In ES6 function name and length are configurable. However, the length
and name properties of the poison pill function must not be
configurable.
BUG=v8:4011
LOG=N
R=adamk@chromium.org, rossberg@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1061393002
Cr-Commit-Position: refs/heads/master@{#27855}
This adds a missing bailout id to a ForInStatement for when retrieving
and filtering a property name deoptimizes. This can happen with proxies
that have a getPropertyDescriptor trap.
R=jarin@chromium.org
TEST=mjsunit/for-in-opt
Review URL: https://codereview.chromium.org/1086083002
Cr-Commit-Position: refs/heads/master@{#27846}
Instead of modifying a context chain and then modifying it back, causing
potential mismatches, we clone the inner context chain and evaluate
the expression in this cloned context. We then copy all local variable
values back if needed.
R=yangguo@chromium.org,yurys@chromium.org
Review URL: https://codereview.chromium.org/1088503003
Cr-Commit-Position: refs/heads/master@{#27809}
Does not entirely disallow the use of 'eval' as an identifier in strong mode,
as originally proposed.
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1059273004
Cr-Commit-Position: refs/heads/master@{#27796}
Deoptimization infrastructure already handles it correctly.
This change fixes repetitive deoptimizations in the code like this:
var u32 = new Uint32Array(1);
u32[0] = -1;
function tr(x) { return x|0; }
function ld() { return tr(u32[0]); }
while (true) ld();
Currently inlined tr will contain HArgumentsObject that is considered uint32-unsafe use and prevents u32[0] from becoming uint32 load - instead a speculative int32 load is generated which just deopts.
BUG=
Review URL: https://codereview.chromium.org/1077113002
Cr-Commit-Position: refs/heads/master@{#27781}
This makes the compilers agree on the source position of a message
generated by "throw new Error()", it points to the beginning of the
throw directive.
R=titzer@chromium.org
TEST=message/regress/regress-3995
BUG=v8:3995
LOG=N
Review URL: https://codereview.chromium.org/1049703002
Cr-Commit-Position: refs/heads/master@{#27775}
The ES6 specification does not explicitly state the attributes for the
'next' and 'throw' property descriptors, so their values are defined by
Section 17 [1]:
> Every other data property described in clauses 18 through 26 and in
> Annex B.2 has the attributes
> { [[Writable]]: true, [[Enumerable]]: false, [[Configurable]]: true }
> unless otherwise specified.
[1]
https://people.mozilla.org/~jorendorff/es6-draft.html#sec-ecmascript-standard-built-in-objects
BUG=v8:3986
LOG=N
R=wingo,arv
Review URL: https://codereview.chromium.org/1051363003
Cr-Commit-Position: refs/heads/master@{#27770}
Implements the strong mode proposal's static restrictions on the use of the
identifier 'undefined', for arrow functions. Assumes these restrictions are
intended to be identical to the restrictions on the use of 'eval' and 'arguments'
in strict mode. In addition, Location variables inconsistently named (e.g.
dupe_error_loc vs dupe_loc) are now consistently named the shorter way.
Baseline: https://codereview.chromium.org/1070633002
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1060883004
Cr-Commit-Position: refs/heads/master@{#27756}
identifier. Delete unused (and now incorrect) function IsValidStrictVariable.
Implements the strong mode proposal's static restrictions on the use of the
identifier 'undefined'. Assumes these restrictions are intended to be identical
to the restrictions on the use of 'eval' and 'arguments' in strict mode. The
AllowEvalOrArgumentsAsIdentifier enum has been renamed to
AllowRestrictedIdentifiers as logic involving it is now also used for this case.
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1070633002
Cr-Commit-Position: refs/heads/master@{#27744}
Currently we always generate a diamond in the graph builder for every
legacy const context slot, which we cannot get rid of until late control
reduction, even if we know after context specialization that the slot is
already initialized.
Now we generate a select instead, which the CommonOperatorReducer
happily removes during typed lowering. This greatly speeds up asm.js
code generated by Emscripten with the new POINTER_MASKING mode.
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/1072353002
Cr-Commit-Position: refs/heads/master@{#27739}
When ObjectToString is installed on Object.prototype twice (once in v8natives.js, and once in harmony-tostring.js), this pollutes old code spaces on some devices. To prevent this, the function is only installed once, preventing test failures when the --harmony-tostring flag is flipped on by default.
BUG=v8:3502
LOG=N
R=arv@chromium.org
Review URL: https://codereview.chromium.org/1072083002
Cr-Commit-Position: refs/heads/master@{#27720}
This is a workaround to make the debugger happy about TurboFan frames
when the debugger causes frame inspection. Note that this can happen
because the debugger can be activated while there still are optimized
TurboFan activations on the stack.
R=ishell@chromium.org
BUG=chromium:465298
TEST=mjsunit/regress/regress-crbug-465298
LOG=N
Review URL: https://codereview.chromium.org/1074793003
Cr-Commit-Position: refs/heads/master@{#27717}
Those two tests fail in gc-stress and custom snapshot (embedding mjsunit.js).
This is likely due to different GC timing with the custom snapshot.
R=mstarzinger@chromium.org
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1078653002
Cr-Commit-Position: refs/heads/master@{#27688}
If we optimize a function before gathering feedback it may be
peppered with soft deoptimizations. So it can't help but deoptimize.
A judicious reading of the code isn't enough to determine what the
optimization state should be in the face of such chaotic gyrations.
BUG=
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/1069363003
Cr-Commit-Position: refs/heads/master@{#27671}
This enables eager optimization of top-level code with TurboFan and
extends test coverage by triggering it with the --always-opt flag.
Script contexts are now also properly allocated in TurboFan.
R=titzer@chromium.org
Review URL: https://codereview.chromium.org/1053063003
Cr-Commit-Position: refs/heads/master@{#27633}
The motivation is that we prefer to avoid creating internal properties, and we have a usable field on maps ("transitions", which is not used for prototype maps).
This CL also ensures the invariant that prototype maps are never shared, even if they are in dictionary mode.
Review URL: https://codereview.chromium.org/1033653002
Cr-Commit-Position: refs/heads/master@{#27617}
Optimistically pushing a lot of arguments can run into the stack limit of the process, at least on operating systems where this limit is close to the limit that V8 sets for itself.
BUG=chromium:469768
LOG=y
Review URL: https://codereview.chromium.org/1056913003
Cr-Commit-Position: refs/heads/master@{#27614}
From ES6 25.2.3 ("Properties of the GeneratorFunction Prototype
Object"):
> The GeneratorFunction prototype object is an ordinary object. It is
> not a function object and does not have an [[ECMAScriptCode]] internal
> slot or any other of the internal slots listed in Table 27 or Table
> 56.
Introduce one assertion for the value's type and additional tests for its
properties. Remove an invalid assertion that fails as a result of this
fix.
BUG=v8:3991
LOG=N
Review URL: https://codereview.chromium.org/1062633002
Cr-Commit-Position: refs/heads/master@{#27603}
In ES6 Object.getOwnPropertyDescriptor should call ToObject, which
means that primitive values will return descriptors from the wrapper.
BUG=v8:3964
LOG=N
R=adamk, rossberg@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/998163004
Cr-Commit-Position: refs/heads/master@{#27569}
The removed assertion consistently passes not because the invoked
`close` method internally throws a `TypeError` but because the `close`
method does not exist. The ES6 specification does not define a `close`
method on the GeneratorPrototype, so this test is a tautology.
BUG=None
LOG=N
R=arv
Review URL: https://codereview.chromium.org/1046963002
Cr-Commit-Position: refs/heads/master@{#27567}
The modified assertions targeted the property descriptor for the
template object's first "cooked" value. The code immediately preceding
these statements asserts these values.
Update the assertions to instead target the property descriptor for the
template object's first "raw" value (which are otherwise untested).
BUG=
Review URL: https://codereview.chromium.org/1049523003
Cr-Commit-Position: refs/heads/master@{#27566}
This reverts commit 992751d0dc.
The final spec for Object.getPrototypeOf calls ToObject on the
parameter, which means that it should only throw for null and
undefined. For other non object values the prototype of the wrapper
should be used.
Difference from last time: Updated .status and will disable Blink
side tests as needed.
BUG=v8:3964
LOG=N
R=adamk, rossberg@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1051523003
Cr-Commit-Position: refs/heads/master@{#27558}
The spec settled on ToBoolean instead of only using not undefined.
BUG=v8:3827
LOG=N
R=adamk
Review URL: https://codereview.chromium.org/1045113002
Cr-Commit-Position: refs/heads/master@{#27548}
This test will fail once we optimize top-level code, because the
aforementioned intrinsic doesn't perform a NumberToUint32 conversion.
R=titzer@chromium.org
TEST=mjsunit/asm/math-clz32
Review URL: https://codereview.chromium.org/1041173002
Cr-Commit-Position: refs/heads/master@{#27524}
A bug allows JSObject literals with elements to have the elements in the
boilerplate modified.
BUG=466993
LOG=N
Review URL: https://codereview.chromium.org/1037273002
Cr-Commit-Position: refs/heads/master@{#27511}
On 'debugger' statement, if anything in debugger calls 'EnsureDebugInfo'
on a function, EnsureDebugInfo would compile and substitute code without
debug break slots. This causes weird behavior later when stepping fails
to work (see added test as an example).
This fix is to make sure the debugger is prepared for breakpoints in
that case as well.
Also adds extra testing for bug 468661.
R=yangguo@chromium.org,yurys@chromium.orh
BUG=v8:3990,chromium:468661
LOG=N
Review URL: https://codereview.chromium.org/1032353002
Cr-Commit-Position: refs/heads/master@{#27502}
Only one FrameInspector can be active at a time on any given stack,
this ensures that its lifetime is sufficiently scoped.
R=yangguo@chromium.org
TEST=mjsunit/regress/regress-crbug-259300
Review URL: https://codereview.chromium.org/1034743002
Cr-Commit-Position: refs/heads/master@{#27477}
Instead of CanRetainOtherContext, we now manually blacklist all access-checked objects.
BUG=
Review URL: https://codereview.chromium.org/1020803004
Cr-Commit-Position: refs/heads/master@{#27473}
This method is used in messages.js in GetSourceLine and GetPositionInLine. These methods are used in v8::Message API methods and there is no documentation about it.
The method looks obsolete.
One of the strange side effects is shown by the attached issue.
BUG=chromium:468781
TBR=yangguo@chromium.org
LOG=Y
Review URL: https://codereview.chromium.org/1033973002
Cr-Commit-Position: refs/heads/master@{#27458}
This adapts the debugger so that the first break event starting the
stepping process can come from optimized code. TurboFan supports a
debugger statement and hence can be the top-most frame whenever the
Debug::HandleDebugBreak handler is triggered.
R=yangguo@chromium.org
TEST=mjsunit/debug,cctest/test-debug
Review URL: https://codereview.chromium.org/1038613002
Cr-Commit-Position: refs/heads/master@{#27447}
Also fix Debug.showBreakPoints for multiple break points at the same location.
BUG=v8:3960
LOG=N
Review URL: https://codereview.chromium.org/998253005
Cr-Commit-Position: refs/heads/master@{#27444}
This switches full-codegen to no longer push and pop StackHandler
markers onto the operand stack, but relies on a range-based handler
table instead. We only use StackHandlers in JSEntryStubs to mark the
transition from C to JS code.
Note that this makes deoptimization and OSR from within any try-block
work out of the box, makes the non-exception paths faster and should
overall be neutral on the memory footprint (pros).
On the other hand it makes the exception paths slower and actually
throwing an exception more expensive (cons).
R=yangguo@chromium.org
TEST=cctest/test-run-jsexceptions/DeoptTry
Review URL: https://codereview.chromium.org/1010883002
Cr-Commit-Position: refs/heads/master@{#27440}
The root cause for the bug is that the positions assigned to desugared
code was inconsistent with the source ranges of block scopes.
Since the fact that the position is assigned causes the debugger to
break at the parser-generated statement, the fix is to remove positions
from those nodes that we do not want to break on.
The CL also teaches Hydrogen to tolerate these cases.
R=adamk@chromium.org,rossberg@chromium.org
BUG=chromium:468661
LOG=Y
Review URL: https://codereview.chromium.org/1032653002
Cr-Commit-Position: refs/heads/master@{#27424}
Gather references to unbound variables where the reference (VariableProxy) is
inside strong mode. Check them against the global object when a script is bound
to a context (during compilation).
This CL only checks unbound variables which are not inside lazy functions - TBD
how do we solve that; alternatives: add developer mode which disables laziness /
do the check whenever lazy functions are really compiled.
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1005063002
Cr-Commit-Position: refs/heads/master@{#27422}
The test demonstrates a bad interaction between arguments object
materialization, escape analysis and exception handling.
We can return a wrong arguments object if we materialize arguments
object (using f.arguments) and then throw around f's frame so that f
does not clean up the materialized frame information (see the
MaterializedObjectStore in deoptimizer.h/.cc). If we enter another
function that has the same frame pointer and request an arguments object
of (or lazily deoptimize) that function, we can get the materialized
object of the original function.
We should clean up the materialized object store when we unwind the
stack.
BUG=v8:3985
LOG=n
Review URL: https://codereview.chromium.org/1032623003
Cr-Commit-Position: refs/heads/master@{#27406}
Reason for revert:
Layout test failures. Please update layout test expectations before landing this, in order to not block the roll.
Original issue's description:
> [es6] Object.getPrototypeOf should work with values
>
> The final spec for Object.getPrototypeOf calls ToObject on the
> parameter, which means that it should only throw for null and
> undefined. For other non object values the prototype of the wrapper
> should be used.
>
> BUG=v8:3964
> LOG=N
> R=adamk, rossberg@chromium.org
>
> Committed: https://crrev.com/ea463a916bbe5994b0d2d04e8075058b373b2e2c
> Cr-Commit-Position: refs/heads/master@{#27354}
TBR=adamk@chromium.org,rossberg@chromium.org,arv@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3964
Review URL: https://codereview.chromium.org/1033623002
Cr-Commit-Position: refs/heads/master@{#27389}
Handlers should be in charge of this work. The change uncovered a bug in
vector-ics related to keyed loads into strings. It's important for
StringCharCodeAtGenerator, a helper used in full code and in
LoadIndexedStringStub (a handler) to protect the vector and slot registers
when it makes a runtime call to convert a HeapNumber to a Smi.
It's still possible for the handler to MISS after this call, perhaps due
to out of bounds access. In that case, the vector and slot registers need
to be delivered safely to the MISS handler.
BUG=
Review URL: https://codereview.chromium.org/1028093002
Cr-Commit-Position: refs/heads/master@{#27377}
This method is used in messages.js in GetSourceLine and GetPositionInLine. These methods are used in v8::Message API methods and there is no documentation about it.
The method looks obsolete.
One of the strange side effects is shown by the attached issue.
BUG=chromium:468781
R=yangguo@chromium.org
LOG=Y
Review URL: https://codereview.chromium.org/1022333004
Cr-Commit-Position: refs/heads/master@{#27374}
15.5.4.6 5.b requires each part to be converted using ToString(). This also needs to occur in the single argument fast-case.
BUG=v8:3981
R=arv@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/1029103002
Cr-Commit-Position: refs/heads/master@{#27372}
The final spec for Object.getPrototypeOf calls ToObject on the
parameter, which means that it should only throw for null and
undefined. For other non object values the prototype of the wrapper
should be used.
BUG=v8:3964
LOG=N
R=adamk, rossberg@chromium.org
Review URL: https://codereview.chromium.org/1014813003
Cr-Commit-Position: refs/heads/master@{#27354}
The problem manifests itself when parsing manages to return something
meaningful in the presence of a stack overflow. This happens because
calling ParserBase::Next() will still return one valid token on stack
overflow, before starting to return invalid tokens.
Take the following input as example:
    a.map(v => v + 1);
          |  |
          |  next token (which will be an invalid token
          |  because of a stack overflow)
          already parsed (identifier)
The "v" may have been already parsed into a VariableProxy, then if a
stack overflow occurs, next token will be an invalid token (instead
of Token::ARROW), but the parser will return the VariableProxy.
This always happens when lazy-parsing arrow functions, so the position
in the input stream where the arrow function code ends is known.
This fix adds a check that ensures that parsing ended at the end
position of the arrow function.
BUG=465671
LOG=N
Review URL: https://codereview.chromium.org/1023483003
Cr-Commit-Position: refs/heads/master@{#27325}
With this change, we remember the types of frame state inputs (in a new
operator, called TypedStateValues). Instead of inferring the value types
when building translations, we used the recorded types.
The original approach was not reliable because the passes after
simplified lowering can change node types, and this in turn confuses
the translation builder.
BUG=chromium:468727
LOG=n
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1015423002
Cr-Commit-Position: refs/heads/master@{#27310}
When the debugger is active, a host of connected functions get an associated
DebugInfo structure, and their code is copied. The debugger uses the original
code to occasionally patch ICs with their initial value. Although IC learning
can occur, it's thrown away often, depending on the constellation of
breakpoints active or deactivating. Finally, feedback is discarded when the
debugger is turned off.
The type feedback vector needs to be brought into line with this behavior, so
now the debugger clears its IC slots at appropriate bottlenecks in debug.cc.
R=yangguo@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1014373002
Cr-Commit-Position: refs/heads/master@{#27289}
Updated excludes to remove SKIPs where possible. Either
removing if no longer needed or replacing with SLOW where
tests just need more time to run
modified: test/cctest/cctest.status
modified: test/mjsunit/mjsunit.status
R=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1017073003
Cr-Commit-Position: refs/heads/master@{#27287}
The change introduces a second frame state (for the state before
the operation) for the StoreProperty nodes. If the store writes
into a typed array, the frame state is used for lazy deopt from
the to-number conversion that is performed by the store.
BUG=v8:3963
LOG=n
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/997983004
Cr-Commit-Position: refs/heads/master@{#27285}
In constructing the transfer between loop copies, we need to merge the backedges from all the previous copies of the given loop. The control reduction will work out which ones are really reachable.
R=mstarzinger@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1004993004
Cr-Commit-Position: refs/heads/master@{#27246}
This ensures that there is only one stub that deals with unwinding the
stack. Having more than one place containing that logic is brittle and
error prone, especially when it is a corner case only for RangeErrors.
R=titzer@chromium.org
TEST=mjsunit/regress/regress-crbug-467047
BUG=chromium:467047
LOG=N
Review URL: https://codereview.chromium.org/1012103002
Cr-Commit-Position: refs/heads/master@{#27243}
The evaluation order of receiver versus arguments is not properly
defined by C++. This caused issues with Clang where the environment
changed after the receiving environment was already loaded.
R=jarin@chromium.org
BUG=chromium:467531
TEST=mjsunit/regress/regress-crbug-467531
LOG=N
Review URL: https://codereview.chromium.org/1015683002
Cr-Commit-Position: refs/heads/master@{#27238}
ES6 specs the function length property (it was not part of ES5) and
it makes it configurable.
BUG=v8:3045
LOG=N
R=mstarzinger@chromium.org, adamk@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/993073002
Cr-Commit-Position: refs/heads/master@{#27190}
Error.stack contains function.name if its type is string.
Otherwise, if the function has an inferred name, then .stack contains it.
For functions from eval, the .stack property contains "eval".
LOG=N
BUG=chromium:17356
R=yurys@chromium.org
Review URL: https://codereview.chromium.org/919653002
Cr-Commit-Position: refs/heads/master@{#27186}
Cleanup: Better helpers, unified line splitting. Also asserting that without
strong mode, the snippets don't produce errors.
Fix: The eval related tests were wrong (we didn't make sure that the error
thrown comes from strong scoping and is not a normal runtime error).
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/993393002
Cr-Commit-Position: refs/heads/master@{#27153}
The test/cctest/cctest.status and test/mjsunit/mjsunit.status
tests now pass under the simulator so removing these
excludes
modified: test/cctest/cctest.status
modified: test/mjsunit/mjsunit.status
R=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/995393003
Cr-Commit-Position: refs/heads/master@{#27145}
Contribution of PowerPC port (continuation of 422063005,
817143002, 866843003, and 901083004). This patch updates
the ppc directories to make them current with changes in
common code as of today.
We had to exclude the test test-serialize/SerializeInternalReference
until we agree on the right way to add those changes for PPC as
outlined in the description in the google doc provided earlier.
We also had to exclude a couple of other tests due to new
failures seen since the last uplevel. We excluded as opposed
to waiting until we could investigate to maximize the chance
of getting PPC compiling in the google repos before new
breaking changes are made.
I'll note that before applying any of our changes the
mozilla part of quickcheck was already broken when using
the latest repo content so I had to run without that
modified: src/compiler/ppc/code-generator-ppc.cc
modified: src/compiler/ppc/instruction-codes-ppc.h
modified: src/compiler/ppc/instruction-selector-ppc.cc
modified: src/ic/ppc/handler-compiler-ppc.cc
modified: src/ic/ppc/ic-compiler-ppc.cc
modified: src/ppc/assembler-ppc-inl.h
modified: src/ppc/assembler-ppc.cc
modified: src/ppc/assembler-ppc.h
modified: src/ppc/builtins-ppc.cc
modified: src/ppc/code-stubs-ppc.cc
modified: src/ppc/codegen-ppc.cc
modified: src/ppc/full-codegen-ppc.cc
modified: src/ppc/lithium-codegen-ppc.cc
modified: src/ppc/macro-assembler-ppc.cc
modified: src/ppc/macro-assembler-ppc.h
modified: test/cctest/cctest.status
R=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/994533004
Cr-Commit-Position: refs/heads/master@{#27125}
The prototype of a class constructor function is read only. When we set
computed property names we were ignoring this and we were overriding the
property.
Since the prototype is the only possible own read only property on the
constructor function object we special case this so we do not have to
check this for every property in the class literal.
BUG=v8:3945
LOG=N
R=mstarzinger@chromium.org, dslomov@chromium.org
Review URL: https://codereview.chromium.org/985643003
Cr-Commit-Position: refs/heads/master@{#27106}
This makes sure only the %_DeoptimizeNow intrinsic is inlined, and
not the %DeoptimizeNow one. It hence re-establishes the invariant
that JSIntrinsicLowering only deals with inline intrinsics.
R=jarin@chromium.org
TEST=mjsunit/compiler/eager-deopt-simple
Review URL: https://codereview.chromium.org/988333003
Cr-Commit-Position: refs/heads/master@{#27070}
This involved renaming apart a few more intrinsics. In the long run,
we want to clean up redundant intrinsics which just delegate.
BUG=v8:3947
LOG=n
Review URL: https://codereview.chromium.org/984963002
Cr-Commit-Position: refs/heads/master@{#27043}
Internal references are absolute addresses into the instruction
stream. Turn them into relative addresses when serializing and
back when deserializing to keep them valid.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/976623002
Cr-Commit-Position: refs/heads/master@{#27020}
This adds support for the double bits intrinsics to TurboFan, and is
a first step towards fast Math functions inlined into TurboFan code
or even compiled by themselves with TurboFan.
Review URL: https://codereview.chromium.org/974313002
Cr-Commit-Position: refs/heads/master@{#27006}
Function name property is now standardized in ES6. It was a Mozilla proprietary
extension before. With ES6, the property was made configurable, so that it can
be used instead of another proprietary property, displayName.
This is a revert of revert c791d84112.
Last time this broke a Chrome browser test which has since been updated:
5f75a3be4c
BUG=v8:3333
LOG=N
R=mstarzinger@chromium.org,verwaest@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/977003004
Cr-Commit-Position: refs/heads/master@{#26996}
This just contains tests, no fixes. Note that some of the tests are
still disabled because they either fail or we don't want ClusterFuzz
to pick up the flag yet.
R=jarin@chromium.org
TEST=cctest/test-run-jsexceptions/Deopt,mjsunit/compiler/try-deopt
Review URL: https://codereview.chromium.org/972943004
Cr-Commit-Position: refs/heads/master@{#26968}
Contribution of PowerPC port (continuation of 422063005, 817143002,
866843003, and 901083004). This patch updates the ppc directories
to make them current with changes in common code, removes the
optimization to use the ool constant pool, and excludes tests that
don't pass under the ppc simulator given a 240s timeout.
Subsequent patches will cover:
- remaining optimizations for PPC
- remaining AIX changes not resolved by 4.8 compiler (4.8 is only recently available for AIX)
- incremental updates required to ppc directories due to platform specific changes made
in google repos while we complete the above steps.
modified: src/compiler/ppc/code-generator-ppc.cc
modified: src/ic/ppc/handler-compiler-ppc.cc
modified: src/ppc/assembler-ppc-inl.h
modified: src/ppc/assembler-ppc.cc
modified: src/ppc/assembler-ppc.h
modified: src/ppc/builtins-ppc.cc
modified: src/ppc/code-stubs-ppc.cc
modified: src/ppc/debug-ppc.cc
modified: src/ppc/deoptimizer-ppc.cc
modified: src/ppc/frames-ppc.cc
modified: src/ppc/frames-ppc.h
modified: src/ppc/full-codegen-ppc.cc
modified: src/ppc/lithium-codegen-ppc.cc
modified: src/ppc/lithium-ppc.cc
modified: src/ppc/lithium-ppc.h
modified: src/ppc/macro-assembler-ppc.cc
modified: src/ppc/macro-assembler-ppc.h
modified: test/cctest/cctest.status
modified: test/mjsunit/mjsunit.status
R=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/965823002
Cr-Commit-Position: refs/heads/master@{#26951}
This is partially based on r21609 but that CL was incomplete.
Function name is still non writable so one has to use defineProperty
to change the actual value.
BUG=v8:3333
LOG=N
R=adamk, mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/960343002
Cr-Commit-Position: refs/heads/master@{#26924}
This reverts commit b57be748b1 and
disables the test/mjsunit/debug-clearbreakpointgroup.js because
BreakLocationIterator::ClearBreakPoint is already broken for unrelated reasons (see v8:3924).
BUG=v8:3877
LOG=N
TEST=cctest/test-heap/Regress3877
Review URL: https://codereview.chromium.org/957373002
Cr-Commit-Position: refs/heads/master@{#26893}
We cannot yet detect use-before-declaration in general, because for that we'd
need to analyze the context when compiling. But we can detect an error case
where we first see a use, then a declaration.
For this, I also added end position tracking (needed for error messages) to
VariableProxy.
Note: the position naming is completely inconsistent: start_position &
end_position, position & end_position, pos & end_pos, beg_pos & end_pos, to name
a few. This doesn't fix all of it, but tries to unify towards start_position &
end_position whenever possible w/ minimal changes.
BUG=
Review URL: https://codereview.chromium.org/943543002
Cr-Commit-Position: refs/heads/master@{#26880}
This implements a special case of block cloning to recognize constructs like
if (a ? b : c) { ... }
that happen to be generated by Emscripten quite often.
Review URL: https://codereview.chromium.org/947963002
Cr-Commit-Position: refs/heads/master@{#26808}
This is done using desugaring. Before this we had:
result = iterator.next()
with this we instead do:
!%_IsSpecObject(result = iterator.next()) &&
%ThrowIteratorResultNotAnObject(result)
BUG=v8:3916
LOG=N
Review URL: https://codereview.chromium.org/929733003
Cr-Commit-Position: refs/heads/master@{#26805}
The adder should be gotten before the iterator.
Motivation: Once this is done we should be able to use a for-of loop
instead which leads to cleaner code and correct behavior once the
for-of loop correctly supports abrupt completion.
BUG=None
LOG=N
R=adamk
Review URL: https://codereview.chromium.org/949933002
Cr-Commit-Position: refs/heads/master@{#26803}
Because we generated a different hash code for 0 and -0 we ended up
not even getting to the SameValueZero check.
BUG=v8:3906
LOG=N
R=adamk
Review URL: https://codereview.chromium.org/947443005
Cr-Commit-Position: refs/heads/master@{#26787}
After further spec reading it turns out that we should not do ToObject
on the iterable.
BUG=None
LOG=N
R=adamk
Review URL: https://codereview.chromium.org/941313003
Cr-Commit-Position: refs/heads/master@{#26786}
When the property is not found on the [[HomeObject]] prototype chain
then we should do a [[DefineOwnProperty]] on the instance.
BUG=v8:3330
LOG=N
Review URL: https://codereview.chromium.org/934463003
Cr-Commit-Position: refs/heads/master@{#26754}
It would force us to make mjsunit.js strong-compatible, and that's too much for
now (for the upcoming features) and would have a ripple effect on other
tests. Especially debug-script.js which unships harmony features would break.
R=rossberg@chromium.org
BUG=
Review URL: https://codereview.chromium.org/930293002
Cr-Commit-Position: refs/heads/master@{#26694}
This adds a new ControlFlowOptimizer that - for now - recognizes chains
of Branches generated by the SwitchBuilder for a subset of javascript
switches into Switch nodes. Those Switch nodes are then lowered to
either table or lookup switches.
Also rename Case to IfValue (and introduce IfDefault) for consistency.
BUG=v8:3872
LOG=n
Review URL: https://codereview.chromium.org/931623002
Cr-Commit-Position: refs/heads/master@{#26691}
1) Mutually recursive functions
2) Strong code using non-strong var before declaration.
These test cases ensure that we don't accidentally kill these wanted behaviors
when adding restrictions to strong mode.
BUG=
Review URL: https://codereview.chromium.org/927143002
Cr-Commit-Position: refs/heads/master@{#26671}
The preparser needs to log the usage of super properties and then update
the scope when we create the function later.
BUG=v8:3888
LOG=N
R=dslomov@chromium.org, marja
Review URL: https://codereview.chromium.org/923683002
Cr-Commit-Position: refs/heads/master@{#26642}
This CL fixes tests that are no longer valid and also fixes two issues:
1. 'super()' in non derived constructors.
2. Failure to step into derived constructors.
R=arv@chromium.org, yurys@chromium.org
BUG=v8:3834
LOG=Y
Review URL: https://codereview.chromium.org/923443003
Cr-Commit-Position: refs/heads/master@{#26628}
Function.prototype.toMethod was removed from ES6.
This removes the function and updates the tests to either
use %ToMethod or a dedicated syntax (using concise method
or a class).
BUG=v8:3330
LOG=N
R=dslomov@chromium.org, adamk
Review URL: https://codereview.chromium.org/914713002
Cr-Commit-Position: refs/heads/master@{#26559}
super() is only allowed in a class constructor.
super.p is allowed in methods, accessors and constructors.
The parser now checks the FunctionState to see what kind of function
we are currently inside.
BUG=v8:3330
LOG=N
R=dslomov@chromium.org, marja@chromium.org
Review URL: https://codereview.chromium.org/915563003
Cr-Commit-Position: refs/heads/master@{#26557}
Adding the line "// MODULE" to an mjsunit file will now cause
run-tests.py to prefix the test case with "--module" in the
d8 commandline.
d8 has itself been updated to treat files preceded with "--module" as
modules (that is, it compiles them with ScriptCompiler::CompileModule,
and turns on --harmony-modules).
Review URL: https://codereview.chromium.org/902263002
Cr-Commit-Position: refs/heads/master@{#26555}
We incorrectly disallowed eval and arguments in accessor and method
names. This was because we checked the name inside the
ParseFunctionLiteral. We now flag accessors so that lazy parsing of
these functions is treated correctly.
BUG=v8:1984
R=adamk, dslomov@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/899363002
Cr-Commit-Position: refs/heads/master@{#26497}
This way we can ship \u{..} escapes in strings / identifiers before shipping /u
regexps.
BUG=
Review URL: https://codereview.chromium.org/903703002
Cr-Commit-Position: refs/heads/master@{#26461}
It must always populate int32_value_, even if that's lossy, because other code (specifically, constant folding for truncating operations) relies on it.
BUG=v8:3865
LOG=y
Review URL: https://codereview.chromium.org/897263002
Cr-Commit-Position: refs/heads/master@{#26453}
We used to have a parse error for conflicting property keys. This check
was removed to match ES6 (SpiderMonkey & Chakra already made this change).
Since this check was removed we ended up with a few new cases when
generating code. For example, accessors always generated code even if
those should have been shadowed by a data property.
BUG=v8:3856
LOG=Y
R=adamk, dslomov@chromium.org
Review URL: https://codereview.chromium.org/895693002
Cr-Commit-Position: refs/heads/master@{#26441}
Applies to API implementation of O.p.toString
- Removes special handling of non-string @@toStringTag values (use builtinTag)
- Removes special handling of @@toStringTags which match [[Class]] names (remove ~ prefix)
- Add tests for non-string @@toStringTag values in test-api.cc
BUG=v8:3502
R=arv@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/892393003
Cr-Commit-Position: refs/heads/master@{#26415}
If a (pure) node has two or more uses, but there exists a path from the
common dominator of these uses to end, which does not contain a use,
then we split the node such that no unnecessary computation takes place.
Note however, that this only applies if the node cannot be hoisted out
of a loop.
BUG=v8:3864
LOG=n
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/899433005
Cr-Commit-Position: refs/heads/master@{#26404}
Both SameValue and SameValueZero consider different NaNs equal, so we
better assign the same hash value to all NaNs.
BUG=v8:3859
LOG=y
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/897593002
Cr-Commit-Position: refs/heads/master@{#26391}
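Added example (not part of the commit log and not V8's code): the two hash fixes above, the one for 0 and -0 and the one for NaN, both rest on the rule that keys equal under SameValueZero must hash alike. The toy bucket set below, keyed by constructed raw IEEE-754 bit patterns, shows lookups missing when the hash ignores that rule; every name in it is hypothetical.

```javascript
// Toy model, not V8 code: keys are raw IEEE-754 bit patterns (BigInt),
// the way a hash table inside an engine sees heap numbers.
const view = new DataView(new ArrayBuffer(8));
const toBits = (x) => { view.setFloat64(0, x); return view.getBigUint64(0); };
const fromBits = (b) => { view.setBigUint64(0, b); return view.getFloat64(0); };

// Constructed sample keys: two NaNs with different payloads, and both zeros.
const NAN_A = 0x7ff8000000000000n;
const NAN_B = 0x7ff8000000000001n;
const POS_ZERO = toBits(0);
const NEG_ZERO = toBits(-0);

// SameValueZero: +0 equals -0, and any NaN equals any NaN.
const sameValueZero = (a, b) => a === b || (a !== a && b !== b);

// Hash straight from the bit pattern: 0 and -0 (and the two NaNs) differ.
const rawBitsHash = (bits) => Number(bits % 251n);

// Hash after mapping each SameValueZero class to one representative.
const canonicalHash = (bits) => {
  const x = fromBits(bits);
  if (x !== x) return rawBitsHash(NAN_A);
  if (x === 0) return rawBitsHash(POS_ZERO);
  return rawBitsHash(bits);
};

class ToySet {
  constructor(hash) { this.hash = hash; this.buckets = new Map(); }
  has(bits) {
    // Equality is only ever tested inside the bucket the hash selects.
    const bucket = this.buckets.get(this.hash(bits)) || [];
    return bucket.some((b) => sameValueZero(fromBits(b), fromBits(bits)));
  }
  add(bits) {
    if (this.has(bits)) return;
    const h = this.hash(bits);
    this.buckets.set(h, [...(this.buckets.get(h) || []), bits]);
  }
}

// Insert one zero and one NaN, then look up their SameValueZero twins.
function lookupTwins(hash) {
  const set = new ToySet(hash);
  set.add(POS_ZERO);
  set.add(NAN_A);
  return { negZeroFound: set.has(NEG_ZERO), otherNaNFound: set.has(NAN_B) };
}

console.log(lookupTwins(rawBitsHash));   // both lookups miss
console.log(lookupTwins(canonicalHash)); // both lookups hit
```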
Contribution of PowerPC port (continuation of 422063005 and 817143002). This patch covers
the key changes needed to the common files needed to support AIX. Subsequent
patches will cover:
- changes to update the ppc directories so they are current with the changes
in the rest of the project.
- remaining AIX changes not resolved by 4.8 compiler
- individual optimizations for PPC
This is based off of the GitHub repository
https://github.com/andrewlow/v8ppc
R=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/866843003
Cr-Commit-Position: refs/heads/master@{#26343}
This removes the duplicate property check from object literals.
Instead we repurpose the ObjectLiteralChecker into two cases, implemented
by two subclasses to ObjectLiteralCheckerBase called ObjectLiteralChecker
and ClassLiteralChecker.
The object literal checker now only checks for duplicate __proto__ fields in
object literals.
The class literal checker checks for duplicate constructors, non constructor
fields named constructor as well as static properties named prototype.
BUG=v8:3819
LOG=Y
R=adamk, dslomov@chromium.org
Review URL: https://codereview.chromium.org/873823003
Cr-Commit-Position: refs/heads/master@{#26336}
Arrow function parameter lists are parsed as expressions. When an identifier
is found a VariableProxy is created and added to the list of unresolved
variables for the scope. When parsing a function lazily, the scope has been
already resolved, so with this patch only the VariableProxy is created,
without adding it as an unresolved variable in the scope.
BUG=v8:3501
LOG=Y
Review URL: https://codereview.chromium.org/880253004
Cr-Commit-Position: refs/heads/master@{#26328}
The approach taken in this CL is to incrementally move toward the
currently-specced version of modules in ES6. The biggest change in this
patch is separating the parsing of modules from the parsing of scripts,
getting rid of the 'module' keyword and thus disallowing modules-in-scripts
as well as modules-in-modules.
The syntax supported by import/export declarations has not yet been significantly
changed, with the major exception being that import declarations require a string
as the 'from' part.
Most of the existing tests have been disabled, with a first new test added
in cctest/test-parsing.
BUG=v8:1569
LOG=n
Review URL: https://codereview.chromium.org/881623002
Cr-Commit-Position: refs/heads/master@{#26299}
The whole logic in DoMul makes me cry, so I made only the minimal
change to fix the issue...
BUG=v8:451322
LOG=y
Review URL: https://codereview.chromium.org/873703002
Cr-Commit-Position: refs/heads/master@{#26261}
Also fix mjsunit/regress/regress-undefined-nan to ensure that we are
testing transfer via xmm registers by forcing the transfer to be in an
optimized function.
BUG=v8:3839
LOG=n
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/863153002
Cr-Commit-Position: refs/heads/master@{#26213}