If the fuzzer input cannot be executed in the interpreter within a step
limit, then the interpreter does not calculate the result but instead
finishes with a RangeError. The problem with the input of the bug report
was that the interpreter finished with that RangeError, but the
execution of the compiled code still returned a result, which was
naturally not a RangeError and therefore caused the result check to fail.
With this CL the compiled code is not even executed when there is a
RangeError after the execution in the interpreter. Thereby we also
avoid executing an infinite loop.
BUG=chromium:734435
R=clemensh@chromium.org
Change-Id: If9d0fb9e14e84f06d6f11d22f882363d56c1c20b
Reviewed-on: https://chromium-review.googlesource.com/544838
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46140}
This patch also adds handling of NativeContext and BytecodeArray.
BUG=chromium:694255
Change-Id: I6d4b2db03ece7346200853bd0b80daf65672787f
Reviewed-on: https://chromium-review.googlesource.com/543237
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46139}
This is a reland of 54b42a55e7
Original change's description:
> [build] Add filter script for official build
>
> This adds a V8-side script to list the files contained in an official archive.
>
> This'll accompany the infra-side archive recipe:
> https://chromium-review.googlesource.com/c/544298/
>
> Keeping this script on the V8-side will make it easy to change the
> archived build product.
>
> NOTRY=true
>
> Bug: v8:5918
> Change-Id: I9fcb2eae183a26e7ce11c839d95a583a049cbe75
> Reviewed-on: https://chromium-review.googlesource.com/544877
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46135}
TBR=vogelheim@chromium.org
NOTRY=true
Bug: v8:5918
Change-Id: I87b58c78a2cbd97f4da37ac93fe1e8ee77bf5ca0
Reviewed-on: https://chromium-review.googlesource.com/544979
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46138}
This reverts commit 54b42a55e7.
Reason for revert: Fails on native arm builders.
Original change's description:
> [build] Add filter script for official build
>
> This adds a V8-side script to list the files contained in an official archive.
>
> This'll accompany the infra-side archive recipe:
> https://chromium-review.googlesource.com/c/544298/
>
> Keeping this script on the V8-side will make it easy to change the
> archived build product.
>
> NOTRY=true
>
> Bug: v8:5918
> Change-Id: I9fcb2eae183a26e7ce11c839d95a583a049cbe75
> Reviewed-on: https://chromium-review.googlesource.com/544877
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46135}
TBR=machenbach@chromium.org,vogelheim@chromium.org,tandrii@chromium.org,jochen@chromium.org
Change-Id: Ic3bb59b5f0864941c8f8b590b0a351c103988f93
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:5918
Reviewed-on: https://chromium-review.googlesource.com/544978
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46137}
In the failing case (see test), the loop variable (which should be context
allocated) is in a hidden scope, so we need to save and restore data for hidden
scopes too.
The !is_hidden() check was overly limiting - NeedsScopeData already handles the
"hidden leaf scope" case which is the one we want to avoid.
(Btw, this also means that the previous assumption "variables in hidden scopes
are not context allocated" was wrong.)
BUG=v8:5516
Change-Id: I1c6116654b19ef0cfd64e8a743b46af683a9fcd5
Reviewed-on: https://chromium-review.googlesource.com/544938
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46136}
This adds a V8-side script to list the files contained in an official archive.
This'll accompany the infra-side archive recipe:
https://chromium-review.googlesource.com/c/544298/
Keeping this script on the V8-side will make it easy to change the
archived build product.
NOTRY=true
Bug: v8:5918
Change-Id: I9fcb2eae183a26e7ce11c839d95a583a049cbe75
Reviewed-on: https://chromium-review.googlesource.com/544877
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46135}
The DCHECKs were checking that the data we stored about a Scope (param count
etc) matches the Scope where we're restoring the data to.
But for skipped functions, this data is not in the Scope, so it doesn't make
sense to DCHECK them.
BUG=v8:5516
Change-Id: I6ad66ec4dd5fe31da52c0d5b533b336e3956ee1d
Reviewed-on: https://chromium-review.googlesource.com/544300
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46134}
let f = function g() { ... } declares "g" inside the function. This
CL makes the preparser declare it too, and saves + restores the scope data for
it.
BUG=v8:5516
Change-Id: Id4c64f446d30f5252038cfb0f0f473b85ba24a9b
Reviewed-on: https://chromium-review.googlesource.com/544816
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46133}
Currently the descriptors are moved from the old map to the new map,
which is unsafe for the concurrent marker. This patch removes the map
mutation.
Change-Id: I3f7ce455c7344148a122c7443cf32a4eef0307be
Reviewed-on: https://chromium-review.googlesource.com/535480
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46131}
transition, check to see if we have already done this transition.
BUG=v8:6450
Review-Url: https://codereview.chromium.org/2915863004
Cr-Commit-Position: refs/heads/master@{#46129}
The test setup was as follows:
- Preparse function test() { ... }, get scope allocation data.
- Apply the scope allocation data to (function test() { ... })();
- Compare against normal scope allocation for (function test() { ... })();
But the IIFE is unnecessary - we already disable lazy parsing.
Cleaning this up is needed because in the next CL, I want to fix the Scopes
produced by PreParser in this case:
let f = function g() {
// Here we should declare g!
}
And that fix will make the variables in
function test() {
// Here we don't declare test
}
and
(function test() {
// Here we do declare test
})();
not match any more, so it doesn't make sense to compare them against each other.
BUG=v8:5516
Change-Id: I93d154c6977bb3cbe405b6ca193cf6283df297bc
Reviewed-on: https://chromium-review.googlesource.com/543341
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46128}
SeededNumberDictionaries are used to implement element backing stores of JSObjects, not internally used dictionaries. This saves space for the anyway unused PropertyDetails entry (1/3 fields).
Bug:
Change-Id: I6fe9fae6de500dd0bcb722f51a7543952c7813e9
Reviewed-on: https://chromium-review.googlesource.com/543343
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46124}
This switches all uses of the patching {BinaryOpICStub} over to the
respective existing and non-patching CSA-builtins, and removes some
supporting code. It also removes the inlined SMI handling.
R=verwaest@chromium.org
BUG=v8:6408
Change-Id: If547c0127bfcafbd01ccb33b702b1868006ebcb1
Reviewed-on: https://chromium-review.googlesource.com/541398
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46122}
This CL does same changes as
https://chromium-review.googlesource.com/c/540763/, but for async
compilation instead of for parallel compilation. The biggest difference
is that for async compilation I start background tasks again when half
of the memory is free again and not when all the memory is free again.
Original description:
It is possible that the foreground task is unable to clear the
scheduled unfinished work, eventually leading to an OOM.
We use either code_range on 64 bit, or the capacity of the code space,
as a heuristic for how much memory to use for compilation.
The change avoids blocking the background threads while we're over the
memory threshold. This is to avoid starving the GC.
R=mtrofin@chromium.org
Change-Id: I7399e2474f72f6727e6e50176dd7ba95cdcd3238
Reviewed-on: https://chromium-review.googlesource.com/543477
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46120}
This will allow for embedders to easily implement their own Platform
without duplicating the tracing controller code.
BUG=v8:6511
R=fmeawad@chromium.org
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I7c64933d12b2cf53f0636fbc87f6ad5d22019f5c
Reviewed-on: https://chromium-review.googlesource.com/543015
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Fadi Meawad <fmeawad@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46118}
In edge cases such as the following, sloppy-mode block-scoped function
hoisting is expected to occur:
eval(`
with({a: 1}) {
function a() {}
}
`)
In this case, there should be the equivalent of a var declaration
outside of the eval, which gets set to the value of the local function
a when the body of the with is executed.
Previously, the way that var declarations are hoisted out of eval
meant that the assignment to that var was an ordinary DYNAMIC_GLOBAL
assignment. However, such a lookup mode meant that the object in the
with scope received the assignment!
This patch fixes that error by marking the assignments produced by
the sloppy mode block scoped function hoisting desugaring so as to
generate a different runtime call which skips with scopes.
Bug: chromium:720247, v8:5135
Change-Id: Ie36322ddc9ca848bf680163e8c016f50d4597748
Reviewed-on: https://chromium-review.googlesource.com/529230
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46116}
Collect code coverage by compiling for one or more target architectures
and then running tests, in the same directory. This way, gcov aggregates
results.
Bug:
Change-Id: I3bf05416c535c0c566e48d4e73adc4eb49ba2793
Reviewed-on: https://chromium-review.googlesource.com/527522
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46110}
Port 24b7026d73
Original Commit Message:
For interpreted functions, use the optimized code slot in the feedback
vector to store an optimization marker (optimize/in optimization queue)
rather than changing the JSFunction's code object. Then, adapt the
self-healing mechanism to also dispatch based on this optimization
marker. Similarly, replace SFI marking with optimization marker checks
in CompileLazy.
This allows JSFunctions to share optimization information (replacing
shared function marking) without leaking this information across native
contexts. Non I+TF functions (asm.js or --no-turbo) use a
CheckOptimizationMarker shim which generalises the old
CompileOptimized/InOptimizationQueue builtins and also checks the same
optimization marker as CompileLazy and InterpreterEntryTrampoline.
This is a reland of https://chromium-review.googlesource.com/c/509716R=leszeks@chromium.org, joransiu@ca.ibm.com, bjaideep@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Review-Url: https://codereview.chromium.org/2947903002
Cr-Commit-Position: refs/heads/master@{#46109}
This was left over from the previous CL to change S128LoadMem/S128StoreMem to
use prefixed opcodes. Decoding prefixed opcodes already checks for the
prototype flag.
BUG=V8:6020
R=bbudge@chromium.org
Review-Url: https://codereview.chromium.org/2946303002
Cr-Commit-Position: refs/heads/master@{#46108}
This will make it easier if we want to split it into two intrinsics, one
for creating an object with `done == true` and one with `done == false`.
Also remove apparently-dead method FullCodegen::EmitCreateIteratorResult.
Bug: v8:6408, v8:6409
Change-Id: I3d6022a9eff517dd8b664d65950502c22447b364
Reviewed-on: https://chromium-review.googlesource.com/543567
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46107}
(Reland: NeedsManualRebaseline'd newly-fixed layout test in Chromium.)
This was never legal; the spec only allows '\0' in strict-mode strings
or templates when not followed by a decimal digit. Previously we were
only enforcing that it not be followed by an _octal_ digit.
This was already fixed for numeric literals, but not for escape
sequences in strings.
BUG=v8:6504
Review-Url: https://codereview.chromium.org/2948903002
Cr-Commit-Position: refs/heads/master@{#46106}
This method returns position of importing stmt in module source.
R=neis@chromium.org
Bug: chromium:721589
Change-Id: I8639796a001fdfec7cf5aa1bf1a27493f7a757a9
Reviewed-on: https://chromium-review.googlesource.com/541322
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46105}
UpdateMaxNumberKey calls are moved to clients, who do have the
dictionary-holder. ::Add should basically always UpdateMaxNumberKey. I'm
reducing the number of entry points before looking into how to guarantee this.
Bug:
Change-Id: Iefe8a7fdf7c1e0a6d731bfd948d22849714498a9
Reviewed-on: https://chromium-review.googlesource.com/542895
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46104}
Allows BitVector to resize, updating its own data and data length to
match the new length. We can fast-path resizes which fit into the same
data length (since high bits are already zero), and replace the pattern
where a BitVector is cloned using CopyFrom.
Change-Id: If79ca782c516e93b2a27c5e335e263554d522e88
Reviewed-on: https://chromium-review.googlesource.com/539522
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46101}
Currently, the number of ticks to wait before optimizing is a constant (if
sufficient feedback is available). This cl changes it so that, larger
functions would have to wait longer for optimizing. The number of ticks
required scales linearly with the function size.
Bug:
Change-Id: Id27bea715cf15960667cf63381b1cbe8dac94428
Reviewed-on: https://chromium-review.googlesource.com/538614
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46097}
I can't reproduce any issues with an lsan build, so we will remove
this for now and keep an eye out.
Bug: v8:6315
Change-Id: Iad2a1b23f3614ec9a09a83bb01e235969c3f9fcc
Reviewed-on: https://chromium-review.googlesource.com/542835
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46096}
This CL improves reported source range precision in a couple of ways:
Source ranges are now standardized to consist of an inclusive start
index and an exclusive end index (similar to what's reported for
functions). For example:
0123456789 // Offset.
{ f(); } // Block represented as range {0,8}.
Duplicate singleton ranges (i.e. same start and end offsets) are now
merged (this only becomes relevant once jump statement coverage is
added). For example:
for (.) break; // Break- and loop continuation have same positions.
SourceRangeScope incorrectly collected starting position
(unconditionally) and end position (when no semi-colon was present).
01234567890123 // Offset.
for (.) break // Loop body range is {8,13}, was {6,9}.
Bug: v8:6000
Change-Id: I62e7c70cc894a20f318330a2fbbcedc47da2b5db
Reviewed-on: https://chromium-review.googlesource.com/541358
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46095}
Adds typed lowering of JSStringConcat to ConsString allocation if the
following conditions hold:
- All concatinations will result in a ConsString of >= ConString::kMinLength
- No concatinations will result in a empty string in the RHS unless there is
a sequential string in the LHS.
This also means JSStringConcat needs an eager checkpoint since it can
deopt if throwing a RangeError when the string length protector is valid.
BUG=v8:6243
Change-Id: I01ca79f884df467c10f2c032c72d51b5199c1a3c
Reviewed-on: https://chromium-review.googlesource.com/526636
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46093}
