When reading malformed input, the length of variable-length types can be very large. Computing operand length with this and adding it to PC will overflow and screw up decode.
This patch switches to unsigned int for arity and lengths, terminates loop analysis on error, adds overflow checking to BranchTableOperand, and adds a unit test.
Review-Url: https://codereview.chromium.org/2052623003
Cr-Commit-Position: refs/heads/master@{#37301}
the .eh_frame format as part of the jitdump generated when
FLAG_perf_prof is enabled. The final goal is allowing precise unwinding
of callchains that include JITted code when profiling V8 using perf.
Unwinding information is stored in the body of code objects after the
code itself, prefixed with its length and aligned to a 8-byte boundary.
A boolean flag in the header signals its presence, resulting in zero
memory overhead when the generation of unwinding info is disabled or
no such information was attached to the code object.
A new jitdump record type (with id 4) is introduced for specifying
optional unwinding information for code load records. The EhFrameHdr
struct is also introduced, together with a constructor to initialise it
from the associated code object.
At this stage no unwinding information is written to the jitdump, but
the infrastructure for doing so is ready in place.
BUG=v8:4899
LOG=N
Review-Url: https://codereview.chromium.org/1993653003
Cr-Commit-Position: refs/heads/master@{#37296}
This adds a missing lazy bailout point when defining data properties
with computed property names in object literals. The runtime call to
Runtime::kDefineDataPropertyInLiteral can trigger deopts. The necessary
bailout ID already exists and is now properly used.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-621816
BUG=chromium:621816
Review-Url: https://codereview.chromium.org/2099133003
Cr-Commit-Position: refs/heads/master@{#37294}
Instead of a JS implementation that calls C++ runtime functions, migrate String.fromCodePoint() to C++.
BUG=v8:5049
Review-Url: https://codereview.chromium.org/2038563003
Cr-Commit-Position: refs/heads/master@{#37293}
This is a building block for GetPropertyStub. It supports querying fast,
slow and global objects without native accessors and interceptors.
BUG=v8:4911
LOG=Y
Review-Url: https://codereview.chromium.org/2079823002
Cr-Commit-Position: refs/heads/master@{#37291}
Proxy objects need special treatment in toString(). Usually, we use the
@@toStringTag, if it is set, otherwise we determine the result of toString()
by checking IsArray() and other internal slots. According to
ES2017 19.1.3.6, IsArray() and the internal slots must be checked first,
then get(@@toStringTag). The result of IsArray() and internal slots is discarded if
@@toStringTag is set. For proxy
objects, we must obey this order, because get() can have side-effects, i.e.,
revoke the proxy. For all other objects, we can skip the check of the
internal slots, if @@toStringTag is set.
BUG=
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review-Url: https://codereview.chromium.org/2090773006
Cr-Commit-Position: refs/heads/master@{#37289}
- Add a const bool kSimpleFPAliasing variable for each platform so it's
easier for the compiler to eliminate dead code.
- Modify RegisterAllocator to use it.
LOG=N
BUG=v8:4124
Review-Url: https://codereview.chromium.org/2101473002
Cr-Commit-Position: refs/heads/master@{#37288}
We can check if the instance type of an object is JS_PROMISE_TYPE to determine if it is a promise rather than test whether the property promise_state_symbol is present.
BUG=
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review-Url: https://codereview.chromium.org/2091243002
Cr-Commit-Position: refs/heads/master@{#37283}
port f5b83dec4e (r37061)
original commit message:
As a first step towards showing builtin frames in stack traces, we will now
push target and new target unconditionally.
Since the various specializations of BuiltinArguments are made redundant by
this change, we can remove them and all related code.
BUG=
Review-Url: https://codereview.chromium.org/2095323002
Cr-Commit-Position: refs/heads/master@{#37282}
The global object can be loaded from the native context and the name can be loaded in the type feedback metadata.
BUG=chromium:576312
Review-Url: https://codereview.chromium.org/2096653003
Cr-Commit-Position: refs/heads/master@{#37278}
port 198e09de5a (r37053)
original commit message:
Construct a BUILTIN frame before throwing an exception from runtime.
BUG=
Review-Url: https://codereview.chromium.org/2094223002
Cr-Commit-Position: refs/heads/master@{#37275}
If we know that a constant can be represented as word32, then we don't
need to insert a checked conversion, but just change the constant
appropriately.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2100063002
Cr-Commit-Position: refs/heads/master@{#37273}
port f47b9e9810 (r37051)
original commit message:
This adds a new BUILTIN frame type, which supports variable number of
arguments for builtins implemented in hand-written native code (we will
extend this mechanism to TurboFan builtins at some point). Convert the
Math.max and Math.min builtins to construct a BUILTIN frame if required.
This does not yet work for C++ builtins, but that'll be the next step.
BUG=
Review-Url: https://codereview.chromium.org/2096283003
Cr-Commit-Position: refs/heads/master@{#37270}
port d5f2ac5e33 (r37047)
original commit message:
Import base::ieee754::exp() from FreeBSD msun and introduce a Float64Exp
TurboFan operator based on that, similar to what we do for Float64Log.
Rewrite Math.exp() as TurboFan builtin and use that operator to also
inline Math.exp() into optimized TurboFan functions.
BUG=
Review-Url: https://codereview.chromium.org/2096283002
Cr-Commit-Position: refs/heads/master@{#37269}
port c5e3c9bf56 (r37011)
original commit message:
Only Intel needed changes, arm and mips work as expected.
BUG=
Review-Url: https://codereview.chromium.org/2094143003
Cr-Commit-Position: refs/heads/master@{#37267}
port 2d1f977c93 (r36978)
original commit message:
Support for relocatable globals, to facilitate compilation before
instantiation.
BUG=
Review-Url: https://codereview.chromium.org/2096273002
Cr-Commit-Position: refs/heads/master@{#37266}
port 6470ddadf9 (r36950)
original commit message:
This introduces SilenceNaN operator, which makes sure that we only
store quiet NaNs into holey arrays. We omit the NaN silencing code
at instruction selection time if the input is an operation that
cannot possibly produce signalling NaNs.
BUG=
Review-Url: https://codereview.chromium.org/2099143002
Cr-Commit-Position: refs/heads/master@{#37265}
Rolling v8/build to 95bb77009ecdeaa992b031b947142fbf7da57ed6
Rolling v8/tools/mb to 62e2d060db3b06208f5d6558db03efd140ecd180
TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org
Review-Url: https://codereview.chromium.org/2098293002
Cr-Commit-Position: refs/heads/master@{#37264}
port e95cfafb67 (r36917)
original commit message:
This fixes FastNewStrictArgumentsStub and FastNewRestParameterStub to no
longer assume that the strict arguments object being allocated will fit
into new-space. The case where said object needs to move to large object
space is now handled in the runtime.
BUG=
Review-Url: https://codereview.chromium.org/2100003002
Cr-Commit-Position: refs/heads/master@{#37263}
port 89d8c57b9c (r36916)
original commit message:
Import base::ieee754::atan() and base::ieee754::atan2() from fdlibm and
introduce Float64Atan and Float64Atan2 TurboFan operators based on those,
similar to what we already did for Float64Log and Float64Log1p. Rewrite
Math.atan() and Math.atan2() as TurboFan builtin and use the operators
to also inline Math.atan() and Math.atan2() into optimized TurboFan functions.
BUG=
Review-Url: https://codereview.chromium.org/2093423003
Cr-Commit-Position: refs/heads/master@{#37262}
Rolling v8/build to e6d755246d1db2bc122ff2bfbc2b741b43d4afb7
Rolling v8/tools/mb to 3bf9b2fd6fb3127fc9b29d30cc4ff82eb025b7f6
TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org
Review-Url: https://codereview.chromium.org/2088393007
Cr-Commit-Position: refs/heads/master@{#37261}
We deviate from spec in that, in our implementation, __defineGetter__ on non-
configurable properties returns false instead of throwing a TypeError. This commit
adds a use counter to track how often we would be throwing an error we currently
avoid, to determine if we can change to align with spec or if the spec is not
implementable.
BUG=v8:5070
Review-Url: https://codereview.chromium.org/2089533002
Cr-Commit-Position: refs/heads/master@{#37259}
port 7ceed92ac0 (r36914)
original commit message:
Import base::ieee754::log1p() from fdlibm and introduce a Float64Log1p
TurboFan operator based on that, similar to what we do for Float64Log.
Rewrite Math.log1p() as TurboFan builtin and use that operator to also
inline Math.log1p() into optimized TurboFan functions.
Also unify the handling of the special IEEE 754 functions somewhat in
the TurboFan backends. At some point we can hopefully express this
completely in the InstructionSelector (once we have an idea what to do
with the ST(0) return issue on IA-32/X87).
BUG=
Drive-by-fix: Add some more test coverage for the log function.
Review-Url: https://codereview.chromium.org/2094953002
Cr-Commit-Position: refs/heads/master@{#37255}
This simplifies the calling convention of LoadGlobalIC.
Currently we do a linear search to get the name but I'll address this in a follow-up CL.
BUG=chromium:576312
TBR=rossberg@chromium.org
Review-Url: https://codereview.chromium.org/2084913006
Cr-Commit-Position: refs/heads/master@{#37253}