If the instance template is not marked as undetectable, we can
allow it to be called as a constructor. This broke previously with
commit ff05633408.
R=verwaest@chromium.org
Bug: v8:7670
Change-Id: I6ecde33bd7532bea4786b2282efce9060bb76276
Reviewed-on: https://chromium-review.googlesource.com/c/1272579
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56577}
Now that the preparser doesn't track errors anymore, it also doesn't make sense
to prepare the message.
Change-Id: Ifc69e67f9220be69812257b0fc18b55097236dbd
Reviewed-on: https://chromium-review.googlesource.com/c/1275818
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56574}
It's rarely used, so just using {compiler::WasmGraphBuilder} directly
is easier to understand and does not add much to the code length.
R=titzer@chromium.org
Bug: v8:8238
Change-Id: I8eafaac59295047a8540ebe256f00dff61ddae82
Reviewed-on: https://chromium-review.googlesource.com/c/1276426
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56571}
These test mainly the data structures of JSWeakFactory / JSWeakCell.
BUG=v8:8179
Change-Id: I20ffd07c18bbb2e21c69d11aa65d1e245203cc82
Reviewed-on: https://chromium-review.googlesource.com/c/1267939
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56569}
Simply track arrow-formal-parameters through errors and copy it from binding
pattern errors in AccumulateImpl rather than using a separate flag.
Change-Id: I8146718f490f3c9a5de3c30dec2aa3218831523f
Reviewed-on: https://chromium-review.googlesource.com/c/1275816
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56568}
A new CSA function, MoveElements() does an efficient memmove
operation when the ElementsKind or new-space status allows it.
A few other TNode cleanups applied in the file, for example,
preferring the StoreFixedDoubleArrayHole() function.
Change-Id: Ia0848c066eebbbbe321f81afe0cfa7df7567cbb7
Reviewed-on: https://chromium-review.googlesource.com/c/1268235
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56567}
The tests are scratching at the overall timeout.
TBR=mslekova@chromium.org
NOTRY=true
Change-Id: I817337eff76dcf36306d7f5ceaaef34eea7886d3
Reviewed-on: https://chromium-review.googlesource.com/c/1276385
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56565}
This will allow us to use ts-node to execute tests written
in TypeScript.
Bug: v8:7327
Change-Id: I0804db1f112448350c5e91135242e6ec6706d231
Reviewed-on: https://chromium-review.googlesource.com/c/1274086
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56564}
In the preparser we don't need to worry about adding duplicate error objects to
the list, so we can simply unconditionally set the error flag. Restructure the
accumulator so we can also guarantee that we're checking the same flag as we're
setting.
Change-Id: I6a22cae468e77e5c6283c6fe937ca655f73991ac
Reviewed-on: https://chromium-review.googlesource.com/c/1275813
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56561}
The {MaskOut} operation is faster than using {operator~}, since
{operator~} needs to ensure to return a valid register list, so it
contains an additional AND operation with the mask of all registers.
Hence use {MaskOut} more consistently, and remove the now unused
{operator~} on {LiftoffRegList}.
R=ahaas@chromium.org
Bug: v8:6600
Change-Id: Icf072e564c4e391cafa2abeeba53cf275cee75f8
Reviewed-on: https://chromium-review.googlesource.com/c/1275810
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56560}
The templatized function body decoder already properly terminates
control flow, it is not needed for the graph building implementation to
do that explicitly upon {Throw} and {Rethrow}.
R=titzer@chromium.org
BUG=v8:8091
Change-Id: I47a93135c41b4cdf2fa6b8f5c7abfd6c212aaa12
Reviewed-on: https://chromium-review.googlesource.com/c/1273239
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56559}
For now, all it does is control when the heap broker starts
serializing. Eventually it will do what its name suggests.
I'm also renaming --concurrent-compiler-frontend to the more
accurate --concurrent-typed-lowering. Note that it's forcibly
implied by --concurrent-inlining.
Bug: v8:7790
Change-Id: I55c1d8f1538146e89f3e166cb9165f6f38447146
Reviewed-on: https://chromium-review.googlesource.com/c/1270839
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56557}
This makes sure that catch blocks that are practically unreachable due
to missing exceptional projections are handled properly. Note that this
is independent of how reachability will be outlined in the final spec
for exception handling. Currently we just assume that all catch blocks
are spec-wise reachable.
R=titzer@chromium.org
TEST=mjsunit/wasm/exceptions-catchall
BUG=v8:8091
Change-Id: I13607a59bd76be146df836e88105a2fbafedb760
Reviewed-on: https://chromium-review.googlesource.com/c/1273018
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56556}
The implicit parameter syntax adds a second parameter list
before the explicit parameter list when declaring macros, builtins and
runtime functions:
    extern macro MyMacro(implicit a: Smi)(b: Oddball);
When calling the macro, only the formal parameters can be provided
at the call site. The implicit parameters are implicitly looked up
by name in the scope of the call and prepended to the explicit parameter
list. The values that are found by name for each implicit parameter must
be castable to the corresponding implicit parameter type:
    MyMacro(Null); // Error, a is not defined
    ...
    const a: Smi = 0;
    MyMacro(Null); // OK
    ...
    const a: Object = 0;
    MyMacro(Null); // Error, a has wrong type
For external macros, builtins and runtime functions, the formal
parameter list expected on the C++ side is the concatenation of the
implicit and explicit parameter lists.
As a drive-by: fix the formatting of typeswitch statements in the
presence of deferred-marked blocks and funky white space.
Bug: v8:7793
Change-Id: I40da8405c706d7cdeca35367c9c954d0b33f6bf4
Reviewed-on: https://chromium-review.googlesource.com/c/1270996
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56555}
This JSAsyncFunctionObject represents the implicit generator object
inside of async functions, and also holds the outer promise for the
async functions. This in turn allows us to get rid of the .promise
in the Parser / BytecodeGenerator completely, and will make it
possible to build zero-cost async stack traces independent of the
concrete synchronous part of the stack frame (which currently breaks
in Node.js).
In the bytecode all the async function operations now take this new
JSAsyncFunctionObject instead of passing both the .generator_object
and the .promise, which further simplifies and shrinks the bytecode.
It also reduces the size of async function frames, potentially making
the suspend/resume cheaper.
This also changes `await` to use intrinsics instead of calling to
special JSFunctions on the native context, and thus reduces the size of
the native contexts.
Drive-by-fix: Introduce a dedicated JSCreateAsyncFunctionObject operator
to TurboFan.
Bug: v8:7253, v8:7522
Change-Id: I2305302285156aa1f71328ecac70377abdd92c80
Ref: nodejs/node#11865
Design-Document: http://bit.ly/v8-zero-cost-async-stack-traces
Reviewed-on: https://chromium-review.googlesource.com/c/1273049
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56554}
Cast byte* to void* before printing so that it's not interpreted as a
null-terminated string.
Change-Id: I32b5a51913c3382b43d7b231d6b8fd4c17e32bb6
Reviewed-on: https://chromium-review.googlesource.com/c/1275352
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56553}
... and Heap::root_handle() to RootsTable.
This is a preliminary step before moving IsolateData object from Heap to Isolate
which is required for pointer-compression friendly heap layout.
Bug: v8:8182
Change-Id: Ideacc1c9e4435be7a33db08415ac1ad46e956199
Reviewed-on: https://chromium-review.googlesource.com/c/1273238
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56552}
... containing RootsTable, ExternalReferenceTable, builtins array and
potentially some other data that can be accessed via the RootRegister.
This is a preliminary step before adding support for pointer-compression
friendly heap layout.
Bug: v8:8182
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I2899f657aaff1351a5304afa0b1a4c5ae4cfc31d
Reviewed-on: https://chromium-review.googlesource.com/c/1245426
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56551}
This is behind a new flag --harmony-namespace-exports.
Bug: v8:8101
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I9c252b6de2b08223fcf3296340b78d721471bdb4
Reviewed-on: https://chromium-review.googlesource.com/c/1258004
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56550}
Remove InstallWithIntrinsicDefaultProto which is not needed
and reduce the size of context
Bug: v8:5751
Change-Id: Ia830629abdf94921315faadc708f4f135f720949
Reviewed-on: https://chromium-review.googlesource.com/c/1274986
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56549}
This migrates the test configurations of all builders on the main
console (aka client.v8) to the V8 repository, preparing removal from
build/scripts/slave/recipe_modules/v8/builders.py.
NOTRY=true
Bug: chromium:830557
Change-Id: I40b8f31ab48426c7122c87e0221d6f05dc205e81
Reviewed-on: https://chromium-review.googlesource.com/c/1273237
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56547}
Use naming similar to the spec: "table" instead of "function table",
"element segment" instead of "function table init".
Change-Id: Ib1b6cdfa566f8bd00017ccedf9440084204f10ff
Reviewed-on: https://chromium-review.googlesource.com/c/1273612
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56545}
This reverts commit fa65063a98.
Reason for revert:
This changes API contract with Blink as some state is destroyed before
actually tearing down the Isolate. Flushing the second round tasks
then tries to access various state that is already gone on the Blink
side. See bugs.
Bug: chromium:893944, chromium:893549, chromium:890631
Original change's description:
> [heap] Run phantom handle callbacks on tear down
>
> Pending phantom handle callbacks are not reliably executed if the heap
> shuts down. This can cause memory leaks or other unwanted behaviour,
> like in wasm where the NativeModules (held in Managed objects
> implemented via phantom handles) unregister from the WasmEngine in the
> second-pass callback. This must be executed before tearing down the
> WasmEngine.
>
> This CL fixes this by running pending callback synchronously on heap
> tear down.
>
> R=ulan@chromium.org, mlippautz@chromium.org
>
> Bug: v8:8208
> Change-Id: I27b630c4d8f1fb12309040ea2179b64eed38710a
> Reviewed-on: https://chromium-review.googlesource.com/1249101
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#56286}
TBR=ulan@chromium.org,mlippautz@chromium.org,clemensh@chromium.org
Bug: v8:8208
Change-Id: I4b403fd84473edb8895c3725ff3348574c54247b
Reviewed-on: https://chromium-review.googlesource.com/c/1274085
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56542}
Port a2b3480611
Original Commit Message:
This CL refactors the implementation of WASM->JS import wrappers in order
to make the wrapper code shareable. Instead of specializing to the import
index, we use a tuple as the object ref in both the import and indirect
tables. The tuple allows the wrapper code to load both the calling
instance and the target callable, rather than relying on code specialization.
This requires some tricky codegen machinery, because WASM call descriptors
expect an instance argument in a given register, yet the wrappers receive
a tuple, the code generator must generate a prologue that loads the
instance (and the callable), since it is not possible to express this at
the graph level.
R=titzer@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I34302b8ff737296fc98c032f1e9848b4bb9fae13
Reviewed-on: https://chromium-review.googlesource.com/c/1273866
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#56541}
Pass on information about the embedder state using the fact that tasks
are run from top level
Bug: chromium:893944
Change-Id: I01441778770c5acc784540e496eec5c3fdb87796
Reviewed-on: https://chromium-review.googlesource.com/c/1273048
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56540}
The NumberMultiply typing rule gave up in the presence of NaN inputs,
but we can still infer useful ranges here and just union the result
of that with the NaN propagation (similar for MinusZero propagation).
This way we can still make sense of these ranges at the uses.
Bug: v8:8015
Change-Id: Ic4c5e8edc6c68776ff3baca9628ad7de0f8e2a92
Reviewed-on: https://chromium-review.googlesource.com/c/1261143
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56539}
Port 4cbec82cbe
Original Commit Message:
Pure refactoring CL. Introduce a symbolic name for the register
used to hold the function index when calling the lazy compile stub.
This makes it easier to see this contract when looking at the
macro assembler.
R=titzer@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I320373dfe4734b27b85217a829bf574bc7b90a2d
Reviewed-on: https://chromium-review.googlesource.com/c/1273825
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#56536}
a) The current size of the backing store for the array under splice
wasn't considered. Additionally, allocate the array with the
normal growing strategy.
b) Use primitives memcpy and memmove when
appropriate. These calls are wrapped in new CSA functions
MoveElements and CopyElements, which use the C functions when a
write barrier isn't needed (otherwise they just copy elements
in a loop).
Bug: chromium:880780
Change-Id: I39a917c71036f52250c68f2cced77a1c24f97b67
Reviewed-on: https://chromium-review.googlesource.com/c/1243104
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56534}
libc++'s _LIBCPP_DEBUG gets upset when comparators take non-const
references.
Bug: chromium:893810
Change-Id: I838ff08bfd53893984f0ce41a9d78d6f1d80a324
Reviewed-on: https://chromium-review.googlesource.com/c/1272184
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: David Benjamin <davidben@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56533}
Disable a new test that triggers a known issue with the arguments
adaptor trampoline.
TBR=jgruber@chromium.org
Change-Id: Id89b71e49e5dbef06d75758d98ed162c07fc34f4
Bug: v8:6666
Reviewed-on: https://chromium-review.googlesource.com/c/1273052
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56532}
Block coverage is based on a system of ranges that can either have
both a start and end position, or only a start position (so-called
singleton ranges). When formatting coverage information, singletons
are expanded until the end of the immediate full parent range. E.g.
in:
    {0, 10}  // Full range.
    {5, -1}  // Singleton range.
the singleton range is expanded to {5, 10}.
Singletons are produced mostly for continuation counters that track
whether we execute past a specific language construct.
Unfortunately, continuation counters can turn up in spots that confuse
our post-processing. For example:
    if (true) { ... block1 ... } else { ... block2 ... }
If block1 produces a continuation counter, it could end up with the
same start position as the else-branch counter. Since we merge
identical blocks, the else-branch could incorrectly end up with an
execution count of one.
We need to avoid merging such cases. A full range should always take
precedence over a singleton range; a singleton range should never
expand to completely fill a full range. An additional post-processing
pass ensures this.
Bug: v8:8237
Change-Id: Idb3ec7b2feddc0585313810b9c8be1e9f4ec64bf
Reviewed-on: https://chromium-review.googlesource.com/c/1273095
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56531}
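The singleton expansion and the precedence rule from the commit message above, as an added JavaScript example (not V8's code). The `{start, end, count}` objects, the function names, the sample offsets, the "later entry wins" merge and the choice to drop a singleton that starts where its parent starts are all assumptions made for illustration.

```javascript
// Added illustration, not V8's implementation.
// A range is {start, end, count}; end === -1 marks a singleton range.
const isSingleton = (r) => r.end === -1;

// Constructed sample for `if (true) { block1 } else { block2 }`: the
// continuation counter after block1 shares its start with the else-branch.
const sampleRanges = [
  { start: 0, end: 60, count: 1 },   // enclosing body (full range)
  { start: 10, end: 30, count: 1 },  // then-branch (full range)
  { start: 30, end: 55, count: 0 },  // else-branch (full range), never run
  { start: 30, end: -1, count: 1 },  // continuation after block1 (singleton)
  { start: 55, end: -1, count: 1 },  // continuation after the if statement
];

// Sort by start; at equal starts full ranges come before singletons and
// wider full ranges before narrower ones, so parents precede children.
function sortRanges(ranges) {
  return [...ranges].sort((a, b) =>
    a.start - b.start ||
    (isSingleton(a) - isSingleton(b)) ||
    (b.end - a.end));
}

// Expand each singleton to the end of its immediate full parent range.
// With fullRangeWins set, a singleton that would completely fill its
// parent is dropped, so the full range keeps its own count (assumed rule).
function expandSingletons(ranges, { fullRangeWins }) {
  const stack = [];  // enclosing full ranges, innermost last
  const out = [];
  for (const r of sortRanges(ranges)) {
    while (stack.length && stack[stack.length - 1].end <= r.start) stack.pop();
    const parent = stack[stack.length - 1];
    if (!isSingleton(r)) {
      stack.push(r);
      out.push({ ...r });
      continue;
    }
    if (!parent) continue;  // nothing to expand into
    if (fullRangeWins && r.start === parent.start) continue;
    out.push({ start: r.start, end: parent.end, count: r.count });
  }
  return out;
}

// Merge identical blocks. Assumption: the later entry's count wins.
function mergeIdentical(ranges) {
  const byKey = new Map();
  for (const r of ranges) byKey.set(`${r.start}:${r.end}`, r);
  return [...byKey.values()];
}

function report(ranges, opts) {
  return mergeIdentical(expandSingletons(ranges, opts));
}

function countAt(ranges, start, end) {
  const hit = ranges.find((r) => r.start === start && r.end === end);
  return hit ? hit.count : undefined;
}

const naive = report(sampleRanges, { fullRangeWins: false });
const fixed = report(sampleRanges, { fullRangeWins: true });
console.log('else-branch count, naive merge:', countAt(naive, 30, 55));
console.log('else-branch count, full range wins:', countAt(fixed, 30, 55));
```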
The MapIterator protector protects the original iteration behaviors of
Map.prototype.keys(), Map.prototype.values(), and Set.prototype.entries().
It does not protect the original iteration behavior of
Map.prototype[Symbol.iterator](). The protector is invalidated when:
* The 'next' property is set on an object where the property holder is the
  %MapIteratorPrototype% (e.g. because the object is that very prototype).
* The 'Symbol.iterator' property is set on an object where the property
  holder is the %IteratorPrototype%. Note that this also invalidates the
  SetIterator protector (see below).
The SetIterator protector protects the original iteration behavior of
Set.prototype.keys(), Set.prototype.values(), Set.prototype.entries(),
and Set.prototype[Symbol.iterator](). The protector is invalidated when:
* The 'next' property is set on an object where the property holder is the
  %SetIteratorPrototype% (e.g. because the object is that very prototype).
* The 'Symbol.iterator' property is set on an object where the property
  holder is the %SetPrototype% OR %IteratorPrototype%. This means that
  setting Symbol.iterator on a MapIterator object can also invalidate the
  SetIterator protector, and vice versa, setting Symbol.iterator on a
  SetIterator object can also invalidate the MapIterator. This is an
  over-approximation for the sake of simplicity.
Bug: v8:7980
Change-Id: I54ad6e4c7f19ccc27d7001f6c4b6c8d6ea4ee871
Reviewed-on: https://chromium-review.googlesource.com/c/1273102
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Hai Dang <dhai@google.com>
Cr-Commit-Position: refs/heads/master@{#56530}
1) As found by the GC fuzzer: missing HandleScopes.
2) The RecordSlot barrier was missing for NativeContext::AddDirtyJSWeakFactory.
3) Need Context::Scope to surround the cleanup function (if it results in an
   error, we try to get native_context() from Isolate).
BUG=v8:8179,v8:8286
Change-Id: I2d995a76770658848e3c9629333bedbc2ef43b82
Reviewed-on: https://chromium-review.googlesource.com/c/1273051
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56529}