port 588e15c034 (r37345)
original commit message:
The opcodes for 'cmpw r/m16, r16' and 'cmpw r16, r/m16' were swapped, causing a few issues when less than/greater than comparisons were performed.
Adds a regression test.
BUG=
Review-Url: https://codereview.chromium.org/2119793002
Cr-Commit-Position: refs/heads/master@{#37469}
port e607e12ea0 (r37323)
original commit message:
Introduce a new machine operator Float64Pow that for now is backed by
the existing MathPowStub to start the unification of Math.pow, and at
the same time address the main performance issue that TurboFan still has
with the imaging-darkroom benchmark in Kraken.
Also migrate the Math.pow builtin itself to a TurboFan builtin and
remove a few hundred lines of hand-written platform code for special
handling of the fullcodegen Math.pow version.
BUG=
Review-Url: https://codereview.chromium.org/2119773003
Cr-Commit-Position: refs/heads/master@{#37468}
Rolling v8/build to c80c063b314ab9cc6c3c5955c7444c2fa514bcec
Rolling v8/buildtools to 454e53abae6e4d68ee992b0a93a4174b75519393
Rolling v8/tools/mb to ea4154b4daca60a5f5c04ef764b7eaf50362250c
TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org
Review-Url: https://codereview.chromium.org/2113243002
Cr-Commit-Position: refs/heads/master@{#37467}
port 5e05854019 (r37325)
original commit message:
The reason for reverting is: This breaks gc-stress bot:
https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot
Abortion of compaction could cause duplicate entries in the typed-old-to-new remembered set. These duplicates could cause a DCHECK to trigger which checks that slots recorded in the remembered set neve
Original issue's description:
Cells were needed originally because there was no typed remembered set to
record direct pointers from code space to new space. A previous
CL (https://codereview.chromium.org/2003553002/) already introduced
the remembered set, this CL uses it.
This CL
* stores direct pointers in code objects, even if the target is in new space,
* records the slot of the pointer in typed-old-to-new remembered set,
* adds a list which stores weak code-to-new-space references,
* adds a test to test-heap.cc for weak code-to-new-space references,
* removes prints in tail-call-megatest.js
BUG=
Review-Url: https://codereview.chromium.org/2112193002
Cr-Commit-Position: refs/heads/master@{#37466}
Reason for revert:
Fuzzer claims `try { \"\" ; } catch(x) { let x1 = [1,,], x = x; }` causes a crash.
Original issue's description:
> Add errors for declarations which conflict with catch parameters.
>
> Catch parameters are largely treated as lexical declarations in the
> block which contains their body for the purposes of early syntax errors,
> with some exceptions outlined in B.3.5. This patch introduces most of
> those errors, except those from `eval('for (var e of ...);')` inside of
> a catch with a simple parameter named 'e'.
>
> Note that annex B.3.5 allows var declarations to conflict with simple
> catch parameters, except when the variable declaration is the init of a
> for-of statement.
>
> BUG=v8:5112,v8:4231
>
> Committed: https://crrev.com/2907c726b2bb5cf20b2bec639ca9e6a521585406
> Cr-Commit-Position: refs/heads/master@{#37462}
TBR=littledan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5112,v8:4231
Review-Url: https://codereview.chromium.org/2112223002
Cr-Commit-Position: refs/heads/master@{#37464}
- Uses byte_width() to determine if spill ranges can be merged.
- Modifies InstructionOperand canonicalization to ignore representation for stack slots.
LOG=N
BUG=v8:4124
Review-Url: https://codereview.chromium.org/2074323002
Cr-Commit-Position: refs/heads/master@{#37463}
Catch parameters are largely treated as lexical declarations in the
block which contains their body for the purposes of early syntax errors,
with some exceptions outlined in B.3.5. This patch introduces most of
those errors, except those from `eval('for (var e of ...);')` inside of
a catch with a simple parameter named 'e'.
Note that annex B.3.5 allows var declarations to conflict with simple
catch parameters, except when the variable declaration is the init of a
for-of statement.
BUG=v8:5112,v8:4231
Review-Url: https://codereview.chromium.org/2109733003
Cr-Commit-Position: refs/heads/master@{#37462}
AddBoundMethod, in i18n.js, returns functions all of which share the
same backing SharedFunctionInfo, which means that its calls to
InstallGetter were causing all such functions to have a single name
(that of the last caller, "get breakType").
This patch skips calling InstallGetter and instead directly calls
%DefineGetterPropertyUnchecked, which itself sets the name property
on the JSFunction instance (it knows how to do this in order to handle
getters that have computed property names).
Also takes care of a TODO having to do with the inner boundMethod:
its name is now made empty, by using a new macro that gets around
ES2015's function name inference.
Finally, removes a redundant %FunctionRemovePrototype: arrow functions
have no prototypes to begin with.
R=littledan@chromium.org
BUG=v8:4778
Review-Url: https://codereview.chromium.org/2109223002
Cr-Commit-Position: refs/heads/master@{#37459}
Reason for revert:
By request from ishell, plan is to leave this in master for awhile longer
Original issue's description:
> Revert of Add crash instrumentation for crbug.com/621147 (patchset #5 id:80001 of https://codereview.chromium.org/2100313002/ )
>
> Reason for revert:
> Instrumentation not needed on master branch
>
> Original issue's description:
> > Add crash instrumentation for crbug.com/621147
> >
> > BUG=chromium:621147
> > LOG=N
> > R=ishell@chromium.org,cbruni@chromium.org
> >
> > Committed: https://crrev.com/5ff508a82299f20a0d9828cf73072a4f4772fab8
> > Cr-Commit-Position: refs/heads/master@{#37328}
>
> TBR=verwaest@chromium.org,cbruni@chromium.org,ishell@chromium.org,mlippautz@chromium.org
> # Not skipping CQ checks because original CL landed more than 1 days ago.
> BUG=chromium:621147, chromium:624764
>
> Committed: https://crrev.com/b324850900e531ccee03f1712333f13dfcf15427
> Cr-Commit-Position: refs/heads/master@{#37456}
TBR=verwaest@chromium.org,cbruni@chromium.org,ishell@chromium.org,mlippautz@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:621147, chromium:624764
Review-Url: https://codereview.chromium.org/2114743002
Cr-Commit-Position: refs/heads/master@{#37458}
Added missing GetExtraICState() function for CompareICStub. Without it,
code->extra_ic_state() in IC::StateFromCode was returning zero, which was
causing some performance regressions, as the TypeFeedbackInfo was not updated
correctly, resulting in the runtime profiler choosing not to optimise some
functions that we previously would.
BUG=
Review-Url: https://codereview.chromium.org/2116523002
Cr-Commit-Position: refs/heads/master@{#37457}
Reason for revert:
Instrumentation not needed on master branch
Original issue's description:
> Add crash instrumentation for crbug.com/621147
>
> BUG=chromium:621147
> LOG=N
> R=ishell@chromium.org,cbruni@chromium.org
>
> Committed: https://crrev.com/5ff508a82299f20a0d9828cf73072a4f4772fab8
> Cr-Commit-Position: refs/heads/master@{#37328}
TBR=verwaest@chromium.org,cbruni@chromium.org,ishell@chromium.org,mlippautz@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:621147, chromium:624764
Review-Url: https://codereview.chromium.org/2118493002
Cr-Commit-Position: refs/heads/master@{#37456}
Currently only property queries are supported.
This CL also factors out prototype chain iteration logic.
GetPropertyStub is not used yet.
BUG=v8:4911
LOG=Y
Review-Url: https://codereview.chromium.org/2087863002
Cr-Commit-Position: refs/heads/master@{#37455}
This turns the blacklist back into a white-list adding all binary operations as allowed operations. The one known fix is that it forces canonicalization of the double-hole as double constant.
BUG=chromium:621147
Review-Url: https://codereview.chromium.org/2106393002
Cr-Commit-Position: refs/heads/master@{#37452}
This removes the need to thread through frame states for eager bailout
points from the call-site into the reduction helper. The node under
reduction is known to JSBinopReduction, frame states are loaded late.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2112643006
Cr-Commit-Position: refs/heads/master@{#37450}
Reason for revert:
Found to break SAP Web IDE, and these semantics are not shipped in any other browser.
Revert to legacy semantics while assessing web compatibility.
BUG=chromium:624318
Original issue's description:
> Put RegExp js code in strict mode
>
> src/js/regexp.js was one of the few files that was left in sloppy
> mode. The ES2017 draft specification requires that writes to
> lastIndex throw when the property is non-writable, and test262
> tests enforce this behavior. This patch puts that file in strict
> mode.
>
> BUG=v8:4504
> R=yangguo@chromium.org
> LOG=Y
>
> Committed: https://crrev.com/80b1b2a45bbd9bf3d08e4e6516acfaaa8f438213
> Cr-Commit-Position: refs/heads/master@{#34801}
TBR=yangguo@chromium.org,adamk@chromium.org
Review-Url: https://codereview.chromium.org/2112713003
Cr-Commit-Position: refs/heads/master@{#37449}
In the current implementation of wasm an unrepresentable input of the
float32-to-int32 conversion is detected by first truncating the input, then
converting the truncated input to int32 and back to float32, and then checking
whether the result is the same as the truncated input.
This input check does not work on arm and arm64 for an input of (INT32_MAX + 1)
because on these platforms the float32-to-int32 conversion results in INT32_MAX
if the input is greater than INT32_MAX. When INT32_MAX is converted back to
float32, then the result is (INT32_MAX + 1) again because INT32_MAX cannot be
represented precisely as float32, and rounding-to-nearest results in (INT32_MAX
+ 1). Since (INT32_MAX + 1) equals the truncated input value, the input appears
to be representable.
With the changes in this CL, the result of the float32-to-int32 conversion is
incremented by 1 if the original result was INT32_MAX. Thereby the detection of
unrepresentable inputs in wasm works. Note that since INT32_MAX cannot be
represented precisely in float32, it can also never be a valid result of the
float32-to-int32 conversion.
@v8-mips-ports, can you do a similar implementation for mips?
R=titzer@chromium.org, Rodolph.Perfetta@arm.com
Review-Url: https://codereview.chromium.org/2105313002
Cr-Commit-Position: refs/heads/master@{#37448}
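The round-trip check described in the commit message above, as an added C example that is not V8 code: it models the saturating arm/arm64 conversion in software and shows why an input of (INT32_MAX + 1) passes the original check but fails the adjusted one. All function names are hypothetical, and the "+1" is modelled as 32-bit wraparound to INT32_MIN, which is an assumption about the register arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

/* Truncate toward zero without libm. Floats with |x| >= 2^23 are already
 * integral; NaN and infinities are returned unchanged. */
static float trunc_f32(float x) {
    if (x != x || x >= 8388608.0f || x <= -8388608.0f) return x;
    return (float)(int32_t)x;
}

/* Software model of the saturating float32-to-int32 conversion the commit
 * message describes for arm/arm64. Explicit range checks are used because
 * an out-of-range cast is undefined behaviour in C. */
static int32_t sat_f32_to_i32(float x) {
    if (x != x) return 0;                        /* NaN */
    if (x >= 2147483648.0f) return INT32_MAX;    /* saturate high */
    if (x < -2147483648.0f) return INT32_MIN;    /* saturate low */
    return (int32_t)x;
}

/* Original check: truncate, convert to int32 and back, compare. */
int representable_roundtrip(float x) {
    float t = trunc_f32(x);
    int32_t i = sat_f32_to_i32(t);
    return (float)i == t;
}

/* Adjusted check: a result of INT32_MAX is incremented by 1. INT32_MAX is
 * never a valid result because float32 cannot represent it exactly. */
int representable_adjusted(float x) {
    float t = trunc_f32(x);
    int32_t i = sat_f32_to_i32(t);
    if (i == INT32_MAX) i = INT32_MIN;  /* assumed 32-bit wrap of INT32_MAX + 1 */
    return (float)i == t;
}

int main(void) {
    /* Constructed sample inputs around the int32 boundary. */
    const float samples[] = { 1.5f, 2147483520.0f, 2147483648.0f,
                              4294967296.0f, -2147483648.0f };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%.1f roundtrip=%d adjusted=%d\n", samples[k],
               representable_roundtrip(samples[k]),
               representable_adjusted(samples[k]));
    return 0;
}
```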
Having presubmit called from within the test runner often
requires logic to remove the call again.
After the GN transition it would be better if presubmit is
called by a wrapper script if needed at all. It is run
on upload and on the tryservers anyways.
BUG=chromium:474921
Review-Url: https://codereview.chromium.org/2114653002
Cr-Commit-Position: refs/heads/master@{#37447}
This executes an action as part of the build, writing a json
configuration that includes all build flags relevant to v8
testing.
The test runner will derive all build-dependent flags from
the file if it detects it.
BUG=chromium:474921
Review-Url: https://codereview.chromium.org/2106423002
Cr-Commit-Position: refs/heads/master@{#37446}
The functions related to code statistics are a part of spaces currently.
This is not very intuitive and hence refactored these functions to a new
CodeStatistics class.
BUG=
LOG=N
Review-Url: https://codereview.chromium.org/2082863003
Cr-Commit-Position: refs/heads/master@{#37440}
-Defines SIMD128_REGISTERS for all platforms.
-Adds Simd128 register information to RegisterConfiguration, and implements
aliasing calculations.
LOG=N
BUG=v8:4124
Review-Url: https://codereview.chromium.org/2092103004
Cr-Commit-Position: refs/heads/master@{#37437}
Like the other Math builtins, Math.abs() is now a TurboFan builtin.
It uses RawMachineAssembler::Float64Abs().
R=bmeurer@chromium.org
BUG=v8:5163, v8:5086
LOG=N
Review-Url: https://codereview.chromium.org/2115493002
Cr-Commit-Position: refs/heads/master@{#37433}
This stores the wasm object and the function index in the script, and
adds functions to get the disassembled wasm code as well as the offset
table mapping from byte position to line and column in the disassembly
solely from the script.
This will be used to show "ui source code" in DevTools, and map raw
locations from the stack trace into this code view.
R=yangguo@chromium.org, ahaas@chromium.org, titzer@chromium.org
BUG=chromium:613110
patch from issue 2063013004 at patchset 80001 (http://crrev.com/2063013004#ps80001)
Review-Url: https://codereview.chromium.org/2105303002
Cr-Commit-Position: refs/heads/master@{#37430}
Converts FastNewClosureStub from a Hydrogen to a TurboFan code stub.
The plan is to start using this in the Interpreter CreateClosure
bytecode handler (in a follow-up CL).
BUG=v8:4280
Review-Url: https://codereview.chromium.org/2100883003
Cr-Commit-Position: refs/heads/master@{#37429}
This adds a new CheckIf operator and changes all direct uses of
DeoptimizeIf and DeoptimizeUnless on the JavaScript level to use
CheckIf (or one of the more concrete check operators) instead.
This way we do not depend on particular frame states, but the
effect/control linearizer will assign an appropriate frame
state instead.
R=jarin@chromium.org
BUG=v8:5141
Review-Url: https://codereview.chromium.org/2115513002
Cr-Commit-Position: refs/heads/master@{#37423}
The call to String::Flatten can cause garbage collection and in general adds
complexity to the code generation. It also blocks the way to run code generation on worker threads.
The call to String::Flatten in Constant::ToHeapObject() seems not to be necessary
for correctness. If removing this call affects performance negatively, we can revert
this CL.
Review-Url: https://codereview.chromium.org/2107243002
Cr-Commit-Position: refs/heads/master@{#37422}
This adds verification of bailout IDs to {PrepareFrameState} to ensure
all bailout points used for lazy deoptimization have been prepared by
full codegen. This will catch bailout ID abuse during graph building
instead of late in the deoptimizer. Similar verification for all eager
deoptimization points is already present.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2105023003
Cr-Commit-Position: refs/heads/master@{#37421}