Commit Graph

39531 Commits

Author SHA1 Message Date
bjaideep
cfdffe2be3 Reland of PPC/s390: SmiUntag only for 32bit
R=joransiu@ca.ibm.com, jyan@ca.ibm.com
BUG=
LOG=n

Review-Url: https://codereview.chromium.org/2839343003
Cr-Commit-Position: refs/heads/master@{#44939}
2017-04-27 14:47:13 +00:00
Michael Starzinger
f6296b344e [asm.js] Fix heap buffer checking during instantiation.
This makes sure that asm.js modules can only be instantiated with a
valid {ArrayBuffer} as the underlying heap buffer for all cases where
accepting anything else would be observably different from JavaScript
proper.

R=clemensh@chromium.org
TEST=mjsunit/asm/asm-memory
BUG=chromium:715505,chromium:715748

Change-Id: I355686200151c5667bf836824de922d657a8d943
Reviewed-on: https://chromium-review.googlesource.com/488521
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44938}
2017-04-27 14:47:03 +00:00
Andreas Haas
d9b8e463c9 [wasm] Skip skip-stack-guard-page test for x64 and ia32
R=machenbach@chromium.org
BUG=v8:6318
NOTRY=true
NOTREECHECKS=true

Change-Id: If57bc5bab8d2544519f140ee4a19aa89b1125fd7
Reviewed-on: https://chromium-review.googlesource.com/488603
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44937}
2017-04-27 14:20:46 +00:00
bjaideep
cef9effe66 Revert of PPC/s390: SmiUntag only for 32bit (patchset id:1 of https://codereview.chromium.org/2842843005/ )
Reason for revert:
A few tests are failing with stack overflow, will reland with the fix.

Original issue's description:
> PPC/s390: SmiUntag only for 32bit
>
> R=joransiu@ca.ibm.com, jyan@ca.ibm.com
> BUG=
> LOG=n
>
> Review-Url: https://codereview.chromium.org/2842843005
> Cr-Commit-Position: refs/heads/master@{#44908}
> Committed: 76dfdb7a32

TBR=joransiu@ca.ibm.com,jyan@ca.ibm.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2852433002
Cr-Commit-Position: refs/heads/master@{#44936}
2017-04-27 13:47:43 +00:00
Clemens Hammacher
90e1ebeef4 Revert "[base] Introduce RoundUpToPowerOfTwo64"
This reverts commit 9ceaf21272.

Reason for revert: Fails on arm: http://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/2950/steps/Check/logs/Bits.RoundUpToPowerOf..

Original change's description:
> [base] Introduce RoundUpToPowerOfTwo64
> 
> And fix RoundUpToPowerOfTwo32 to return 1 for the input 0.
> 0 is no power of two.
> Beside being the correct value, this also avoids a special case in the
> (new) fast path using the number of leading zeros.
> 
> R=jochen@chromium.org, ahaas@chromium.org
> 
> Change-Id: I87173495e13b334954bcebbb55724fb666dfa809
> Reviewed-on: https://chromium-review.googlesource.com/488143
> Reviewed-by: Jochen Eisinger <jochen@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44925}

TBR=ahaas@chromium.org,jochen@chromium.org,clemensh@chromium.org,v8-reviews@googlegroups.com,wasm-v8@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: Ib353ee0a944316da6f919bac3bb88d4f95d98ea0
Reviewed-on: https://chromium-review.googlesource.com/488365
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44935}
2017-04-27 13:43:12 +00:00
Clemens Hammacher
a9f4288730 Revert "[wasm] [cleanup] Remove unused parameter from SyncValidate"
This reverts commit 33b0b710b1.

Reason for revert: Fails on arm: http://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/2950/steps/Check/logs/Bits.RoundUpToPowerOf..

Original change's description:
> [wasm] [cleanup] Remove unused parameter from SyncValidate
> 
> R=ahaas@chromium.org
> 
> Change-Id: I952c5461ef44d4b01e99390e668bfc0d7f7ba25b
> Reviewed-on: https://chromium-review.googlesource.com/488341
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44931}

TBR=ahaas@chromium.org,clemensh@chromium.org,v8-reviews@googlegroups.com,wasm-v8@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: Ie5f28109b86d7810b95053cbca563dea96bd13b2
Reviewed-on: https://chromium-review.googlesource.com/488364
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44934}
2017-04-27 13:41:13 +00:00
Andreas Haas
e177068e5c [wasm] Add wasm spec tests to the v8 test runner
The spec tests are stored on a mirror and are downloaded with the DEPS
file. The test files on the mirror are updated with a script which has
to be executed manually.

This CL contains the following changes:

* A script which updates the spec tests and uploads the generated files
  to the mirror.
* Changes to the DEPS file to download the files from the mirror.
* Changes so that tools/run-tests.py can run the spec tests.

R=machenbach@chromium.org, rossberg@chromium.org

Change-Id: Ia50d09bb1501c0c0f1d1506aa3657a3aa69c2864
Reviewed-on: https://chromium-review.googlesource.com/488083
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44933}
2017-04-27 13:00:13 +00:00
Miran.Karic
de14ba9fd2 MIPS: Fix Subu and add optimization
For int16 imm values Subu would emit addiu with -imm value, but doing
this with min_int16 would overflow and produce an incorrect result. This is
fixed by checking if -imm is int16. A test for this case is created.

An optimization is also added for values imm where we cannot just emit
addiu and loading -imm to a register takes one instruction using ori.
Then instead of loading imm with lui;ori and subtracting with subu, we
can load -imm with ori and add with addu.

BUG=
TEST=cctest/test-assembler-mips/Subu

Review-Url: https://codereview.chromium.org/2845043002
Cr-Commit-Position: refs/heads/master@{#44932}
2017-04-27 12:56:50 +00:00
Clemens Hammacher
33b0b710b1 [wasm] [cleanup] Remove unused parameter from SyncValidate
R=ahaas@chromium.org

Change-Id: I952c5461ef44d4b01e99390e668bfc0d7f7ba25b
Reviewed-on: https://chromium-review.googlesource.com/488341
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44931}
2017-04-27 12:36:23 +00:00
yangguo
2920ea59a4 [debug] fix case of GC-unsafe access in Debug::HandleDebugBreak.
BUG=v8:6311
R=jkummerow@chromium.org

Review-Url: https://codereview.chromium.org/2845853003
Cr-Commit-Position: refs/heads/master@{#44930}
2017-04-27 12:26:54 +00:00
Andreas Haas
34ae5a09b3 [gm] Adjust the script to support mips64el
R=jkummerow@chromium.org

Change-Id: I6fc3817410df4f070675051397a30cc1b0ca7dfe
Reviewed-on: https://chromium-review.googlesource.com/488030
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44929}
2017-04-27 12:16:56 +00:00
Michael Achenbach
4e85f8180c Revert "[ic] Handle JSArray::length in CodeStubAssembler::CallGetterIfAccessor."
This reverts commit 0322be817d.

Reason for revert: Breaks:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug/builds/4612

Original change's description:
> [ic] Handle JSArray::length in CodeStubAssembler::CallGetterIfAccessor.
> 
> When accessing JSArray::length property from GenericPropertyLoad
> (i.e. via a megamorphic KEYED_LOAD_IC), we'd always go to the runtime
> at this point, because the CallGetterIfAccessor method didn't support
> AccessorInfos at all. Now there's initial support for JSArray::length,
> which reduces the number of %KeyedGetProperty calls we see in the
> Speedometer/EmberJS test by 5000.
> 
> Also-By: ishell@chromium.org
> BUG=v8:5269
> R=ishell@chromium.org
> 
> Change-Id: I44ce7966f9b7257808110a24d95a8167ab035df9
> Reviewed-on: https://chromium-review.googlesource.com/488224
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44915}

TBR=ishell@chromium.org,bmeurer@chromium.org,v8-reviews@googlegroups.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5269

Change-Id: Ib32e87c4ec4fd746abe3cdea3ec1cd96aabb4cff
Reviewed-on: https://chromium-review.googlesource.com/488362
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44928}
2017-04-27 12:10:37 +00:00
Jochen Eisinger
4fdf9fd481 Add documentation for FunctionCallbackInfo
R=verwaest@chromium.org,haraken@chromium.org,yukishiino@chromium.org
BUG=

Change-Id: I273f5ce305f80b2aa5e9c8c42a6e8e5afc51a0a7
Reviewed-on: https://chromium-review.googlesource.com/484422
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44927}
2017-04-27 11:51:25 +00:00
jarin
ff2109d53e [turbofan] Fix impossible type handling for TypeGuard and BooleanNot.
This also fixes incorrect type for fixed array accesses.

BUG=chromium:715651,v8:6309,chromium:715204

Review-Url: https://codereview.chromium.org/2848583002
Cr-Commit-Position: refs/heads/master@{#44926}
2017-04-27 11:35:15 +00:00
Clemens Hammacher
9ceaf21272 [base] Introduce RoundUpToPowerOfTwo64
And fix RoundUpToPowerOfTwo32 to return 1 for the input 0.
0 is no power of two.
Beside being the correct value, this also avoids a special case in the
(new) fast path using the number of leading zeros.

R=jochen@chromium.org, ahaas@chromium.org

Change-Id: I87173495e13b334954bcebbb55724fb666dfa809
Reviewed-on: https://chromium-review.googlesource.com/488143
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44925}
2017-04-27 11:22:11 +00:00
Mythri
51a5b23331 [Interpreter] Fix compare bytecodehandler benchmarks for equals.
Bug: v8:4280

Change-Id: I83dfd26b47d554406d3ede633bbefc92db6a4faf
Reviewed-on: https://chromium-review.googlesource.com/487964
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44924}
2017-04-27 11:14:21 +00:00
Jochen Eisinger
4e78b5a70c Add missing early-bailouts in ast traversal visitors
Instructions after an unconditional jump can be omitted.

BUG=chromium:715582
R=bradnelson@chromium.org,verwaest@chromium.org
TBR=bradnelson@chromium.org

Change-Id: Ie4f4041ed836f328955a0ff396e2dfd6adc01513
Reviewed-on: https://chromium-review.googlesource.com/487983
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44923}
2017-04-27 10:47:37 +00:00
Michael Starzinger
3a9e4d8018 [asm.js] Cleanup asm.js instantiation API.
This refactors the {AsmJs} methods used for instantiating an asm.js
module to only use one single entry point. It is in preparation to
validate the "memory" argument as well.

R=clemensh@chromium.org
BUG=chromium:715505

Change-Id: I5e26fcf46f98c053080c70b26c0f562afc7f794a
Reviewed-on: https://chromium-review.googlesource.com/488226
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44922}
2017-04-27 10:45:37 +00:00
bmeurer
216e677a0c Revert of [tickprocessor] Consider top of the stack as pc if it points to a code object. (patchset id:1 of https://codereview.chromium.org/2822433002/ )
Reason for revert:
Seems to lead to more (completely) misattributed ticks

Original issue's description:
> [tickprocessor] Consider top of the stack as pc if it points to a code object.
>
> Previously, we would only consider it if it pointed to a full-code JS function.
> Thus we could miss both optimized functions and bytecode handlers if they
> called frame-less code.
>
> Review-Url: https://codereview.chromium.org/2822433002
> Cr-Commit-Position: refs/heads/master@{#44640}
> Committed: 4433ac299e

TBR=jarin@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.

Review-Url: https://codereview.chromium.org/2844053003
Cr-Commit-Position: refs/heads/master@{#44921}
2017-04-27 10:07:13 +00:00
ulan
3737501075 Remove ulan@ from heap watchlist.
NOTRY=true

Review-Url: https://codereview.chromium.org/2843393002
Cr-Commit-Position: refs/heads/master@{#44920}
2017-04-27 09:36:43 +00:00
Mythri
f0756b5cc5 [Interpreter] Inline the collection of feedback for StrictEqual bytecode handler.
The feedback collection was decoupled from the actual comparison in the
compare bytecode handlers. This involves checks on the type of operands both
when collecting the feedback and when performing the operation. To avoid this
the type feedback is collected inline with the actual comparison.

This cl inlines the type feedback collection for the StrictEqual bytecode
handler. The other compare operations will be handled in subsequent cls.

Bug:

Change-Id: I429ed3c58b344c1c492e743c190bf16ab991ce6e
Reviewed-on: https://chromium-review.googlesource.com/483399
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44919}
2017-04-27 09:30:48 +00:00
mlippautz
6cc6672fde [heap] Verify that new space objects are in to space after evacuation
BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2846683003
Cr-Commit-Position: refs/heads/master@{#44918}
2017-04-27 09:23:51 +00:00
jl
c9ab660ebd [inspector] Add some context scopes to inspector code
Currently, the external API (e.g. v8::Object::Get()) will enter the
context passed to it automatically. This is incorrect and causes some
trouble for Blink, so we want to change that.

It then becomes a potential problem to call the external API without
first entering a context, which the inspector code does in some
places. This patch aims to correct this.

BUG=v8:6307

Review-Url: https://codereview.chromium.org/2841053002
Cr-Commit-Position: refs/heads/master@{#44917}
2017-04-27 08:48:39 +00:00
Peter Marshall
7b26234c74 [tests] Allow filtering of benchmarks in run_perf.py.
This is a highly requested feature!

Bug: v8:6276
Change-Id: I17b606ae0ff8fa9dfdd0fa74fd1f7ad0dd3fc4f8
Reviewed-on: https://chromium-review.googlesource.com/488044
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44916}
2017-04-27 08:24:36 +00:00
Benedikt Meurer
0322be817d [ic] Handle JSArray::length in CodeStubAssembler::CallGetterIfAccessor.
When accessing JSArray::length property from GenericPropertyLoad
(i.e. via a megamorphic KEYED_LOAD_IC), we'd always go to the runtime
at this point, because the CallGetterIfAccessor method didn't support
AccessorInfos at all. Now there's initial support for JSArray::length,
which reduces the number of %KeyedGetProperty calls we see in the
Speedometer/EmberJS test by 5000.

Also-By: ishell@chromium.org
BUG=v8:5269
R=ishell@chromium.org

Change-Id: I44ce7966f9b7257808110a24d95a8167ab035df9
Reviewed-on: https://chromium-review.googlesource.com/488224
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44915}
2017-04-27 08:22:53 +00:00
Benedikt Meurer
0991f9d291 [ic] Properly handle handler misses in GenericPropertyLoad.
The AccessorAssembler::GenericPropertyLoad case went to
%KeyedGetProperty when the actual handler that we found
in the stub cache would miss. In this case we would always
fall into the same trap all the time, since no one updates
the stub cache.

BUG=v8:5269
R=ishell@chromium.org

Change-Id: I90fd83337c320f194dc31a69716627d047a6b070
Also-By: ishell@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/488147
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44914}
2017-04-27 07:51:39 +00:00
Peter Marshall
c1699fdeef [builtins] Copy TypedArray elements with the elements accessor in Set.
Performance regressed for this with the I+TF switch. This speeds up
the simple case by using optimizations in the elements accessor.

Bug: chromium:700835
Change-Id: Iaba30951b93daefa0fb32acd6656ac705cdc73ed
Reviewed-on: https://chromium-review.googlesource.com/483341
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44913}
2017-04-27 07:37:44 +00:00
yangguo
b5de6719da [serializer] correctly output statistics.
kNumberOfSpaces includes map and large object spaces,
kNumberOfPreallocatedSpaces does not. Therefore we need
to output both separately.

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2843353002
Cr-Commit-Position: refs/heads/master@{#44912}
2017-04-27 07:31:51 +00:00
bmeurer
10980eb56e [cleanup] Drop some dead code from Crankshaft.
This code was confusing, as it wasn't immediately obvious that this is
dead and doesn't need to be updated anymore.

R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2844993002
Cr-Commit-Position: refs/heads/master@{#44911}
2017-04-27 06:15:23 +00:00
v8-autoroll
255518fa6a Update V8 DEPS.
Rolling v8/build: 95c219b..8ed22b4

Rolling v8/third_party/android_tools: https://chromium.googlesource.com/android_tools/+log/b65c477..cb6bc21

Rolling v8/third_party/catapult: 380124f..8062a57

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: Iae759fb661433fb664e2ed1c9b48beddaee0cc96
Reviewed-on: https://chromium-review.googlesource.com/488325
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44910}
2017-04-27 03:25:06 +00:00
Adam Klein
8808c21713 Skip mjsunit/regress/regress-430201{,b} on ASAN builds due to flakiness
TBR=machenbach@chromium.org
Bug: v8:6305

Change-Id: I1cc18597b9bbf4b140008228306c169d653b907a
Reviewed-on: https://chromium-review.googlesource.com/488105
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44909}
2017-04-27 00:40:50 +00:00
bjaideep
76dfdb7a32 PPC/s390: SmiUntag only for 32bit
R=joransiu@ca.ibm.com, jyan@ca.ibm.com
BUG=
LOG=n

Review-Url: https://codereview.chromium.org/2842843005
Cr-Commit-Position: refs/heads/master@{#44908}
2017-04-26 21:59:56 +00:00
Eric Holk
54be464fe4 Revert "[wasm] Add guard pages before Wasm Memory"
This reverts commit d7cdea6fa2.

Reason for revert: Flakiness on bots

Original change's description:
> [wasm] Add guard pages before Wasm Memory
> 
> Although Wasm memory indices are all unsigned, they sometimes get assembled
> as 32-bit signed immediates. Values in the top half of the Wasm memory space
> will then get sign extended, causing Wasm to access in front of its memory
> buffer.
> 
> Usually this region is not mapped anyway, so faults still happen as they are
> supposed to. This change protects this region with guard pages so we are
> guaranteed to always fault when this happens.
> 
> Bug: v8:5277
> Change-Id: Id791fbe2a5ac1b1d75460e65c72b5b9db2a47ee7
> Reviewed-on: https://chromium-review.googlesource.com/484747
> Commit-Queue: Eric Holk <eholk@chromium.org>
> Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44905}

TBR=bradnelson@chromium.org,gdeepti@chromium.org,mtrofin@chromium.org,eholk@chromium.org,mseaborn@chromium.org,adamk@chromium.org,v8-reviews@googlegroups.com,wasm-v8@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: Ia1d3e5dbf4f518815a9fd4197047077bc8e42816
Reviewed-on: https://chromium-review.googlesource.com/487828
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44907}
2017-04-26 20:57:35 +00:00
Adam Klein
86aa7960cc Revert behavioral part of 84dc8ed4c3
Clearing out the constructor field is invalid in the case where the
function's map has transitioned since the last SetPrototype call.

Bug: chromium:714972
Change-Id: Ie918702a128219c4995b805f7c9a53b41cc4e4b6
Reviewed-on: https://chromium-review.googlesource.com/486130
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44906}
2017-04-26 20:56:30 +00:00
Eric Holk
d7cdea6fa2 [wasm] Add guard pages before Wasm Memory
Although Wasm memory indices are all unsigned, they sometimes get assembled
as 32-bit signed immediates. Values in the top half of the Wasm memory space
will then get sign extended, causing Wasm to access in front of its memory
buffer.

Usually this region is not mapped anyway, so faults still happen as they are
supposed to. This change protects this region with guard pages so we are
guaranteed to always fault when this happens.

Bug: v8:5277
Change-Id: Id791fbe2a5ac1b1d75460e65c72b5b9db2a47ee7
Reviewed-on: https://chromium-review.googlesource.com/484747
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44905}
2017-04-26 20:09:47 +00:00
Adam Klein
a711f281fa Make Object::ToObject() output more useful error messages
This allows us to avoid a separate receiver typecheck in a few places
without regressing the error messages generated.

As more Array methods move to C++, this will get more usage.

Bug: v8:3577
Change-Id: Ibdd17c781548520172ce62442bc3a800e5c09e99
Reviewed-on: https://chromium-review.googlesource.com/486103
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44904}
2017-04-26 19:34:04 +00:00
Adam Klein
6058b4471d [ESNext] Stage --harmony-strict-legacy-accessor-builtins
R=littledan@chromium.org

Bug: v8:5070
Change-Id: I15d26410eafca47eec7ecd0b3ca58d608f4ae0cc
Reviewed-on: https://chromium-review.googlesource.com/487029
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44903}
2017-04-26 18:31:13 +00:00
Clemens Hammacher
213d1fa6be [wasm] [interpreter] Avoid redundant stack limit checks
The interpreter used a ZoneVector<WasmVal> to model the value stack.
Thus, at each single pop to the stack, a bounds check was performed,
and the storage was potentially extended.
This CL changes this to pre-allocate enough space for the stack of a
function when a new frame is entered. This avoids any checks for pushes
and pops.
Instead of storing a ZoneVector<WasmVal>, we store WasmVal* directly.
The maximum value stack size is precomputed together with the control
transfer side table.

This CL speeds up interpreted execution by 15% on average (measured
locally on a Z840).

R=ahaas@chromium.org
BUG=v8:5822

Change-Id: If949f7ee5233d874cd6a04b7dde2d7b4a95e45ea
Reviewed-on: https://chromium-review.googlesource.com/488061
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44902}
2017-04-26 18:05:53 +00:00
bmeurer
23bb8fa9c0 [test] Increase test coverage for Array constructor inlining.
This still doesn't cover all the paths yet, since some paths are
impossible to trigger at this point due to the way the CanInlineCall
predicate works on the AllocationSite, which says multiple things:

 - In case of Array(len), the len was always a Smi so far.
 - In case of Array(...args), storing the args didn't change the
   elements kind.
 - In case of Array(len), the len was always less than the initial
   maximum fast element array size.

These conditions are tailored towards Crankshaft and don't really
make a lot of sense in the TurboFan world. We'd need more fine
grained protections, which we will achieve by refactoring the Array
constructor.

BUG=chromium:715404,v8:6262
TBR=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2843033002
Cr-Commit-Position: refs/heads/master@{#44901}
2017-04-26 17:36:32 +00:00
kozyatinskiy
a1a3090479 [builtins] Builtins::CallableFor(): generate CPP case for ConsoleAssert only.
To reduce size of Builtins::CallableFor function we can add only case which we actually use.

BUG=chromium:714893
R=ishell@chromium.org

Review-Url: https://codereview.chromium.org/2839933003
Cr-Commit-Position: refs/heads/master@{#44900}
2017-04-26 15:40:42 +00:00
Peter Marshall
e855e514d1 [builtins] Add a fast path to construct TypedArrays from holey arrays.
For holey Smi and double source arrays, we would go to the general
case, which is much slower than before. We already check that there
are no prototype chain changes in IterableToListCanBeElided, and
there is no JS-code run between that check and the copying of the
elements, so we can safely check for the hole and convert it to
undefined, which is then converted to 0/NaN appropriately for the
given TypedArray.

Bug: chromium:713570,chromium:711275
Change-Id: I5b21c915907d71eebb73b7b1eea8eb58b4a5436d
Reviewed-on: https://chromium-review.googlesource.com/485520
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44899}
2017-04-26 15:36:36 +00:00
jgruber
397ebb765c Revert of [turbofan] Fix impossible type handling for TypeGuard and BooleanNot. (patchset id:1 of https://codereview.chromium.org/2836203004/ )
Reason for revert:
Tentative revert for https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/14886

Original issue's description:
> [turbofan] Fix impossible type handling for TypeGuard and BooleanNot.
>
> BUG=chromium:715204
>
> Review-Url: https://codereview.chromium.org/2836203004
> Cr-Commit-Position: refs/heads/master@{#44883}
> Committed: 9c47a061cf

TBR=bmeurer@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:715204

Review-Url: https://codereview.chromium.org/2842793004
Cr-Commit-Position: refs/heads/master@{#44898}
2017-04-26 15:24:52 +00:00
yangguo
aaaaa80f02 [inspector] always include user scripts in the snapshot.
V8 can bundle user scripts in the start up snapshot. These are
shared across contexts, and do not work well with context groups.

R=kozyatinskiy@chromium.org
BUG=v8:6274

Review-Url: https://codereview.chromium.org/2836623002
Cr-Original-Commit-Position: refs/heads/master@{#44847}
Committed: 9685cfd310
Review-Url: https://codereview.chromium.org/2836623002
Cr-Commit-Position: refs/heads/master@{#44897}
2017-04-26 15:13:14 +00:00
Andreas Haas
af1a309146 [wasm] Delete the AsyncCompileJob object just before ResolvePromise
At the moment the AsyncCompileJob object is deallocated after one of its
task functions returns false. This mechanism is, however, not documented,
potentially error-prone, and I think there are already some cases where
we got it wrong.

This CL moves the deallocation of the AsyncCompileJob object to the
place where the promise which belongs to the AsyncCompileJob is either
resolved or rejected. This is a more appropriate place to deallocate the
object, because conceptually, at the end of every AsyncCompileJob
its promise should either be resolved or rejected.

R=clemensh@chromium.org, mtrofin@chromium.org

Change-Id: I87618c5619a3ac923645d1c3f6acaee9b0b14a83
Reviewed-on: https://chromium-review.googlesource.com/486884
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44896}
2017-04-26 15:06:25 +00:00
jyan
f39b49df15 s390: fix debug failures
R=joransiu@ca.ibm.com, bjaideep@ca.ibm.com
BUG=

Review-Url: https://codereview.chromium.org/2842833002
Cr-Commit-Position: refs/heads/master@{#44895}
2017-04-26 15:04:50 +00:00
neis
86d2545f77 [cleanup] Minor cleanups concerning assemblers and code generation.
- Use Assembler in a few places that unnecessarily used MacroAssembler before.
- Fix some comments.

R=jarin@chromium.org
BUG=v8:6048

Review-Url: https://codereview.chromium.org/2843933002
Cr-Commit-Position: refs/heads/master@{#44894}
2017-04-26 14:54:33 +00:00
cbruni
6b4b062489 Revert of [turbofan] Set proper representation for initial arguments length. (patchset id:1 of https://codereview.chromium.org/2810333004/ )
Reason for revert:
Field representation is not preserved

Original issue's description:
> [turbofan] Set proper representation for initial arguments length.
>
> The JSArgumentsObject::length representation is initially Smi, so we can
> record that on the initial map and use it to optimize the accesses in
> TurboFan based on that. Similar for JSSloppyArgumentsObject::caller.
>
> BUG=v8:6262
> R=yangguo@chromium.org
>
> Review-Url: https://codereview.chromium.org/2810333004
> Cr-Commit-Position: refs/heads/master@{#44644}
> Committed: 5eec7df9b3

TBR=yangguo@chromium.org,bmeurer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:6262

Review-Url: https://codereview.chromium.org/2825323002
Cr-Commit-Position: refs/heads/master@{#44893}
2017-04-26 14:53:21 +00:00
Michael Starzinger
8952aef167 [asm.js] Fix numeric literal negation in multiplication.
R=clemensh@chromium.org
TEST=mjsunit/asm/int32-mul
BUG=chromium:715482

Change-Id: I525e901fd6ade101999694a53d5147b6e4ccc2e5
Reviewed-on: https://chromium-review.googlesource.com/488024
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44892}
2017-04-26 14:53:09 +00:00
Michael Starzinger
c5bfc27df2 [asm.js] Maintain insertion order of exports.
This makes sure that the observable property order of the module export
maintains insertion order. Now that properties are configurable, we no
longer need to reverse the export processing.

R=clemensh@chromium.org
TEST=mjsunit/asm/asm-validation
BUG=chromium:715420

Change-Id: Ib2024254c07bdad7fee1cf2fa0bd3e847721f5b5
Reviewed-on: https://chromium-review.googlesource.com/488022
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44891}
2017-04-26 14:15:54 +00:00
Michael Starzinger
e2accb425c [asm.js] Fix numeric literal bounds checking.
This fixes the bounds checking of "unsigned" numeric literals (those
that do not contain dots) by the parser. In particular this fixes a
bogus truncation to 32-bit in the scanner. It also makes the scanner
more robust by limiting the range of those numeric literals, hence
completely avoiding rounding loss or truncation errors.

R=clemensh@chromium.org
TEST=unittests/AsmJsScannerTest.UnsignedNumbers
BUG=v8:6298

Change-Id: Id31ab3c652e99fa8d3d6663315768e1bfaf3b773
Reviewed-on: https://chromium-review.googlesource.com/486881
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44890}
2017-04-26 13:45:45 +00:00