Commit Graph

10048 Commits

Author SHA1 Message Date
Michael Starzinger
7f00bb5ad6 [wasm] Add support to construct 'exnref' type globals.
R=ahaas@chromium.org
TEST=mjsunit/wasm/exceptions-global
BUG=v8:8091

Change-Id: I9eb4c92cca087719afda2da5d11c206aaed28c95
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771788
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63414}
2019-08-27 14:29:16 +00:00
Toon Verwaest
864cacd65a [json] Don't consume sibling feedback from objects with detached maps
By marking maps detached from the transition tree as prototypes, we'll
automatically stop tracking transitions from those detached fast maps. That
allows us to quickly check whether a map is detached (or the initial map
anyway); and saves memory. We can use this information to ignore sibling type
feedback when parsing a JSON array with many distinctly shaped json objects.

Bug: chromium:993980
Change-Id: I86d493ac2cabec2c31c6e322ad5c5a7ace059dfc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771778
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63403}
2019-08-26 15:57:52 +00:00
Leszek Swirski
7e1fbe8f34 [ic] Check Double representation on store
For stores with Double feedback, StoreIC needs to check that the
representation is still Double before doing the store, in case it
accidentally tries to write to an object or worse, mutate a non-mutable
HeapNumber.

Bug: v8:9606
Bug: chromium:997485
Change-Id: I51e0953b40f752648c5e86b8644c23baf636367e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768373
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63402}
2019-08-26 15:40:12 +00:00
Joshua Litt
1fcbe01a04 Revert "[regexp] Implement the match indices proposal"
This reverts commit 9460101cdb.

Reason for revert: Causes confusion on Blink side, as it introduces
an object with >=2 internal fields that is not a wrapper (see bug).

Bug: chromium:996681
Change-Id: I275b5a064a4ee8c73c05f97be322924a3bc5370e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769148
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63386}
2019-08-23 17:39:38 +00:00
Georg Schmid
7fd1922823 [turbofan] Relax double const store invariant in load elim. for literals
Even when a field is marked const, we may emit multiple consecutive in-literal stores to that field. That is, in 'JSNativeContextSpecialization::BuildPropertyStore', when the access mode is 'kStoreInLiteral' and we are accessing a const field, we may produce a StoreField node, even though another StoreField (that stores something other than 'Uninitialized') to the same const field dominates it. This appears to be sound, since earlier stores to literals cannot be observed anyways.

Unfortunately this behavior conflicts with the double const store invariant in load elimination: Roughly speaking, we assume that load elimination may never observe two consecutive const stores to the same field on the same object.

The apparent solution would be to treat 'kStoreInLiteral' accesses like regular 'kStore' accesses: For consecutive stores to const properties we don't emit StoreField, but instead emit code that checks whether the value about to be written is equivalent to the previously written one, and otherwise deopt ('DeoptimizeReason::kWrongValue'). Unfortunately this turns out impractical, since for 'kStoreInLiteral' accesses we can't easily decide whether we're dealing with the first such store or one of the consecutive ones. Also see this abandoned CL: https://chromium-review.googlesource.com/c/v8/v8/+/1762020.

This CL instead adds an exception to the invariant in load elimination. We track whether a store arose from a 'kStoreInLiteral' access, and use this information when visiting StoreField nodes in load elimination.

R=neis@chromium.org, tebbi@chromium.org

Bug: chromium:987205
Change-Id: I8829752aa0637e9599677d20aad2d706d40d7fe6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763535
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Schmid <gsps@google.com>
Cr-Commit-Position: refs/heads/master@{#63385}
2019-08-23 17:10:48 +00:00
Andreas Haas
585943d4e2 Reland "[regexp] Only append to JSRegExpResult's initial map if we add descriptor"
This reverts commit 5db04cc0dd.

Reason for revert: <INSERT REASONING HERE>

Original change's description:
> Revert "[regexp] Only append to JSRegExpResult's initial map if we add descriptor"
> 
> This reverts commit dc1cc2232b.
> 
> Revert "[regexp] Implement the match indices proposal"
> 
> This reverts commit 9460101cdb.
> 
> Reason for revert: Causes confusion on Blink side, as it introduces
> an object with >=2 internal fields that is not a wrapper (see bug).
> 
> Bug: chromium:996681
> Change-Id: I5c167e9e15bfbec2aa6b843e3063ead5d52fb26c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768897
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63376}

TBR=yangguo@chromium.org,sigurds@chromium.org,joshualitt@chromium.org

Change-Id: Ic58fc3fc83faaf86bd895da29eacb7d51c443beb
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:996681
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768584
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63379}
2019-08-23 16:14:52 +00:00
Sigurd Schneider
bad6116e85 [mjsunit] Harden %GetOptimizationStatus against races
With this Cl, a function that has been marked for deoptimization will
not be reported as optimized. This protects against potential races
where an mjsunit tests assertUnoptimized, and the optimized code for
the function has been marked for deoptimization, but not been disposed
of yet.

The potential for this race has been discovered in the context of bug
v8:9563, but this CL is not a fix for that bug.

Change-Id: I89d8aa85f19033e6b823324b3307b95d61367147
Bug: v8:9563
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763543
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63377}
2019-08-23 15:57:21 +00:00
Joshua Litt
5db04cc0dd Revert "[regexp] Only append to JSRegExpResult's initial map if we add descriptor"
This reverts commit dc1cc2232b.

Revert "[regexp] Implement the match indices proposal"

This reverts commit 9460101cdb.

Reason for revert: Causes confusion on Blink side, as it introduces
an object with >=2 internal fields that is not a wrapper (see bug).

Bug: chromium:996681
Change-Id: I5c167e9e15bfbec2aa6b843e3063ead5d52fb26c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768897
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63376}
2019-08-23 15:28:21 +00:00
Joshua Litt
48c9ca4462 [names] Fix some test262 name tests to conform with spec changes
In order to reflect web reality, TC39 has made some slight changes to
name descriptors, see https://github.com/tc39/ecma262/pull/1490 for
details. V8 was mostly already in compliance with these changes, but
ThrowTypeError and anonymous classes needed some slight changes.

Bug: v8:9646
Change-Id: I163238954938f0c005e3adbc61b90498e01436da
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1764622
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63373}
2019-08-23 15:04:31 +00:00
Maya Lekova
f16a3a7436 [turbofan] Fix memory corruption
Bug: chromium:997057
Change-Id: I821b91ff51f82e6325dae5719e1669142c82b05e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768579
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63369}
2019-08-23 14:03:01 +00:00
Georg Neis
450128c79e [turbofan] Fix stability checks in InferHasInPrototypeChain
While we only need to check stability of the receiver map if its
inference was "unreliable", we must check stability of each prototype's
map unconditionally.

Bug: chromium:997100
Change-Id: I20071ac9eb74c810ad2ab1d78abfb54a1a006c29
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768576
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63364}
2019-08-23 11:29:30 +00:00
Ana Peško
c317f606bd [regexp] Print correct kind of regexp code (native/bytecode) when tier-up
is enabled.

Change-Id: Iab87b9c7a0d0600782b02537844338ff065622ab
Bug: chromium:996234
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1765531
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Ana Pesko <anapesko@google.com>
Cr-Commit-Position: refs/heads/master@{#63360}
2019-08-23 09:24:22 +00:00
Michael Starzinger
e16775163a [wasm] Preserve identity on {WasmJSFunction} re-export.
This preserves the object identity of a {WebAssembly.Function} instance
that is being re-exported by a module. Such functions are considered to
have an internal [[FunctionAddress]] slot and hence require their object
identity to be preserved (similar to {WasmExportedFunction} already).

R=jkummerow@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: I88ba75fcd91ce04440008467f3b218a1ac3047db
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763545
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63346}
2019-08-22 15:00:22 +00:00
Andreas Haas
73010d22dd [wasm][bigint] Fix calls to imports with I64 in their signature
For import wrappers, we add a special "callable" parameter as the last
parameter. This parameter is not set in the TurboFan graph but in the
code generator. Therefore this parameter has to be allocated in a
special register and cannot be lowered generically. With this CL we
detect in the CallDescriptor lowering if the last parameter is this
special "callable" parameter. If so, we preserve it in the lowered
CallDescriptor in the same register.

R=jkummerow@chromium.org

Bug: v8:7741
Change-Id: I884baa41813011c811612ec84f4e3cfe86a0e83a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762014
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63344}
2019-08-22 14:22:06 +00:00
Sigurd Schneider
6d9b7988f7 [testing] Prevent heuristics from triggering optimization in tests
This CL adds a mechanism that prevents the RuntimeProfiler from
triggering optimization of a function after
%PrepareFunctionForOptimization has been called. This is useful to
prevent flakiness in tests, as sometimes a function that already
got deoptimized would receive a new code object from a concurrent
compile that was triggered by a heuristic just in the right moment
for the assertUnoptimized test to fail. For example, the following
was happening:

PrepareFunctionForOptimization
[marking `testAdd` for optimized recompilation, reason: small function]
[concurrently compiling method `testAdd` using TurboFan]
[manually marking `testAdd` for non-concurrent optimization]
[synchonously compiling method `testAdd` using TurboFan]
[synchonously optimizing `testAdd` produced code object 0xAAAA - took 1.638 ms]
Runtime_GetOptimizationStatus OPTIMIZED `testAdd` (code object 0xAAAA)
DeoptimizeFunction `testAdd` with Code Object 0xAAAA
[concurrently optimizing `testAdd` produced code object 0xBBBB - took 3.377 ms]
Runtime_GetOptimizationStatus OPTIMIZED `testAdd` (code object 0xBBBB)

Bug: v8:9563
Change-Id: Ia4c846aba95281589317d43b82383e70fe0a35f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763546
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63343}
2019-08-22 13:51:36 +00:00
Andreas Haas
12c009dee7 [wasm] 32-bit support WebAssembly's i64<>JavaScript's BigInt conversions
This CL was reviewed originally in https://crrev.com/c/1518181.

Bug: v8:7741
Change-Id: Iddb139a24c4b9aee6694e20cb5d04e9f9887160c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752859
Auto-Submit: Sven Sauleau <sven@cloudflare.com>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63321}
2019-08-21 17:03:51 +00:00
Joshua Litt
3ec1036526 [nullish] Add support for nullish operator
This CL implements the nullish operator in bytecode as defined by:
https://github.com/tc39/proposal-nullish-coalescing. It can be
enabled by passing '--harmony-nullish'.

Nullish is similar to logical operators, but instead of truthy/falsey
values, it short circuits when it evaluates a null or undefined value.


Bug: v8:9547
Change-Id: Ia0f55877fc2714482b5547942baef9733537d1b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1738568
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63317}
2019-08-21 15:48:34 +00:00
Michael Starzinger
fd8fe87387 [wasm] Add WebAssembly.Module type reflection of memories.
This adds type reflection support to the {WebAssembly.Module.exports} as
well as {WebAssembly.Module.imports} method. It also refactors existing
reflective code to use the internal instead of the public embedder API,
which is slightly more efficient anyways.

R=ahaas@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: I88a6c7e9236a549808707c72e40a63302b7747a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763527
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63312}
2019-08-21 14:45:14 +00:00
Michael Starzinger
df76f1e55a [wasm] Add test case for {WebAssembly.Function} re-export.
This just adds a test case checking against the current behavior, but
expectations might change once the proposal is clarified. For details
see: https://github.com/WebAssembly/js-types/issues/11

R=ahaas@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: I2fc502460c0a8094a414d138703b75497b2d1c6f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762517
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63311}
2019-08-21 14:43:03 +00:00
Michael Starzinger
431cfbc4e8 [wasm] Add WebAssembly.Module type reflection of tables.
This adds type reflection support to the {WebAssembly.Module.exports} as
well as {WebAssembly.Module.imports} method. It also refactors existing
reflective code to use the internal instead of the public embedder API,
which is slightly more efficient anyways.

R=ahaas@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: Ic51b7b4744f7b3ad056a778aecfc4614ca8d6e75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762019
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63299}
2019-08-21 08:40:56 +00:00
Leszek Swirski
489e7deb7e [object] Remove MutableHeapNumber
Since the mutability of HeapNumbers is determined by their owning
object's descriptor array, we can remove the MutableHeapNumber type
entirely, at the cost of a few fewer DCHECKs and a couple of TODOs
to use the descriptor array information.

This is a necessary step towards a follow-up which allows in-place
Double -> Tagged transitions

Design doc: https://docs.google.com/document/d/1VeKIskAakxQFnUBNkhBmVswgR7Vk6T1kAyKRLhqerb4/

Bug: v8:9606
Change-Id: I13209f9c86f1f204088f6fd80089e17d956b4a50
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743972
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63294}
2019-08-20 19:04:04 +00:00
Joyee Cheung
77d50cd8e7 [class] implement private accessor declarations
This patch implements the declaration of private accessors.
When iterating over the class properties, we track private
accessors associated with the same name in a ZoneHashMap.
Once we get to all the necessary components for a private name
(we know statically whether we should expect only a setter,
only a getter, or both), we emit a call to a runtime function
`CreatePrivateAccessors` that creates an AccessorPair, and
store the components in it. The AccessorPair is then associated
with the private name variable and stored in the context
for later retrieval when the private accessors are accessed.

Design doc: https://docs.google.com/document/d/10W4begYfs7lmldSqBoQBBt_BKamgT8igqxF9u50RGrI/edit

Bug: v8:8330
Change-Id: Ie6d3882507d143b1f645d7ae82b21b7358656e89
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1725670
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63284}
2019-08-20 15:32:34 +00:00
Dan Elphick
dd54736795 [parser] Fix bytecode mismatch for this
Fixes bytecode mismatch between lazy and non-lazy where "this" was
marked as maybe assigned in constructors that called the super
constructor. Since this will return the hole in cases where it was not
yet initialized by super (and the hole is explicitly handled by
JSContextSpecialization::ReduceJSLoadContext), it's safe to treat it as
a constant in all cases. In the case of lazy compilation case, "this"
is never added to the ScopeInfo so is never seen as mutable.

Bug: chromium:994719
Change-Id: I43478fbc626b19eb1533aa9dec61b7f276ae140b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762025
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63283}
2019-08-20 15:21:24 +00:00
Michael Starzinger
f2bb20f6c5 [wasm] Add WebAssembly.Module type reflection of functions.
This adds type reflection support to the {WebAssembly.Module.exports} as
well as {WebAssembly.Module.imports} method. It also refactors existing
reflective code to use the internal instead of the public embedder API,
which is slightly more efficient anyways.

R=ahaas@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: I168741d382373ec47ebe0517ce7803732cbb3b24
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762011
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63276}
2019-08-20 13:49:05 +00:00
Michael Starzinger
017a68c0ee [wasm] Add WebAssembly.Module type reflection of globals.
This adds type reflection support to the {WebAssembly.Module.exports} as
well as {WebAssembly.Module.imports} method. It also refactors existing
reflective code to use the internal instead of the public embedder API,
which is slightly more efficient anyways.

R=ahaas@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: I5f20ea57261f6433b8d86f55054216bf96b41382
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760826
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63273}
2019-08-20 12:48:43 +00:00
Joshua Litt
9460101cdb [regexp] Implement the match indices proposal
Implements match indices for regexp, as specified by
https://github.com/tc39/proposal-regexp-match-indices,
a stage 3 TC39 proposal. This implementation is hidden
behind the '--harmony-regexp-match-indices' flag.

Regexp match indices extends the JSRegExpResult object
with an array of indices of matches, as well as a
dictionary of capture names to match indices.

Bug: v8:9548
Change-Id: I9866a2d1f5af6a507de710357cb5e74c694e7558
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1734937
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63272}
2019-08-20 12:32:43 +00:00
Georg Neis
7a253510c8 [turbofan] Try to insert soft deopt for exponentiation
This brings the graph builder in sync with the serializer (and
exponentiation in sync with the other binary operators).

Bug: chromium:995430, v8:7790
Change-Id: I809b6f3756f75392cdc6747f8bcee8cdf0ee0f74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762013
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63269}
2019-08-20 11:55:46 +00:00
Georg Neis
4ec75d8409 [turbofan] Fix JSStoreDataPropertyInLiteral reduction
... by making the operator have a control output, since we could deopt
after my last change.

Bug: chromium:995562, v8:7790
Change-Id: Ibc8c44708b4d43c4b2c3dfab2fd8fdf79c7ea671
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762010
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63268}
2019-08-20 11:37:16 +00:00
Santiago Aboy Solanes
761addecef [arm64][ptr-compr] Mark some Arm64 sim pointer compression tests as slow
They were timeouting, e.g
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20-%20arm64%20-%20sim%20-%20pointer%20compression/2193

Change-Id: Icf3fcde15510cbdefcd2da8e66530c589f4423f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762008
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63267}
2019-08-20 10:46:57 +00:00
Z Nguyen-Huu
bc1c36ee56 Reland "[builtins] Port RegExpTest to Torque"
This is a reland of f54f92dda1.

Fix IsFastRegExpPermissive to call BranchIfFastRegExp_Permissive.

Original change's description:
> [builtins] Port RegExpTest to Torque
>
> Bug: v8:8976
> Change-Id: Ia4dc120a31eb363599b47b22b749a3146a9c7c73
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1746083
> Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63211}

Bug: v8:8976, chromium:994041
Change-Id: I86c9c66b060f47164515e29f914b95456c233d30
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1756390
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63255}
2019-08-19 16:44:55 +00:00
Gus Caplan
5d4ca7ba86 fix delete + optional chain jump condition
The optional chaining bytecode in delete expressions was
unconditionally jumping if the receiver was nullish, instead
of just when the property was an actual optional chain link.
This change adds the missing check around the jump.

Change-Id: Ic7bed58be4ae62d157e63e4f77666b1abd1f802d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755264
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63251}
2019-08-19 15:21:20 +00:00
Patrick Thier
098f85a464 Skip jitless tests on builds without embedded builtins
Test mjsunit/regress/regress-992389 explicitly sets the jitless flag
when run.
Skip this test when run on builds without embedded-builtins.

Bug: v8:9632, chromium:992389
Change-Id: Ieb52a33006b1104080d8f5adb8c4f2c36e4413af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758317
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63240}
2019-08-19 12:02:19 +00:00
Georg Schmid
f85826eaf2 [turbofan] Track field owner maps during load elimination
This CL adds additional information in PropertyAccessInfos and FieldAccesses about the map that introduced the accessed field. We use this information to prevent load elimination from incorrectly optimizing certain accesses marked const.

Prior to this CL, load elimination simply stored information about eliminatable field accesses based on objects (identified by nodes in the graph) and offsets (i.e., statically known ones). In the presence of const stores and loads this is insufficient, since a single object (in the above sense) may contain distinct *const* properties at the same offset throughout its lifetime. As an example, consider the following piece of code:

    let obj = {};
    obj.a = 0;
    obj[1024] = 1;  // An offset of >=1024 forces an elements-kind transition
    delete obj.a;
    obj.b = 2;
    assertEquals(obj.b, 2);

In this scenario, *both* the first ('obj.a = 0') and the second ('obj.b = 2') store to a field will be marked const by the runtime. The reason that storing to 'a' above ends up being marked const, is that 'a' before and after the elements-kind transition is encoded in separate transition trees. Removing 'a' ('delete obj.a') only invalidates const-ness in the dictionary-elements transition tree; not the holey-elements one used at the time of 'obj.a = 0'.

The above situation on its own violates an invariant in load elimination. Namely, we assume that for the same object and offset, we will never encounter two const stores. One can extend the above snippet to coax load-elimination into producing incorrect results. For instance, by "hiding" 'obj.b = 2' in an unoptimized function call, the consecutive load from 'b' will incorrectly produce 0, violating the assert.

R=neis@chromium.org, tebbi@chromium.org

Bug: chromium:980183, chromium:983764
Change-Id: I576a9c7efd416fa9db6daff1f42d483e4bd369b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751346
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63226}
2019-08-16 16:08:45 +00:00
Dan Elphick
cfe6ceae3f Fix crash Code::DropStackFrameCacheCommon
Fixes DCHECK failure in DropStackFrameCacheCommon by returning early if
the source_position_table is Exception.

Bug: chromium:990582, v8:8510
Change-Id: I671f3e0cdc9f880dedf8ecd2fffb1083229dc6dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752856
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63209}
2019-08-14 15:03:27 +00:00
Ross McIlroy
8c4609fdee [Parser] Don't mark receiver as MaybeAssigned since it can't be assigned.
Otherwise there is a mismatch between eager parsing (where the reciever
is marked as MaybeAssigned) and lazy parsing (where the receiver is
deserialized and not marked MaybeAssigned) for arrow functions that
have an inner scope that calls eval.

BUG=chromium:989914

Change-Id: I8b8b78140858985a75a971b0e0a95bd61463457b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752851
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63206}
2019-08-14 11:15:11 +00:00
Patrick Thier
52c7565de8 [regexp] Fix dirty read in regexp interpreter.
When GC triggered while an exception is pending, a read to
memory that was no longer valid could happen while backtracking in the
regexp interpreter (introduced with commit fb0df2c).
This CL prevents this dirty read, that could have been a security issue.

Bug: chromium:992389, v8:9575
Change-Id: Ie1acd6faa16665e211666c6a8dcf2a9d74e0c886
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751342
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63195}
2019-08-13 16:08:18 +00:00
Ross McIlroy
69b1f07229 [Parsing] Fix a bug in UpdateBufferPointers where it incorrectly updated the buffer range.
When a RelocatingCharacterStream is Seeked, it's buffer_pos_ could be set a non-zero value.
However, UpdateBufferPointers was assuming the position was zero to relocate the buffer_start_
and buffer_end_, which would lead to the stream becoming misaligned. Fix this and add a
unittest and the clusterfuzz script which highlighted the issue.

BUG=chromium:991133

Change-Id: I20dd510b3dcc5df6df058b7e06d2c8a838aef855
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751782
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63190}
2019-08-13 14:20:17 +00:00
Georg Neis
6b7146df6c [turbofan] Teach serializer about new JumpIfUndefinedOrNull bytecodes
R=mvstanton@chromium.org

Bug: chromium:992684, v8:7790
Change-Id: Ia5e77873f4b96d9f6d9a1468a83a64206f1498ee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748692
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63180}
2019-08-13 07:36:49 +00:00
Santiago Aboy Solanes
28db971387 Revert "Reland "[ptr-compr][arm64] Temporarily enable pointer compression on arm64""
This reverts commit d1a4706af9.

Reason for revert: Experiment over.

Original change's description:
> Reland "[ptr-compr][arm64] Temporarily enable pointer compression on arm64"
> 
> This is a reland of f5611402f7
> 
> Original change's description:
> > [ptr-compr][arm64] Temporarily enable pointer compression on arm64
> >
> > ... and make sure that the arm64 ptr-compr bots proceed testing V8 without
> > pointer compression in order to keep testing the other config.
> >
> > Commented out the 'extra' variant since it was crashing. Opened a bug
> > regarding that: https://bugs.chromium.org/p/v8/issues/detail?id=9568
> >
> > Similar to x64's https://chromium-review.googlesource.com/c/v8/v8/+/1607654
> >
> > Bug: v8:7703
> > Change-Id: Ifd46b029bab34524f9f536dcdbd1574f2ddcbf37
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1724216
> > Reviewed-by: Tamer Tas <tmrts@chromium.org>
> > Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> > Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#63019}
> 
> Cq-Include-Trybots: luci.v8.try:v8_android_arm64_n5x_rel_ng
> Bug: v8:7703
> Change-Id: I1a82b87bf6db4e6d100aeffc29dae60ba73d8119
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1730998
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Tamer Tas <tmrts@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63043}

TBR=machenbach@chromium.org,tmrts@chromium.org,solanes@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:7703
Change-Id: I86a801d44ad4ea14b1388ad8ca6109cc8a57a7d7
Cq-Include-Trybots: luci.v8.try:v8_android_arm64_n5x_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1746470
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63148}
2019-08-09 15:55:05 +00:00
Peter Marshall
5577c69d27 [debug] Report line numbers for Function constructor functions correctly
The spec says we have to insert some wrapper code with extra line breaks
in it, but this confuses users when they see stack traces as the line
numbers come from the code with the wrapper, instead of the original.

This CL sets line_offset on the script to indicate that line numbers
should be offset by the 2 extra line breaks when reading them out e.g.
for the purpose of stack traces.

Bug: chromium:109362
Change-Id: Ib608e1043c38b595b1466766f7592e993ee3b996
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741660
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63127}
2019-08-08 13:49:17 +00:00
Mythri A
7c0e200373 Reset optimization markers on OSR if function has insufficient feedback
With lazy feedback allocation, we don't have feedback vectors when function
starts executing. If we mark the function on the first execution we would
be missing feedback for the initial part of the function and hence the
optimized code will not be useful.

This cl resets the optimization markers on OSR if the invocation count of
the function is less than 1. We may still do wasted optimizations if the
function is hot enough for optimizing but not for OSRing. In the long term
we may want to fix it differently. This fix covers the most common cases
in benchmarks.

Bug: chromium:987523
Change-Id: I1cfe82e6b9f95278b77c99b77d4b981828b5c0ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1739373
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63124}
2019-08-08 11:55:54 +00:00
Gus Caplan
ceb7bd5943 Initial implementation of optional chaining
Each LHS expression that contains an optional chain of some form is
wrapped in an OptionalChain node. This root node allows us to use a
single jump location for every individual item in the chain,
improving the performance and simplifying the implementation.

Bug: v8:9553
Change-Id: I678563928b2dbfd6200bff55801919d4fd816962
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1723359
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63120}
2019-08-07 21:46:01 +00:00
Joyee Cheung
919ee633a7 [class] fix super access in private methods
This patch stores the home objects in private methods that
access super properties.

Bug: v8:8330
Change-Id: I2507fda0bd70183f02d162ec50a5be76c248f0ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1724900
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/master@{#63113}
2019-08-07 10:56:43 +00:00
Thibaud Michaud
179ed98857 [wasm] Support multi-return WASM function calls from JS
Calling a multi-return WASM function from JS creates an array filled
with the returned values.

See: https://github.com/WebAssembly/multi-value

R=ahaas@chromium.org

Bug: v8:9492
Change-Id: I3151212b6784782c8f89908befab9d26b32e5a8b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1739372
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63110}
2019-08-07 10:15:39 +00:00
Peter Marshall
6a143fd030 [cleanup] Rename uses of 'neuter' to 'detach'
Ongoing cleanup to use the same term everywhere.

Bug: chromium:913887
Change-Id: Ifc4d4de0c2dfd9f1150e61d64cf7f91cf923aa24
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1738865
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63101}
2019-08-06 14:24:05 +00:00
Joshua Litt
211340de17 [atomics] Make IsLockFree handle 8 bytes
This cl makes IsLockFree return true for 8 bytes on x64 platforms.
The standard is unfortunately a bit vague on what exactly 'lock free' means.
As a result, we err on the side of caution. We can revisit this, but first
we need the specification to nail down exactly what 'lock free' in this
context.

Bug: v8:8100
Change-Id: I0a6099c6cb95a5581f3e71d0267857b88b4a2f0a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1735592
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63099}
2019-08-06 13:03:47 +00:00
Michael Achenbach
b19b90d698 [test] Skip slow tests
NOTRY=true

Bug: v8:7783
Change-Id: I90226a16744388149993380399f1c6ee577b7c11
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1738861
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63094}
2019-08-06 12:16:20 +00:00
Mythri A
2999cea522 Reland "[ic] Don't transition to premonomorphic state"
This is a reland of 159df2488c

Original change's description:
> [ic] Don't transition to premonomorphic state
> 
> We used to use premonomorphic state to delay initializing the ICs.
> This optimization was to avoid the cost of setting up handlers if the
> code executed only once. With lazy feedback allocation we no longer
> need this.
> 
> This cl also renames LoadIC_Uninitialized to LoadIC_Nofeedback and
> StoreIC_Uninitialized to StoreIC_Nofeedback since we now miss to
> runtime in the uninitialized state and use the builtin when there
> is no feedback.
> 
> 
> Change-Id: I1633e61ea74664da51348e362c34c47a017a264a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1683525
> Commit-Queue: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63020}

Change-Id: Ica7eb65649615c2f8410d5b815a98b55cb1cfc4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731000
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63082}
2019-08-05 15:51:47 +00:00
Ulan Degenbaev
8fdb23873b Revert ""Reland x4 [arraybuffer] Rearchitect backing store ownership""
This reverts commit 5611f70b3d.

Reason for revert: flaky tests: v8:9588, v8:9587

Original change's description:
> "Reland x4 [arraybuffer] Rearchitect backing store ownership"
> 
> This is a reland of bc33f5aeba
> 
> Contributed by titzer@chromium.org
> 
> Original change's description:
> > [arraybuffer] Rearchitect backing store ownership
> >
> > This CL completely rearchitects the ownership of array buffer backing stores,
> > consolidating ownership into a {BackingStore} C++ object that is tracked
> > throughout V8 using unique_ptr and shared_ptr where appropriate.
> >
> > Overall, lifetime management is simpler and more explicit. The numerous
> > ways that array buffers were initialized have been streamlined to one
> > Attach() method on JSArrayBuffer. The array buffer tracker in the
> > GC implementation now manages std::shared_ptr<BackingStore> pointers,
> > and the construction and destruction of the BackingStore object itself
> > handles the underlying page or embedder-allocated memory.
> >
> > The embedder API remains unchanged for now. We use the
> > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> > keep the backing store alive properly, even in the case of aliases
> > from live heap objects. Thus the embedder has a lower chance of making
> > a mistake. Long-term, we should move the embedder to a model where they
> > manage backing stores using shared_ptr to an opaque backing store object.
> 
> TBR=yangguo@chromium.org
> 
> BUG=v8:9380,v8:9221,chromium:986318
> 
> Change-Id: If671a4a9ca0476e8f084efae46e0d2bf99ed99ef
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731005
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63041}

TBR=ulan@chromium.org,yangguo@chromium.org,mstarzinger@chromium.org,clemensh@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:9380, v8:9221, chromium:986318
Change-Id: Ic7381239f4e90d0c437b7e47a5ac6e8bce60f882
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1736747
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63081}
2019-08-05 15:33:47 +00:00
Joshua Litt
b6731abef0 [turbofan] Revert algorithm simplification in Math.hypot
When a fast path was added for Math.hypot, the algorithm was also
simplified. This simplification turns out to be incorrect in some rare
edge cases. This cl reverts back to the original algorithm and converts it to torque.

Original cl: https://chromium-review.googlesource.com/c/v8/v8/+/1684178

Bug: v8:9546
Change-Id: If4e21504732f46081a8de823f50f499917f1a20c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1725200
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63070}
2019-08-05 11:12:58 +00:00
Leszek Swirski
9cf089e968 [scopes] Skip dynamic vars in eval scopes during lookup
For variable proxies in a function inside an eval scope that point to
a dynamic variable in the eval scope, the current scope resolution will
find this variable only when the function is eagerly compiled, as the
eval scope only exists during top-level eval compilation. This causes
a mismatch between lazy- and eager- compiled functions.

With this patch, we skip these dynamic variables during lookup, so that
the lookup for the variable proxy always finds a kDynamicLocal or
kDynamicGlobal, both when compiled lazily and eagerly. This is a minor
pessimisation of performance (as we know that the lookup has to be
dynamic), but unblocks other improvements which require idempotent
bytecode generation (such as lazy source positions).

Note that the alternative, of simply not tracking dynamic variables on
the eval scope at all, is not viable due to needing this information
during conflict detection.

Bug: v8:8510
Bug: v8:9511
Change-Id: Ifa72ec05e9a97b7be418912340081b9656765fd4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1733077
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63051}
2019-08-02 14:55:13 +00:00
Michael Starzinger
d335cb6a11 [wasm] Make {WebAssembly.Function} work on any iterable.
This makes sure the "parameters" and "results" properties of the passed
FunctionType object can be arbitrary iterable objects, not just plain
JavaScript arrays.

R=clemensh@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: Icba18c418e549deba9fff1855be4956813b1a953
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1733071
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63049}
2019-08-02 13:47:19 +00:00
Leszek Swirski
475b35f92a [test] Skip regress-331444 on full_debug
It's too slow and flakes on "V8 Linux - full debug"

Change-Id: I2a83a7a2de6a3865d230edb847a658b1b8b23bec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1733076
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63047}
2019-08-02 13:23:54 +00:00
Santiago Aboy Solanes
d1a4706af9 Reland "[ptr-compr][arm64] Temporarily enable pointer compression on arm64"
This is a reland of f5611402f7

Original change's description:
> [ptr-compr][arm64] Temporarily enable pointer compression on arm64
>
> ... and make sure that the arm64 ptr-compr bots proceed testing V8 without
> pointer compression in order to keep testing the other config.
>
> Commented out the 'extra' variant since it was crashing. Opened a bug
> regarding that: https://bugs.chromium.org/p/v8/issues/detail?id=9568
>
> Similar to x64's https://chromium-review.googlesource.com/c/v8/v8/+/1607654
>
> Bug: v8:7703
> Change-Id: Ifd46b029bab34524f9f536dcdbd1574f2ddcbf37
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1724216
> Reviewed-by: Tamer Tas <tmrts@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63019}

Cq-Include-Trybots: luci.v8.try:v8_android_arm64_n5x_rel_ng
Bug: v8:7703
Change-Id: I1a82b87bf6db4e6d100aeffc29dae60ba73d8119
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1730998
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63043}
2019-08-02 11:37:35 +00:00
Ulan Degenbaev
5611f70b3d "Reland x4 [arraybuffer] Rearchitect backing store ownership"
This is a reland of bc33f5aeba

Contributed by titzer@chromium.org

Original change's description:
> [arraybuffer] Rearchitect backing store ownership
>
> This CL completely rearchitects the ownership of array buffer backing stores,
> consolidating ownership into a {BackingStore} C++ object that is tracked
> throughout V8 using unique_ptr and shared_ptr where appropriate.
>
> Overall, lifetime management is simpler and more explicit. The numerous
> ways that array buffers were initialized have been streamlined to one
> Attach() method on JSArrayBuffer. The array buffer tracker in the
> GC implementation now manages std::shared_ptr<BackingStore> pointers,
> and the construction and destruction of the BackingStore object itself
> handles the underlying page or embedder-allocated memory.
>
> The embedder API remains unchanged for now. We use the
> v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> keep the backing store alive properly, even in the case of aliases
> from live heap objects. Thus the embedder has a lower chance of making
> a mistake. Long-term, we should move the embedder to a model where they
> manage backing stores using shared_ptr to an opaque backing store object.

TBR=yangguo@chromium.org

BUG=v8:9380,v8:9221,chromium:986318

Change-Id: If671a4a9ca0476e8f084efae46e0d2bf99ed99ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731005
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63041}
2019-08-02 10:40:43 +00:00
Maya Lekova
5a624dc465 [turbofan] Fix crash with --trace-turbo-inlining
When the flag is on and some of the functions don't have bytecode,
we should gracefully print "no bytecode" instead of crashing.

Bug: chromium:983267
Change-Id: Id4e3385cd871a2dd5bead38c29a41b38319cc8d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731003
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63031}
2019-08-01 12:56:05 +00:00
Joshua Litt
b8ddc84e0d [harmony-numeric-separator] remove flag
now that we are shipping this by default, we can remove the flag.

Change-Id: I298691df3eec934a5add1aa2a2748a0f3a884ab6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1726452
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63026}
2019-08-01 10:10:24 +00:00
Leszek Swirski
7677b2efd0 Revert "[ic] Don't transition to premonomorphic state"
This reverts commit 159df2488c.

Reason for revert: Breaks large-classes-properties test (https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket.appspot.com/8906338563361079200/+/steps/Bisect_159df248/0/steps/Retry_-_isolates/0/logs/large-classes-properties/0)

Original change's description:
> [ic] Don't transition to premonomorphic state
> 
> We used to use premonomorphic state to delay initializing the ICs.
> This optimization was to avoid the cost of setting up handlers if the
> code executed only once. With lazy feedback allocation we no longer
> need this.
> 
> This cl also renames LoadIC_Uninitialized to LoadIC_Nofeedback and
> StoreIC_Uninitialized to StoreIC_Nofeedback since we now miss to
> runtime in the uninitialized state and use the builtin when there
> is no feedback.
> 
> 
> Change-Id: I1633e61ea74664da51348e362c34c47a017a264a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1683525
> Commit-Queue: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63020}

TBR=mythria@chromium.org,verwaest@chromium.org

Change-Id: I4fad4e8b881d4a3f8d12149e1797b217a317eaee
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1730995
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63023}
2019-08-01 09:42:56 +00:00
Leszek Swirski
33b93f3d88 Revert "[ptr-compr][arm64] Temporarily enable pointer compression on arm64"
This reverts commit f5611402f7.

Reason for revert: arm64 sim MSAN failures (https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/28059)

Original change's description:
> [ptr-compr][arm64] Temporarily enable pointer compression on arm64
> 
> ... and make sure that the arm64 ptr-compr bots proceed testing V8 without
> pointer compression in order to keep testing the other config.
> 
> Commented out the 'extra' variant since it was crashing. Opened a bug
> regarding that: https://bugs.chromium.org/p/v8/issues/detail?id=9568
> 
> Similar to x64's https://chromium-review.googlesource.com/c/v8/v8/+/1607654
> 
> Bug: v8:7703
> Change-Id: Ifd46b029bab34524f9f536dcdbd1574f2ddcbf37
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1724216
> Reviewed-by: Tamer Tas <tmrts@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63019}

TBR=machenbach@chromium.org,tmrts@chromium.org,solanes@chromium.org

Change-Id: I7d96c8aa83fcabff7e9a82e0556811398fedc34c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7703
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1730994
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63022}
2019-08-01 09:26:54 +00:00
Mythri A
159df2488c [ic] Don't transition to premonomorphic state
We used to use premonomorphic state to delay initializing the ICs.
This optimization was to avoid the cost of setting up handlers if the
code executed only once. With lazy feedback allocation we no longer
need this.

This cl also renames LoadIC_Uninitialized to LoadIC_Nofeedback and
StoreIC_Uninitialized to StoreIC_Nofeedback since we now miss to
runtime in the uninitialized state and use the builtin when there
is no feedback.


Change-Id: I1633e61ea74664da51348e362c34c47a017a264a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1683525
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63020}
2019-08-01 08:57:38 +00:00
Santiago Aboy Solanes
f5611402f7 [ptr-compr][arm64] Temporarily enable pointer compression on arm64
... and make sure that the arm64 ptr-compr bots proceed testing V8 without
pointer compression in order to keep testing the other config.

Commented out the 'extra' variant since it was crashing. Opened a bug
regarding that: https://bugs.chromium.org/p/v8/issues/detail?id=9568

Similar to x64's https://chromium-review.googlesource.com/c/v8/v8/+/1607654

Bug: v8:7703
Change-Id: Ifd46b029bab34524f9f536dcdbd1574f2ddcbf37
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1724216
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63019}
2019-08-01 08:43:17 +00:00
Francis McCabe
195679de3f Revert ""Reland x3 [arraybuffer] Rearchitect backing store ownership""
This reverts commit df8e617772.

Reason for revert: Multiple flakes in apparently related areas:

https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket.appspot.com/8906409837768155568/+/steps/Check__flakes_/0/logs/BackingStoreTest.RacyGrowWasmMem.../0

Original change's description:
> "Reland x3 [arraybuffer] Rearchitect backing store ownership"
> 
> This is a reland of bc33f5aeba
> 
> Original change's description:
> > [arraybuffer] Rearchitect backing store ownership
> >
> > This CL completely rearchitects the ownership of array buffer backing stores,
> > consolidating ownership into a {BackingStore} C++ object that is tracked
> > throughout V8 using unique_ptr and shared_ptr where appropriate.
> >
> > Overall, lifetime management is simpler and more explicit. The numerous
> > ways that array buffers were initialized have been streamlined to one
> > Attach() method on JSArrayBuffer. The array buffer tracker in the
> > GC implementation now manages std::shared_ptr<BackingStore> pointers,
> > and the construction and destruction of the BackingStore object itself
> > handles the underlying page or embedder-allocated memory.
> >
> > The embedder API remains unchanged for now. We use the
> > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> > keep the backing store alive properly, even in the case of aliases
> > from live heap objects. Thus the embedder has a lower chance of making
> > a mistake. Long-term, we should move the embedder to a model where they
> > manage backing stores using shared_ptr to an opaque backing store object.
> 
> R=​mlippautz@chromium.org
> BUG=v8:9380,v8:9221,chromium:986318
> TBR=ulan@chromium.org
> 
> Change-Id: I6c49e2425029b5664ef1c68dab8b5146f4ed0ff2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719191
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63007}

TBR=mstarzinger@chromium.org,titzer@chromium.org,mlippautz@chromium.org

Change-Id: If0266e5893b1325a332d5986337fa7ece2cb6943
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9380, v8:9221, chromium:986318
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1729549
Reviewed-by: Francis McCabe <fgm@chromium.org>
Commit-Queue: Francis McCabe <fgm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63011}
2019-07-31 15:50:56 +00:00
Seth Brenith
bea0ffd0dd Reland "[regexp] Better quick checks on loop entry nodes"
This is a reland of 4b15b984ad

Updates since original: fix an arithmetic overflow bug, remove an invalid
DCHECK, add a unit test that would trigger that DCHECK.

Original change's description:
> [regexp] Better quick checks on loop entry nodes
>
> Like the predecessor change https://crrev.com/c/v8/v8/+/1702125 , this
> change is inspired by attempting to exit earlier from generated RegExp
> code, when no further matches are possible because any match would be
> too long. The motivating example this time is the following expression,
> which tests whether a string of Unicode playing cards has five of the
> same suit in a row:
>
> /([🂡-🂮]{5})|([🂱-🂾]{5})|([🃁-🃎]{5})|([🃑-🃞]{5})/u
>
> A human reading this expression can readily see that any match requires
> at least 10 characters (5 surrogate pairs), but the LoopChoiceNode for
> each repeated option reports its minimum distance to the end of a match
> as zero. This is correct, because the LoopChoiceNode's behavior depends
> on additional state (the loop counter). However, the preceding node, a
> SET_REGISTER action that initializes the loop counter, could confidently
> state that it consumes at least 10 characters. Furthermore, when we try
> to emit a quick check for that action, we could follow only paths from
> the LoopChoiceNode that are possible based on the minimum iteration
> count. This change implements both of those "could"s.
>
> I expect this improvement to apply pretty broadly to expressions that
> use minimum repetition counts and that don't meet the criteria for
> unrolling. In this particular case, I get about 12% improvement on the
> overall UniPoker test, due to reducing the execution time of this
> expression by 85% and the execution time of another similar expression
> that checks for n-of-a-kind by 20%.
>
> Bug: v8:9305
>
> Change-Id: I319e381743967bdf83324be75bae943fbb5dd496
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1704941
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62963}

Bug: v8:9305
Change-Id: I992070d383009013881bf778242254c27134b650
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1726674
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#63009}
2019-07-31 14:34:20 +00:00
Ben L. Titzer
df8e617772 "Reland x3 [arraybuffer] Rearchitect backing store ownership"
This is a reland of bc33f5aeba

Original change's description:
> [arraybuffer] Rearchitect backing store ownership
>
> This CL completely rearchitects the ownership of array buffer backing stores,
> consolidating ownership into a {BackingStore} C++ object that is tracked
> throughout V8 using unique_ptr and shared_ptr where appropriate.
>
> Overall, lifetime management is simpler and more explicit. The numerous
> ways that array buffers were initialized have been streamlined to one
> Attach() method on JSArrayBuffer. The array buffer tracker in the
> GC implementation now manages std::shared_ptr<BackingStore> pointers,
> and the construction and destruction of the BackingStore object itself
> handles the underlying page or embedder-allocated memory.
>
> The embedder API remains unchanged for now. We use the
> v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> keep the backing store alive properly, even in the case of aliases
> from live heap objects. Thus the embedder has a lower chance of making
> a mistake. Long-term, we should move the embedder to a model where they
> manage backing stores using shared_ptr to an opaque backing store object.

R=mlippautz@chromium.org
BUG=v8:9380,v8:9221,chromium:986318
TBR=ulan@chromium.org

Change-Id: I6c49e2425029b5664ef1c68dab8b5146f4ed0ff2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719191
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63007}
2019-07-31 14:13:59 +00:00
Joshua Litt
af4a7dc312 [scanner] fix edge case for parsing numeric separators
Numeric separators are not allowed in NonOctalDecimalIntegerLiterals.

Bug: v8:9437
Change-Id: Ic62b35b361de36fc622e207c140c365665021029
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722194
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62994}
2019-07-30 17:06:29 +00:00
Toon Verwaest
19810c489c [ic] Remove broken DCHECK and clean up naming
The DCHECK related to a time when dictionary mode prototypes were the payload
of complex data driven handlers. Now the additional data is used to hold
entirely different kinds of objects. The DCHECK made no sense anymore. Cleaning
up the names makes this clearer.

Bug: chromium:986187
Change-Id: I7173d7d2824396c04c01acb4ceb74693ee9ce6b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1724215
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62993}
2019-07-30 16:22:08 +00:00
Clemens Hammacher
20655a20cd [wasm][test] Add method to create signed LEB values
This method will be used for a test with multiple code spaces, to
encode large function indexes. The current implementation in
{wasmI32Const} just always uses 5 bytes for encoding the LEB value.
This CL adds a {wasmSignedLeb} function which properly encodes the
value, and adds tests for that.

Drive-by: Clean up the rest of {test-wasm-module-builder.js}.

R=mstarzinger@chromium.org

Bug: v8:9477
Change-Id: Ide2d90eed9d40aa28df680fbb413275346d9c0b6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1725623
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62990}
2019-07-30 14:18:52 +00:00
Joyee Cheung
a6dd7f1c98 [class] parse private accessors
This patch adds:

- VariableMode::kPrivateMethod
- VariableMode::kPrivateSetterOnly
- VariableMode::kPrivateGetterOnly
- VariableMode::kPrivateGetterAndSetter

And replace the previous RequiresBrandCheckFlag by inferring
whether the brand check is required from these VariableModes.
It is then possible to check duplicate non-complementary
accessors in the parsers and throw early errors, and allow
complementary accessors to be associated with the same
private name variable.

This patch also adds the following AssignType:

- PRIVATE_METHOD
- PRIVATE_GETTER_ONLY
- PRIVATE_SETTER_ONLY
- PRIVATE_GETTER_AND_SETTER

corresponding to the new VariableModes so that it's possible
to generate specialized code for different type of
private accessor declarations.

Design doc: https://docs.google.com/document/d/10W4begYfs7lmldSqBoQBBt_BKamgT8igqxF9u50RGrI/edit

Bug: v8:8330
Change-Id: I0fb61b1be248630d1eadd74fb16d7d64a421f4c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1695204
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62988}
2019-07-30 13:26:01 +00:00
Leszek Swirski
6c3cb32e07 [d8] Disable worker shutdown test on predictable
The tests rely too much on OS state (thread allocation) to be
predictable.

Change-Id: I9a562369a3c72522630a23ee47e3e819b9411c65
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1725626
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62987}
2019-07-30 12:43:09 +00:00
Sathya Gunasekaran
743ce7726d [WeakRefs] Make cleanup callback run as a task
Previously, this was run as a microtask and this CL changes it to run
as a separate task as mandated by the current WeakRef spec.

This CL also introduces a FinalizationGroup type to the V8 API
representing the JSFinalizationGroup. This has a `Cleanup`
function that runs the cleanup callback associated with it.

SetHostCleanupFinalizationGroupCallback is added to set
the embedder defined HostCleanupFinalizationGroupCallback.

ClearKeptObject is exposed on the v8::Isolate to reset the strongly
held set of objects.

The general workflow is the following:

(a) When the GC notices that a given finalization group has dirty
    cells, it calls HostCleanupFinalizationGroupCallback with the given
    finalization group.

(b) As part of HostCleanupFinalizationGroupCallback, the embedder
    enqueues a task that at some point later calls
    FinalizationGroup::Cleanup.

(c) At some point in the future, FinalizationGroup::Cleanup is called,
    which runs the cleanup callback of the finalization group.

This patch also includes d8 changes to use these new APIs. Currently,
d8 cycles through the enqueued finalization groups after a synchronous
turn (and it's microtask checkpoint) and runs the cleanup callbacks.

Change-Id: I06eb4da2c103b2792a9c62bc4b98fd4e5c4892fc
Bug: v8:8179
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655655
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62984}
2019-07-30 12:19:39 +00:00
Toon Verwaest
a4dd93bf29 [parser] Validate the target of property access assignment as expression
This drops possible remaining pattern errors from the access target. This is
necessary since sub patterns with default values (assignment expression) aren't
otherwise identifiable as being property accesses.

Bug: v8:9560
Change-Id: Ie6781c0d161e00790268f7d9db81377d045f93b6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1725624
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62982}
2019-07-30 11:41:59 +00:00
Leszek Swirski
51afbd1a46 Revert "[regexp] Better quick checks on loop entry nodes"
This reverts commit 4b15b984ad.

Reason for revert: UBSan failure (https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket.appspot.com/8906578530303352544/+/steps/Check/0/logs/regress-126412/0).

Original change's description:
> [regexp] Better quick checks on loop entry nodes
> 
> Like the predecessor change https://crrev.com/c/v8/v8/+/1702125 , this
> change is inspired by attempting to exit earlier from generated RegExp
> code, when no further matches are possible because any match would be
> too long. The motivating example this time is the following expression,
> which tests whether a string of Unicode playing cards has five of the
> same suit in a row:
> 
> /([🂡-🂮]{5})|([🂱-🂾]{5})|([🃁-🃎]{5})|([🃑-🃞]{5})/u
> 
> A human reading this expression can readily see that any match requires
> at least 10 characters (5 surrogate pairs), but the LoopChoiceNode for
> each repeated option reports its minimum distance to the end of a match
> as zero. This is correct, because the LoopChoiceNode's behavior depends
> on additional state (the loop counter). However, the preceding node, a
> SET_REGISTER action that initializes the loop counter, could confidently
> state that it consumes at least 10 characters. Furthermore, when we try
> to emit a quick check for that action, we could follow only paths from
> the LoopChoiceNode that are possible based on the minimum iteration
> count. This change implements both of those "could"s.
> 
> I expect this improvement to apply pretty broadly to expressions that
> use minimum repetition counts and that don't meet the criteria for
> unrolling. In this particular case, I get about 12% improvement on the
> overall UniPoker test, due to reducing the execution time of this
> expression by 85% and the execution time of another similar expression
> that checks for n-of-a-kind by 20%.
> 
> Bug: v8:9305
> 
> Change-Id: I319e381743967bdf83324be75bae943fbb5dd496
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1704941
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62963}

TBR=jgruber@chromium.org,seth.brenith@microsoft.com

Change-Id: Iac085b75e054fdf0d218987cfe449be1f1630545
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9305
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1725621
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62977}
2019-07-30 09:48:31 +00:00
Ben L. Titzer
e0b18b9022 Reland "[d8] Remove maximum workers limitation"
This is a reland of a0728e869b

Original change's description:
> [d8] Remove maximum workers limitation
> 
> This CL refactors the lifetime management of the v8::Worker C++ object
> and in the process lifts the 100 maximum worker limitation. To do this,
> it uses a Managed<v8::Worker> heap object and attaches the managed to
> the API worker object.
> 
> R=mstarzinger@chromium.org
> BUG=v8:9524
> 
> Change-Id: I279b7aeb6645a87f9108ee6f572105739721cef4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715453
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62932}

Bug: v8:9524
Change-Id: I7d903fb12ddb00909a9429455f46c55db2fd02de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722562
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62974}
2019-07-30 07:56:17 +00:00
Maya Lekova
d978b5c00c [turbofan] Fix wrong serialization for Function.bind
Bug: v8:7790
Change-Id: I31502a8023564e88e0a28a421e3c7fb3404847dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722566
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62973}
2019-07-30 07:55:12 +00:00
Georg Neis
6636420fce [turbofan] Second part of brokerization/serialization for instanceof
Serialize for all cases of JSNativeContextSpecialization::ReduceJSInstanceOf.

Bug: v8:7790
Change-Id: I147991353b86619808257a92961b7051105511f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722558
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62965}
2019-07-29 18:19:35 +00:00
Seth Brenith
4b15b984ad [regexp] Better quick checks on loop entry nodes
Like the predecessor change https://crrev.com/c/v8/v8/+/1702125 , this
change is inspired by attempting to exit earlier from generated RegExp
code, when no further matches are possible because any match would be
too long. The motivating example this time is the following expression,
which tests whether a string of Unicode playing cards has five of the
same suit in a row:

/([🂡-🂮]{5})|([🂱-🂾]{5})|([🃁-🃎]{5})|([🃑-🃞]{5})/u

A human reading this expression can readily see that any match requires
at least 10 characters (5 surrogate pairs), but the LoopChoiceNode for
each repeated option reports its minimum distance to the end of a match
as zero. This is correct, because the LoopChoiceNode's behavior depends
on additional state (the loop counter). However, the preceding node, a
SET_REGISTER action that initializes the loop counter, could confidently
state that it consumes at least 10 characters. Furthermore, when we try
to emit a quick check for that action, we could follow only paths from
the LoopChoiceNode that are possible based on the minimum iteration
count. This change implements both of those "could"s.

I expect this improvement to apply pretty broadly to expressions that
use minimum repetition counts and that don't meet the criteria for
unrolling. In this particular case, I get about 12% improvement on the
overall UniPoker test, due to reducing the execution time of this
expression by 85% and the execution time of another similar expression
that checks for n-of-a-kind by 20%.

Bug: v8:9305

Change-Id: I319e381743967bdf83324be75bae943fbb5dd496
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1704941
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62963}
2019-07-29 17:36:45 +00:00
Dan Elphick
4189da7b0e [parsing] Fix bytecode mismatch for arrow funcs
Fixes a bytecode mismatch for arrow functions with default arguments
between eager and lazy compilation. In the former case, parameters with
default values are marked as assigned even if the value never changes
within the function because the parser does not know it's an
arrow-function at the point it sees the assignment.

So this changes ArrowHeadParsingScope::ValidateAndCreateScope to clear
the is_assigned flag on its parameter VariableProxies before it binds
them.

Bug: chromium:988304, v8:8510
Change-Id: I68bf205c73471386181e5fdcec6c8c3b2e527c8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1724384
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62962}
2019-07-29 16:30:10 +00:00
Michael Starzinger
ba77172be1 [wasm] Make constructed {WebAssembly.Function} callable.
This makes function objects constructed via the {WebAssembly.Function}
constructor callable directly from JavaScript (not just from within
WebAssembly modules). Semantics are as if the function performed the
transition JS-to-Wasm and then Wasm-to-JS in sequence.

R=clemensh@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: Ic7dcf36ccfda1b473f2541e49419f4d2ee38bc2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1720809
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62953}
2019-07-29 11:29:32 +00:00
Ng Zhi An
66c6f68be3 Skip opt-elements-kind test on gc_fuzzer
Bug: v8:9557
Change-Id: Iff790b82a362b3919a63485011745dcb7d2061c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1721203
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62944}
2019-07-26 22:48:42 +00:00
Maya Lekova
e25fcd26b2 Revert "[d8] Remove maximum workers limitation"
This reverts commit a0728e869b.

Reason for revert: Times out on Windows & debug builds - https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20nosnap%20-%20shared/34484

Original change's description:
> [d8] Remove maximum workers limitation
> 
> This CL refactors the lifetime management of the v8::Worker C++ object
> and in the process lifts the 100 maximum worker limitation. To do this,
> it uses a Managed<v8::Worker> heap object and attaches the managed to
> the API worker object.
> 
> R=​mstarzinger@chromium.org
> BUG=v8:9524
> 
> Change-Id: I279b7aeb6645a87f9108ee6f572105739721cef4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715453
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62932}

TBR=mstarzinger@chromium.org,titzer@chromium.org,clemensh@chromium.org

Change-Id: I3a27937cba13b5413390f49268a107c184515153
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9524
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1720590
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62937}
2019-07-26 12:38:26 +00:00
Dan Elphick
f47cbb28ab [parsing] Improve elision of hole checks for default parameters
Use the position of commas in arrow expressions to mark the initializer
position of any parameters that might have been set in the preceding
parameter.

To enable this, this makes variable_list_ in ExpressionParsingScope a
ScopedList<pair<VariableProxy*, int>> and changes ScopedList::at to
return references so its elements can be modified in place.

This fixes a source of bytecode mismatches when collecting source
positions lazily and is a second attempt at fixing this after
https://chromium-review.googlesource.com/c/v8/v8/+/1683267 introduced
problems due to destructuring.

Bug: chromium:980422, chromium:981701, v8:8510
Change-Id: I948f89f34fb75d7463a13183e363f7f96ad09d13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710671
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62936}
2019-07-26 12:15:31 +00:00
Mythri A
b62a7166c7 Fix flaky failure in mjsunit/regress/regress-unlink-closures-on-deopt
This is short-term fix for flaky failures on GC fuzzer. The closures
g1 and g2 have the same SFI and pending optimzed table treats them as
a single entry. This cl, adds %PrepareFunctionForOptimize after one of
them is optimized.

Bug: v8:9556
Change-Id: I1fd72da1baa5de2f7650e080f9b6d04b69dd6a16
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719188
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62934}
2019-07-26 12:00:11 +00:00
Ben L. Titzer
a0728e869b [d8] Remove maximum workers limitation
This CL refactors the lifetime management of the v8::Worker C++ object
and in the process lifts the 100 maximum worker limitation. To do this,
it uses a Managed<v8::Worker> heap object and attaches the managed to
the API worker object.

R=mstarzinger@chromium.org
BUG=v8:9524

Change-Id: I279b7aeb6645a87f9108ee6f572105739721cef4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715453
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62932}
2019-07-26 11:50:51 +00:00
Georg Neis
f95124821e [turbofan] First part of brokerization/serialization for instanceof
- Move SerializePrototype out of DependOnStablePrototypes into
  ComputePropertyAccessInfo.
- Brokerize JSNativeContextSpecialization::InferHasInPrototypeChain.
- Brokerize JSNativeContextSpecialization::ReduceJSOrdinaryHasInstance
  (modulo the call to ReduceJSInstanceOf).
- Brokerize JSNativeContextSpecialization::ReduceJSHasInPrototypeChain.
- Serialize for JSCallReducer::ReduceObjectPrototypeIsPrototypeOf.
- Serialize for JSNativeContextSpecialization::ReduceJSInstanceOf. This
  is still incomplete.

Bug: v8:7790
Change-Id: Ic56eab5ddd8d725a13d2980e5b55db53ae82e822
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709408
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62920}
2019-07-25 14:39:54 +00:00
Mythri A
21f796df44 [ic] Pass the converted value to the runtime when storing to a typed array
Preparing the value for storing into a typed array is user visible
operation in some cases (for ex: calling ToNumber). To avoid doing this
conversion twice pass the converted to the runtime when bailing out
from the handlers.

Bug: chromium:981236
Change-Id: I3de23d317d22cd6c201fe8a4db30014f4cf76251
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1692932
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62879}
2019-07-23 15:53:56 +00:00
Maya Lekova
62c9ad5b0f Revert "[d8] Cleanup message queues"
This reverts commit 26dad80ff5.

Reason for revert: Breaks d8, see https://ci.chromium.org/p/v8/builders/ci/V8%20Win32/22272

Original change's description:
> [d8] Cleanup message queues
> 
> Simplifies some of the logic of message queues in d8 and makes sure
> to delete any in-flight messages upon worker termination. Drive-by
> cleanups of some other small d8 vestiges.
> 
> R=​clemensh@chromium.org
> BUG=v8:9524
> 
> Change-Id: I587c0cb3eeed88107e7dba552389057f07c15c43
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710673
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62873}

TBR=titzer@chromium.org,clemensh@chromium.org

Change-Id: Ibc15d9fb76698a2bad51e3842392634fb2f0246b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9524
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714877
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62875}
2019-07-23 14:25:38 +00:00
Ben L. Titzer
26dad80ff5 [d8] Cleanup message queues
Simplifies some of the logic of message queues in d8 and makes sure
to delete any in-flight messages upon worker termination. Drive-by
cleanups of some other small d8 vestiges.

R=clemensh@chromium.org
BUG=v8:9524

Change-Id: I587c0cb3eeed88107e7dba552389057f07c15c43
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710673
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62873}
2019-07-23 14:01:26 +00:00
Ben L. Titzer
845b47a1d2 Revert "Reland "Reland "[arraybuffer] Rearchitect backing store ownership"""
This reverts commit 306cf40344.

Reason for revert: performance regressions / too near branch point

TBR=mslekova@chromium.org
BUG=v8:9380

Change-Id: If77630b73eafbf1190c823199fe2a34361da303f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714867
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62867}
2019-07-23 12:25:16 +00:00
Ben L. Titzer
9f1a7d3aa0 [arraybuffer] Use relaxed load/store for bitfield
A benign datarace can occur between the array buffer tracker and
using an arraybuffer as an asm.js memory. The former reads the
{is_shared} bit, which should never change, and the latter writes
the {is_asmjs_memory} bit, but no other bits. Since these bits are
packed into a single word, TSAN reports a race.

R=ulan@chromium.org
BUG=v8:9531

Change-Id: Icceff211368e13794b6678b5fd7748fb5b3235bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714647
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62866}
2019-07-23 10:12:26 +00:00
Mythri A
2c95484ae7 Reland [cleanup][test] split es6/classes.js into different tests
Reland after splitting large classes further.

es6/classes.js is large and causes timeouts and OOM on some of the
configurations.

Bug: v8:9246
Change-Id: I51952447eb6a6b46d78410d5d3798292f5a8d87d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1706061
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62864}
2019-07-23 09:13:26 +00:00
Maya Lekova
b9d3651e3c [turbofan] Fix wrong expectation when serializing API calls
Bug: v8:7790, chromium:985660
Change-Id: I4e931a4a23421982f05e16c8ffa2ccc68fb34b63
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709423
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62862}
2019-07-23 08:54:54 +00:00
Adam Klein
40624b5b41 [runtime] Always throw when asked to make an array's length configurable
Previously, if the new length was less than the current length, we ignored
the "configurable" value and set the length as requested. We already threw
if the new length was greater than or equal to the current length.

New behavior matches the spec and other implementations.

Bug: v8:9460
Change-Id: Idb92fd121bdaa707f6abd2d2082628bbf3541b83
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709336
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62855}
2019-07-22 17:16:10 +00:00
Ben L. Titzer
fc8e9b82a4 [mjsunit] Disable shared-memory-worker-gc-stress on TSAN
TBR=clemensh@chromium.org

No-Try: true
Change-Id: I993955063432cceedc6ef6fc1a999c8f2256279f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710668
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62848}
2019-07-22 11:07:16 +00:00
Ben L. Titzer
306cf40344 Reland "Reland "[arraybuffer] Rearchitect backing store ownership""
This is a reland of bc33f5aeba

Original change's description:
> Reland "[arraybuffer] Rearchitect backing store ownership"
> 
> This is a reland of 31cd5d83d3
> 
> Original change's description:
> > [arraybuffer] Rearchitect backing store ownership
> > 
> > This CL completely rearchitects the ownership of array buffer backing stores,
> > consolidating ownership into a {BackingStore} C++ object that is tracked
> > throughout V8 using unique_ptr and shared_ptr where appropriate.
> > 
> > Overall, lifetime management is simpler and more explicit. The numerous
> > ways that array buffers were initialized have been streamlined to one
> > Attach() method on JSArrayBuffer. The array buffer tracker in the
> > GC implementation now manages std::shared_ptr<BackingStore> pointers,
> > and the construction and destruction of the BackingStore object itself
> > handles the underlying page or embedder-allocated memory.
> > 
> > The embedder API remains unchanged for now. We use the
> > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> > keep the backing store alive properly, even in the case of aliases
> > from live heap objects. Thus the embedder has a lower chance of making
> > a mistake. Long-term, we should move the embedder to a model where they
> > manage backing stores using shared_ptr to an opaque backing store object.
> > 
> > R=mlippautz@chromium.org
> > BUG=v8:9380,v8:9221
> > 
> > Change-Id: I48fae5ac85dcf6172a83f252439e77e7c1a16ccd
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584323
> > Commit-Queue: Ben Titzer <titzer@chromium.org>
> > Reviewed-by: Ben Titzer <titzer@chromium.org>
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Reviewed-by: Yang Guo <yangguo@chromium.org>
> > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#62572}
> 
> Bug: v8:9380, v8:9221
> Change-Id: If3f72967a8ebeb067c0edcfc16ed631e36829dbc
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691906
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62809}

Bug: v8:9380, v8:9221
Change-Id: I9a2525753ae2424108d074fa81df5f25d945c824
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709409
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62847}
2019-07-22 10:33:26 +00:00
Toon Verwaest
9c766330e0 Reland "[runtime] Fix protector invalidation"
This is a reland of e55e0aa5bd

Original change's description:
> [runtime] Fix protector invalidation
>
> Protectors trigger when special properties are modified or masked. Previously
> we would check whether the property stored on the holder would invalidate the
> protector. Stores to to the receiver rather than the holder, however, so this
> CL changes holder for receiver, and adds additional checks that were missing.
>
> Bug: v8:9466
> Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62805}

Tbr: leszeks@chromium.org
Bug: v8:9466
Change-Id: I693c73577ca9a35a271f509770cc1c87e5cc4b73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709420
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62829}
2019-07-19 13:32:25 +00:00
Michael Starzinger
224ca74ae4 [asm.js] Propagate language mode to exported functions.
This makes sure the language mode of the module is correctly propagated
through the WebAssembly module, so that exported functions are allocated
with the correct language mode. It extends the existing {ModuleOrigin}
enum to consist of three values now.

R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-985154
BUG=chromium:985154

Change-Id: Id7b566738b1e710cc5001b894022bcd0f2c01bc3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708484
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62826}
2019-07-19 11:47:48 +00:00
Clemens Hammacher
6e0473f343 Revert "Reland "[arraybuffer] Rearchitect backing store ownership""
This reverts commit bc33f5aeba.

Reason for revert: Still failing (OOM on win32): https://ci.chromium.org/p/v8/builders/ci/V8%20Win32/22210

Original change's description:
> Reland "[arraybuffer] Rearchitect backing store ownership"
> 
> This is a reland of 31cd5d83d3
> 
> Original change's description:
> > [arraybuffer] Rearchitect backing store ownership
> > 
> > This CL completely rearchitects the ownership of array buffer backing stores,
> > consolidating ownership into a {BackingStore} C++ object that is tracked
> > throughout V8 using unique_ptr and shared_ptr where appropriate.
> > 
> > Overall, lifetime management is simpler and more explicit. The numerous
> > ways that array buffers were initialized have been streamlined to one
> > Attach() method on JSArrayBuffer. The array buffer tracker in the
> > GC implementation now manages std::shared_ptr<BackingStore> pointers,
> > and the construction and destruction of the BackingStore object itself
> > handles the underlying page or embedder-allocated memory.
> > 
> > The embedder API remains unchanged for now. We use the
> > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> > keep the backing store alive properly, even in the case of aliases
> > from live heap objects. Thus the embedder has a lower chance of making
> > a mistake. Long-term, we should move the embedder to a model where they
> > manage backing stores using shared_ptr to an opaque backing store object.
> > 
> > R=mlippautz@chromium.org
> > BUG=v8:9380,v8:9221
> > 
> > Change-Id: I48fae5ac85dcf6172a83f252439e77e7c1a16ccd
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584323
> > Commit-Queue: Ben Titzer <titzer@chromium.org>
> > Reviewed-by: Ben Titzer <titzer@chromium.org>
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Reviewed-by: Yang Guo <yangguo@chromium.org>
> > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#62572}
> 
> Bug: v8:9380, v8:9221
> Change-Id: If3f72967a8ebeb067c0edcfc16ed631e36829dbc
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691906
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62809}

TBR=ulan@chromium.org,yangguo@chromium.org,mstarzinger@chromium.org,titzer@chromium.org,gdeepti@chromium.org,mlippautz@chromium.org

Change-Id: Iea755df9aaa1e95d284135bd0a6681b1340b6832
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9380, v8:9221
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708487
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62811}
2019-07-18 15:56:45 +00:00
Ben L. Titzer
bc33f5aeba Reland "[arraybuffer] Rearchitect backing store ownership"
This is a reland of 31cd5d83d3

Original change's description:
> [arraybuffer] Rearchitect backing store ownership
> 
> This CL completely rearchitects the ownership of array buffer backing stores,
> consolidating ownership into a {BackingStore} C++ object that is tracked
> throughout V8 using unique_ptr and shared_ptr where appropriate.
> 
> Overall, lifetime management is simpler and more explicit. The numerous
> ways that array buffers were initialized have been streamlined to one
> Attach() method on JSArrayBuffer. The array buffer tracker in the
> GC implementation now manages std::shared_ptr<BackingStore> pointers,
> and the construction and destruction of the BackingStore object itself
> handles the underlying page or embedder-allocated memory.
> 
> The embedder API remains unchanged for now. We use the
> v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> keep the backing store alive properly, even in the case of aliases
> from live heap objects. Thus the embedder has a lower chance of making
> a mistake. Long-term, we should move the embedder to a model where they
> manage backing stores using shared_ptr to an opaque backing store object.
> 
> R=mlippautz@chromium.org
> BUG=v8:9380,v8:9221
> 
> Change-Id: I48fae5ac85dcf6172a83f252439e77e7c1a16ccd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584323
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62572}

Bug: v8:9380, v8:9221
Change-Id: If3f72967a8ebeb067c0edcfc16ed631e36829dbc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691906
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62809}
2019-07-18 15:30:52 +00:00
Sathya Gunasekaran
050ad1d840 Revert "[runtime] Fix protector invalidation"
This reverts commit e55e0aa5bd.

Reason for revert: speculative revert for tsan breakage
https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket.appspot.com/8907588363297935904/+/steps/Check__flakes_/0/logs/regress-437713/0

Original change's description:
> [runtime] Fix protector invalidation
> 
> Protectors trigger when special properties are modified or masked. Previously
> we would check whether the property stored on the holder would invalidate the
> protector. Stores to to the receiver rather than the holder, however, so this
> CL changes holder for receiver, and adds additional checks that were missing.
> 
> Bug: v8:9466
> Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62805}

TBR=leszeks@chromium.org,verwaest@chromium.org

Change-Id: Id8fc36525b7c5631589a67073ad1fd5815ea2775
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9466
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708482
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62807}
2019-07-18 14:51:03 +00:00
Toon Verwaest
e55e0aa5bd [runtime] Fix protector invalidation
Protectors trigger when special properties are modified or masked. Previously
we would check whether the property stored on the holder would invalidate the
protector. Stores to to the receiver rather than the holder, however, so this
CL changes holder for receiver, and adds additional checks that were missing.

Bug: v8:9466
Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62805}
2019-07-18 13:48:52 +00:00