reviewed-on: https://chromium-review.googlesource.com/1065818
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Ali Ijaz Sheikh <ofrobots@google.com>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53551}

Change-Id: If2114db2ff179c6b07a40bc0c2dac3a41f37aea9
Bug: chromium:850530
Reviewed-on: https://chromium-review.googlesource.com/1088890
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53901}
2018-06-21 04:11:17 +00:00
Maya Lekova
ef8c18613a Reland "[async] Optimize await and AsyncFromSyncIterator"
This is a reland of 21c0d77e15

Original change's description:
> [async] Optimize await and AsyncFromSyncIterator
> 
> Simplify the promise wrapping in await and
> %AsyncFromSyncIteratorPrototype%.next/return/throw to reuse the PromiseResolve
> primitive. Now await takes 1 tick instead of 3 on the microtask queue.
> 
> Change-Id: I7e99b8689eb8fcb09c48915b11c1e06684dc0f1a
> Reviewed-on: https://chromium-review.googlesource.com/1090272
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Mathias Bynens <mathias@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53853}

Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ifa5b2fb8b2fb84b635b2dc1b6455d6aaf154cbfd
Reviewed-on: https://chromium-review.googlesource.com/1106977
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53900}
2018-06-20 23:08:36 +00:00
Simon Zünd
3bcf2b83eb [array] Change Array.p.sort bailout behavior from fast- to slow-path
This CL fixes a bug where execution would continue on a fast-path
even though a previous recursion step bailed to the slow path. This
would allow possibly illegal loads that could leak to JS.

Drive-by change: Instead of bailing to the slow-path on each recursion
step, we now bail completely and start the slow-path afterwards.

R=cbruni@chromium.org, jgruber@chromium.org

Bug: chromium:854299, v8:7382
Change-Id: Ib2fd5d85dbd0c3894d7775c4f62e053c31b5e5d1
Reviewed-on: https://chromium-review.googlesource.com/1107702
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53892}
2018-06-20 15:38:18 +00:00
Bill Budge
81835bf03d Revert "[async] Optimize await and AsyncFromSyncIterator"
This reverts commit 21c0d77e15.

Reason for revert: Compile failure in bootstrapper.cc

Original change's description:
> [async] Optimize await and AsyncFromSyncIterator
> 
> Simplify the promise wrapping in await and
> %AsyncFromSyncIteratorPrototype%.next/return/throw to reuse the PromiseResolve
> primitive. Now await takes 1 tick instead of 3 on the microtask queue.
> 
> Change-Id: I7e99b8689eb8fcb09c48915b11c1e06684dc0f1a
> Reviewed-on: https://chromium-review.googlesource.com/1090272
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Mathias Bynens <mathias@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53853}

TBR=kozyatinskiy@chromium.org,littledan@chromium.org,gsathya@chromium.org,bmeurer@chromium.org,domenic@chromium.org,mathias@chromium.org,mslekova@chromium.org

Change-Id: Ia631acdfcd5c1f9c28c1540c8da16cdf076abf87
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/1106566
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53855}
2018-06-19 20:22:20 +00:00
Maya Lekova
21c0d77e15 [async] Optimize await and AsyncFromSyncIterator
Simplify the promise wrapping in await and
%AsyncFromSyncIteratorPrototype%.next/return/throw to reuse the PromiseResolve
primitive. Now await takes 1 tick instead of 3 on the microtask queue.

Change-Id: I7e99b8689eb8fcb09c48915b11c1e06684dc0f1a
Reviewed-on: https://chromium-review.googlesource.com/1090272
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53853}
2018-06-19 19:55:52 +00:00
Peter Marshall
2ebd3ed2fa [typedarray] Fix incorrect optimization in IterableToList
Bug: chromium:854066
Change-Id: Icabd9bf5e00868822b9debfb9bbb5d3932726465
Reviewed-on: https://chromium-review.googlesource.com/1105774
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53840}
2018-06-19 13:01:08 +00:00
Simon Zünd
ce3c0064cd [array] Fix OOB load/stores when underlying FixedArray changed
This CL fixes a bug that allowed OOB read/stores on fastpaths when
a comparison function caused the underlying FixedArray to change
while keeping the elements kinds and size property on the original
JSArray the same.

R=jgruber@chromium.org

Bug: chromium:852592
Change-Id: I09af357d10e7f41e75241e4c87430fc9aa806f8c
Reviewed-on: https://chromium-review.googlesource.com/1104158
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53811}
2018-06-19 05:19:44 +00:00
Sigurd Schneider
8f8c53ba75 [mjsunit] Improve long-running test
Reading up on the bug description, this is a test
that is triggered by TurboFan execution. This can
be done with natives and does not need excessive
loop iterations. Additionally, we have a more specific
regression test for the original issue in the repo:
http://crrev.com/c/584837

Bug: v8:7783
Change-Id: Id022b515b663e6fb897acb29f43ef92b70b547b8
Reviewed-on: https://chromium-review.googlesource.com/1101018
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53799}
2018-06-18 14:45:23 +00:00
Igor Sheludko
412ec7539d [builtins] Relax type check in a slow path of Object.assign.
Bug: chromium:851393
Change-Id: I53cbf16068efbf24a2bd233c0b4c56e8361f9931
Reviewed-on: https://chromium-review.googlesource.com/1104317
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53798}
2018-06-18 14:37:38 +00:00
Igor Sheludko
e602c90abc Properly set enumeration order for accessor properties in class literals.
Bug: chromium:848165
Change-Id: I1ec18bf12f53c24f388dbd529fe62e990fbc8783
Reviewed-on: https://chromium-review.googlesource.com/1104175
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53793}
2018-06-18 12:45:02 +00:00
Sigurd Schneider
feef6195a2 [mjsunit] Improve speed with OptimizeOsr
Bug: v8:7783
Change-Id: I3c6a229b5a1a30ea089ffeef920bf48b27bc86ab
Reviewed-on: https://chromium-review.googlesource.com/1101030
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53790}
2018-06-18 12:13:02 +00:00
Sergiy Byelozyorov
f1462b59c4 Disable allocation-site-info to unblock LKGR
R=clemensh@chromium.org

No-Try: true
Bug: v8:7775
Change-Id: I5f248b84bcb5467b7e53951dbd70c5af4614caf2
Reviewed-on: https://chromium-review.googlesource.com/1102512
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53767}
2018-06-15 15:09:17 +00:00
Théotime Grohens
5b4e8db550 [dataview] Move DataView BigInt getters to Torque
This CL moves the remaining runtime DataView getters to Torque,
namely DataViewGetBigInt64/BigUint64, and removes the associated
runtime code that is now unneeded.

All of the DataView getters are now implemented in Torque, which brings
a nice performance improvement over the former C++ builtin code.

Change-Id: I35cf2eabce3c79cc0d3200e7f24dbe0c3e5c2804
Reviewed-on: https://chromium-review.googlesource.com/1092736
Commit-Queue: Théotime Grohens <theotime@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53765}
2018-06-15 13:07:56 +00:00
Peter Marshall
d69df91c27 [typedarray] Fix incorrect access to typed array byte offset.
Byte offset can be outside of Smi range and must be loaded as a Number
rather than a Smi.

Bug: chromium:852258
Change-Id: Ida6e07ba68a050d4f5a9f28500986cc67c619b4c
Reviewed-on: https://chromium-review.googlesource.com/1100886
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53748}
2018-06-15 08:26:41 +00:00
Sigurd Schneider
cf885c6c46 [mjsunit] Speed up array constructor test
Bug: v8:7783
Change-Id: Ieb29bcbd7400a84619aaf08ad86f8847e8bd78c3
Reviewed-on: https://chromium-review.googlesource.com/1101023
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53742}
2018-06-14 16:45:23 +00:00
Sigurd Schneider
f85023570d [mjsunit] Speed up test by using const
Bug: v8:7783
Change-Id: I0399d20c990e40b1a6dad8a7c12eb6fbce022d12
Reviewed-on: https://chromium-review.googlesource.com/1101028
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53739}
2018-06-14 15:56:03 +00:00
Sigurd Schneider
95bc6c7b87 [mjsunit] Use OptimizeOsr to speed up test
Bug: v8:7783
Change-Id: I878e8dd8bcfb7b797515b44bbe4333a7d85e8cc4
Reviewed-on: https://chromium-review.googlesource.com/1101024
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53738}
2018-06-14 15:54:53 +00:00
Junliang Yan
0fe56b84d5 s390: skip slow tests on s390
Change-Id: Iefcee48e44b6eb6c00923500be03056e723d8550
Reviewed-on: https://chromium-review.googlesource.com/1095841
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#53711}
2018-06-13 16:20:12 +00:00
Clemens Hammacher
e0dc3d2962 [wasm] Reject an exception in the start function on the promise
We assumed that if the ErrorThrower is empty after instantiation, then
instantiation succeeded and an instance exists which we can return.
However, if the start function throws, no instance exists, which caused
a crash. With this CL we handle execeptions thrown by the start
function correctly.


R=clemensh@chromium.org

Bug: chromium:848966
Change-Id: I51dc94e6bc563aa4a4b88c44a14e831af913fbd8
Reviewed-on: https://chromium-review.googlesource.com/1092234
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53687}
2018-06-13 09:01:48 +00:00
Ben Smith
7ce76fbc34 [wasm] Enable mutable-global by default
Mutable globals are now included in the wasm v1 spec.

Bug: v8:7625
Change-Id: Ib9b92d8348102f99a3b92820d0057b2c11a1e49a
Reviewed-on: https://chromium-review.googlesource.com/1095650
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53683}
2018-06-12 23:08:48 +00:00
Joyee Cheung
f892a76f4c Reland "[builtins] set DataView.length to 1"
This is a reland of a229e12101

The original commit broke a layout test in Blink. The test in Blink
has been marked to be skipped and will be updated once this patch
lands.

See https://chromium-review.googlesource.com/c/chromium/src/+/1097455

Original change's description:
> [builtins] set DataView.length to 1
>
> Refs: https://github.com/tc39/ecma262/pull/1131
> Test: test262/built-ins/DataView/length
> Bug: v8:7816
> Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: I66a06734bd32cd2043a8d04728b2185f6093bd69
> Reviewed-on: https://chromium-review.googlesource.com/1094980
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53649}

Bug: v8:7816
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: If63be80523a68d3a2b515fe1d55a243d2dd2a9b2
Reviewed-on: https://chromium-review.googlesource.com/1097568
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53682}
2018-06-12 21:54:47 +00:00
Ben Smith
da03262e4c [wasm] Fix for exporting imported mutable globals
Mutable globals are stored in the instance differently, so they must be
exported differently as well.

Also fix a counting bug that occurred when a module contained a global
and an imported mutable global (CalculateGlobalOffsets is called
twice).

Bug: v8:7625
Change-Id: I1cd7ef5d6ff7cb7e09239035f89d7b36d0436063
Reviewed-on: https://chromium-review.googlesource.com/1096673
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53681}
2018-06-12 21:26:27 +00:00
Clemens Hammacher
68bec6c3f7 [wasm] Fix serialization of lazily compiled modules
R=mstarzinger@chromium.org

Change-Id: If72df4425633cac8e98f0dd6adb80512e226f251
Reviewed-on: https://chromium-review.googlesource.com/1097323
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53677}
2018-06-12 17:07:36 +00:00
Michael Achenbach
9dd58b05e1 Revert "[builtins] set DataView.length to 1"
This reverts commit a229e12101.

Reason for revert: Breaks a layout test:
https://ci.chromium.org/buildbot/client.v8.fyi/V8-Blink%20Linux%2064/24021
fast/js/constructor-length.html

See also:
https://github.com/v8/v8/wiki/Blink-layout-tests

Original change's description:
> [builtins] set DataView.length to 1
> 
> Refs: https://github.com/tc39/ecma262/pull/1131
> Test: test262/built-ins/DataView/length
> Bug: v8:7816
> Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: I66a06734bd32cd2043a8d04728b2185f6093bd69
> Reviewed-on: https://chromium-review.googlesource.com/1094980
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53649}

TBR=gsathya@chromium.org,joyee@igalia.com

Change-Id: Iaa602a40bd09dec6884f5f56b1f010b59c19b32a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7816
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1097275
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53669}
2018-06-12 14:01:47 +00:00
Simon Zünd
964f11b6ac Re-enable regress-2185
This CL re-enables a mjsunit test for some simulator configurations
after Array.p.sort pivot selection improvements have landed.

R=jgruber@chromium.org

Bug: v8:7795
Change-Id: I03599c34e34a0bafd5f276b03aa4f059a8078026
Reviewed-on: https://chromium-review.googlesource.com/1096764
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#53660}
2018-06-12 09:55:43 +00:00