Commit Graph

2353 Commits

Author SHA1 Message Date
ahaas
a2081b2d7c [wasm] The exports property of a wasm instance should always exist
R=clemensh@chromium.org
BUG=chromium:663994

Review-Url: https://codereview.chromium.org/2622563002
Cr-Commit-Position: refs/heads/master@{#42163}
2017-01-10 09:55:10 +00:00
littledan
788c96a955 [intl] Remove redundant type checking system
Previously, the Intl implementation tracked types two ways:
 - In the intl_initialized_marker_symbol
 - In various named properties of the intl_impl_object_symbol value

As far as I can tell, these will never disagree with each other,
modulo bugs in Intl itself. This patch removes the second type
checking system.

This reland includes a fixed type check for
Intl.DateTimeFormat.prototype.formatToParts , which is the only Intl
method which is not bound. All future methods will follow this
pattern.

The second reland ensures that a newly inserted test is only run
if Intl is present.

BUG=v8:5751,chromium:677055, v8:4962
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux_noi18n_rel_ng

TBR=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2623683002
Cr-Commit-Position: refs/heads/master@{#42152}
2017-01-09 22:24:57 +00:00
titzer
7ed3c4d791 [wasm] Remove non-standard kExprI8Const bytecode
R=clemensh@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2595733003
Cr-Commit-Position: refs/heads/master@{#42141}
2017-01-09 13:57:26 +00:00
clemensh
fc327e2308 [asm.js] [wasm] Store function start position for stack check
We did not associate any position to the stack check in the wasm
function prologue, hence a check failed later when trying to map the
non-existent position to the asm.js source position.

With this CL, we add a mapping to the source position table, mapping
the stack check call to byte offset 0 (which is distinct from any valid
instruction position). Also, we add another entry to the asm.js source
position sidetable, mapping byte offset 0 to the start source position
of the function body.

R=titzer@chromium.org, ahaas@chromium.org
BUG=chromium:677685

Review-Url: https://codereview.chromium.org/2609363004
Cr-Commit-Position: refs/heads/master@{#42130}
2017-01-09 09:43:04 +00:00
bmeurer
5f418c8a2d [crankshaft] Properly deal with null prototype.
Don't assume that the prototype of an object is always a JSObject when
inlining the known receiver map case for abstract relational comparison.

BUG=chromium:679202
R=ishell@chromium.org

Review-Url: https://codereview.chromium.org/2621583002
Cr-Commit-Position: refs/heads/master@{#42123}
2017-01-09 08:47:43 +00:00
machenbach
b1e4f79e66 Revert of [intl] Remove redundant type checking system (patchset #4 id:60001 of https://codereview.chromium.org/2600913002/ )
Reason for revert:
Breaks noi18n.

Original issue's description:
> [intl] Remove redundant type checking system
>
> Previously, the Intl implementation tracked types two ways:
>  - In the intl_initialized_marker_symbol
>  - In various named properties of the intl_impl_object_symbol value
>
> As far as I can tell, these will never disagree with each other,
> modulo bugs in Intl itself. This patch removes the second type
> checking system.
>
> This reland includes a fixed type check for
> Intl.DateTimeFormat.prototype.formatToParts , which is the only Intl
> method which is not bound. All future methods will follow this
> pattern.
>
> BUG=v8:5751,chromium:677055, v8:4962
> CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux_noi18n_rel_ng
>
> Review-Url: https://codereview.chromium.org/2600913002
> Cr-Commit-Position: refs/heads/master@{#42118}
> Committed: aa8a2d2789

TBR=yangguo@chromium.org,adamk@chromium.org,littledan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5751,chromium:677055, v8:4962

Review-Url: https://codereview.chromium.org/2617323002
Cr-Commit-Position: refs/heads/master@{#42119}
2017-01-07 06:50:45 +00:00
littledan
aa8a2d2789 [intl] Remove redundant type checking system
Previously, the Intl implementation tracked types two ways:
 - In the intl_initialized_marker_symbol
 - In various named properties of the intl_impl_object_symbol value

As far as I can tell, these will never disagree with each other,
modulo bugs in Intl itself. This patch removes the second type
checking system.

This reland includes a fixed type check for
Intl.DateTimeFormat.prototype.formatToParts , which is the only Intl
method which is not bound. All future methods will follow this
pattern.

BUG=v8:5751,chromium:677055, v8:4962
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux_noi18n_rel_ng

Review-Url: https://codereview.chromium.org/2600913002
Cr-Commit-Position: refs/heads/master@{#42118}
2017-01-07 02:54:48 +00:00
bmeurer
0957241060 [crankshaft] Fix abstract equality for receivers.
We need to check both sides for abstract equality of receivers in optimized
code, otherwise we don't handle implicit conversions and undetectable
objects correctly.

R=jarin@chromium.org
BUG=v8:5802

Review-Url: https://codereview.chromium.org/2612213002
Cr-Commit-Position: refs/heads/master@{#42085}
2017-01-05 09:26:30 +00:00
tebbi
5662f99b99 [turbofan] Teach escape analysis about StringCharAt
R=bmeurer@chromium.org
BUG=chromium:677757

Review-Url: https://codereview.chromium.org/2606383005
Cr-Commit-Position: refs/heads/master@{#42066}
2017-01-04 12:01:38 +00:00
danno
fcffcba725 Fix empty push bug in Array.push
BUG=chromium:670981
LOG=N
R=ishell@chromium.org

Review-Url: https://codereview.chromium.org/2609973002
Cr-Commit-Position: refs/heads/master@{#42064}
2017-01-04 10:57:26 +00:00
marja
e87e82b8e7 Force ctxt allocation in eval scopes.
This is another attempt at solving v8:5736; the previous one (r 41723)
regressed code load.

BUG=v8:5736
R=adamk@chromium.org

Review-Url: https://codereview.chromium.org/2583163002
Cr-Commit-Position: refs/heads/master@{#42049}
2017-01-03 20:27:20 +00:00
bmeurer
380a0207db [crankshaft] Don't bailout on uninitialized access to arguments object.
When Crankshaft compiles a keyed load to arguments, it disabled
optimization unless the KEYED_LOAD_IC for the access was monomorphic.
But that's too restrictive, since it will also disable optimization
for this function when the access is on a path that was never executed
so far.

This was spotted in the Node.js core function EventEmitter.prototype.emit,
which was no longer optimizable with Crankshaft using latest V8.

R=jarin@chromium.org
BUG=v8:5790

Review-Url: https://codereview.chromium.org/2607303002
Cr-Commit-Position: refs/heads/master@{#42005}
2017-01-02 06:52:04 +00:00
adamk
24547376a9 Fix SealHandleScope usage in runtime-classes.cc
R=gsathya@chromium.org
BUG=v8:5783

Review-Url: https://codereview.chromium.org/2603783003
Cr-Commit-Position: refs/heads/master@{#41963}
2016-12-27 18:55:16 +00:00
adamk
23019c4ec0 Object.prototype.toString must reflect mutated @@toStringTag values for primitives
The TF version of this operation was missing a ToObject coercion, so failed to do
@@toStringTag lookups when passed primitive values.

R=franzih@chromium.org
BUG=v8:5780

Review-Url: https://codereview.chromium.org/2597323002
Cr-Commit-Position: refs/heads/master@{#41961}
2016-12-27 17:57:38 +00:00
littledan
8c1397e4a0 [intl] Fix build for noi18n mode
Fix issue created by patch https://codereview.chromium.org/2582993002/

CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux_noi18n_rel_ng
TBR=yangguo@chromium.org
BUG=v8:4360

Review-Url: https://codereview.chromium.org/2599973002
Cr-Commit-Position: refs/heads/master@{#41945}
2016-12-23 17:10:30 +00:00
littledan
b0a09d7809 [intl] Add new semantics + compat fallback to Intl constructor
ECMA 402 v2 made Intl constructors more strict in terms of how they would
initialize objects, refusing to initialize objects which have already
been constructed. However, when Chrome tried to ship these semantics,
we ran into web compatibility issues.

This patch tries to square the circle and implement the simpler v2 object
semantics while including a compatibility workaround to allow objects to
sort of be initialized later, storing the real underlying Intl object
in a symbol-named property.

The new semantics are described in this PR against the ECMA 402 spec:
https://github.com/tc39/ecma402/pull/84

BUG=v8:4360, v8:4870
LOG=Y

Review-Url: https://codereview.chromium.org/2582993002
Cr-Commit-Position: refs/heads/master@{#41943}
2016-12-23 14:32:16 +00:00
cbruni
f73973092c [ic] Always use generic ICs for growing element stores on arguments
In certain corner-cases we would grow a FAST_ELEMENTS packed backing store of a
JS_ARGUMENTS_TYPE object without converting to holey elements kinds. As a side
effect you could then read out the_hole.

BUG=v8:5772

Review-Url: https://codereview.chromium.org/2597013004
Cr-Commit-Position: refs/heads/master@{#41921}
2016-12-22 14:10:51 +00:00
yangguo
546152e754 Fix DoubleToRadixCString wrt Number.MIN_VALUE.
R=bmeurer@chromium.org
BUG=v8:5767

Review-Url: https://codereview.chromium.org/2599693002
Cr-Commit-Position: refs/heads/master@{#41910}
2016-12-22 06:57:01 +00:00
littledan
53fdf9d192 Use a different map to distinguish eval contexts
eval() may introduce a scope which needs to be represented as a context at
runtime, e.g.,

  eval('var x; let y; ()=>y')

introduces a variable y which needs to have a context allocated for it. However,
when traversing upwards to find the declaration context for a variable which leaks,
as the declaration of x does above, this context has to be understood to not be
a declaration context in sloppy mode.

This patch makes that distinction by introducing a different map for eval-introduced
contexts. A dynamic search for the appropriate context will continue past an eval
context to find the appropriate context. Marking contexts as eval contexts rather
than function contexts required updates in each compiler backend.

BUG=v8:5295, chromium:648719

Review-Url: https://codereview.chromium.org/2435023002
Cr-Commit-Position: refs/heads/master@{#41869}
2016-12-20 16:23:19 +00:00
bmeurer
3d9c77d812 [es6] Fix the %TypedArray% constructor.
The %TypedArray% constructor must not ever try to construct an instance,
but rather throw a TypeError instead.

R=jarin@chromium.org
BUG=v8:5763

Review-Url: https://codereview.chromium.org/2587413002
Cr-Commit-Position: refs/heads/master@{#41868}
2016-12-20 16:14:08 +00:00
titzer
cbd3b3d0fe Implement header size calculation for array iterators.
R=bmeurer@chromium.org
BUG=chromium:674232

Review-Url: https://codereview.chromium.org/2592633002
Cr-Commit-Position: refs/heads/master@{#41849}
2016-12-20 10:38:17 +00:00
ishell
faf80b4ec0 [crankshaft] Ensure that we use inlined Array.prototype.shift only when there's no elements in the prototype chain.
BUG=chromium:663340

Review-Url: https://codereview.chromium.org/2593553002
Cr-Commit-Position: refs/heads/master@{#41846}
2016-12-20 10:18:02 +00:00
ishell
576a46f520 [crankshaft] Properly handle OOB string accesses.
BUG=chromium:665793

Review-Url: https://codereview.chromium.org/2589823003
Cr-Commit-Position: refs/heads/master@{#41842}
2016-12-20 10:01:59 +00:00
littledan
48a36c7df7 [intl] Avoid modifying options bag from constructor
Previously, the Intl.DateTimeFormat constructor and other related paths had
a bug where the options bag passed in would be modified in place. This patch
makes V8's Intl implementation follow the specification's logic to avoid
such a modification.

BUG=v8:4219

Review-Url: https://codereview.chromium.org/2587703002
Cr-Commit-Position: refs/heads/master@{#41826}
2016-12-19 21:36:16 +00:00
yangguo
d5566b9e77 [inspector] gracefully handle stack overflows in the inspector.
Hopefully we can avoid going through JS at all, so we can avoid this issue.

R=jgruber@chromium.org, kozyatinskiy@chromium.org
BUG=v8:5654

Review-Url: https://codereview.chromium.org/2510093002
Cr-Original-Commit-Position: refs/heads/master@{#41802}
Committed: 3ab3b6261a
Review-Url: https://codereview.chromium.org/2510093002
Cr-Commit-Position: refs/heads/master@{#41807}
2016-12-19 14:07:55 +00:00
yangguo
a680b260ed Revert of [inspector] gracefully handle stack overflows in the inspector. (patchset #13 id:240001 of https://codereview.chromium.org/2510093002/ )
Reason for revert:
asan failure: https://build.chromium.org/p/client.v8/builders/V8%20Mac64%20ASAN/builds/10047/steps/Ignition%20-%20turbofan/logs/regress-2318

Original issue's description:
> [inspector] gracefully handle stack overflows in the inspector.
>
> Hopefully we can avoid going through JS at all, so we can avoid this issue.
>
> R=jgruber@chromium.org, kozyatinskiy@chromium.org
> BUG=v8:5654
>
> Review-Url: https://codereview.chromium.org/2510093002
> Cr-Commit-Position: refs/heads/master@{#41802}
> Committed: 3ab3b6261a

TBR=jgruber@chromium.org,kozyatinskiy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5654

Review-Url: https://codereview.chromium.org/2583173002
Cr-Commit-Position: refs/heads/master@{#41805}
2016-12-19 13:28:10 +00:00
cbruni
99a5aa1b95 [crankshaft] Fix IsClassOfTest helper method
Drive-by-fix: Add AstNode::Print() and improve printing of CallRuntime
              Expression.

BUG=v8:5749

Review-Url: https://codereview.chromium.org/2586933002
Cr-Commit-Position: refs/heads/master@{#41803}
2016-12-19 12:49:21 +00:00
yangguo
3ab3b6261a [inspector] gracefully handle stack overflows in the inspector.
Hopefully we can avoid going through JS at all, so we can avoid this issue.

R=jgruber@chromium.org, kozyatinskiy@chromium.org
BUG=v8:5654

Review-Url: https://codereview.chromium.org/2510093002
Cr-Commit-Position: refs/heads/master@{#41802}
2016-12-19 12:24:57 +00:00
machenbach
81dd9847cf Revert of [crankshaft] Fix IsClassOfTest helper method (patchset #1 id:1 of https://codereview.chromium.org/2586933002/ )
Reason for revert:
Breaks vtune:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20vtunejit/builds/15379

Original issue's description:
> [crankshaft] Fix IsClassOfTest helper method
>
> Drive-by-fix: Add AstNode::Print() and improve printing of CallRuntime
>               Expression.
>
> BUG=v8:5749
>
> Review-Url: https://codereview.chromium.org/2586933002
> Cr-Commit-Position: refs/heads/master@{#41792}
> Committed: d4493222b9

TBR=bmeurer@chromium.org,cbruni@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5749

Review-Url: https://codereview.chromium.org/2587973002
Cr-Commit-Position: refs/heads/master@{#41795}
2016-12-19 11:22:36 +00:00
yangguo
07fa0f4967 [serializer] do not serialize script wrappers.
The scenario here: the asm function fails asm validation,
so we emit a message. In doing so, we create a JSValue wrapper for
the script object that we cache on the script object. This wrapper
is context-dependent and causes the code serializer to choke.

R=mtrofin@chromium.org, titzer@chromium.org
BUG=chromium:674446,chromium:673321

Review-Url: https://codereview.chromium.org/2586943003
Cr-Commit-Position: refs/heads/master@{#41794}
2016-12-19 10:53:02 +00:00
cbruni
d4493222b9 [crankshaft] Fix IsClassOfTest helper method
Drive-by-fix: Add AstNode::Print() and improve printing of CallRuntime
              Expression.

BUG=v8:5749

Review-Url: https://codereview.chromium.org/2586933002
Cr-Commit-Position: refs/heads/master@{#41792}
2016-12-19 10:45:48 +00:00
yangguo
1296dd1f5a [debug-wrapper] remove last uses of --expose-debug-as
The inspector cannot deal with breaking inside of debug-evaluate.
There is therefore no point in supporting that in the debugger.
The optional additional context parameter for debug-evaluate also
can be removed since it's not being used.

R=jgruber@chromium.org
BUG=v8:5530

Review-Url: https://codereview.chromium.org/2580323002
Cr-Commit-Position: refs/heads/master@{#41791}
2016-12-19 10:44:34 +00:00
rmcilroy
cb9d0fe7f4 [Complier] Only optimize a function marked for tier-up if it is compiled.
When mark-shared-funtion-for-tier-up is enabled, a function could be marked for
optimization, then the baseline (FCG) code is flushed by the GC. The next time
the function is executed, we shouldn't optimize the code if there isn't
baseline code.

BUG=chromium:673242

Review-Url: https://codereview.chromium.org/2575333003
Cr-Commit-Position: refs/heads/master@{#41751}
2016-12-16 10:44:50 +00:00
marja
ed080e6966 Disable lazy parsing inside eval (see bug).
If the eval contains a let, we need to know whether an inner function
refers to the variable to be able to decide its context allocation
status.

The added test needs https://codereview.chromium.org/2435023002/ too
in order to pass.

BUG=v8:5736

Review-Url: https://codereview.chromium.org/2574753002
Cr-Commit-Position: refs/heads/master@{#41723}
2016-12-15 14:26:58 +00:00
mstarzinger
6c620e5312 Fix usage of literal cloning for large double arrays.
This fixes a corner case where the {FastCloneShallowArrayStub} was used
for literals that are backed by a double backing store and would exceed
limits for new-space allocations on 32-bit architectures. The stub in
question does not support such literals, callers must use the runtime.
Note that this fix is for Ignition as well as FullCodeGenerator.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-672792
BUG=chromium:672792

Review-Url: https://codereview.chromium.org/2570843002
Cr-Commit-Position: refs/heads/master@{#41713}
2016-12-15 10:29:47 +00:00
jgruber
f3b9d570cb [regexp] Let RegExp.prototype.compile return this
ES6 requires the compile method to return this:
www.ecma-international.org/ecma-262/6.0/#sec-regexp.prototype.compile

BUG=v8:5722,chromium:585775

Review-Url: https://codereview.chromium.org/2577653002
Cr-Commit-Position: refs/heads/master@{#41705}
2016-12-15 07:29:39 +00:00
mtrofin
77b50a8e12 [wasm] disable serialization for asm-wasm
Determine if the scope of the function to be serialized includes asm-
wasm, and if so, bypass serialization, since we do not support it in
that scenario.

In this change, we do so regardless of whether the asm-wasm path was
successful. This is so we keep the design simple, since the guidance
to developers, moving forward, is to use wasm.

BUG=643595

Review-Url: https://codereview.chromium.org/2573193002
Cr-Commit-Position: refs/heads/master@{#41704}
2016-12-15 05:06:54 +00:00
yangguo
341b39f9d0 [debug-wrapper] migrate some scope related tests
R=jgruber@chromium.org
BUG=v8:5530

Review-Url: https://codereview.chromium.org/2566093002
Cr-Commit-Position: refs/heads/master@{#41688}
2016-12-14 07:20:33 +00:00
jgruber
bbf3c697ae [heap] Initialize the owner on each page after lospace allocation
The least two bits of the owner field of a Page are used to determine
whether the Page is part of a large object. If these bits are not equal
to 0x11, the page is part of a large object and needs special handling
e.g. in MemoryChunk::FromAnyPointerAddress to determine which chunk it
belongs to.

This CL fixes an issue in which the store buffer overflows after
a large object space allocation but before the object has been fully
initialized. Store buffer overflow handling attempts to look up the
chunk of a page, but fails to do so correctly since the page's owner
field has not yet been initialized.

This CL ensures that the owner field of all pages belonging to a large
object allocation are initialized to a value that is interpreted
correctly.

BUG=chromium:672041

Committed: https://crrev.com/9b6808bfb5366beebe3af30a06f9851edb2039d4
Review-Url: https://codereview.chromium.org/2565713002
Cr-Original-Commit-Position: refs/heads/master@{#41641}
Cr-Commit-Position: refs/heads/master@{#41687}
2016-12-14 06:45:35 +00:00
yangguo
825dd8a904 [debug-wrappers] remove mirror tests.
Debug mirrors will no longer be supported in the near future.
It will now only be tested by being used by the v8-inspector.

R=jgruber@chromium.org
BUG=v8:5530

Review-Url: https://codereview.chromium.org/2566103002
Cr-Commit-Position: refs/heads/master@{#41686}
2016-12-14 06:37:07 +00:00
leszeks
f6ee3b5ff3 [ignition] Fix hole check for dynamic local variables
The fast-path for dynamic local variables was previously checking the
lookup variable rather than the shadowed variable when deciding whether
to add a hole check.

BUG=669540

Review-Url: https://codereview.chromium.org/2551023004
Cr-Commit-Position: refs/heads/master@{#41677}
2016-12-13 14:29:07 +00:00
jkummerow
bb753b6dd7 [stubs] Fix negative index lookup in hasOwnProperty
...and HasProperty, for dictionary-elements receivers.

BUG=chromium:673008

Review-Url: https://codereview.chromium.org/2568943002
Cr-Commit-Position: refs/heads/master@{#41656}
2016-12-12 20:13:07 +00:00
hablich
1e70454f73 Revert of [heap] Initialize the owner on each page after lospace allocation (patchset #2 id:20001 of https://codereview.chromium.org/2565713002/ )
Reason for revert:
Tree closer: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/12409

Original issue's description:
> [heap] Initialize the owner on each page after lospace allocation
>
> The least two bits of the owner field of a Page are used to determine
> whether the Page is part of a large object. If these bits are not equal
> to 0x11, the page is part of a large object and needs special handling
> e.g. in MemoryChunk::FromAnyPointerAddress to determine which chunk it
> belongs to.
>
> This CL fixes an issue in which the store buffer overflows after
> a large object space allocation but before the object has been fully
> initialized. Store buffer overflow handling attempts to look up the
> chunk of a page, but fails to do so correctly since the page's owner
> field has not yet been initialized.
>
> This CL ensures that the owner field of all pages belonging to a large
> object allocation are initialized to a value that is interpreted
> correctly.
>
> BUG=chromium:672041
>
> Committed: https://crrev.com/9b6808bfb5366beebe3af30a06f9851edb2039d4
> Cr-Commit-Position: refs/heads/master@{#41641}

TBR=mlippautz@chromium.org,jgruber@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:672041

Review-Url: https://codereview.chromium.org/2562273004
Cr-Commit-Position: refs/heads/master@{#41644}
2016-12-12 14:37:44 +00:00
jgruber
9b6808bfb5 [heap] Initialize the owner on each page after lospace allocation
The least two bits of the owner field of a Page are used to determine
whether the Page is part of a large object. If these bits are not equal
to 0x11, the page is part of a large object and needs special handling
e.g. in MemoryChunk::FromAnyPointerAddress to determine which chunk it
belongs to.

This CL fixes an issue in which the store buffer overflows after
a large object space allocation but before the object has been fully
initialized. Store buffer overflow handling attempts to look up the
chunk of a page, but fails to do so correctly since the page's owner
field has not yet been initialized.

This CL ensures that the owner field of all pages belonging to a large
object allocation are initialized to a value that is interpreted
correctly.

BUG=chromium:672041

Review-Url: https://codereview.chromium.org/2565713002
Cr-Commit-Position: refs/heads/master@{#41641}
2016-12-12 13:19:07 +00:00
clemensh
c69b48adc4 [wasm] Handle potentially null callee-pc
This only happens if there is a asm.js-wasm-frame on top of the stack
trace, which was not covered by our tests so far. The regression test
create a stack overflow in asm.js code, triggering this case.

R=mstarzinger@chromium.org
CC=titzer@chromium.org, bradnelson@chromium.org
BUG=chromium:673241

Review-Url: https://codereview.chromium.org/2562333002
Cr-Commit-Position: refs/heads/master@{#41639}
2016-12-12 12:30:39 +00:00
mstarzinger
75128636f3 [wasm] Remove obsolete %IsNotAsmWasmCode predicate.
By now the predicate in question is an exact negation of %IsAsmWasmCode
as the name intuitively implies. The need for two separate test methods
no longer exists and one of the two can be removed.

R=bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2562003002
Cr-Commit-Position: refs/heads/master@{#41616}
2016-12-09 11:56:05 +00:00
gdeepti
0061089aa0 [wasm] Update WasmMemoryObject correctly when module memory is exported.
BUG=chromium:670683

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2548223002
Cr-Commit-Position: refs/heads/master@{#41603}
2016-12-08 20:30:54 +00:00
jgruber
9c9c8d7bb5 [stubs] Add option to allow LO space allocation
Passing kAllowLargeObjectAllocation now allocates in LOS if necessary.
Allow such allocations when growing fixed arrays in RegExp's @@match
and @@split operations.

BUG=chromium:670671

Review-Url: https://codereview.chromium.org/2555703003
Cr-Commit-Position: refs/heads/master@{#41526}
2016-12-06 14:08:57 +00:00
yangguo
a610155c8c Fix assertion failure in JSBuiltinReducer::ReduceArrayIterator.
TBR=bmeurer@chromium.org
BUG=chromium:671576

Review-Url: https://codereview.chromium.org/2550143004
Cr-Commit-Position: refs/heads/master@{#41518}
2016-12-06 13:10:22 +00:00
bmeurer
7869136716 [compiler] Improve let+const decision in AstNumbering.
Incooperate suggestion from adamk@ to only sent lexical variables to
I+TF that require explicit initialization, i.e. don't send named
function expressions to I+TF. This should recover most of the regression
now.

Also introduce a regression test for the original let issue.

BUG=chromium:670691,v8:5666
R=adamk@chromium.org,yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2556663002
Cr-Commit-Position: refs/heads/master@{#41507}
2016-12-06 06:13:16 +00:00
clemensh
6a8dccb197 [wasm] Implement location from stack trace for asm.js frames
This avoids the crash which ClusterFuzz found, but still does not
report the same position as without validate.asm.
For calls like "foo()|0", we report the position of the call instead of
the position of the "|" if ToNumber throws an error.

After this CL, the correctness-fuzzer for validate-asm will probably
find mismatches there.

R=titzer@chromium.org
BUG=chromium:670808

Review-Url: https://codereview.chromium.org/2548323002
Cr-Commit-Position: refs/heads/master@{#41500}
2016-12-05 19:30:16 +00:00
mvstanton
3e46a3b754 Remove FLAG_flush_optimized_code_cache
It's no longer necessary, and has been off for a year.

BUG=

Review-Url: https://codereview.chromium.org/2553643002
Cr-Commit-Position: refs/heads/master@{#41499}
2016-12-05 18:28:29 +00:00
ishell
e7a51fff24 [ic] Ensure state of load/store ICs always progresses.
... even when a receiver is not an object.

BUG=v8:5697

Review-Url: https://codereview.chromium.org/2548753003
Cr-Commit-Position: refs/heads/master@{#41458}
2016-12-02 15:07:31 +00:00
mstarzinger
651c1b86a2 [compiler] Make --debug-code the default in debug builds.
This enables {FLAG_debug_code} by default in debug builds. The advantage
is that generated code contained within the snapshot will contain such
debug code. Before we would only get coverage for these pieces with the
no-snapshot builds, which have a meager coverage. One can still pass the
inverse --no-debug-code flag to ensure generated code remains readable
within debug builds as well.

R=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2528913002
Cr-Commit-Position: refs/heads/master@{#41451}
2016-12-02 11:36:55 +00:00
ishell
39e6f2ca4a [ic] Use validity cells to protect keyed element stores against object's prototype chain modifications.
... instead of clearing of all the KeyedStoreICs which didn't always work.

BUG=chromium:662907, chromium:669411, v8:5561
TBR=verwaest@chromium.org, bmeurer@chromium.org

Committed: https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf
Review-Url: https://codereview.chromium.org/2534613002
Cr-Original-Commit-Position: refs/heads/master@{#41332}
Cr-Commit-Position: refs/heads/master@{#41449}
2016-12-02 10:03:33 +00:00
mstarzinger
f8fec66f0b [turbofan] Workaround for unknown array literal length.
This fixes the existing workaround in {BytecodeGraphBuilder} where the
number of elements in an array literal is unknown just from the bytecode
alone and needs to be deduced from the constant elements.

Note that this is just a quick fix to prevent calling the fast-clone
stub for boilerplates that are too big to fit on a regular page. In the
long run we need something more solid here.

R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-669850
BUG=chromium:669850

Review-Url: https://codereview.chromium.org/2542633002
Cr-Commit-Position: refs/heads/master@{#41420}
2016-12-01 12:01:00 +00:00
jarin
e19f43df61 [crankshaft] Disable escape analysis of nested objects.
BUG=chromium:669024

Review-Url: https://codereview.chromium.org/2531163006
Cr-Commit-Position: refs/heads/master@{#41389}
2016-11-30 15:07:16 +00:00
vogelheim
b1b7d19610 Cleanup: Move mjsunit/regress-*.js into mjsunit/regress/.
R=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2531983004
Cr-Commit-Position: refs/heads/master@{#41362}
2016-11-29 14:20:53 +00:00
bmeurer
d6752d94a8 [turbofan] Teach escape analysis about ConvertTaggedHoleToUndefined.
The EscapeStatusAnalysis didn't know anything about the simplified
operator ConvertTaggedHoleToUndefined, thus leading to a crash. We
now just handled it by pretending that any allocation that goes into
such a node escapes.

BUG=chromium:669451
R=tebbi@chromium.org

Review-Url: https://codereview.chromium.org/2533263002
Cr-Commit-Position: refs/heads/master@{#41359}
2016-11-29 13:13:55 +00:00
verwaest
73a2d63df8 [scopes] Propagate inner-scope-calls-eval to make sure we context allocate in inserted scopes
BUG=v8:5664

Review-Url: https://codereview.chromium.org/2536153002
Cr-Commit-Position: refs/heads/master@{#41353}
2016-11-29 12:01:34 +00:00
mstarzinger
204babf5a0 [deoptimizer] Fix deoptimization in {TranslatedState}.
This ensures the deoptimization triggered due to materialization of
objects by the {TranslatedState} works in conjunction with OSR. The
optimized code used for OSR is not installed on the function, hence
needs to be specified explicitly when requesting deoptimization for
specific stack frames.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-668795
BUG=chromium:668795

Review-Url: https://codereview.chromium.org/2534143002
Cr-Commit-Position: refs/heads/master@{#41348}
2016-11-29 11:34:22 +00:00
machenbach
9c0e2a6723 Revert of [ic] Use validity cells to protect keyed element stores against object's prototype chain modificati… (patchset #2 id:40001 of https://codereview.chromium.org/2534613002/ )
Reason for revert:
Layout test crashes:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/11691

Original issue's description:
> [ic] Use validity cells to protect keyed element stores against object's prototype chain modifications.
>
> ... instead of clearing of all the KeyedStoreICs which didn't always work.
>
> BUG=chromium:662907, v8:5561
> TBR=verwaest@chromium.org, bmeurer@chromium.org
>
> Committed: https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf
> Cr-Commit-Position: refs/heads/master@{#41332}

TBR=jkummerow@chromium.org,ishell@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:662907, v8:5561

Review-Url: https://codereview.chromium.org/2538693002
Cr-Commit-Position: refs/heads/master@{#41337}
2016-11-29 08:49:48 +00:00
ishell
a39522f44f [ic] Use validity cells to protect keyed element stores against object's prototype chain modifications.
... instead of clearing of all the KeyedStoreICs which didn't always work.

BUG=chromium:662907, v8:5561
TBR=verwaest@chromium.org, bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2534613002
Cr-Commit-Position: refs/heads/master@{#41332}
2016-11-28 22:56:52 +00:00
ishell
a814b8aeaf [heap] Clear recorded slots for inobject properties when migrating fast object to slow mode.
BUG=chromium:666046

Review-Url: https://codereview.chromium.org/2539493002
Cr-Commit-Position: refs/heads/master@{#41327}
2016-11-28 20:11:30 +00:00
yangguo
ee84d9f7f9 [debug] remove debug command processor from regress tests.
BUG=v8:5510
R=jgruber@chromium.org

Review-Url: https://codereview.chromium.org/2535733002
Cr-Commit-Position: refs/heads/master@{#41312}
2016-11-28 12:02:44 +00:00
ahaas
5d5ccb6e45 [mjsunit] Change assertThrows such that it can check the exception message.
Up until now assertThrows allows to check the type field of an
exception, which is, however, a custom field introduced in a single
regression test. With the change assertThrows allows to check the
message field of an exception, which is set for standard V8 exceptions
by default.

I use the new assertThrows to refactor test/mjsunit/wasm/divrem-trap.js

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2525313003
Cr-Commit-Position: refs/heads/master@{#41302}
2016-11-28 10:26:44 +00:00
cbruni
a09e5eda26 [runtime] Add missing @@IsConcatSpreadable check for FAST_DOUBLE_ELEMENTS
A missing @@IsConcatSpreadable check caused the fast path inside the slow path
to be incorrect and follow the default concat strategy when the arguments
arrays contain only doubles.

BUG=chromium:668414

Review-Url: https://codereview.chromium.org/2527173002
Cr-Commit-Position: refs/heads/master@{#41301}
2016-11-28 10:06:17 +00:00
jkummerow
9be747666c Reland^2 of [stubs] KeyedStoreGeneric: inline dictionary property stores
For dictionary-mode receivers, the KeyedStoreGeneric stub can store
properties directly in most cases. Doing so avoids the need to have
an entry in the stub cache for every map/property combination.

Original review: https://codereview.chromium.org/2504403005/

Review-Url: https://codereview.chromium.org/2528883003
Cr-Commit-Position: refs/heads/master@{#41272}
2016-11-24 16:23:12 +00:00
neis
b481afd893 [parser] Fix scopes in rewriting of for-of and destructuring assignments.
The catch scopes were created with the wrong parent scope.

R=littledan@chromium.org
BUG=v8:5648

Committed: https://crrev.com/f385268d11d6da9508e481202b39f75f4b56afdd
Review-Url: https://codereview.chromium.org/2520883002
Cr-Original-Commit-Position: refs/heads/master@{#41222}
Cr-Commit-Position: refs/heads/master@{#41253}
2016-11-24 09:48:21 +00:00
hablich
474bbec73d Revert of [stubs] KeyedStoreGeneric: inline dictionary property stores (patchset #2 id:10002 of https://codereview.chromium.org/2524943002/ )
Reason for revert:
Blocks current roll:
https://codereview.chromium.org/2526753003/

Bisect results:
https://codereview.chromium.org/2531483002

Original issue's description:
> Reland of [stubs] KeyedStoreGeneric: inline dictionary property stores
>
> For dictionary-mode receivers, the KeyedStoreGeneric stub can store
> properties directly in most cases. Doing so avoids the need to have
> an entry in the stub cache for every map/property combination.
>
> Original review: https://codereview.chromium.org/2504403005/
>
> Committed: https://crrev.com/7a963deb85a0cc04623947a759534c48e2871901
> Cr-Commit-Position: refs/heads/master@{#41218}

TBR=ishell@chromium.org,machenbach@chromium.org,jkummerow@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2522393002
Cr-Commit-Position: refs/heads/master@{#41251}
2016-11-24 08:43:22 +00:00
hablich
e461facff2 Revert of [stubs] Fix AccessorInfo mixup in KeyedStoreGeneric (patchset #1 id:1 of https://codereview.chromium.org/2525913002/ )
Reason for revert:
Needed to revert 2661b3e8a5

Original issue's description:
> [stubs] Fix AccessorInfo mixup in KeyedStoreGeneric
>
> BUG=chromium:668101
>
> Committed: https://crrev.com/2661b3e8a5447773a23a219ba085454c459b654b
> Cr-Commit-Position: refs/heads/master@{#41223}

TBR=ishell@chromium.org,jkummerow@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:668101

Review-Url: https://codereview.chromium.org/2525253002
Cr-Commit-Position: refs/heads/master@{#41250}
2016-11-24 08:41:29 +00:00
machenbach
7edbd535a9 Revert of [parser] Fix scopes in rewriting of for-of and destructuring assignments. (patchset #6 id:100001 of https://codereview.chromium.org/2520883002/ )
Reason for revert:
Speculative revert: Seems to break jsfunfuzz:
https://build.chromium.org/p/client.v8/builders/V8%20Fuzzer/builds/14385

Original issue's description:
> [parser] Fix scopes in rewriting of for-of and destructuring assignments.
>
> The catch scopes were created with the wrong parent scope.
>
> R=littledan@chromium.org
> BUG=v8:5648
>
> Committed: https://crrev.com/f385268d11d6da9508e481202b39f75f4b56afdd
> Cr-Commit-Position: refs/heads/master@{#41222}

TBR=littledan@chromium.org,verwaest@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5648

Review-Url: https://codereview.chromium.org/2519333005
Cr-Commit-Position: refs/heads/master@{#41228}
2016-11-23 15:23:17 +00:00
jkummerow
2661b3e8a5 [stubs] Fix AccessorInfo mixup in KeyedStoreGeneric
BUG=chromium:668101

Review-Url: https://codereview.chromium.org/2525913002
Cr-Commit-Position: refs/heads/master@{#41223}
2016-11-23 13:27:22 +00:00
neis
f385268d11 [parser] Fix scopes in rewriting of for-of and destructuring assignments.
The catch scopes were created with the wrong parent scope.

R=littledan@chromium.org
BUG=v8:5648

Review-Url: https://codereview.chromium.org/2520883002
Cr-Commit-Position: refs/heads/master@{#41222}
2016-11-23 13:25:35 +00:00
jkummerow
7a963deb85 Reland of [stubs] KeyedStoreGeneric: inline dictionary property stores
For dictionary-mode receivers, the KeyedStoreGeneric stub can store
properties directly in most cases. Doing so avoids the need to have
an entry in the stub cache for every map/property combination.

Original review: https://codereview.chromium.org/2504403005/

Review-Url: https://codereview.chromium.org/2524943002
Cr-Commit-Position: refs/heads/master@{#41218}
2016-11-23 12:43:48 +00:00
jgruber
0dcc7a0e20 [debug] Add Eval scope type to inspector protocol
BUG=v8:5530,chromium:667218

Review-Url: https://codereview.chromium.org/2519773003
Cr-Commit-Position: refs/heads/master@{#41205}
2016-11-23 07:30:23 +00:00
mtrofin
7a1ad0c581 [turbofan] Regalloc validator: support same block pending assessment
Previous fuzzer fix broke the case when the pending assessment came from the same
block. In that case, the assessments table does not have an entry yet for the block,
because we register only when we're done processing a block.

BUG=667745

Review-Url: https://codereview.chromium.org/2519973004
Cr-Commit-Position: refs/heads/master@{#41193}
2016-11-22 17:31:06 +00:00
jgruber
facd6b9a4a [debug-wrapper] Migrate more tests
* Fix setting script-scope variables through inspector by internalizing
  their names.
* Reconstruct values of Number, String, and Boolean classes.
* Adapt a couple of tests for API restrictions.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2512963002
Cr-Commit-Position: refs/heads/master@{#41175}
2016-11-22 12:44:18 +00:00
titzer
5a1fbe24ba [d8] Do not try to verify zero-ness of failed virtual memory allocation.
BUG=chromium:667603
R=clemensh@chromium.org

Review-Url: https://codereview.chromium.org/2519363002
Cr-Commit-Position: refs/heads/master@{#41174}
2016-11-22 12:36:37 +00:00
mstarzinger
a90671f1b9 [interpreter] Fix stack unwinding of deoptimized frames.
This fixes stack unwinding to always recompute the stack pointer for
interpreted frames. For frames materialized by the deoptimizer we elide
the handler frame in between, hence arguments being pushed on the stack
will no longer be pushed into the handler frame but into the interpreted
frame directly.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-662830
BUG=chromium:662830

Review-Url: https://codereview.chromium.org/2517203003
Cr-Commit-Position: refs/heads/master@{#41170}
2016-11-22 11:28:45 +00:00
bmeurer
84c9360b82 [turbofan] Fix broken effect chain for instanceof.
BUG=chromium:667689
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2518313002
Cr-Commit-Position: refs/heads/master@{#41169}
2016-11-22 11:05:35 +00:00
mtrofin
71144e5aa6 [turbofan] Use correct block when tracing pending assessments in regalloc verifier
The verifier needs to use the block and assessments in that block corresponding to
a predecessor of a "pending" assessment. Not doing that causes incorrect
assessments when 2 locations are swapped.

BUG=665402

Review-Url: https://codereview.chromium.org/2515803002
Cr-Commit-Position: refs/heads/master@{#41159}
2016-11-21 22:21:14 +00:00
eholk
d0fe942d23 [wasm] Throw a RangeError if Wasm memory could not be allocated.
This fixes a bug found by the fuzzer where we would attempt to
dereference a null handle if memory allocation failed. In this case,
the failure was because the amount of memory requested was above V8's
hardcoded limit.

BUG= https://bugs.chromium.org/p/chromium/issues/detail?id=666741

Review-Url: https://codereview.chromium.org/2514983002
Cr-Commit-Position: refs/heads/master@{#41158}
2016-11-21 21:58:53 +00:00
ishell
8ca50a8862 [ic] Ensure prototype validity cell guards global object's prototype changes for LoadGlobalIC.
BUG=chromium:666742, v8:5561

Review-Url: https://codereview.chromium.org/2512183002
Cr-Commit-Position: refs/heads/master@{#41136}
2016-11-21 12:46:44 +00:00
ishell
4513532f63 [ic] Don't check full prototype chain if name is a private symbol.
BUG=chromium:664974, chromium:664802, v8:5561

Review-Url: https://codereview.chromium.org/2513893003
Cr-Commit-Position: refs/heads/master@{#41133}
2016-11-21 11:21:43 +00:00
jgruber
1834ab7246 [debug-wrapper] Adapt tests, breakpoint.actual_location
Adapted various tests to restrictions of inspector protocol:

* osr-typing-debug-change: Don't set function variable value.
* debug-evaluate-locals: Add variable introduced by eval, run typeof
  inside evaluate().
* regress-419663: Don't set duplicate breakpoints.
* regress-crbug-465298: Compare against function name instead of value.
* regress-crbug-621361: Make evaluate return string results.
* debug-script: Various counts were off due to new way tests are called.
                Added new inspector script type.

Breakpoints now contain the actual break position, and remote object
reconstruction has been extended a bit.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2505363002
Cr-Commit-Position: refs/heads/master@{#41129}
2016-11-21 09:29:17 +00:00
littledan
06f8e87726 Fix function name inference corruption for async functions
The code which pushes and pops to the function name inference stack
generally checks if the stack is active with the IsOpen method. One
piece of code pertaining to async functions was missing that check.
This patch adds it.

BUG=chromium:658267
R=gsathya,caitp

Review-Url: https://codereview.chromium.org/2514893002
Cr-Commit-Position: refs/heads/master@{#41120}
2016-11-18 18:31:54 +00:00
marja
4a5b7e32c4 Remove FLAG_min_preparse_length.
It originates from the era where we used to run a separate preparse step
before parsing and store the function data. Now the usage of preparser
is something completely different, so this flag doesn't make sense any
more.

In addition, this way we get more test coverage for preparser (for small
scripts).

BUG=

Review-Url: https://codereview.chromium.org/2513563002
Cr-Commit-Position: refs/heads/master@{#41110}
2016-11-18 14:06:49 +00:00
verwaest
0c70f3729e [crankshaft] Don't inline the fast path for instanceof if the function has a non-instance .prototype
BUG=chromium:666308

Review-Url: https://codereview.chromium.org/2516603002
Cr-Commit-Position: refs/heads/master@{#41105}
2016-11-18 12:57:37 +00:00
ishell
937b8cb684 [ic] Support data handlers in LoadGlobalIC.
Also fixed handling of load non-existent handlers outside typeof.

BUG=v8:5561, chromium:662854

Review-Url: https://codereview.chromium.org/2511603002
Cr-Commit-Position: refs/heads/master@{#41073}
2016-11-17 12:18:40 +00:00
jgruber
2c8a4155aa [debug-wrapper] clearAllBreakPoints and several scripts functions
This adds clearAllBreakPoints functionality (which requires tracking set
breakpoints internally), and several script-related functions that rely
on runtime functions.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2508853003
Cr-Commit-Position: refs/heads/master@{#41064}
2016-11-17 09:34:18 +00:00
jgruber
4fb4f3408c [debug-wrapper] LiveEdit, frame.restart(), breakpoints
This adds access to the LiveEdit API object, frame.restart(), and
various breakpoint setters. The LiveEdit API still depends on the JS
debugging context and blocks its removal; but it should be removed
once LiveEdit is rewritten in the midterm.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2503293002
Cr-Commit-Position: refs/heads/master@{#41062}
2016-11-17 08:43:59 +00:00
ishell
f718cd1309 [ic] Invalidate prototype validity cell when a slow prototype becomes fast.
BUG=chromium:665886

Review-Url: https://codereview.chromium.org/2502393002
Cr-Commit-Position: refs/heads/master@{#41045}
2016-11-16 17:45:33 +00:00
mstarzinger
31a8ec7762 [turbofan] Fix bogus representation for {kCheckTaggedHole}.
The operator in question is guaranteed to produce a tagged value that is
not equal to the-hole, it however does not guarantee the value to be a
HeapObject. The correct representation hence is {kTagged}.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-665587
BUG=chromium:665587

Review-Url: https://codereview.chromium.org/2504183002
Cr-Commit-Position: refs/heads/master@{#41032}
2016-11-16 12:53:47 +00:00
ishell
446d6a0678 [turbofan] Always install code dependency when optimizing a store to global property.
The reason is that non-configurability still allows a writable property to become read-only.

BUG=chromium:663750

Review-Url: https://codereview.chromium.org/2508873002
Cr-Commit-Position: refs/heads/master@{#41029}
2016-11-16 12:03:01 +00:00
jgruber
b06c4ce5a6 [debug-wrapper] Further extend the debug wrapper
This CL further extends the debug wrapper, migrates around 60 tests, and
removes a few tests that use functionality we will not support anymore.

In more detail:

* Removed tests that use:
  * enable/disable individual breakpoints
  * invocationText()
  * the ScriptCollected event
  * showBreakPoints
  * evalFromScript (and similar)
  * mirror.constructedBy and mirror.referencedBy
  * event_data.promise()
* Some frame.evaluate uses were adapted since due to differences between
  remote objects (inspector) and mirrors. For instance, exceptions are
  currently not recreated exactly, since the inspector protocol does not
  give us the stack and message separately. Other objects (such as
  'this' in debug-evaluate-receiver-before-super) need to be explicitly
  converted to a string before the test works correctly.
* Ensure that inspector stores the script before sending ScriptParsed and
  ScriptFailedToParse events in order to be able to use the script from
  within those events.
* Better remote object reconstruction (e.g. for undefined and arrays).
* New functionality in wrapper:
  * debuggerFlags().breakPointsActive.setValue()
  * scripts()
  * execState.setVariableValue()
  * execState.scopeObject().value()
  * execState.scopeObject().property()
  * execState.frame().allScopes()
  * eventData.exception()
  * eventData.script()
  * setBreakPointsActive()

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2497973002
Cr-Commit-Position: refs/heads/master@{#41019}
2016-11-16 08:34:44 +00:00
mstarzinger
79aee39f24 [builtins] Fix pointer comparison in ToString builtin.
This fixes the bogus {Word32Equal} comparison in the ToString builtin
implementing Object.prototype.toString to be a pointer-size {WordEqual}
comparison instead. Comparing just the lower half-word is insufficient
on 64-bit architectures.

R=jgruber@chromium.org
TEST=mjsunit/regress/regress-crbug-664506
BUG=chromium:664506

Review-Url: https://codereview.chromium.org/2496043003
Cr-Commit-Position: refs/heads/master@{#40963}
2016-11-14 12:44:29 +00:00
bmeurer
5667280310 [turbofan] Properly allocate constant-folded string.
When constant-folding S[K], make sure to return a String, and not the
character code as Number.

BUG=chromium:664942
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2503433002
Cr-Commit-Position: refs/heads/master@{#40960}
2016-11-14 11:58:09 +00:00
verwaest
942604dfb2 Add test for making private symbols non-enumerable
BUG=chromium:664411

Review-Url: https://codereview.chromium.org/2498963002
Cr-Commit-Position: refs/heads/master@{#40950}
2016-11-14 09:17:07 +00:00
jkummerow
567904f1a7 [ic] Fix elements conversion in KeyedStoreGeneric
A SmiUntag() was missing when loading the old backing store's length.

BUG=chromium:664469

Review-Url: https://codereview.chromium.org/2492783004
Cr-Commit-Position: refs/heads/master@{#40921}
2016-11-11 13:02:10 +00:00
jgruber
b32ee40de8 [debug-wrapper] Conditional breaks, locals, evaluate, scopes
This CL adds support for:
* conditional breaks in setBreakpoint,
* locals in frame.local{Count,Name,Value},
* evaluation on a frame in frame.evaluate,
* and more detailed scope information in scopeObject.

Uses of several functions that are not covered by the
inspector protocol and are only used in tests have been removed.

Local handling has been modified to also include arguments as locals.
Inspector differs in this regard from our FrameDetails in that
arguments are always shown as locals. Argument-related functions
were removed.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2491543002
Cr-Commit-Position: refs/heads/master@{#40917}
2016-11-11 12:08:34 +00:00
ishell
45b9f15f44 [runtime] Treat empty property cells properly when doing Object.freeze() on a global object.
BUG=chromium:663750, chromium:664123

Review-Url: https://codereview.chromium.org/2495563002
Cr-Commit-Position: refs/heads/master@{#40902}
2016-11-10 16:01:15 +00:00
jarin
c71e5e1294 [crankshaft] Always force number representation for increment.
BUG=chromium:664087

Review-Url: https://codereview.chromium.org/2491333002
Cr-Commit-Position: refs/heads/master@{#40900}
2016-11-10 14:51:18 +00:00
mstarzinger
25d2268ecc [crankshaft] Fix constant folding of HDiv instruction.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-662367
BUG=chromium:662367

Review-Url: https://codereview.chromium.org/2486923004
Cr-Commit-Position: refs/heads/master@{#40897}
2016-11-10 14:27:52 +00:00
jkummerow
cc2a2771a6 [stubs] Fix CodeStubAssembler::TrapAllocationMemento
to actually trap allocation mementos.

Review-Url: https://codereview.chromium.org/2487943005
Cr-Commit-Position: refs/heads/master@{#40895}
2016-11-10 13:47:41 +00:00
bmeurer
6d533403f9 [crankshaft] Not all HAdd instructions produce a number.
BUG=chromium:664084
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2494703002
Cr-Commit-Position: refs/heads/master@{#40894}
2016-11-10 13:11:28 +00:00
mstarzinger
93c6595200 [turbofan] Advance bytecode offset after lazy deopt.
This changes {FrameState} nodes modeling "after" states to use bytecode
offsets pointing to the deoptimizing bytecode. This is in sync with the
normal execution, as the bytecode offset is advanced after operations
complete in regular bytecode handlers.

The change is necessary to ensure lazy deoptimized frames contain an
accurate bytecode offset while they are on the stack. Such frames can be
inspected by various stack walks. The continuation builtin will advance
the bytecode offset upon return.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-660379
BUG=chromium:660379

Review-Url: https://codereview.chromium.org/2487173002
Cr-Commit-Position: refs/heads/master@{#40887}
2016-11-10 11:35:22 +00:00
ishell
6aa16edf36 [runtime] Ensure Object.freeze() deoptimizes code that depends on global property cells.
BUG=chromium:663750

Review-Url: https://codereview.chromium.org/2488223002
Cr-Commit-Position: refs/heads/master@{#40882}
2016-11-10 10:37:26 +00:00
littledan
5975c47a6a Avoid calling out to JS during stack overflow
If an exception is thrown when there is a Promise being created, the Promise
catch prediction code would call into a part implemented in JavaScript to see if
the Promise has a catch handler. If it is not possible to call back into JS,
e.g., due to a stack overflow, then this would lead to a crash. This patch
"speculates" that, if it's impossible to call back into JavaScript, then the
error is unhandled, avoding the issue. In a future patch, the catch prediction
logic should be entirely written in C++, but this patch adds a minimal fix to
be more friendly to backports.

BUG=chromium:662935
R=jgruber

Review-Url: https://codereview.chromium.org/2487833002
Cr-Commit-Position: refs/heads/master@{#40851}
2016-11-09 07:53:08 +00:00
jkummerow
87332fdf67 [arm] Fix custom addition in MacroAssembler::[Fast]Allocate
Don't rely on carry flags you didn't set yourself.

BUG=chromium:663402

Review-Url: https://codereview.chromium.org/2484283002
Cr-Commit-Position: refs/heads/master@{#40848}
2016-11-08 18:19:30 +00:00
jgruber
0cb3897179 [debugger] Basic scope functionality and exception events in wrapper
BUG=v8:5530

Review-Url: https://codereview.chromium.org/2487673002
Cr-Commit-Position: refs/heads/master@{#40840}
2016-11-08 14:54:10 +00:00
jgruber
4d6ff7dfaa [debugger] Stepping and break-related functions in wrapper
This adds clearStepping plus the family of
{set,clear}BreakOn{,Uncaught}Exception functions.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2482903002
Cr-Commit-Position: refs/heads/master@{#40834}
2016-11-08 13:54:37 +00:00
jarin
5d89844130 [crankshaft] FIx for in deopt at the end of the loop.
We really should deopt before the for-in index increment.

BUG=chromium:662904

Review-Url: https://codereview.chromium.org/2476423003
Cr-Commit-Position: refs/heads/master@{#40828}
2016-11-08 12:33:56 +00:00
jgruber
60d60fd716 [debugger] Migrate more debugger tests to inspector
This moves all tests currently working with the inspector debugger wrapper to
test/debugger.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2480223002
Cr-Commit-Position: refs/heads/master@{#40824}
2016-11-08 10:39:08 +00:00
gdeepti
625767df91 [wasm] Linear/Exported memory maximum property should be set when maximum is defined.
- When module bytes have a memory maximum defined, compiled module object should set maximum memory
 - Exported memory objects should set maximum value on the memory objects
 - Update tests to use declared maximum values.

R=ahaas@chromium.org

Review-Url: https://codereview.chromium.org/2474333003
Cr-Commit-Position: refs/heads/master@{#40820}
2016-11-08 09:55:27 +00:00
jarin
7f801ff35b [crankshaft] Do not optimize argument access if any parameter is context-allocated.
Note: This CL might regress code that relies on such arguments access.
In that case, we could still optimize the access if it accesses at
constant index (and the argument at that index is not context-allocated).

If any code relies on a general access to context-allocated arguments,
we would need to analyze the function for assignment to the arguments - this
might be quite tricky.

BUG=chromium:662845

Review-Url: https://codereview.chromium.org/2484723002
Cr-Commit-Position: refs/heads/master@{#40813}
2016-11-07 19:10:15 +00:00
jgruber
39b86ad453 Manually complete failed revert
The revert somehow lost the contents of regress-2825.js.

NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
BUG=chromium:662928

Review URL: https://codereview.chromium.org/2483863002 .

Cr-Commit-Position: refs/heads/master@{#40806}
2016-11-07 15:46:50 +00:00
jgruber
d5948caed5 Revert of [debugger] Migrate more debugger tests to inspector (patchset #2 id:20001 of https://codereview.chromium.org/2480223002/ )
Reason for revert:
http://build.chromium.org/p/client.v8/builders/V8%20Linux%20gcc%204.8/builds/9724

Original issue's description:
> [debugger] Migrate more debugger tests to inspector
>
> This moves all tests currently working with the inspector debugger wrapper to
> test/debugger.
>
> BUG=v8:5530

TBR=yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5530

Review-Url: https://codereview.chromium.org/2480283002
Cr-Commit-Position: refs/heads/master@{#40805}
2016-11-07 15:11:46 +00:00
jgruber
9e07e0005d [debugger] Migrate more debugger tests to inspector
This moves all tests currently working with the inspector debugger wrapper to
test/debugger.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2480223002
Cr-Commit-Position: refs/heads/master@{#40804}
2016-11-07 14:58:59 +00:00
yangguo
acd0c3cf76 [debugger] fix blacklisted tests.
BUG=v8:5581

R=jgruber@chromium.org

Review-Url: https://codereview.chromium.org/2469043003
Cr-Commit-Position: refs/heads/master@{#40793}
2016-11-07 09:43:57 +00:00
bmeurer
a758c19761 [turbofan] Properly rename receiver on CheckHeapObject.
We need to rename the receiver on CheckHeapObject, because we
don't canonicalize numbers in SignedSmall range, and thus we
the representation selection can hand out TaggedSigned values
for receiver uses, even though we checked for TaggedPointerness
first.

Note that this is rather hacky and just intended to fix the bug
ASAP. We need to think about how to deal with representations in
earlier compilation stages.

BUG=chromium:662410
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2485563002
Cr-Commit-Position: refs/heads/master@{#40792}
2016-11-07 08:41:34 +00:00
adamk
010770085b Remove always-true --harmony-restrictive-declarations flag
The flag has been on since at least Chrome 53.

R=littledan@chromium.org

Review-Url: https://codereview.chromium.org/2478883002
Cr-Commit-Position: refs/heads/master@{#40780}
2016-11-04 18:50:41 +00:00
mstarzinger
9906b3e677 [crankshaft] Fix constant folding of HDiv instruction.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-662367
BUG=chromium:662367

Review-Url: https://codereview.chromium.org/2472413002
Cr-Commit-Position: refs/heads/master@{#40773}
2016-11-04 15:08:12 +00:00
henrique.ferreiro
dfcd545682 Remove the 'caller' property from the strict-mode arguments map
This was removed from ECMAScript in the September 2016 TC39 meeting, see https://github.com/tc39/ecma262/issues/670.

BUG=v8:5535

Review-Url: https://codereview.chromium.org/2430383004
Cr-Commit-Position: refs/heads/master@{#40770}
2016-11-04 14:30:29 +00:00
bmeurer
10033749fd [turbofan] CheckBounds cannot be used within asm.js.
Also properly deal with constant indices for String element access in
the JSNativeContextSpecialization.

BUG=chromium:661949
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2474013002
Cr-Commit-Position: refs/heads/master@{#40723}
2016-11-03 12:35:04 +00:00
rmcilroy
c887113d93 [Tests] Fix some concurrent optimization tests on Ignition.
BUG=v8:4680

Review-Url: https://codereview.chromium.org/2467223004
Cr-Commit-Position: refs/heads/master@{#40718}
2016-11-03 11:00:45 +00:00
mstarzinger
b02e7fb86e [turbofan] Disable usage of {maybe_assigned} variable flag.
This disables the usage of the {maybe_assigned} flag that the variable
resolution computes for each variable on non-asm.js code. Note that the
analysis is fundamentally broken for destructuring and top-level lexical
variables. Also note that this still uses the analysis for asm.js code
even though it is not validated. One can still trigger the bug by using
invalid constructs within a function marked with "use asm". The fix is
intentionally minimal so that it can be merged to release branches.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-659915
BUG=chromium:659915

Review-Url: https://codereview.chromium.org/2471523005
Cr-Commit-Position: refs/heads/master@{#40716}
2016-11-03 10:24:06 +00:00
verwaest
4fa2ebcbe0 Turn Scope::locals_ into a ThreadedList
This turns the ZoneList with minimum 6 words overhead into a linked list through variables, using 2 words for the empty list. Additionally the average number of pointers per entry goes down to the optimal 1 per variable that's in a list.

This does introduce 1 pointer unnecessary overhead for dynamic variables. If that becomes a problem we could distinguish between variables in lists and variables not in lists. We can distinguish them at construction-time.

BUG=v8:5209

Review-Url: https://codereview.chromium.org/2475433002
Cr-Commit-Position: refs/heads/master@{#40714}
2016-11-03 10:07:12 +00:00
bmeurer
7201bad99d [turbofan] Properly deal with out-of-bounds fields in EscapeAnalysis.
Conflicting type feedback on Load/StoreICs can lead to out-of-bounds
field access, which is essentially dead code, but EscapeAnalysis was
confused about those. For now, mark the objects as escaping in these
cases, middle-term we want to deal better with this kind of compile-
time known dead code.

BUG=chromium:658185,v8:4586
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2459273002
Cr-Commit-Position: refs/heads/master@{#40662}
2016-10-31 06:43:25 +00:00
mstarzinger
ae24992839 [turbofan] Remove deprecated --turbo-from-bytecode flag.
This flag is on by default for now. Whenever heuristics in the compiler
pipeline decide to use Ignition+TurboFan, then {BytecodeGraphBuilder} is
active. Removing the flag reduces maintenance overhead.

R=mvstanton@chromium.org

Review-Url: https://codereview.chromium.org/2437103002
Cr-Commit-Position: refs/heads/master@{#40639}
2016-10-28 09:54:04 +00:00
bmeurer
305948fa76 [ic] Properly deal with all oddballs when updating BinaryOpIC state.
R=jarin@chromium.org
BUG=chromium:659967

Review-Url: https://codereview.chromium.org/2453633005
Cr-Commit-Position: refs/heads/master@{#40616}
2016-10-27 12:16:13 +00:00
jgruber
88c5a300c5 [regexp] Set static property attributes as in spec proposal
'[...] accessor properties who have the attributes { [[Enumerable]]:
false, [[Configurable]]: true } [...]'

BUG=v8:5566

Review-Url: https://codereview.chromium.org/2452913002
Cr-Commit-Position: refs/heads/master@{#40609}
2016-10-27 08:26:05 +00:00
titzer
24d38be132 [wasm] Remove the "Wasm" object.
BUG=chromium:575167, v8:5507

R=rossberg@chromium.org,bradnelson@chromium.org
CC=ahaas@chromium.org

Review-Url: https://codereview.chromium.org/2447013004
Cr-Commit-Position: refs/heads/master@{#40601}
2016-10-26 16:58:53 +00:00
titzer
3f207617d7 [wasm] Binary 0xD: update encoding of opcodes, types, and add immediates.
R=ahaas@chromium.org,rossberg@chromium.org,binji@chromium.org,bradnelson@chromium.org
BUG=chromium:575167, chromium:659591

Review-Url: https://codereview.chromium.org/2440953002
Cr-Commit-Position: refs/heads/master@{#40600}
2016-10-26 16:56:49 +00:00
bmeurer
2bd7464ec1 [compiler] Properly validate stable map assumption for globals.
For global object property cells, we did not check that the map on the
previous object is still the same for which we actually optimized. So
the optimized code was not in sync with the actual state of the property
cell. When loading from such a global object property cell, Crankshaft
optimizes away any map checks (based on the stable map assumption),
leading to arbitrary memory access in the worst case.

TurboFan has the same bug for stores, but is safe on loads because we
do appropriate map checks there. However mixing TurboFan and Crankshaft
still exposes the bug.

R=yangguo@chromium.org
BUG=chromium:659475

Review-Url: https://codereview.chromium.org/2444233004
Cr-Commit-Position: refs/heads/master@{#40592}
2016-10-26 13:44:03 +00:00
mstarzinger
2ab2ec2243 [turbofan] Disable bogus lowering of builtin tail-calls.
The TurboFan backends currently don't support tail-calls to CPP builtins
because the semantics of kJavaScriptCallArgCountRegister has different
semantics for stub call descriptors versus JavaScript call descriptors.
This is actually a short-coming of the backends and follow-up work will
make the backends more robust in that regard to fail hard on unsupported
constructs like that. This just disables the lowering creating such a
tail-call.

R=bmeurer@chromium.org
BUG=chromium:658691
TEST=mjsunit/regress/regress-crbug-658691

Review-Url: https://codereview.chromium.org/2447383002
Cr-Commit-Position: refs/heads/master@{#40590}
2016-10-26 12:49:06 +00:00
bmeurer
d0a047d440 Revert of [compiler] Properly validate stable map assumption for globals. (patchset #3 id:40001 of https://codereview.chromium.org/2444233004/ )
Reason for revert:
Breaks tree: http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/8789

Original issue's description:
> [compiler] Properly validate stable map assumption for globals.
>
> For global object property cells, we did not check that the map on the
> previous object is still the same for which we actually optimized. So
> the optimized code was not in sync with the actual state of the property
> cell. When loading from such a global object property cell, Crankshaft
> optimizes away any map checks (based on the stable map assumption),
> leading to arbitrary memory access in the worst case.
>
> TurboFan has the same bug for stores, but is safe on loads because we
> do appropriate map checks there. However mixing TurboFan and Crankshaft
> still exposes the bug.
>
> R=yangguo@chromium.org
> BUG=chromium:659475

TBR=yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:659475

Review-Url: https://codereview.chromium.org/2454513003
Cr-Commit-Position: refs/heads/master@{#40582}
2016-10-26 11:11:43 +00:00
bmeurer
3aa57eb920 [compiler] Properly validate stable map assumption for globals.
For global object property cells, we did not check that the map on the
previous object is still the same for which we actually optimized. So
the optimized code was not in sync with the actual state of the property
cell. When loading from such a global object property cell, Crankshaft
optimizes away any map checks (based on the stable map assumption),
leading to arbitrary memory access in the worst case.

TurboFan has the same bug for stores, but is safe on loads because we
do appropriate map checks there. However mixing TurboFan and Crankshaft
still exposes the bug.

R=yangguo@chromium.org
BUG=chromium:659475

Review-Url: https://codereview.chromium.org/2444233004
Cr-Commit-Position: refs/heads/master@{#40578}
2016-10-26 08:55:10 +00:00
adamk
56626f302d [ignition] Use more-targeted check for CONST-this-initialization hole check
This brings the BytecodeGenerator in line with FullCodeGenerator, now that
more requests for hole checks are flowing through BuildVariableAssignment.

BUG=chromium:658528

Review-Url: https://codereview.chromium.org/2447783002
Cr-Commit-Position: refs/heads/master@{#40557}
2016-10-25 11:08:06 +00:00
cbruni
532c16eca0 [runtime] Object.create(null) creates a slow object
Object.create(null) is most likely to be used for dictionary-like objects.
Hence it would be beneficial to directly create a slow-mode object and avoid
additional overhead later-on.

BUG=

Review-Url: https://codereview.chromium.org/2430273007
Cr-Commit-Position: refs/heads/master@{#40551}
2016-10-25 08:30:50 +00:00
yangguo
baba15223c [debugger] fix stepping out of across throwing.
R=jgruber@chromium.org
BUG=v8:5559

Review-Url: https://codereview.chromium.org/2445233004
Cr-Commit-Position: refs/heads/master@{#40549}
2016-10-25 08:00:52 +00:00
jgruber
77ddcfb3e0 [regexp] Remove unused code
This CL removes code that is now unused since the port of regexp.js has been
completed. Removed functions / classes are:

* regexp.js (GetSubstitution moved to string.js)
* RegExpConstructResult stub
* RegExpFlags intrinsic
* RegExpSource intrinsic
* RegExpInitializeAndCompile runtime function

BUG=v8:5339

Review-Url: https://codereview.chromium.org/2448463002
Cr-Commit-Position: refs/heads/master@{#40547}
2016-10-25 07:19:13 +00:00
rmcilroy
381b5437b2 Don't call FastNewFunctionContextStub if context is bigger than kMaxRegularHeapObjectSize.
CL https://codereview.chromium.org/2177273002 changed FastNewFunctionContextStub
to take a number of slots parameter and in-doing so removed the maximum slot
count for FastNewFunctionContextStub. This made it possible to create a
closure which is larger than kMaxRegularHeapObjectSize and so can't be
allocated by FastNewFunctionContextStub.

Reintroduce FastNewFunctionContextStub::kMaxSlots (but make the limit much
larger) to ensure we call the runtime for contexts which need to be
allocated in the LO space.

BUG=chromium:655573

Review-Url: https://codereview.chromium.org/2445703002
Cr-Commit-Position: refs/heads/master@{#40541}
2016-10-24 17:23:21 +00:00
jgruber
f87d73c7cf [regexp] Add regression test for v8:5434
The test ensures that in RegExp.prototype[@@split], exec is neither
accessed too early nor too often.

BUG=v8:5339,v8:5434

Review-Url: https://codereview.chromium.org/2440413002
Cr-Commit-Position: refs/heads/master@{#40526}
2016-10-24 10:39:01 +00:00
bmeurer
a58d7907ea [turbofan] Fix typed lowering of JSToLength.
When lowering JSToLength, we cannot just smash arbitrary bounds on the
Select nodes, as that will confuse the representation selection later.
Instead properly rename the input using NumberMax and NumberMin.

R=jarin@chromium.org
BUG=chromium:657478

Review-Url: https://codereview.chromium.org/2440333002
Cr-Commit-Position: refs/heads/master@{#40519}
2016-10-24 06:37:22 +00:00
titzer
418b239f0b [wasm] Use a Managed<WasmModule> to hold metadata about modules.
This CL refactors the handling of metadata associated with WebAssembly
modules to reduce the duplicate marshalling of data from the C++ world
to the JavaScript world. It does this by wrapping the C++ WasmModule*
object in a Foreign that is rooted from the on-heap WasmCompiledModule
(which is itself just a FixedArray). Upon serialization, the C++ object
is ignored and the original WASM wire bytes are serialized. Upon
deserialization, the C++ object is reconstituted by reparsing the bytes.

This is motivated by increasing complications in implementing the JS
API, in particular WebAssembly.Table, which must perform signature
canonicalization across instances.

Additionally, this CL implements the proper base + offset initialization
behavior for tables.

R=rossberg@chromium.org,bradnelson@chromium.org,mtrofin@chromium.org,yangguo@chromium.org
BUG=v8:5507, chromium:575167, chromium:657316

Review-Url: https://chromiumcodereview.appspot.com/2424623002
Cr-Commit-Position: refs/heads/master@{#40434}
2016-10-19 13:07:22 +00:00
ahaas
2f3ca961c7 [turbofan] Use uint32 to store the number of control outputs instead of uint16.
Using uint32 to store the the number of control outputs allows WebAssembly switches to have more than 2^16 case.

BUG=v8:5531
TEST=mjsunit/regress/wasm/regression-5531
R=titzer@chromium.org

Review-Url: https://chromiumcodereview.appspot.com/2425983002
Cr-Commit-Position: refs/heads/master@{#40420}
2016-10-19 07:25:51 +00:00
mythria
cad36659b1 [turbofan] When inlining JSCallConstruct receiver should be set to the hole.
When inlining JSCallConstruct in turbofan, receiver is initialized to model
the behaviour of constructor. When an implicit receiver is not required the
receiver value should be set to the hole value instead of undefined value.
When initializing the receiver via super calls, we check that the receiver
is the hole value.

BUG=chromium:653407

Review-Url: https://codereview.chromium.org/2424123002
Cr-Commit-Position: refs/heads/master@{#40396}
2016-10-18 11:48:15 +00:00
bmeurer
85844420a2 [turbofan] Fix return value of Array.prototype.push.
The inlined version of Array.prototype.push returned the value that was
pushed instead of the new "length" property value.

R=jarin@chromium.org
BUG=chromium:656037

Review-Url: https://codereview.chromium.org/2425903002
Cr-Commit-Position: refs/heads/master@{#40384}
2016-10-18 08:02:25 +00:00
bmeurer
96f1327a93 [turbofan] Add missing Float32 -> TaggedSigned conversion.
There are a couple of operators that can indeed produce Float32
representation, which we might end up using in a TaggedSigned
context, so add the missing conversion (indirectly via Float64).

BUG=chromium:656275
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2421193002
Cr-Commit-Position: refs/heads/master@{#40334}
2016-10-17 05:41:09 +00:00
ahaas
fa1f9c37d1 [wasm] Do not generate a loop stack check upon a decoder error.
A decoder error sets builder_ to null, which causes builder_->StackCheck
to segfault.

R=titzer@chromium.org

TEST=mjsunit/regress/wasm/loop-stack-check

Review-Url: https://codereview.chromium.org/2416873002
Cr-Commit-Position: refs/heads/master@{#40271}
2016-10-13 14:33:11 +00:00
ahaas
0e1f6d8bfc [wasm] Do not create TF nodes during verification
BUG=chromium:654377
TEST=mjsunit/regress/wasm/regression-654377
R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2403013002
Cr-Commit-Position: refs/heads/master@{#40246}
2016-10-13 08:21:47 +00:00
ishell
9a0109d72e [crankshaft] Range analysis should not rely on overflowed ranges.
BUG=chromium:645438

Review-Url: https://codereview.chromium.org/2412853002
Cr-Commit-Position: refs/heads/master@{#40202}
2016-10-12 09:06:32 +00:00
bmeurer
edfe391ef5 [turbofan] Fix effect chain for polymorphic array access.
We accidently dropped the effect on the floor that we have for the
polymorphic map check in case of array elements access.

BUG=chromium:655004
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2411273002
Cr-Commit-Position: refs/heads/master@{#40201}
2016-10-12 08:31:55 +00:00
adamk
1eaf2927ba Change TF regression test to not trigger tons of allocation
Instead of allocating an ArrayBuffer in the test, use a different example
from the original bug.

R=bmeurer@chromium.org
BUG=chromium:644631, v8:5504

Review-Url: https://codereview.chromium.org/2408403002
Cr-Commit-Position: refs/heads/master@{#40195}
2016-10-12 07:33:29 +00:00
bmeurer
a4f37da86f [turbofan] Respect ConsString invariant.
For ConsString, the left hand side must be either sequential or external
if the right hand side is empty.

R=jarin@chromium.org
BUG=chromium:654723
NOTRY=true

Review-Url: https://codereview.chromium.org/2410893003
Cr-Commit-Position: refs/heads/master@{#40192}
2016-10-12 07:00:52 +00:00
bmeurer
f6bd23f244 [turbofan] Enforce native context specialization.
There were once plans to generate cross-context code with TurboFan,
however that doesn't fit into the model anymore, and so all of this
is essentially dead untested code (and thus most likely already broken
in subtle ways). With this mode still in place it would also be a lot
harder to make inlining based on SharedFunctionInfo work.

BUG=v8:2206,v8:5499
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2406803002
Cr-Commit-Position: refs/heads/master@{#40109}
2016-10-10 05:53:51 +00:00
gdeepti
19dab886a4 [wasm] Simd128 types should not be available in asmjs modules.
- Added gating code in the module-decoder to allow SIMD code only when
 it can be decoded correctly
 - SIMD128 values should not be exported to JS
 - Try/Catch should not be available in asmjs modules
 - Trivial fixes for S128  values

BUG=chromium:648079

R=ahaas@chromium.org, titzer@chromium.org, bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2400863003
Cr-Commit-Position: refs/heads/master@{#40067}
2016-10-07 07:52:19 +00:00
gsathya
9d836ec64a [promises] fix deferred object leak
This patch sets `this` to be undefined when calling resolve and reject
functions attached to the deferred.

BUG=v8:5476

Review-Url: https://codereview.chromium.org/2399053003
Cr-Commit-Position: refs/heads/master@{#40056}
2016-10-06 18:29:35 +00:00
ahaas
aa93e6ca95 [wasm] Call a runtime function for a MemorySize instruction.
The implementation of MemorySize with RelocatableInt32Constants is
problematic if MemorySize is placed close to a GrowMemory instruction in
the code. The use of a runtime function guarantees that the order in
which MemorySize and GrowMemory is executed is correct.

R=titzer@chromium.org
BUG=chromium:651961
TEST=mjsunit/regress/wasm/regression-651961

Committed: https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689
Review-Url: https://codereview.chromium.org/2386183004
Cr-Original-Commit-Position: refs/heads/master@{#39972}
Cr-Commit-Position: refs/heads/master@{#39980}
2016-10-05 09:12:08 +00:00
ahaas
9701e79127 Revert of [wasm] Call a runtime function for a MemorySize instruction. (patchset #2 id:20001 of https://codereview.chromium.org/2386183004/ )
Reason for revert:
Patch problem

Original issue's description:
> [wasm] Call a runtime function for a MemorySize instruction.
>
> The implementation of MemorySize with RelocatableInt32Constants is
> problematic if MemorySize is placed close to a GrowMemory instruction in
> the code. The use of a runtime function guarantees that the order in
> which MemorySize and GrowMemory is executed is correct.
>
> R=titzer@chromium.org
> BUG=chromium:651961
> TEST=mjsunit/regress/wasm/regression-651961
>
> Committed: https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689
> Cr-Commit-Position: refs/heads/master@{#39972}

TBR=titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:651961

Review-Url: https://codereview.chromium.org/2391223002
Cr-Commit-Position: refs/heads/master@{#39973}
2016-10-05 06:12:18 +00:00
ahaas
2c12a9a42d [wasm] Call a runtime function for a MemorySize instruction.
The implementation of MemorySize with RelocatableInt32Constants is
problematic if MemorySize is placed close to a GrowMemory instruction in
the code. The use of a runtime function guarantees that the order in
which MemorySize and GrowMemory is executed is correct.

R=titzer@chromium.org
BUG=chromium:651961
TEST=mjsunit/regress/wasm/regression-651961

Review-Url: https://codereview.chromium.org/2386183004
Cr-Commit-Position: refs/heads/master@{#39972}
2016-10-05 06:06:58 +00:00
mtrofin
c938f0df22 [wasm] explicitly mark off unlinked wasm module instances
This fixes a gc stress bug. We cannot rely on an ordering of
clearing of the weak cells, so we explicitly reset the weak
link to the owning instance, when finalizing a compiled
module. In turn, this serves as a reliable signal when GCs
happen while instantiating, allowing us to correctly link the
new instance.

BUG=chromium:652425

Review-Url: https://codereview.chromium.org/2393443003
Cr-Commit-Position: refs/heads/master@{#39964}
2016-10-04 21:23:24 +00:00
adamk
3c39bac440 Don't skip hole checks inside patterns in parameter lists
Previously, b6e9f625c1 fixed self-assignment
in parameters to throw. But it failed to deal with the case of
destructuring with defaults. This patch extends that previous approach
to always treat the end of a parameter as its initializer position,
whether it has an initializer or not.

This is the minimal change to make it easy to merge; a follow-up
will rename the field of Parameter from "initializer_end_position"
to "end_position".

BUG=v8:5454

Review-Url: https://codereview.chromium.org/2390943002
Cr-Commit-Position: refs/heads/master@{#39962}
2016-10-04 17:04:19 +00:00
leszeks
4ad3579119 [ignition] Fix building lookup graph when search depth is 0
In some (rare) cases, the context depth passed to a dynamic variable lookup can
be zero. In these cases, the fast path for the lookup (i.e. load from context or
global) can always be taken, as there is no need to search the current context.

However, with no slow path checks, the bytecode graph builder had a null
environment for the slow path, causing segfaults when this graph was built.

This patch adds a null check for the slow path environment, and skips building
the slow path if the environment is null.

BUG=chromium:652186

Review-Url: https://codereview.chromium.org/2385123002
Cr-Commit-Position: refs/heads/master@{#39949}
2016-10-04 11:08:11 +00:00
verwaest
9feab2d208 Mark param as used when we force context allocation due to implement access through arguments
Currently the parameter is first parsed as a reference, and then translated into a parameter. The reference stays around though, and gets resolved to the parameter. That automatically creates a use. Now that I drop all unresolved references when we abort preparsing, that also drops the unresolved reference.

Instead, mark the variable as used when its marked as forced context allocation. That's what happens in almost all other cases.

This raises the question: does it really make sense to parse parameters this ways? It seems pretty generic, but neither fast nor memory-efficient ... Did I misunderstand something?

Just land if you think the CL looks good as is.

BUG=chromium:651613

Review-Url: https://codereview.chromium.org/2386623002
Cr-Commit-Position: refs/heads/master@{#39935}
2016-10-03 17:21:20 +00:00
leszeks
537c855882 [ignition] BytecodeGraphBuilder: Merge correct environment in try block
Making new nodes inside of exception-handled blocks fiddles around with the
current environment to merge the exception paths. In particular, the current
environment pointer is mutated. This patch ensures that when we merge the fast
and slow paths of the LdaContextLookup, we actually merge the correct
environment and do not accidentally merge the exceptional environment.

BUG=chromium:651394

Review-Url: https://codereview.chromium.org/2379043002
Cr-Commit-Position: refs/heads/master@{#39878}
2016-09-29 15:18:06 +00:00
verwaest
fecd09ce32 Readd default function variables upon scope reset for preparse abort
BUG=chromium:651327

Review-Url: https://codereview.chromium.org/2380993003
Cr-Commit-Position: refs/heads/master@{#39864}
2016-09-29 13:29:15 +00:00
mtrofin
aff5ab1132 [wasm] fix for GC during instantiation.
BUG=chromium:651070

Review-Url: https://codereview.chromium.org/2371403003
Cr-Commit-Position: refs/heads/master@{#39848}
2016-09-29 04:24:42 +00:00
mtrofin
df490c3484 [wasm] Fix for cloning module heap size value
The module size is encoded as a HeapNumber, and needs to be
explicitly cloned.

BUG=chromium:647649

Review-Url: https://codereview.chromium.org/2347333002
Cr-Commit-Position: refs/heads/master@{#39845}
2016-09-29 00:48:28 +00:00
ishell
8d8c134b12 [ic][mips][mips64] Ensure store handlers return value in proper register.
BUG=chromium:650973

Review-Url: https://codereview.chromium.org/2374003002
Cr-Commit-Position: refs/heads/master@{#39823}
2016-09-28 11:46:44 +00:00
jgruber
da27e0c886 Allow empty first parts of ConsStrings
TurboFan lowering (see [0]) of ConsString creation cannot ensure that
the first part of the cons string is non-empty without introducing a phi
and negatively impacting performance.

This modifies ConsStringIterator to allow empty first parts of
ConsStrings.

BUG=v8:5440

Review-Url: https://codereview.chromium.org/2377983002
Cr-Commit-Position: refs/heads/master@{#39817}
2016-09-28 09:46:56 +00:00
bmeurer
15a449b141 [typedarray] Properly initialize JSTypedArray::length with Smi.
Even after https://codereview.chromium.org/2371963002 we still did not
always store a Smi into the JSTypedArray::length field, the runtime
function %TypedArrayInitializeFromArrayLike was still storing whatever
it got from the JavaScript code, which is highly dependent on internal
decisions of the ICs and the representation selection in the optimizing
compilers, so that's pretty fragile.

R=verwaest@chromium.org
BUG=chromium:650933

Review-Url: https://codereview.chromium.org/2377943002
Cr-Commit-Position: refs/heads/master@{#39802}
2016-09-28 05:49:37 +00:00
jgruber
515994b8ca [regexp] Don't cache exec method in Regexp.proto[@@split]
The call to RegExpSubclassExec may refer to a different exec method
since splitter is newly constructed previously to the call.

BUG=v8:5351

Review-Url: https://codereview.chromium.org/2370733003
Cr-Commit-Position: refs/heads/master@{#39774}
2016-09-27 14:02:33 +00:00
verwaest
c0ded71713 Don't reset parameters if we aborted preparsing, rebuild them from the params_ list
BUG=

Review-Url: https://codereview.chromium.org/2372703004
Cr-Commit-Position: refs/heads/master@{#39769}
2016-09-27 13:05:32 +00:00
jkummerow
142f9dfcad [crankshaft] TypedArrayInitialize: force length to be a Smi
BUG=chromium:650404

Review-Url: https://codereview.chromium.org/2371963002
Cr-Commit-Position: refs/heads/master@{#39744}
2016-09-26 23:00:45 +00:00
verwaest
7f025eb626 Remove ARGUMENTS_VARIABLE and fix crankshaft to properly detect the arguments object and keep it alive when inlining .apply
BUG=

Review-Url: https://codereview.chromium.org/2367483003
Cr-Commit-Position: refs/heads/master@{#39670}
2016-09-23 14:27:02 +00:00
Michael Starzinger
4b2c6d03e4 [turbofan] Add proper type guards to escape analysis.
This makes sure the {EscapeAnalysisReducer} inserts proper {TypeGuard}
nodes if the replacement node is not a subtype of the original node.
This happens predominantly for code that has been made unreachable by
type checks.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-640497
BUG=chromium:640497

Review URL: https://codereview.chromium.org/2363573003 .

Cr-Commit-Position: refs/heads/master@{#39656}
2016-09-23 11:02:13 +00:00
lpy
68ee0a4f90 Add regression test for crbug.com/648740.
BUG=648740

Review-Url: https://codereview.chromium.org/2362563002
Cr-Commit-Position: refs/heads/master@{#39643}
2016-09-22 20:44:05 +00:00
verwaest
df7ecd1c1a Declare the arguments object before creating the function var, to make sure it masks it
BUG=chromium:649067

Review-Url: https://codereview.chromium.org/2362463003
Cr-Commit-Position: refs/heads/master@{#39642}
2016-09-22 19:16:42 +00:00
gsathya
ba41697cbd [promises] PromiseResolveThenableJob: change then to be a JSReceiver
BUG=v8:649078

Review-Url: https://codereview.chromium.org/2362503003
Cr-Commit-Position: refs/heads/master@{#39609}
2016-09-21 23:56:20 +00:00
mstarzinger
b097c6c4f1 [turbofan] Support for ConsString by escape analysis.
This add support for ConsString objects allocated inline to the escape
analysis pass. The raw hash field in such strings needs special handling
similar to existing raw fields. This also contains materialization code
within the deoptimizer as usual.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-648737
BUG=chromium:648737

Review-Url: https://codereview.chromium.org/2357153002
Cr-Commit-Position: refs/heads/master@{#39594}
2016-09-21 12:30:00 +00:00
cbruni
2fd6d6093e [elements] Handlify raw parameter_map pointers for SloppyArgumentsAccessor
Handlify pointers in IncludesValueImpl and DirectCollectElementIndicesImpl.

BUG=chromium:648373

Review-Url: https://codereview.chromium.org/2354773006
Cr-Commit-Position: refs/heads/master@{#39586}
2016-09-21 10:22:53 +00:00
mstarzinger
81f4342994 [turbofan] Remove bogus constant materialization from frame.
This removes an optimization from the code generator that tries to
materialize certain constants (i.e. context and closure) from the
stackframe when possible. This does not work with Harmony tail calls
which are split into several instructions. There have already been
numerous bugs in this optimization, it is too fragile in its current
form.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-648539
BUG=chromium:648539

Review-Url: https://codereview.chromium.org/2357583003
Cr-Commit-Position: refs/heads/master@{#39583}
2016-09-21 09:31:32 +00:00
littledan
dcd61b9020 Filter out synthetic variables from with scopes
This patch ensures that variables like .new_target aren't overwritable
using with scopes. It does this by ensuring that scope analysis does
not consider with scopes (or eval scopes) for such 'synthetic variables',
similarly to how the 'this' variable was already handled.
The patch also adds a DCHECK for the dynamic parallel to this case,
replacing a previous unreachable path for a particular instance.

BUG=v8:5405

Review-Url: https://codereview.chromium.org/2353623002
Cr-Commit-Position: refs/heads/master@{#39567}
2016-09-20 22:14:54 +00:00
littledan
bd078193a0 Remove synthetic unresolved variables from async/await desugaring
This patch uses temporaries rather than unresolved variables for
.promise and .debug_is_active. For .promise, a new field is added
to the FunctionState, similarly to .generator_object. This change
fixes a bug where .promise was locally shadowable by with, affecting
program semantics.

BUG=v8:5405

Review-Url: https://codereview.chromium.org/2359513002
Cr-Commit-Position: refs/heads/master@{#39566}
2016-09-20 21:31:32 +00:00
mstarzinger
4dab7b5a1d [turbofan] Fix loop assignment analysis on ForInStatements.
The implicit assignment to the induction variable in a ForInStatement
has been ignored by the AST loop assignment analysis. This was hidden
for cases where the parser introduced a ".for" temporary, but triggers
when the variable is declared outside the loop.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-647887
BUG=chromium:647887

Review-Url: https://codereview.chromium.org/2356733002
Cr-Commit-Position: refs/heads/master@{#39551}
2016-09-20 12:37:33 +00:00
bmeurer
d86038db25 [crankshaft] Protect against deopt loops from string length overflows.
Crankshaft just unconditionally deoptimizes the code when the length of
a string addition result would overflow. In order to protect against
deopt loops we insert a global protector cell.

We will use the same mechanism for inlining certain string additions
into TurboFan as well, and protecting against overflow (we will also
extend this to deal with String.prototype.concat and friends once we
get there).

BUG=v8:5404
R=jarin@chromium.org,hpayer@chromium.org
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux64_msan_rel

Committed: https://crrev.com/cb19257a926a55209a6d6858ce26d51a0447ba71
Review-Url: https://codereview.chromium.org/2348293002
Cr-Original-Commit-Position: refs/heads/master@{#39511}
Cr-Commit-Position: refs/heads/master@{#39525}
2016-09-20 05:59:35 +00:00
machenbach
53510f6a80 Revert of [crankshaft] Protect against deopt loops from string length overflows. (patchset #1 id:1 of https://codereview.chromium.org/2348293002/ )
Reason for revert:
Mean https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/10910

Original issue's description:
> [crankshaft] Protect against deopt loops from string length overflows.
>
> Crankshaft just unconditionally deoptimizes the code when the length of
> a string addition result would overflow. In order to protect against
> deopt loops we insert a global protector cell.
>
> We will use the same mechanism for inlining certain string additions
> into TurboFan as well, and protecting against overflow (we will also
> extend this to deal with String.prototype.concat and friends once we
> get there).
>
> BUG=v8:5404
> R=jarin@chromium.org,hpayer@chromium.org
>
> Committed: https://crrev.com/cb19257a926a55209a6d6858ce26d51a0447ba71
> Cr-Commit-Position: refs/heads/master@{#39511}

TBR=hpayer@chromium.org,jarin@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5404

Review-Url: https://codereview.chromium.org/2357433002
Cr-Commit-Position: refs/heads/master@{#39518}
2016-09-19 21:50:15 +00:00
bmeurer
cb19257a92 [crankshaft] Protect against deopt loops from string length overflows.
Crankshaft just unconditionally deoptimizes the code when the length of
a string addition result would overflow. In order to protect against
deopt loops we insert a global protector cell.

We will use the same mechanism for inlining certain string additions
into TurboFan as well, and protecting against overflow (we will also
extend this to deal with String.prototype.concat and friends once we
get there).

BUG=v8:5404
R=jarin@chromium.org,hpayer@chromium.org

Review-Url: https://codereview.chromium.org/2348293002
Cr-Commit-Position: refs/heads/master@{#39511}
2016-09-19 21:01:30 +00:00
mtrofin
7d008c0d1b [wasm] moved regression test under test/mjsunit/regression/wasm
We'd like wasm regressions to live under a subfolder of the mjsunit
regression folder.

BUG=

Review-Url: https://codereview.chromium.org/2344373002
Cr-Commit-Position: refs/heads/master@{#39483}
2016-09-17 00:29:10 +00:00
mstarzinger
c2cf8b11ed [turbofan] Handle stack overflow during inlining.
This handles the case where generating bytecode for inlining purposes
causes a stack overflow. We just abort inlining but also need to clear
pending exceptions.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-647217
BUG=chromium:647217

Review-Url: https://codereview.chromium.org/2339383002
Cr-Commit-Position: refs/heads/master@{#39448}
2016-09-15 14:05:13 +00:00
mstarzinger
b848716c98 [compiler] Fix confusion about OSR BailoutId semantics.
The semantics of the {BailoutId} representing an OSR entry point is
different between the interpreter and the full code generator. These
semantics are hard-coded in various graph builders. We need to ensure
that the correct graph builder is chosen for OSR compilations.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-5380
BUG=v8:5380

Review-Url: https://codereview.chromium.org/2341663002
Cr-Commit-Position: refs/heads/master@{#39444}
2016-09-15 11:00:42 +00:00
jgruber
8df547d402 [regexp] Avoid unneeded accesses to lastIndex
This implements https://github.com/tc39/ecma262/pull/627/.

BUG=v8:5360

Review-Url: https://codereview.chromium.org/2339443002
Cr-Commit-Position: refs/heads/master@{#39402}
2016-09-14 07:39:44 +00:00
mstarzinger
85289749f4 [interpreter] Add regression test for bogus OSR entry.
This adds a regression test for a bug where {OsrPoll} instructions
within the bytecode stream ended up outside of actual loops. This has
been fixed already, by merging {OsrPoll} into the backwards branch.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-645888
BUG=chromium:645888

Review-Url: https://codereview.chromium.org/2337033002
Cr-Commit-Position: refs/heads/master@{#39385}
2016-09-13 13:23:21 +00:00
mvstanton
2ab3fcf42f Record call counts also for megamorphic calls.
To make better inlining decisions, it's good to have call counts for poly/mega-morphic cases. This CL makes it work for calls, and another will follow to better unify the code between constructor calls and normal calls (and thence, to record megamorphic call counts there as well).

BUG=

Review-Url: https://codereview.chromium.org/2325083003
Cr-Commit-Position: refs/heads/master@{#39377}
2016-09-13 11:04:22 +00:00
cbruni
621f4af720 [elements] Handlify SloppyArguments IndexOfValueImpl
The raw pointer to the parameter_map might get stale in case of accessors present on
the arguments object.
Drive-by-fix: use nullptr instead of the_hole with isolate access.

BUG=chromium:645680

Review-Url: https://codereview.chromium.org/2332503002
Cr-Commit-Position: refs/heads/master@{#39359}
2016-09-12 17:32:09 +00:00
adamk
58325e616d [turbofan] Switch from a whitelist to a blacklist for NeedsFrameStateInput
The whitelist is populated with those inline intrinsics that are lowered
in JSIntrinsicInlining and were not previously blacklisted. Thus the only
additional FrameStates this CL adds are those where the caller tries to
call the INLINE version of an intrinsic but ends up calling the RUNTIME
version instead.

R=bmeurer@chromium.org
BUG=chromium:644631

Review-Url: https://codereview.chromium.org/2331543002
Cr-Commit-Position: refs/heads/master@{#39357}
2016-09-12 16:12:57 +00:00
mstarzinger
0681deb914 [interpreter] Fix destroyed new.target register use.
This fixes a corner-case where the bytecode was using the <new.target>
register directly without going through the local variable. The value
might be clobbered because the deoptimizer doesn't properly restore the
value. The label will causes bytecode pipeline to be flushed and hence
ensure {BytecodeRegisterOptimizer} doesn't reuse <new.target> anymore.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-645103
BUG=chromium:645103

Review-Url: https://codereview.chromium.org/2325133002
Cr-Commit-Position: refs/heads/master@{#39306}
2016-09-09 12:20:20 +00:00
adamk
e4273007b6 Properly handle holes following spreads in array literals
Before this change, the spread desugaring would naively call
`%AppendElement($R, the_hole)` and in some cases $R would have
a non-holey elements kind, putting the array into the bad state
of exposing holes to author code.

This patch avoids calling %AppendElement with a hole, instead
simply incrementing $R.length when it sees a hole in the literal
(this is safe because $R is known to be an Array). The existing
logic for elements transitions takes care of giving the array a
holey ElementsKind.

BUG=chromium:644215

Review-Url: https://codereview.chromium.org/2321533003
Cr-Commit-Position: refs/heads/master@{#39294}
2016-09-08 18:50:41 +00:00
mstarzinger
9984d6f689 [deoptimizer] Support materialization of ContextExtension.
This adds support to the deoptimizer to materialize ContextExtension
objects that have been de-materialized by escape analysis. This is
follow-up to the inline allocation of such objects during the create
lowering phase (i.e. JSCreateWithContext and JSCreateCatchContext).

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-644245
BUG=chromium:644245

Review-Url: https://codereview.chromium.org/2317353003
Cr-Commit-Position: refs/heads/master@{#39270}
2016-09-08 10:33:20 +00:00
bmeurer
4ed27fc836 [turbofan] Ensure that all prototypes are stable for push/pop.
When lowering Array.prototype.push/.pop to the fast inlined version, we
first need to ensure that all prototypes (including the Object.prototype)
are stable.

R=mvstanton@chromium.org
BUG=chromium:644689

Review-Url: https://codereview.chromium.org/2319533005
Cr-Commit-Position: refs/heads/master@{#39266}
2016-09-08 08:48:32 +00:00
bmeurer
91ed540ee6 [turbofan] Revert "Avoid overflow checks on SpeculativeNumberAdd/Subtract/Multiply."
The optimization is not correct for unsigned output types, and we the
overall complexity seems too high. We need to find a better way to
take into account the input/output type restrictions.

Also added a regression test for the unsigned output bug.

BUG=v8:5267,v8:5270,v8:5357
TBR=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2320013002
Cr-Commit-Position: refs/heads/master@{#39262}
2016-09-08 04:20:31 +00:00
lpy
7a38b927c8 Reland - Allow lexically declared "arguments" in function scope in sloppy mode.
Lexically declared "arguments" in sloppy mode will throw redeclaration error
currently, this patch fixes it by delaying the declaration of arguments until we
fully parse parameter list and function body.

BUG=v8:4577
LOG=N

Committed: https://crrev.com/70a613dd0a5f5d205b46559b55702764464851fa
Review-Url: https://codereview.chromium.org/2290753003
Cr-Original-Commit-Position: refs/heads/master@{#39109}
Cr-Commit-Position: refs/heads/master@{#39230}
2016-09-07 06:54:54 +00:00
mstarzinger
553d504923 [turbofan] Handle ObjectIsReceiver in escape analysis.
This adds handling of {IrOpcode::kObjectIsReceiver} nodes to the escape
status analysis. Such uses are treated as escaping for now until we add
dedicated handling to the escape analysis reducer.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-631027
BUG=chromium:631027

Review-Url: https://codereview.chromium.org/2317623003
Cr-Commit-Position: refs/heads/master@{#39205}
2016-09-06 11:59:31 +00:00
rmcilroy
c950256013 [Turbofan] Fix CallSuper argument order in BytecodeGraphBuilder.
The constructor and new.target arguments were passed to CallConstruct in
the wrong order by BytecodeGraphBuilder, which caused subclassing to be
incorrect when optimizing from bytecode.

Also clean up some unecessary functions in interpreter.cc found while
figuring this out.

BUG=chromium:642409

Review-Url: https://codereview.chromium.org/2312103002
Cr-Commit-Position: refs/heads/master@{#39204}
2016-09-06 11:53:19 +00:00
mstarzinger
cc1249b779 [compiler] Bytecode preparation fails for asm.js modules.
This handles the case where preparation of bytecode might fail inside
Compiler::EnsureBytecode due to the underlying function being a fully
validated asm.js module. We simply bailout of bytecode preparation.

R=bradnelson@chromium.org
TEST=mjsunit/regress/regress-crbug-644111
BUG=chromium:644111

Review-Url: https://codereview.chromium.org/2309853002
Cr-Commit-Position: refs/heads/master@{#39187}
2016-09-05 23:03:07 +00:00
jgruber
64c518d06d Do not include Error.captureStackTrace in the trace
BUG=v8:5342

Review-Url: https://codereview.chromium.org/2307783002
Cr-Commit-Position: refs/heads/master@{#39124}
2016-09-02 09:51:42 +00:00
bmeurer
86af343749 [test] Add regression test for http://crbug.com/642056.
The bug itself was already fixed in ToT as part of
http://crrev.com/2263273003.

R=machenbach@chromium.org
BUG=chromium:642056

Review-Url: https://codereview.chromium.org/2306913002
Cr-Commit-Position: refs/heads/master@{#39117}
2016-09-02 07:08:29 +00:00
machenbach
d67fedb12c Revert of Allow lexically declared "arguments" in function scope in sloppy mode. (patchset #5 id:100001 of https://codereview.chromium.org/2290753003/ )
Reason for revert:
Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/9470

Original issue's description:
> Allow lexically declared "arguments" in function scope in sloppy mode.
>
> Lexically declared "arguments" in sloppy mode will throw redeclaration error
> currently, this patch fixes it by delaying the declaration of arguments until we
> fully parse parameter list and function body.
>
> BUG=v8:4577
> LOG=N
>
> Committed: https://crrev.com/70a613dd0a5f5d205b46559b55702764464851fa
> Cr-Commit-Position: refs/heads/master@{#39109}

TBR=adamk@chromium.org,mythria@chromium.org,lpy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4577

Review-Url: https://codereview.chromium.org/2304853002
Cr-Commit-Position: refs/heads/master@{#39115}
2016-09-02 06:23:57 +00:00
lpy
70a613dd0a Allow lexically declared "arguments" in function scope in sloppy mode.
Lexically declared "arguments" in sloppy mode will throw redeclaration error
currently, this patch fixes it by delaying the declaration of arguments until we
fully parse parameter list and function body.

BUG=v8:4577
LOG=N

Review-Url: https://codereview.chromium.org/2290753003
Cr-Commit-Position: refs/heads/master@{#39109}
2016-09-01 22:10:34 +00:00
bmeurer
432790c92c [turbofan] Only check semantic axis for Type::None.
R=jarin@chromium.org
BUG=chromium:643073

Review-Url: https://codereview.chromium.org/2299903002
Cr-Commit-Position: refs/heads/master@{#39065}
2016-09-01 07:11:21 +00:00
bmeurer
64a7bd3877 [turbofan] Don't treat the hole NaN as constant inside the compiler.
We use a signaling NaN to represent the hole in
FAST_HOLEY_DOUBLE_ELEMENTS backing stores, but on Intel processors, the
C++ compiler may decide to (or be forced to due to calling conventions)
use X87 registers for double values. However transfering to X87
registers automatically quietens the NaNs and there's no way to disable
this. Therefore we should just always load the hole NaN from the canonical
place identified by the address_of_hole_nan external reference instead,
which might even be more efficient in some cases.

R=jarin@chromium.org, jkummerow@chromium.org
BUG=v8:5332

Review-Url: https://codereview.chromium.org/2303643002
Cr-Commit-Position: refs/heads/master@{#39062}
2016-09-01 06:02:19 +00:00
bmeurer
7b79224b21 [crankshaft] Disable further folding already folded allocations.
When we try to further fold previously folded allocations in Crankshaft
GVN we don't properly transform the allocations involved, which causes
the mechanism to leave holes in the new/old space (and thereby violate
the iterability property of the new/old space).

BUG=chromium:621868
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2297983003
Cr-Commit-Position: refs/heads/master@{#39040}
2016-08-31 09:48:45 +00:00
bmeurer
864cdc124c [test] Speed-up regression test for growing stores.
TBR=machenbach@chromium.org
BUG=chromium:635798,chromium:638295

Review-Url: https://codereview.chromium.org/2288813003
Cr-Commit-Position: refs/heads/master@{#38991}
2016-08-30 04:04:32 +00:00
littledan
5af4cd9840 Disallow tail calls from async functions and generators
Tail calls don't make sense from async functions and generators, as
each activation of these functions needs to make a new, distnict,
non-reused generator object. These tail calls are not required per
spec. This patch disables both syntactic and implicit tail calls
in async functions and generators.

R=neis
BUG=v8:5301,chromium:639270

Review-Url: https://codereview.chromium.org/2278413003
Cr-Commit-Position: refs/heads/master@{#38986}
2016-08-29 18:31:35 +00:00
mstarzinger
b52aecac7e [compiler] Make Compiler::EnsureBytecode not switch tiers.
This preserves the original shared code of the underlying function when
bytecode is provided. The method in question should only ensure bytecode
is present, but should avoid switching compilation tiers of the given
function. It might be that the function was fast-tracked to baseline by
inlining without going through the interpreted tier first.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-635923
BUG=chromium:635923

Review-Url: https://codereview.chromium.org/2278543002
Cr-Commit-Position: refs/heads/master@{#38866}
2016-08-24 14:09:59 +00:00
bmeurer
6646d73b6f [turbofan] Use ObjectIsReceiver directly for inlining.
Don't bother using %_IsJSReceiver, which immediately gets lowered to
ObjectIsReceiver anyways (by the JSIntrinsicLowering), but requires
some complicated rewiring of effect/control chains.

R=mstarzinger@chromium.org
BUG=chromium:640369

Review-Url: https://codereview.chromium.org/2271973003
Cr-Commit-Position: refs/heads/master@{#38864}
2016-08-24 11:09:32 +00:00
bradnelson
e5f5ac7d2b [wasm] asm.js - Remove Wasm.instantiateModuleFromAsm, use asm.js directly.
Make use of %IsAsmWasmCode in place of Wasm.instantiateModuleFromAsm,
in order to reduce the surface area of the Wasm object,
and to focus on testing asm.js coming in via the parser.

Ignore extra CONST_LEGACY assignment introduced by the parser
when modules have the form:
(function Foo(a, b, c) {..});
This requires both a validator and AsmWasmBuilder change.

Move stdlib use collection to import time,
to reject modules that import a function, even if not used.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org

Review-Url: https://codereview.chromium.org/2264913002
Cr-Commit-Position: refs/heads/master@{#38806}
2016-08-23 04:07:23 +00:00
bradnelson
561bfcb70d [wasm] asm.js - Check stdlib.NaN is valid, prepare for the rest.
Record which asm.js stdlib members are used and add a check that NaN is actually correctly set. Other stdlib members to be added in a later change.

Also add a stdlib argument to Wasm.instantiateModuleFromAsm, in preparation for that function to be replaced by normal asm.js instantiation.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org

Review-Url: https://codereview.chromium.org/2251433002
Cr-Commit-Position: refs/heads/master@{#38760}
2016-08-19 18:26:24 +00:00
mstarzinger
8ab555cc15 [interpreter] Fix canonicalization when preserving bytecode.
This fixes canonicalization of {SharedFunctionInfo} objects in the
{Compiler::GetSharedFunctionInfo} method when bytecode is preserved.
Eager compilation is only triggered when no code is present.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-638551
BUG=chromium:638551

Review-Url: https://codereview.chromium.org/2245263006
Cr-Commit-Position: refs/heads/master@{#38709}
2016-08-18 10:42:40 +00:00
rmcilroy
477495c886 [Parser] Track ContainsDot for SMI values.
Ensures SMI values have SMI type even if they have a dot (e.g., 1.0).
Adds SMI_WITH_DOT type to maintain this.

BUG=chromium:638134

Review-Url: https://codereview.chromium.org/2248693005
Cr-Commit-Position: refs/heads/master@{#38698}
2016-08-18 08:15:43 +00:00
bmeurer
665f0e4020 [turbofan] Fix CheckedInt32Mod lowering for -0 case with negative left hand side.
Properly deoptimize if the left hand side of a CheckedInt32Mod is
negative and the result of the operation is zero.

R=jarin@chromium.org
BUG=v8:5286

Review-Url: https://codereview.chromium.org/2243803002
Cr-Commit-Position: refs/heads/master@{#38615}
2016-08-12 12:13:51 +00:00
jgruber
d252808011 Handle missing context when getting frame details
This bug was triggered by a very specific combination:

* A context-allocated variable at script scope.
* OSR optimization.
* A scheduled breakpoint, which triggers at stack checks.

Stack checks differ from other possible breakpoint locations in that
the context (among other things) may be in a register and not on the
stack, making it impossible to recover during deoptimization. The
frame_inspector then returns undefined when asked for the context.

In GetFrameDetails, handle this case by omitting all context-allocated
variables.

BUG=v8:5279

Review-Url: https://codereview.chromium.org/2245603002
Cr-Commit-Position: refs/heads/master@{#38611}
2016-08-12 11:20:19 +00:00
bmeurer
7060bab81c [turbofan] Properly guard keyed stores wrt. setters in the prototype chain.
For holey/growing keyed stores, we need to check that there are no
setters in the prototype chain and protect against changes to that
via code dependencies.

R=verwaest@chromium.org
BUG=v8:5275,v8:5276

Review-Url: https://codereview.chromium.org/2231683002
Cr-Commit-Position: refs/heads/master@{#38514}
2016-08-10 06:30:22 +00:00
bmeurer
78727d4362 [runtime] %GrowArrayElements doesn't have a native context in TurboFan.
When we compile a growing store in TurboFan, we don't pass a (native)
context to the %GrowArrayElements fallback function, as the whole logic
is actually context independent. However, that means that we need to
bailout early in case the object is a prototype, which requires context
dependent checks in the array protector code.

R=cbruni@chromium.org
BUG=chromium:635798

Review-Url: https://codereview.chromium.org/2224253003
Cr-Commit-Position: refs/heads/master@{#38491}
2016-08-09 13:03:07 +00:00
rmcilroy
c1ae15d930 [Interpreter] Don't try to create bytecode array if HasStackOverflow().
BUG=chromium:635429

Review-Url: https://codereview.chromium.org/2228503004
Cr-Commit-Position: refs/heads/master@{#38474}
2016-08-09 07:24:13 +00:00
hpayer
caf5c5a194 [heap] Use smaller minimum allocation limit growing step when optimizing for memory usage.
BUG=chromium:634900

Review-Url: https://codereview.chromium.org/2223493002
Cr-Commit-Position: refs/heads/master@{#38435}
2016-08-08 11:32:01 +00:00
mstarzinger
f00b42ae31 [interpreter] Fix profiler when hitting OSR frame.
This fixes the runtime profiler to no longer assume that seeing an
optimized frame on the stack implies the underlying function is not
being interpreted when entered normally. This no longer holds with code
generated for OSR directly from bytecode (not installed on function).

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-632800
BUG=chromium:632800

Review-Url: https://codereview.chromium.org/2208603005
Cr-Commit-Position: refs/heads/master@{#38360}
2016-08-05 08:47:48 +00:00
mstarzinger
5671b663f9 [interpreter] Avoid tier-up when there is an OSR activation.
This makes sure we prevent a tier-up for function which also have an
optimized activation of OSR code on the stack. In case the OSR code
deoptimizes, it needs the bytecode to still be around.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-5262
BUG=v8:5262

Review-Url: https://codereview.chromium.org/2206363004
Cr-Commit-Position: refs/heads/master@{#38359}
2016-08-05 07:55:03 +00:00
yangguo
771b81f806 [debug] fix exception prediction for asm frames.
R=mstarzinger@chromium.org
BUG=chromium:633999

Review-Url: https://codereview.chromium.org/2215713002
Cr-Commit-Position: refs/heads/master@{#38358}
2016-08-05 07:14:21 +00:00
bmeurer
cad5b29610 [turbofan] Remove unnecessary prototype checks for element access.
We don't need to add stability dependencies on JSObject prototypes when
storing to an element, because we do the map check (and thereby guard
the elements kind) and we also properly deoptimize on holes if the array
protector is not usable.

R=verwaest@chromium.org
BUG=chromium:616709

Review-Url: https://codereview.chromium.org/2198833002
Cr-Commit-Position: refs/heads/master@{#38355}
2016-08-05 04:55:03 +00:00
adamk
e6d2c9b584 Properly pass InitializationFlag back from ScriptContextTable lookups
This was dropped accidentally in bb97d27ab.

R=verwaest@chromium.org
BUG=chromium:633884

Review-Url: https://codereview.chromium.org/2203213003
Cr-Commit-Position: refs/heads/master@{#38345}
2016-08-04 16:13:41 +00:00
mstarzinger
667d8ad099 [turbofan] Fix missing bailout for accessors in literals.
This adds the missing lazy bailout point when defining accessor pairs
within object literals via Runtime::kDefineAccessorPropertyUnchecked.
The runtime function in question can indeed trigger a lazy deopt due
to a DependentCode::kPrototypeCheckGroup dependency.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-633585
BUG=chromium:633585

Review-Url: https://codereview.chromium.org/2207413002
Cr-Commit-Position: refs/heads/master@{#38336}
2016-08-04 10:28:46 +00:00
jgruber
ea6b9609a6 Handle stack overflows in NoSideEffectToString
An infinite recursion can be triggered when NoSideEffectToString is
called on an error object with its name property set to itself.

BUG=633998

Review-Url: https://codereview.chromium.org/2206313002
Cr-Commit-Position: refs/heads/master@{#38325}
2016-08-04 07:45:11 +00:00
rmcilroy
aacbdacb89 [Crankshaft] Move don't crankshaft check before EnsureDeoptimizationSupport.
Avoids compiling baseline code when the function isn't able to be
optimized by crankshaft.

BUG=chromium:632289

Review-Url: https://codereview.chromium.org/2194453002
Cr-Commit-Position: refs/heads/master@{#38304}
2016-08-03 15:02:38 +00:00
jgruber
d48170dbf5 Move NoSideEffectToString to C++
BUG=

Review-Url: https://codereview.chromium.org/2206573002
Cr-Commit-Position: refs/heads/master@{#38289}
2016-08-03 12:22:23 +00:00
bmeurer
c9324fe6c5 [turbofan] Fix invalid representation selection for Phis/Selects.
We cannot just blindly make a representation selection for Phi or Select
based on the truncations, but we also need to consider the type of the
inputs (or actually of the Phi/Select node itself). We can only use
Word32 representation based on Word32 truncation if the inputs are
Number or Oddball, same for Float64.

R=epertoso@chromium.org
BUG=v8:5255

Review-Url: https://codereview.chromium.org/2206553002
Cr-Commit-Position: refs/heads/master@{#38241}
2016-08-02 12:11:09 +00:00
mstarzinger
962fd4ae4b [interpreter] Elide OSR polling from fake loops.
This makes sure we are not inserting {OsrPoll} instructions for any
statements that are not actually loops and have no back edges. Without
back edges the {BytecodeGraphBuilder} is unable to deduce loop ranges
and hence cannot construct a graph for OSR entry.

R=neis@chromium.org
TEST=mjsunit/regress/regress-5252
BUG=v8:5252

Review-Url: https://codereview.chromium.org/2200733002
Cr-Commit-Position: refs/heads/master@{#38233}
2016-08-02 09:16:59 +00:00
bmeurer
a758144329 [turbofan] Fix invalid comparison operator narrowing.
When we narrow a signed32 comparison to uint8 or uint16 representation,
we also need to change the condition to unsigned comparisons otherwise
the comparison will be done on int16/int8 which interprets the narrowed
bits wrong.

R=epertoso@chromium.org
BUG=v8:5254

Review-Url: https://codereview.chromium.org/2202803003
Cr-Commit-Position: refs/heads/master@{#38231}
2016-08-02 07:46:15 +00:00
jgruber
061d082dd3 Properly set function index in CallSite constructor
BUG=632965
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2199673002
Cr-Commit-Position: refs/heads/master@{#38208}
2016-08-01 12:59:57 +00:00
jgruber
1c7c0521f1 Set Error.stack property writable
Previously, the stack property was set up in JS as read-only; but since
it had a JS setter, writability was ignored and writing to stack was
possible.

This is no longer the case now that stack is either an actual data
property, or is associated with C++ accessors. Explicitly set the
property as writable to preserve old behavior.

BUG=5245
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2190313002
Cr-Commit-Position: refs/heads/master@{#38158}
2016-07-29 08:15:26 +00:00
ishell
fc66694de8 [fullcode][mips][mips64][ppc][s390] Avoid trashing of a home object when doing a count operation with keyed load/store to a super.
BUG=chromium:631917

Review-Url: https://codereview.chromium.org/2191663004
Cr-Commit-Position: refs/heads/master@{#38139}
2016-07-28 14:31:07 +00:00
danno
7f1fa30e34 [stubs] Port CreateWeakCellStub to turbofan
In the process also inline the stub into the appropriate interpreter bytecode
handler and make sure that the context register is preserved in hand-written
assembly code that calls the stub and expects the context register to be
preserved.

BUG=608675

Review-Url: https://codereview.chromium.org/2188993003
Cr-Commit-Position: refs/heads/master@{#38132}
2016-07-28 11:49:00 +00:00
mlippautz
e97b8686f2 [heap] Don't consider mementos on pages below age mark
Objects that reside below the age mark could be on pages that have been moved
within new space. In this case mementos survived which can actually point to
already-collected allocation sites.

BUG=chromium:631050,chromium:581412
R=hpayer@chromium.org

Review-Url: https://codereview.chromium.org/2179033005
Cr-Commit-Position: refs/heads/master@{#38094}
2016-07-27 12:18:16 +00:00
yangguo
071b655fa9 [debugger] Scope iterator should not visit inner function literals.
R=marja@chromium.org
BUG=chromium:621361

Review-Url: https://codereview.chromium.org/2185913003
Cr-Commit-Position: refs/heads/master@{#38087}
2016-07-27 09:04:20 +00:00
mstarzinger
908f355ecc [interpreter] Enable OSR test that no longer fails.
R=mythria@chromium.org
TEST=mjsunit/regress/regress-2618
BUG=v8:4764

Review-Url: https://codereview.chromium.org/2183463003
Cr-Commit-Position: refs/heads/master@{#38085}
2016-07-27 08:58:53 +00:00
bmeurer
32346aaea0 [turbofan] Fix overly aggressive dead code elimination.
When we eliminate nodes during truncation analysis that have no value
uses, we must make sure that we do not eliminate speculative number
operations that would have side effects depending on the inputs, i.e.
for example a SpeculativeNumberMultiply(x,y) does ToNumber(x) and
ToNumber(y) first, so if either x or y could throw an exception during
ToNumber conversion, we must not eliminate the multiplication, even if
it has no value uses (some later pass may kill the actual machine
multiplication, but the checks on the inputs have to remain still).
So we check whether both x and y are PlainPrimitive, i.e. neither
Receiver nor Symbol, which could raise exceptions for ToNumber, and
only in that case we propagate the "unusedness" of the node to its
inputs.

This also uncovered a bug with the type of Dead, which must be None,
as this represents an impossible value, so we had to fix that too.

Also the dead code removal will not work correctly for constants (i.e.
pure nodes with no value inputs), as those might be cached and hence
we might resurrect them for an unrelated node lowering during
SimplifiedLowering and only later kill the actual node (replacing its
uses with Dead), which would then also replace the new use with Dead.
So that was fixed as well. This shouldn't change anything for the
result, as unused constants automagically disappear from the graph later
on anyways.

R=yangguo@chromium.org
BUG=chromium:631318

Review-Url: https://codereview.chromium.org/2182003002
Cr-Commit-Position: refs/heads/master@{#38038}
2016-07-26 07:09:58 +00:00
neis
88a795d1c8 Remove the --ignition-generators flag.
This flag has been enabled by default for over a month now.

R=mstarzinger@chromium.org, rmcilroy@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2176143002
Cr-Commit-Position: refs/heads/master@{#38020}
2016-07-25 12:56:27 +00:00
mvstanton
480f155ed6 [Turbofan] IsUseLessGeneral shouldn't consider machine representation.
BUG=chromium:630952

Review-Url: https://codereview.chromium.org/2177193002
Cr-Commit-Position: refs/heads/master@{#38014}
2016-07-25 12:01:54 +00:00