Even though we were generating additional arguments with default value
in the case that the caller was not providing enough, we then passed
the original pointer, leading to potential out-of-bounds accesses.
R=ahaas@chromium.org
Bug: chromium:763294,chromium:763297
Change-Id: Id18622d0d40e0408e26a5fc6f97494b5f9e18d17
Reviewed-on: https://chromium-review.googlesource.com/657699
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47930}
TSAN finds data races in generated JavaScript code that use
access the SharedArrayBuffer backing store racily. These are races, but
they are OK in the sense that the JavaScript memory model allows for the
potential bad behavior they could introduce (e.g. potentially tearing
reads). Relaxed atomics could be used here instead, but that could
introduce performance regressions.
This change adds TSAN annotations to the TypedArray reads/writes to
prevent TSAN from warning about them.
Bug: chromium:722871
Change-Id: I0776475f02a352b678ade7d32ed6bd4a6be98c36
Reviewed-on: https://chromium-review.googlesource.com/656509
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47929}
The previous %StringCharCodeAt runtime entry (and the inlined intrinsic)
are obsolete and not used anymore (except in dedicated tests for this
runtime function), so remove it. And rename the %StringCharCodeAtRT
function, which is actually used to %StringCharCodeAt instead to have
a consistent naming scheme for runtime fallbacks.
Bug: v8:5049
Change-Id: I619429ef54f6efea61fc51ab9ed1d5cfe4417f99
Reviewed-on: https://chromium-review.googlesource.com/657719
Commit-Queue: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47928}
This can be useful when there may be multiple callbacks attached by
code that's not directly tied to a single isolate, e.g. working
on a per-context basis.
This also allows rephrasing the global non-isolate APIs in terms
of this new API, rather than working around it inside `src/heap`.
TBR=hpayer@chromium.org
Bug:
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I2e490ec40d1a34ea812f25f41ef9741d2116d965
Reviewed-on: https://chromium-review.googlesource.com/647548
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47923}
The advantage of an explicit Abort that the interpreter and the compiler know
that aborting cannot continue or throw or deopt. As a result we generate less
code and we do not confuse the compiler if the environment is not set up for
throwing (as in the generator dispatch that fails validation in
crbug.com/762057).
Bug: chromium:762057
Change-Id: I3e88f78be32f31ac49b1845595255f802c405ed7
Reviewed-on: https://chromium-review.googlesource.com/657025
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47922}
JavaScript is a dynamically typed language. But most code is
written with fixed types in mind. When debugging JavaScript,
it is helpful to know the types of variables and parameters
at runtime. It is often hard to infer types for complex code.
Type profiling provides this information at runtime.
Node.js uses the inspector protocol. This CL allows Node.js users
to access and analyse type profile for via Node modules or the
in-procress api. Type Profile helps developers to analyze
their code for correctness and performance.
Design doc: https://docs.google.com/a/google.com/document/d/1O1uepXZXBI6IwiawTrYC3ohhiNgzkyTdjn3R8ysbYgk/edit?usp=sharing
Add `takeTypeProfile` to the inspector protocol. It returns a list
of TypeProfileForScripts, which in turn contains the type profile for
each function. We can use TypeProfile data to annotate JavaScript code.
Sample script with data from TypeProfile:
function f(/*Object, number, undefined*/a,
/*Array, number, null*/b,
/*boolean, Object, symbol*/c) {
return 'bye';
/*string*/};
f({}, [], true);
f(3, 2.3, {a: 42});
f(undefined, null, Symbol('hello'));/*string*/
Bug: v8:5933
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I626bfb886b752f90b9c86cc6953601558b18b60d
Reviewed-on: https://chromium-review.googlesource.com/508588
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47920}
Map::kBitFieldOffset should be loaded as a byte data. This patch
fixes the loading instruction of Map::kBitFieldOffset in lazy
accessors.
Bug: v8:6795, v8:6156
Change-Id: I8fbc88ed44fb43a24335fc81f75b7199ca80212c
Reviewed-on: https://chromium-review.googlesource.com/656862
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47918}
This removes logic related to healing of the optimized code slot within
the feedback vector from the {FastNewClosure} builtin. The underlying
code will by now self-heal making it obsolete during closure creation.
It will also simplify future inline allocation of closures.
R=jarin@chromium.org
BUG=v8:6563
Change-Id: If57fe00e3a98c2af423a833c98a465a669b8f3bc
Reviewed-on: https://chromium-review.googlesource.com/649551
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47917}
This removes the ability to create a copy of a code-stub with a given
replacement pattern applied. It is in preparation of having the ability
to write-protect code objects.
R=ishell@chromium.org
BUG=v8:6409
Change-Id: Id7528b3bfc53ece73d8c58b0ac96c6e5702a9d45
Reviewed-on: https://chromium-review.googlesource.com/654605
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47914}
Add support to the JSCallReducer to recognize JSConstruct nodes where
the target is the Object constructor, and reduce them to JSCreate
nodes if either
(a) no value is passed to the Object constructor, or
(b) the target and new.target are definitely not identical, by checking
whether both target and new.target are different HeapConstants
(if they are not, then the JSCreateLowering will not be able to
do a lot with the JSCreate anyways).
This should cover the relevant cases for subclassing appropriately. It
fixes the 3-4x slowdown on the micro-benchmark mentioned in the linked
bug,
baseNoExtends: 752 ms.
baseExtendsObject: 752 ms.
baseExtendsViaFactory: 751 ms.
and thus removes the performance cliff.
R=jarin@chromium.org
Bug: v8:6801
Change-Id: Id265fd1399302a67b5790a6d0156679920c58bdd
Reviewed-on: https://chromium-review.googlesource.com/657019
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47913}
This is revert of commit aee1e1fb8d with the fix for A1 and N6 jetstream failure.
R=bradnelson@chromium.org,mtrofin@chromium.org,clemensh@chromium.org
Bug: chromium:750828
Change-Id: Id38896af51315f76a0667ace32c77a2ba7287eec
Reviewed-on: https://chromium-review.googlesource.com/607092
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47910}
The previous design assumed we can't possibly have a cycle involving
an instance, however, we can. For example: a script can reference
an instance, which ends up referencing the native context because
of how we generate wasm-to-js wrappers; that references the global
object, which then references the script. A global handle to the
indirect function table can then root such a cycle. That means
the instance is never collected, which never deletes the global
handle.
This change addresses that by making the handles weak.
Bug:
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ief7263af83974bf96505a4fba65d162474fe7c7c
Reviewed-on: https://chromium-review.googlesource.com/653852
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Aseem Garg <aseemgarg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47909}
Port e67420cbc2
Original Commit Message:
There are two main reasons to move DeserializeLazy to ASM:
1. We avoid complications around the distinction between Call/Construct
cases by making sure relevant registers (e.g. new_target) remain
unclobbered.
2. We can avoid the tail-call through CodeFactory::Call/Construct by
jumping directly to the deserialized code object.
R=jgruber@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:6624
LOG=N
Change-Id: Idd9f1fd967d64e952f48e5b35d2d4b49a9c28007
Reviewed-on: https://chromium-review.googlesource.com/656502
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Jaideep Bajwa <bjaideep@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#47908}
This is a reland of a2ed05144c
Original change's description:
> [debug] Add test for promise finally
>
> As of v8:6536, we no longer have to mark builtins explicitly.
>
> Also remove test whitelist for promise finally
> builtins.
>
> Bug: v8:6088, v8:5967
> Change-Id: I7f98dfe7708678653e944ac76ba9938205490b16
> Reviewed-on: https://chromium-review.googlesource.com/654067
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47896}
TBR=jgruber@chromium.org
Bug: v8:6088, v8:5967
Change-Id: I25a1820e04596a44769fc8ded80678f3663bbcd5
Reviewed-on: https://chromium-review.googlesource.com/655740
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47906}
When the bailout triggered, we assumed we're generating data (i.e., we're inside
a non-arrow function). This is not true; it's possible that we're already inside
an arrow function and not generating data anyway.
BUG=v8:5516,chromium:761980
Change-Id: Iad9c8dde283031630953ef9a46c1e68bc0cee048
Reviewed-on: https://chromium-review.googlesource.com/655081
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47905}
Tracking labels for most of these statements made no difference: only
try-statements require the special treatment of being wrapped in a
block. The previous code existed to support strong mode, which is
long gone.
This also results in a tiny regression of the error message for
a labelled `continue` statement targeting itself, but I'm not
convinced that anyone would ever intend to label a continue
statement (and Chakra and SpiderMonkey give similarly inaccurate
error messages for this case).
This is effectively a revert of d8bccfe974.
Bug: v8:6092
Change-Id: I25b62e10f6a20597e9686f08df76ba9724249618
Reviewed-on: https://chromium-review.googlesource.com/653380
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47904}
This is in preparation for BigInt, since for BigInt operands the desugared
operations will no longer be equivalent.
Future CLs can move the handling of these operations further down the
pipeline; this is merely a start to get the Parser out of this business.
Bug: v8:6791
Change-Id: I9df89e03d3ca2bf627c75fc5efb10463c3ed8cf9
Reviewed-on: https://chromium-review.googlesource.com/653433
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47902}
The spec calls out to Promise.prototype.then and also passes around
the constructor of the receiver to Promise.prototype.finally.
Adds a new constructor slot to PromiseFinallyContext enum and this is
used to create a new promise in the thenFinally/catchFinally callbacks.
Created a new PromiseResolve TFS builtin refactored from
the existing PromiseResolve builtin. PromiseResolveWrapper
calls out to this TFS Builtin and is now exposed as Promise.resolve.
The thenFinally and catchFinally callbacks also call out to the
PromiseResolve TFS builtin.
Spec -- https://tc39.github.io/proposal-promise-finally/
Bug: v8:5967
Change-Id: I2ce89f14d3b149619d11e424b6e37062e466c4d5
Reviewed-on: https://chromium-review.googlesource.com/652026
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47898}
As of v8:6536, we no longer have to mark builtins explicitly.
Also remove test whitelist for promise finally
builtins.
Bug: v8:6088, v8:5967
Change-Id: I7f98dfe7708678653e944ac76ba9938205490b16
Reviewed-on: https://chromium-review.googlesource.com/654067
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47896}
Runtime.CallFrame has url already. It allows to show stack traces on pause
without tacking all parsed scripts.
R=alph@chromium.org,pfeldman@chromium.org
Bug: chromium:762982
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ic4f096ade1cb6c9de42fec77280dcc3007c6a5cf
Reviewed-on: https://chromium-review.googlesource.com/648068
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47895}
Flip the flag for one day to determine impact and flush out bugs.
Please add crashes and regressions to https://crbug.com/v8/6796.
Bug: v8:6624,v8:6796
Change-Id: I8b0581c40d956e01f94e9098ff935fdd5af36156
Reviewed-on: https://chromium-review.googlesource.com/651408
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47893}
Use operator== and operator!= instead.
Implemented for x64, ia32, arm, arm64, mips and mips64.
R=mstarzinger@chromium.org,ishell@chromium.org,jgruber@chromium.org
Change-Id: Iad0f03f7f442709dcaa12d6a49a8bc4b03b9cdae
Reviewed-on: https://chromium-review.googlesource.com/654857
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47889}
This speeds up the baseline performance of Object by 20%.
With this change, the callViaObject when run with --noopt
goes from 10718ms to 8577ms on the benchmark from:
http://benediktmeurer.de/2017/08/31/object-constructor-calls-in-webpack-bundles
Bug: v8:6772
Change-Id: Id0e54ba44204a1700885185ec360e1c56834fb73
Reviewed-on: https://chromium-review.googlesource.com/654900
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47888}
Lazy deserialization requires a fully set-up isolate (in particular, we
need Isolate::snapshot_blob). This CL disables lazy deserialization in
affected tests. This should be fixed at some point by setting up the
isolate as needed.
Bug: v8:6624
Change-Id: I94f792d9dcc8a3ba2d91fdeadd9e04ebb0bb50cf
Reviewed-on: https://chromium-review.googlesource.com/655162
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47887}
When setting up an isolate for serialization, we need to disable lazy
deserialization to avoid replacing lazy builtins with DeserializeLazy.
Bug: v8:6624
Change-Id: I3e10e262f6dd856f92fd83e5e475127e8ca3f3bf
Reviewed-on: https://chromium-review.googlesource.com/655161
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47885}
This is a reland of 9b35364c51
Original change's description:
> [cleanup] Replace more instances of List with std::vector.
>
> Bug: v8:6333
> Change-Id: Ic1956d3dcfc0309fe2b65344e5af7235d5b804a2
> Reviewed-on: https://chromium-review.googlesource.com/651413
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Peter Marshall <petermarshall@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47854}
Bug: v8:6333
Change-Id: I5d9482b061f26b57550a421ea4099372dc80767f
Reviewed-on: https://chromium-review.googlesource.com/654898
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47884}
debug::GetBuiltin creates a new JSFunction and constructs a new SFI at
runtime. Ensure that this SFI has the correct builtin_id set.
Bug: v8:6624,v8:6788
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I25da2ad5e69478f81042d3e3bf7e7e2644e7050d
Reviewed-on: https://chromium-review.googlesource.com/654643
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47883}
