Commit Graph

6632 Commits

Author SHA1 Message Date
littledan
8c1397e4a0 [intl] Fix build for noi18n mode
Fix issue created by patch https://codereview.chromium.org/2582993002/

CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux_noi18n_rel_ng
TBR=yangguo@chromium.org
BUG=v8:4360

Review-Url: https://codereview.chromium.org/2599973002
Cr-Commit-Position: refs/heads/master@{#41945}
2016-12-23 17:10:30 +00:00
littledan
b0a09d7809 [intl] Add new semantics + compat fallback to Intl constructor
ECMA 402 v2 made Intl constructors more strict in terms of how they would
initialize objects, refusing to initialize objects which have already
been constructed. However, when Chrome tried to ship these semantics,
we ran into web compatibility issues.

This patch tries to square the circle and implement the simpler v2 object
semantics while including a compatibility workaround to allow objects to
sort of be initialized later, storing the real underlying Intl object
in a symbol-named property.

The new semantics are described in this PR against the ECMA 402 spec:
https://github.com/tc39/ecma402/pull/84

BUG=v8:4360, v8:4870
LOG=Y

Review-Url: https://codereview.chromium.org/2582993002
Cr-Commit-Position: refs/heads/master@{#41943}
2016-12-23 14:32:16 +00:00
jarin
e92118bbc2 [turbofan] Optimize store to typed arrays only if the value is plain primitive.
BUG=v8:5756

Review-Url: https://codereview.chromium.org/2596843002
Cr-Commit-Position: refs/heads/master@{#41942}
2016-12-23 14:29:00 +00:00
adamk
57e8acbbb3 Align __lookupGetter__/__lookupSetter__ behavior with the spec
These methods now return undefined upon finding a data property in the
prototype chain which shadows an accessor property, and when hitting
a Proxy, call the appropriate proxy traps.

R=cbruni@chromium.org, littledan@chromium.org
BUG=v8:5130

Review-Url: https://codereview.chromium.org/2592013003
Cr-Commit-Position: refs/heads/master@{#41929}
2016-12-22 19:24:47 +00:00
cbruni
f73973092c [ic] Always use generic ICs for growing element stores on arguments
In certain corner-cases we would grow a FAST_ELEMENTS packed backing store of a
JS_ARGUMENTS_TYPE object without converting to holey elements kinds. As a side
effect you could then read out the_hole.

BUG=v8:5772

Review-Url: https://codereview.chromium.org/2597013004
Cr-Commit-Position: refs/heads/master@{#41921}
2016-12-22 14:10:51 +00:00
hablich
aa8a208a47 Revert of [TypeFeedbackVector] Root literal arrays in function literals slots (patchset #11 id:370001 of https://codereview.chromium.org/2504153002/ )
Reason for revert:
Speculative revert because of blocked roll: https://codereview.chromium.org/2596013002/

Original issue's description:
> [TypeFeedbackVector] Root literal arrays in function literals slots
>
> Literal arrays and feedback vectors for a function can be garbage
> collected if we don't have a rooted closure for the function, which
> happens often. It's expensive to come back from this (recreating
> boilerplates and gathering feedback again), and the cost is
> disproportionate if the function was inlined into optimized code.
>
> To guard against losing these arrays when we need them, we'll now
> create literal arrays when creating the feedback vector for the outer
> closure, and root them strongly in that vector.
>
> BUG=v8:5456
>
> Review-Url: https://codereview.chromium.org/2504153002
> Cr-Commit-Position: refs/heads/master@{#41893}
> Committed: 93df094081

TBR=bmeurer@chromium.org,mlippautz@chromium.org,mvstanton@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5456

Review-Url: https://codereview.chromium.org/2597163002
Cr-Commit-Position: refs/heads/master@{#41917}
2016-12-22 10:26:36 +00:00
hablich
1e994192d6 Revert of [regexp] Remove IsRegExp intrinsic (patchset #1 id:1 of https://codereview.chromium.org/2591923003/ )
Reason for revert:
speculative revert: https://codereview.chromium.org/2596013002/

Original issue's description:
> [regexp] Remove IsRegExp intrinsic
>
> The two remaining uses of this intrinsic in debug.js and mirrors.js now
> simply rely on the runtime function.
>
> BUG=v8:5339
>
> Review-Url: https://codereview.chromium.org/2591923003
> Cr-Commit-Position: refs/heads/master@{#41892}
> Committed: c9cb94a06f

TBR=bmeurer@chromium.org,jgruber@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5339

Review-Url: https://codereview.chromium.org/2592383002
Cr-Commit-Position: refs/heads/master@{#41915}
2016-12-22 09:39:37 +00:00
yangguo
546152e754 Fix DoubleToRadixCString wrt Number.MIN_VALUE.
R=bmeurer@chromium.org
BUG=v8:5767

Review-Url: https://codereview.chromium.org/2599693002
Cr-Commit-Position: refs/heads/master@{#41910}
2016-12-22 06:57:01 +00:00
gsathya
2041c50402 [promises] Move Promise.prototype.catch to TF
This patch also refactors most of PromiseThen into InternalPromiseThen to
be reused with PromiseCatch and also changes InternalResolvePromise to
return and not branch.

BUG=v8:5343

Review-Url: https://codereview.chromium.org/2596553002
Cr-Commit-Position: refs/heads/master@{#41902}
2016-12-21 18:12:09 +00:00
mvstanton
93df094081 [TypeFeedbackVector] Root literal arrays in function literals slots
Literal arrays and feedback vectors for a function can be garbage
collected if we don't have a rooted closure for the function, which
happens often. It's expensive to come back from this (recreating
boilerplates and gathering feedback again), and the cost is
disproportionate if the function was inlined into optimized code.

To guard against losing these arrays when we need them, we'll now
create literal arrays when creating the feedback vector for the outer
closure, and root them strongly in that vector.

BUG=v8:5456

Review-Url: https://codereview.chromium.org/2504153002
Cr-Commit-Position: refs/heads/master@{#41893}
2016-12-21 14:06:29 +00:00
jgruber
c9cb94a06f [regexp] Remove IsRegExp intrinsic
The two remaining uses of this intrinsic in debug.js and mirrors.js now
simply rely on the runtime function.

BUG=v8:5339

Review-Url: https://codereview.chromium.org/2591923003
Cr-Commit-Position: refs/heads/master@{#41892}
2016-12-21 13:55:27 +00:00
titzer
55fc5c0c32 [wasm] Rename wasm::LocalType to wasm::ValueType and kAst* to kWasm*
This is more renaming work to comply with the naming in the public
design repository. E.g. types are called "value types" and we no longer
refer to ASTs.

R=clemensh@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2594993002
Cr-Commit-Position: refs/heads/master@{#41891}
2016-12-21 13:43:00 +00:00
titzer
01c464a5af [wasm] Set JS API names and function lengths appropriately.
R=clemensh@chromium.org
BUG=chromium:575167

Review-Url: https://codereview.chromium.org/2590243003
Cr-Commit-Position: refs/heads/master@{#41885}
2016-12-21 09:03:35 +00:00
adamk
b0c05f4ab3 [test] Avoid stack space exhaustion in test by passing --no-lazy
The test depends on tricky stack space requirements, so it stopped
working in some configurations win FLAG_min_preparse_length was removed
in commit 4a5b7e32c4.

As a workaround, pass --no-lazy until the test can be refined to work
on all configurations.

BUG=v8:5729
TBR=marja@chromium.org

Review-Url: https://codereview.chromium.org/2596673002
Cr-Commit-Position: refs/heads/master@{#41878}
2016-12-21 00:08:46 +00:00
Adam Klein
75586d3d9b Skip regress-trap-allocation-memento in gc_stress
This test requires its objects to live in new space, so running it
through gc stress runs just makes it susceptible to flakiness, as
was recently seen when turning on the --harmony-string-padding
flag (which just adds an extra JS file to the bootstrapper sequence).

TBR=ishell@chromium.org, jkummerow@chromium.org

Review-Url: https://codereview.chromium.org/2597543002 .
Cr-Commit-Position: refs/heads/master@{#41876}
2016-12-20 23:09:16 +00:00
littledan
53fdf9d192 Use a different map to distinguish eval contexts
eval() may introduce a scope which needs to be represented as a context at
runtime, e.g.,

  eval('var x; let y; ()=>y')

introduces a variable y which needs to have a context allocated for it. However,
when traversing upwards to find the declaration context for a variable which leaks,
as the declaration of x does above, this context has to be understood to not be
a declaration context in sloppy mode.

This patch makes that distinction by introducing a different map for eval-introduced
contexts. A dynamic search for the appropriate context will continue past an eval
context to find the appropriate context. Marking contexts as eval contexts rather
than function contexts required updates in each compiler backend.

BUG=v8:5295, chromium:648719

Review-Url: https://codereview.chromium.org/2435023002
Cr-Commit-Position: refs/heads/master@{#41869}
2016-12-20 16:23:19 +00:00
bmeurer
3d9c77d812 [es6] Fix the %TypedArray% constructor.
The %TypedArray% constructor must not ever try to construct an instance,
but rather throw a TypeError instead.

R=jarin@chromium.org
BUG=v8:5763

Review-Url: https://codereview.chromium.org/2587413002
Cr-Commit-Position: refs/heads/master@{#41868}
2016-12-20 16:14:08 +00:00
titzer
6e8338865a [wasm] Implement correct 2-level namespace for imports.
R=clemensh@chromium.org
CC=rossberg@chromium.org
BUG=chromium:575167

Review-Url: https://codereview.chromium.org/2591753002
Cr-Commit-Position: refs/heads/master@{#41866}
2016-12-20 15:32:56 +00:00
cbruni
c1402cbde3 [builtins] Fix String.prototype.indexOf with negative positions
BUG=chromium:674889

Review-Url: https://codereview.chromium.org/2593593002
Cr-Commit-Position: refs/heads/master@{#41858}
2016-12-20 12:40:57 +00:00
titzer
e797e0ea6d [wasm] Add test for reexport of the same import twice.
R=clemensh@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2592563003
Cr-Commit-Position: refs/heads/master@{#41850}
2016-12-20 10:43:54 +00:00
titzer
cbd3b3d0fe Implement header size calculation for array iterators.
R=bmeurer@chromium.org
BUG=chromium:674232

Review-Url: https://codereview.chromium.org/2592633002
Cr-Commit-Position: refs/heads/master@{#41849}
2016-12-20 10:38:17 +00:00
tebbi
abd63018d7 [turbofan] fixed escape analysis bug: missing copy of virtual state
R=jarin@chromium.org

BUG=chromium:673243

Review-Url: https://codereview.chromium.org/2578133002
Cr-Commit-Position: refs/heads/master@{#41848}
2016-12-20 10:30:52 +00:00
ishell
faf80b4ec0 [crankshaft] Ensure that we use inlined Array.prototype.shift only when there's no elements in the prototype chain.
BUG=chromium:663340

Review-Url: https://codereview.chromium.org/2593553002
Cr-Commit-Position: refs/heads/master@{#41846}
2016-12-20 10:18:02 +00:00
ishell
576a46f520 [crankshaft] Properly handle OOB string accesses.
BUG=chromium:665793

Review-Url: https://codereview.chromium.org/2589823003
Cr-Commit-Position: refs/heads/master@{#41842}
2016-12-20 10:01:59 +00:00
littledan
48a36c7df7 [intl] Avoid modifying options bag from constructor
Previously, the Intl.DateTimeFormat constructor and other related paths had
a bug where the options bag passed in would be modified in place. This patch
makes V8's Intl implementation follow the specification's logic to avoid
such a modification.

BUG=v8:4219

Review-Url: https://codereview.chromium.org/2587703002
Cr-Commit-Position: refs/heads/master@{#41826}
2016-12-19 21:36:16 +00:00
clemensh
5cbc4a9674 [wasm] Freeze exports object
We were not conforming to the spec before.

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2587913005
Cr-Commit-Position: refs/heads/master@{#41822}
2016-12-19 18:45:07 +00:00
titzer
b6a57e6ff5 [wasm] Add js-api test and fix property details for some functions.
R=clemensh@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2585193004
Cr-Commit-Position: refs/heads/master@{#41817}
2016-12-19 17:19:56 +00:00
yangguo
d5566b9e77 [inspector] gracefully handle stack overflows in the inspector.
Hopefully we can avoid going through JS at all, so we can avoid this issue.

R=jgruber@chromium.org, kozyatinskiy@chromium.org
BUG=v8:5654

Review-Url: https://codereview.chromium.org/2510093002
Cr-Original-Commit-Position: refs/heads/master@{#41802}
Committed: 3ab3b6261a
Review-Url: https://codereview.chromium.org/2510093002
Cr-Commit-Position: refs/heads/master@{#41807}
2016-12-19 14:07:55 +00:00
yangguo
a680b260ed Revert of [inspector] gracefully handle stack overflows in the inspector. (patchset #13 id:240001 of https://codereview.chromium.org/2510093002/ )
Reason for revert:
asan failure: https://build.chromium.org/p/client.v8/builders/V8%20Mac64%20ASAN/builds/10047/steps/Ignition%20-%20turbofan/logs/regress-2318

Original issue's description:
> [inspector] gracefully handle stack overflows in the inspector.
>
> Hopefully we can avoid going through JS at all, so we can avoid this issue.
>
> R=jgruber@chromium.org, kozyatinskiy@chromium.org
> BUG=v8:5654
>
> Review-Url: https://codereview.chromium.org/2510093002
> Cr-Commit-Position: refs/heads/master@{#41802}
> Committed: 3ab3b6261a

TBR=jgruber@chromium.org,kozyatinskiy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5654

Review-Url: https://codereview.chromium.org/2583173002
Cr-Commit-Position: refs/heads/master@{#41805}
2016-12-19 13:28:10 +00:00
cbruni
99a5aa1b95 [crankshaft] Fix IsClassOfTest helper method
Drive-by-fix: Add AstNode::Print() and improve printing of CallRuntime
              Expression.

BUG=v8:5749

Review-Url: https://codereview.chromium.org/2586933002
Cr-Commit-Position: refs/heads/master@{#41803}
2016-12-19 12:49:21 +00:00
yangguo
3ab3b6261a [inspector] gracefully handle stack overflows in the inspector.
Hopefully we can avoid going through JS at all, so we can avoid this issue.

R=jgruber@chromium.org, kozyatinskiy@chromium.org
BUG=v8:5654

Review-Url: https://codereview.chromium.org/2510093002
Cr-Commit-Position: refs/heads/master@{#41802}
2016-12-19 12:24:57 +00:00
cbruni
1c1465f124 [runtime] Add PositiveNumberToUint32 helper to avoid double to uint roundtrip
BUG=

Review-Url: https://codereview.chromium.org/2577143002
Cr-Commit-Position: refs/heads/master@{#41801}
2016-12-19 12:06:58 +00:00
machenbach
81dd9847cf Revert of [crankshaft] Fix IsClassOfTest helper method (patchset #1 id:1 of https://codereview.chromium.org/2586933002/ )
Reason for revert:
Breaks vtune:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20vtunejit/builds/15379

Original issue's description:
> [crankshaft] Fix IsClassOfTest helper method
>
> Drive-by-fix: Add AstNode::Print() and improve printing of CallRuntime
>               Expression.
>
> BUG=v8:5749
>
> Review-Url: https://codereview.chromium.org/2586933002
> Cr-Commit-Position: refs/heads/master@{#41792}
> Committed: d4493222b9

TBR=bmeurer@chromium.org,cbruni@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5749

Review-Url: https://codereview.chromium.org/2587973002
Cr-Commit-Position: refs/heads/master@{#41795}
2016-12-19 11:22:36 +00:00
yangguo
07fa0f4967 [serializer] do not serialize script wrappers.
The scenario here: the asm function fails asm validation,
so we emit a message. In doing so, we create a JSValue wrapper for
the script object that we cache on the script object. This wrapper
is context-dependent and causes the code serializer to choke.

R=mtrofin@chromium.org, titzer@chromium.org
BUG=chromium:674446,chromium:673321

Review-Url: https://codereview.chromium.org/2586943003
Cr-Commit-Position: refs/heads/master@{#41794}
2016-12-19 10:53:02 +00:00
cbruni
d4493222b9 [crankshaft] Fix IsClassOfTest helper method
Drive-by-fix: Add AstNode::Print() and improve printing of CallRuntime
              Expression.

BUG=v8:5749

Review-Url: https://codereview.chromium.org/2586933002
Cr-Commit-Position: refs/heads/master@{#41792}
2016-12-19 10:45:48 +00:00
yangguo
1296dd1f5a [debug-wrapper] remove last uses of --expose-debug-as
The inspector cannot deal with breaking inside of debug-evaluate.
There is therefore no point in supporting that in the debugger.
The optional additional context parameter for debug-evaluate also
can be removed since it's not being used.

R=jgruber@chromium.org
BUG=v8:5530

Review-Url: https://codereview.chromium.org/2580323002
Cr-Commit-Position: refs/heads/master@{#41791}
2016-12-19 10:44:34 +00:00
yangguo
bcb73f6219 [inspector] add scope type for modules.
R=jgruber@chromium.org, kozyatinskiy@chromium.org
BUG=v8:5530

Review-Url: https://codereview.chromium.org/2568083002
Cr-Commit-Position: refs/heads/master@{#41765}
2016-12-16 14:28:56 +00:00
rossberg
16fe426320 Implement LinkError; import tweaks
- Implement new WebAssembly.LinkError exception
- Implement stricter checks for glboal imports
- Add tests
- Refactor handling of import names
- Add TODOs for empty import names

R=titzer@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2584843002
Cr-Commit-Position: refs/heads/master@{#41764}
2016-12-16 14:23:35 +00:00
cbruni
89f159b042 [runtime] Port simple String.prototype.indexOf cases to TF Builtin
Many websites use simple calls to String.prototype.indexOf with either a
one character ASCII needle or needles bigger than the search string. This
CL adds a TFJ builtin for these simple cases, giving up to factor 5 speedup.

Drive-by-fix: Add default Object type to Arguments.at

BUG=

Review-Url: https://codereview.chromium.org/2539093002
Cr-Commit-Position: refs/heads/master@{#41760}
2016-12-16 13:24:07 +00:00
rmcilroy
cb9d0fe7f4 [Complier] Only optimize a function marked for tier-up if it is compiled.
When mark-shared-funtion-for-tier-up is enabled, a function could be marked for
optimization, then the baseline (FCG) code is flushed by the GC. The next time
the function is executed, we shouldn't optimize the code if there isn't
baseline code.

BUG=chromium:673242

Review-Url: https://codereview.chromium.org/2575333003
Cr-Commit-Position: refs/heads/master@{#41751}
2016-12-16 10:44:50 +00:00
neis
e3ad4f131b [modules] Remove @@iterator on namespace objects.
TC39 decided at their last meeting to remove this feature.

R=adamk@chromium.org
TBR=ulan@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2578053003
Cr-Commit-Position: refs/heads/master@{#41745}
2016-12-16 08:57:29 +00:00
marja
ed080e6966 Disable lazy parsing inside eval (see bug).
If the eval contains a let, we need to know whether an inner function
refers to the variable to be able to decide its context allocation
status.

The added test needs https://codereview.chromium.org/2435023002/ too
in order to pass.

BUG=v8:5736

Review-Url: https://codereview.chromium.org/2574753002
Cr-Commit-Position: refs/heads/master@{#41723}
2016-12-15 14:26:58 +00:00
ahaas
7bd61b601c [wasm] Introduce the TrapIf and TrapUnless operators to generate trap code.
Some instructions in WebAssembly trap for some inputs, which means that the
execution is terminated and (at least at the moment) a JavaScript exception is
thrown. Examples for traps are out-of-bounds memory accesses, or integer
divisions by zero.

Without the TrapIf and TrapUnless operators trap check in WebAssembly introduces 5
TurboFan nodes (branch, if_true, if_false, trap-reason constant, trap-position
constant), in addition to the trap condition itself. Additionally, each
WebAssembly function has four TurboFan nodes (merge, effect_phi, 2 phis) whose
number of inputs is linear to the number of trap checks in the function.
Especially for functions with high numbers of trap checks we observe a
significant slowdown in compilation time, down to 0.22 MiB/s in the sqlite
benchmark instead of the average of 3 MiB/s in other benchmarks. By introducing
a TrapIf common operator only a single node is necessary per trap check, in
addition to the trap condition. Also the nodes which are shared between trap
checks (merge, effect_phi, 2 phis) would disappear. First measurements suggest a
speedup of 30-50% on average.

This CL only implements TrapIf and TrapUnless on x64. The implementation is also
hidden behind the --wasm-trap-if flag.

Please take a special look at how the source position is transfered from the
instruction selector to the code generator, and at the context that is used for
the runtime call.

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2562393002
Cr-Commit-Position: refs/heads/master@{#41720}
2016-12-15 13:31:29 +00:00
jarin
01de216fd7 [turbofan] Handle the impossible value representation mismatch in instruction selector.
Review-Url: https://codereview.chromium.org/2579743002
Cr-Commit-Position: refs/heads/master@{#41718}
2016-12-15 12:13:06 +00:00
rmcilroy
ae741d042c [Interpreter] Allocate registers used as call arguments on-demand.
Allocate the registers used as arguments to a call on-demand after visiting the
argument (or reciever). This means that the visited expression can use registers
that would otherwise have been allocated for arguments which haven't been
visited yet.

The reason for doing this is to avoid keeping things live in registers
unecessarily for chained function calls, which avoids a memory leak for
functions which chain a large number of calls with large temporary arguments /
recievers.

BUG=chromium:672027

Review-Url: https://codereview.chromium.org/2557173004
Cr-Commit-Position: refs/heads/master@{#41714}
2016-12-15 10:59:57 +00:00
mstarzinger
6c620e5312 Fix usage of literal cloning for large double arrays.
This fixes a corner case where the {FastCloneShallowArrayStub} was used
for literals that are backed by a double backing store and would exceed
limits for new-space allocations on 32-bit architectures. The stub in
question does not support such literals, callers must use the runtime.
Note that this fix is for Ignition as well as FullCodeGenerator.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-672792
BUG=chromium:672792

Review-Url: https://codereview.chromium.org/2570843002
Cr-Commit-Position: refs/heads/master@{#41713}
2016-12-15 10:29:47 +00:00
jgruber
f3b9d570cb [regexp] Let RegExp.prototype.compile return this
ES6 requires the compile method to return this:
www.ecma-international.org/ecma-262/6.0/#sec-regexp.prototype.compile

BUG=v8:5722,chromium:585775

Review-Url: https://codereview.chromium.org/2577653002
Cr-Commit-Position: refs/heads/master@{#41705}
2016-12-15 07:29:39 +00:00
mtrofin
77b50a8e12 [wasm] disable serialization for asm-wasm
Determine if the scope of the function to be serialized includes asm-
wasm, and if so, bypass serialization, since we do not support it in
that scenario.

In this change, we do so regardless of whether the asm-wasm path was
successful. This is so we keep the design simple, since the guidance
to developers, moving forward, is to use wasm.

BUG=643595

Review-Url: https://codereview.chromium.org/2573193002
Cr-Commit-Position: refs/heads/master@{#41704}
2016-12-15 05:06:54 +00:00
nikolaos
f39665e360 [parser] Fix bug with non-static name method/property
Without this patch, the tests on lines 410, 414, 418 and 422 in
function testNonStaticName of test/mjsunit/es6/function-name.js
would all fail.  The bug caused non-static "name" methods and
properties to be mistaken for static ones.

R=adamk@chromium.org, verwaest@chromium.org
BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2567343004
Cr-Commit-Position: refs/heads/master@{#41692}
2016-12-14 12:12:01 +00:00
titzer
576abe14c6 [runtime] Add instance size check for CheckEquivalent().
WASM exported functions have additional internal fields which change the instance
size. Adding a getter or setter to such an exported function results in its map
becoming normalized. The normalized map cache, however, finds a different map
with a different instance size, and thus BOOM.

R=verwaest@chromium.org,cbruni@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2554343002
Cr-Commit-Position: refs/heads/master@{#41691}
2016-12-14 11:59:56 +00:00