Properly share both the constructor and the non-constructor maps
for bound functions. Previously we had only the non-constructor
map shared on the native context, and we had to create a new map
for every bound function whose [[BoundTargetFunction]] is a
constructor (in the ES6 sense).
This should repair the most recent regression on Speedometer.
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_dbg
R=jarin@chromium.org
BUG=chromium:536114,chromium:535408,v8:4430
LOG=n
Review URL: https://codereview.chromium.org/1379323002
Cr-Commit-Position: refs/heads/master@{#31086}
Arrow functions have been enabled by default since the 4.5 branch.
Review URL: https://codereview.chromium.org/1373633002
Cr-Commit-Position: refs/heads/master@{#31031}
Replacing it with SMI_ACCESSORS.
This change makes accesses to Smi fields in objects more regular (the
accessors now always consume/return an int rather than a Smi*), which
avoids a bunch of manual Smi::FromInt() and Smi::value() conversions,
and is a step on the way towards being able to generate objects-inl.h.
Review URL: https://codereview.chromium.org/1371893002
Cr-Commit-Position: refs/heads/master@{#30975}
There was already a bit on the Map named "function with prototype",
which basically meant that the Map was a map for a JSFunction that could
be used as a constructor. Now this CL generalizes that bit to
IsConstructor, which says that whatever (Heap)Object you are looking at
can be used as a constructor (i.e. the bit is also set for bound
functions that can be used as constructors and proxies that have a
[[Construct]] internal method).
This way we have a single chokepoint for IsConstructor checking, which
allows us to get rid of the various ways in which we tried to guess
whether something could be used as a constructor or not.
Drive-by-fix: Renamed IsConstructor on FunctionKind to
IsClassConstructor to resolve the weird name clash, and the
IsClassConstructor name also matches the spec.
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_layout_dbg,v8_linux_nosnap_dbg
R=jarin@chromium.org, rossberg@chromium.org
BUG=v8:4413, v8:4430
LOG=n
Committed: https://crrev.com/8de4d9351df4cf66c8a128d561a6e331d196be54
Cr-Commit-Position: refs/heads/master@{#30900}
Review URL: https://codereview.chromium.org/1358423002
Cr-Commit-Position: refs/heads/master@{#30902}
Reason for revert:
Failed on Fuzzer and MIPS bot.
Original issue's description:
> [es6] Introduce spec compliant IsConstructor.
>
> There was already a bit on the Map named "function with prototype",
> which basically meant that the Map was a map for a JSFunction that could
> be used as a constructor. Now this CL generalizes that bit to
> IsConstructor, which says that whatever (Heap)Object you are looking at
> can be used as a constructor (i.e. the bit is also set for bound
> functions that can be used as constructors and proxies that have a
> [[Construct]] internal method).
>
> This way we have a single chokepoint for IsConstructor checking, which
> allows us to get rid of the various ways in which we tried to guess
> whether something could be used as a constructor or not.
>
> Drive-by-fix: Renamed IsConstructor on FunctionKind to
> IsClassConstructor to resolve the weird name clash, and the
> IsClassConstructor name also matches the spec.
>
> R=jarin@chromium.org, rossberg@chromium.org
> BUG=v8:4430
> LOG=n
>
> Committed: https://crrev.com/8de4d9351df4cf66c8a128d561a6e331d196be54
> Cr-Commit-Position: refs/heads/master@{#30900}
TBR=jarin@chromium.org,rossberg@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4430
Review URL: https://codereview.chromium.org/1360403002
Cr-Commit-Position: refs/heads/master@{#30901}
There was already a bit on the Map named "function with prototype",
which basically meant that the Map was a map for a JSFunction that could
be used as a constructor. Now this CL generalizes that bit to
IsConstructor, which says that whatever (Heap)Object you are looking at
can be used as a constructor (i.e. the bit is also set for bound
functions that can be used as constructors and proxies that have a
[[Construct]] internal method).
This way we have a single chokepoint for IsConstructor checking, which
allows us to get rid of the various ways in which we tried to guess
whether something could be used as a constructor or not.
Drive-by-fix: Renamed IsConstructor on FunctionKind to
IsClassConstructor to resolve the weird name clash, and the
IsClassConstructor name also matches the spec.
R=jarin@chromium.org, rossberg@chromium.org
BUG=v8:4430
LOG=n
Review URL: https://codereview.chromium.org/1358423002
Cr-Commit-Position: refs/heads/master@{#30900}
For string wrappers (JSValue instances with [[StringData]] internal
fields), we can shortcirciut the ToPrimitive if
(a) the {input} map matches the initial map of the String function,
(b) the {input} [[Prototype]] is the unmodified %StringPrototype% (i.e.
no one monkey-patched toString, @@toPrimitive or valueOf), and
(c) the %ObjectPrototype% (i.e. the [[Prototype]] of the
%StringPrototype%) is also unmodified, that is no one sneaked a
@@toPrimitive into the %ObjectPrototype%.
If all these assumptions hold, we can just take the [[StringData]] value
and return it.
This just repairs a regression introduced by removing the
weird (and broken) intrinsic %_IsStringWrapperSafeForDefaultValue, which
was intendend to something similar to this, although less efficient and
wrong in the presence of @@toPrimitive. Long-term we might want to move
into the direction of having a ToPrimitiveStub that can do common cases
while staying in JavaScript land (i.e. not going to C++).
R=jarin@chromium.org
BUG=chromium:532524
LOG=n
Review URL: https://codereview.chromium.org/1366563002
Cr-Commit-Position: refs/heads/master@{#30890}
It's been enabled since M45, which is now well into its stable period,
with no problems reported.
Review URL: https://codereview.chromium.org/1356793002
Cr-Commit-Position: refs/heads/master@{#30835}
Typed arrays from the snapshot start out in the young space but they
all seem to end up in the old space sooner or later anyway. Let's
expedite that by allocating them in the old space right away.
Review URL: https://codereview.chromium.org/1347263003
Cr-Commit-Position: refs/heads/master@{#30804}
This adds a utils object meant specifically for V8 extras, presenting a limited
API surface for doing things that would otherwise require %-functions.
BUG=v8:4276
LOG=Y
R=jochen@chromium.org,yangguo@chromium.org
Review URL: https://codereview.chromium.org/1343113003
Cr-Commit-Position: refs/heads/master@{#30773}
Defines a new --harmony-tolength flag, and a ToLengthFlagged() runtime function,
that is used where ES6 requires ToLength(), but a pre-ES6 conversion existed
before. When the flag is disabled, the function uses TO_UINT32(), which is
the pre-ES6 behaviour. When the flag enabled, the ES6-compliant ToLength()
conversion is used.
Based on a patch initially from Diego Pino <dpino@igalia.com>
BUG=v8:3087
LOG=Y
Review URL: https://codereview.chromium.org/1309243003
Cr-Commit-Position: refs/heads/master@{#30772}
No need to rely on the %_IsConstructCall magic here, we can just
implement the Symbol constructor in C++ altogether (it was just a
stupid wrapper around %CreateSymbol anyway).
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/1349643002
Cr-Commit-Position: refs/heads/master@{#30762}
Implement the String constructor completely as native builtin,
avoiding the need to do gymnastics in JavaScript builtin to
properly detect the no argument case (which is different from
the undefined argument case) and also allowing to just
tailcall through to ToString or SymbolDescriptiveString for
the common case. Also the JavaScript builtin was misleading
since the case for construct call was unused, but could be
triggered in a wrong way once we support tail calls from
constructor functions.
This refactoring allows us to properly implement subclassing
for String builtins, once we have the correct initial_map on
derived classes (it's merely a matter of using NewTarget
instead of the target register now).
This introduces a new %SymbolDescriptiveString runtime
entry, which is also used by Symbol.toString() now.
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/1344893002
Cr-Commit-Position: refs/heads/master@{#30759}
- Moving parts of ArrayConcat from builtins.cc to the ElementsAccessor
- Removing ArrayConcat Runtime Function
BUG=v8:4317
LOG=N
Review URL: https://codereview.chromium.org/1330483003
Cr-Commit-Position: refs/heads/master@{#30619}
Use a single JSIteratorResult type for all implementation provided
iterator results (i.e. the String, Array and collection iterators,
and also for generators). This removes one source of unnecessary
polymorphism in for-of loops. It is accomplished by a new intrinsic
%_CreateIterResultObject() that should be used to create iterator
result objects from JavaScript builtins (there's a matching factory
method for C++ code).
Also restructure the %StringIteratorPrototype%.next() and
%ArrayIteratorPrototype%.next() functions to be a bit more friendly
to optimizing compilers.
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/1302173007
Cr-Commit-Position: refs/heads/master@{#30557}
This turns the has_instance_call_handler bit on Map into an is_callable
bit, that matches the spec definition of IsCallable (i.e. instances have
[[Call]] internal methods).
Also fix the typeof operator to properly say "function" for everything
that is callable.
Also remove the (unused) premature %_GetPrototype optimization from
Crankshaft, which just complicated the Map bit swap.
R=mstarzinger@chromium.org, rossberg@chromium.org, yangguo@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_layout_dbg
Review URL: https://codereview.chromium.org/1316933002
Cr-Commit-Position: refs/heads/master@{#30552}
This CL us a pure refactoring that makes an empty compilation unit
including just "isolate.h" or "contexts.h" but not "objects-inl.h"
compile without warnings or errors. This is needed to further reduce
the header dependency tangle.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1322883002
Cr-Commit-Position: refs/heads/master@{#30500}
This CL introduces HPrologue instruction which does the context allocation work and supports deoptimization.
Review URL: https://codereview.chromium.org/1317383002
Cr-Commit-Position: refs/heads/master@{#30496}
This way we don't need to expose JSReceiver::OrdinaryToPrimitive
as runtime function, and we don't need the separate JS trampoline.
This also adds tests for ToPrimitive on date objects, which are
special.
R=mstarzinger@chromium.org
BUG=v8:4307
LOG=n
Review URL: https://codereview.chromium.org/1324713002
Cr-Commit-Position: refs/heads/master@{#30473}
This makes it clear that only components within the "heap" directory
should be friends with the Heap class. The two notable exceptions are
Factory and Isolate which represent external interfaces into the heap.
R=mlippautz@chromium.org
Review URL: https://codereview.chromium.org/1320843002
Cr-Commit-Position: refs/heads/master@{#30408}
This CL is a nightmare! For the utterly irrelevant edge case of a sloppy function with non-simple parameters and a call to direct eval, like here,
let x = 1;
function f(g = () => x) {
var y
eval("var x = 2")
return g() + x // f() = 3
}
we have to do all of the following, on top of the declaration block ("varblock") contexts we already introduce around the body:
- Introduce the ability for varblock contexts to have both a ScopeInfo and an extension object (e.g., the body varblock in the example will contain both a static var y and a dynamic var x). No other scope needs that. Since there are no context slots left, a special new struct is introduced that pairs up scope info and extension object.
- When declaring lookup slots in the runtime, this new struct is allocated in the case where an extension object has to be added to a block scope (at which point the block's extension slot still contains a plain ScopeInfo).
- While at it, introduce some abstraction to access context extension slots in a more controlled manner, in order to keep special-casing to a minimum.
- Make sure that even empty varblock contexts do not get optimised away when they contain a sloppy eval, so that they can host the potential extension object.
- Extend dynamic search for declaration contexts (used by sloppy direct eval) to recognize varblock contexts.
- In the parser, if a function has a sloppy direct eval, introduce an additional varblock scope around each non-simple (desugared) parameter, as required by the spec to contain possible dynamic var bindings.
- In the pattern rewriter, add the ability to hoist the named variables the pattern declares to an outer scope. That is required because the actual destructuring has to be evaluated inside the protecting varblock scope, but the bindings that the desugaring introduces are in the outer scope.
- ScopeInfos need to save the information whether a block is a varblock, to make sloppy eval calls work correctly that deserialise them as part of the scope chain.
- Add the ability to materialize block scopes with extension objects in the debugger. Likewise, enable setting extension variables in block scopes via the debugger interface.
- While at it, refactor and unify some respective code in the debugger.
Sorry, this CL is large. I could try to split it up, but everything is rather entangled.
@mstarzinger: Please review the changes to contexts.
@yangguo: Please have a look at the debugger stuff.
R=littledan@chromium.org, mstarzinger@chromium.org, yangguo@chromium.org
BUG=v8:811,v8:2160
LOG=N
Review URL: https://codereview.chromium.org/1292753007
Cr-Commit-Position: refs/heads/master@{#30295}
We currently have several ways to share symbols that are used in
both native scripts and the runtime. This change unifies this.
We do not use the symbols registry since we don't need the
registry any longer after bootstrapping, but the registry stays
alive afterwards.
R=mlippautz@chromium.org, rossberg@chromium.org
Review URL: https://codereview.chromium.org/1293493004
Cr-Commit-Position: refs/heads/master@{#30280}
Embedders would use these for features which must be able to be turned
off at runtime, despite being compiled into V8. They can be turned on
and off by the embedder using the --experimental_extras flag, e.g. via
v8::SetFlagsFromString.
R=yangguo@chromium.org, mlippautz@chromium.org, hpayer@chromium.org
BUG=chromium:507137
LOG=Y
Review URL: https://codereview.chromium.org/1284413002
Cr-Commit-Position: refs/heads/master@{#30260}
This is to prevent unnecessary script contexts to be created for
native scripts, which could end up with a script context table
containing twenty script contexts for a newly created native context.
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/1301533002
Cr-Commit-Position: refs/heads/master@{#30188}
Reason for revert:
Several nosnap and custom snapshot failures.
Original issue's description:
> Debugger: use a Map to cache mirrors.
>
> This makes mirror cache lookup O(1) instead of O(n).
> The downside is that the lookup via handle is O(n). This
> is fine because handles are only used in the JSON api,
> which is not used by Chrome and on death row.
>
> Committed: https://crrev.com/890b1dfca84d9dfecdcfc56517ef541076c6eb1d
> Cr-Commit-Position: refs/heads/master@{#30150}
TBR=bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1292023002
Cr-Commit-Position: refs/heads/master@{#30153}
This makes mirror cache lookup O(1) instead of O(n).
The downside is that the lookup via handle is O(n). This
is fine because handles are only used in the JSON api,
which is not used by Chrome and on death row.
Review URL: https://codereview.chromium.org/1287243002
Cr-Commit-Position: refs/heads/master@{#30150}