Commit Graph

7080 Commits

Author SHA1 Message Date
Jakob Kummerow
f89db5d24a Fix LoadGlobalIC for cleared WeakCells
BUG=chromium:702793

Change-Id: Ia52823968a757f8f7fc8802deab60f570ffdb58c
Reviewed-on: https://chromium-review.googlesource.com/456280
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43920}
2017-03-18 00:52:09 +00:00
Marja Hölttä
ab4233e38a [parser|cleanup] Add tests for duplicate parameters.
There are at least 3 mechanisms for detecting duplicate parameters.
- ExpressionClassifier
- Scope::DeclareParameter checking IsDeclaredParameter
- PatternRewriter::VisitVariableProxy failing to declare a duplicate parameter

The conditions for when duplicate parameters are allowed and when not are pretty
involved too. They are allowed when
- the function is not an arrow function and not a concise method *and*
- when the parameter list is simple *and*
- we're in sloppy mode (incl. the function doesn't declare itself strict).

In addition, we don't recognize some of the early errors, and it's 
non-trivial to see which ones are recognized and which not (see bug
v8:6108). E.g., (dup, dup) => {}; is recognized but (dup, [dup]) => {} is
not. And (dup, [dup]) => 1; is.

We do have tests for some aspects of duplicate parameters (e.g., arrow function
duplicate parameters are included in arrow function tests), but it's hard to see
whether all combinations of the relevant conditions are tested.

This CL adds more structured tests which hopefully enables reducing the
duplicate parameter detection mechanisms to 2 or maybe even to 1.

BUG=v8:6092

Change-Id: Idd3db43b380aae4b9a89be5f1ed0755d39bfb36d
Reviewed-on: https://chromium-review.googlesource.com/456336
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43895}
2017-03-17 12:10:35 +00:00
Andreas Haas
87354ade6b [wasm] Remove the WasmTrapHelper
Since TrapIf has been implemented on all platforms, there is no need
anymore for the old WasmTrapHelper code. This CL also removes
TrapIf-specific tests.

R=titzer@chromium.org, clemensh@chromium.org

Change-Id: Ic069598441b7bd63bde2e66f4e536abea5ecebe6
Reviewed-on: https://chromium-review.googlesource.com/452380
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43887}
2017-03-17 10:30:31 +00:00
titzer
3bbd81afbc [testing] Add the notion of a wait count to allow tests to robustly wait on asynchronous tasks.
Note that this also modifies mjsunit.js to allow the {failWithMessage} method to be monkey-patched by a test. This is necessary because assertions which fail in a promise's then-clause would normally only throw an exception, which is swallowed by the promise, causing the test to silently pass. Instead, patching this {failWithMessage} functionality allows then clauses to use the full assertion machinery of mjsunit.js.

R=ulan@chromium.org, gsathya@chromium.org

BUG=

Review-Url: https://codereview.chromium.org/2752043002
Cr-Commit-Position: refs/heads/master@{#43875}
2017-03-16 18:20:19 +00:00
cwhan.tunz
da1bddcd75 [typedarrays] Implement %TypedArray%.prototype.lastIndexOf in C++
- Implement C++ builtins and ElementsAccessor for
  %TypedArray%.prototype.lastIndexOf
- Remove TypedArrayLastIndexOf in src/js/typedarray.js
- Combine InnerArrayLastIndexOf and ArrayLastIndexOf in src/js/array.js

BUG=v8:5929

Review-Url: https://codereview.chromium.org/2744283002
Cr-Commit-Position: refs/heads/master@{#43870}
2017-03-16 16:28:00 +00:00
Clemens Hammacher
783f68c53b [wasm] [interpreter] Throw exception on trap
This behaviour was missing before. If a trap is encountered in the
interpreter, we now throw the right error. With test.

R=titzer@chromium.org, ahaas@chromium.org
BUG=v8:5822

Change-Id: I09c23d15fcde32ec586fb6d3094a5ec49155a9a2
Reviewed-on: https://chromium-review.googlesource.com/453839
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43859}
2017-03-16 12:01:15 +00:00
Clemens Hammacher
f3aeb762ae [wasm] [interpreter] Implement calling imported functions
When instantiating the wasm interpreter for debugging, we unwrap all
wasm-to-js wrappers and store the callable objects. The handles are
stored in a DeferredHandleScope and deleted when the InterpreterHandle
(store in WasmDebugInfo) is freed.
A call to an imported function reads the arguments from the stack,
converts them to JS objects, calls the callable, converts back the
return value and pushes it onto the stack.
Reentering the interpreter from the calles JS code is not permitted
yet, but will be in a follow-up CL.
Also, indirect calls to imported functions will have to follow.

R=titzer@chromium.org, ahaas@chromium.org
BUG=v8:5822

Change-Id: I66c35053bccb6cf8d416606e4f840d888ccb3b65
Reviewed-on: https://chromium-review.googlesource.com/453838
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43855}
2017-03-16 10:57:16 +00:00
bmeurer
9224d5d1bc [csa] Bailout to the runtime for ToInteger conversion in Array.p.indexOf.
The fast-path for Array.prototype.indexOf first checks whether the
receiver is a fast-mode JSArray (and there are no elements in the
prototype chain in case of holey arrays), then loads the known
JSArray::length, and afterwards calls ToInteger on the fromIndex.

But this ToInteger(fromIndex) call can cause arbitrary side effects if
the fromIndex is a JSReceiver, in particular it can invalidate the
assumptions about the fast-mode of the receiver and the length. In the
worst case this leads to OOB memory access.

Quick-fix is to bailout to the runtime if the fromIndex is neither a Smi
nor undefined, which represents the common cases.

R=jarin@chromium.org
BUG=chromium:702058

Review-Url: https://codereview.chromium.org/2756663002
Cr-Commit-Position: refs/heads/master@{#43843}
2017-03-16 06:53:09 +00:00
Clemens Hammacher
69da6fcd2a [wasm] Fix wasm to js wrapper on ia32 for i64 return
When generating the code for an illegal (non-js-compliant) wrapper for
a js function, we were generating a zero constant of the return type.
This failed on ia32 if the return type is i64.
The correct thing to do is to return two i32 zero constants.

R=titzer@chromium.org
BUG=v8:6104, v8:6096

Change-Id: Idc0dd8d3eef901c22d5278d97f1879b000a18588
Reviewed-on: https://chromium-review.googlesource.com/455857
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43835}
2017-03-15 16:14:19 +00:00
leszeks
2b1ed94464 [test] Fix mjsunit/getters-on-elements to reset function state
The function "foo" in "base_getter_test" was picking up a left-over
optimised code object from foo's code map, the third time that
base_getter_test was run, instead of optimising it itself. This
broke the assumptions of the test, that each case was functionally
independent from the others, and had started off with empty feedback
and no optimised code.

This breaks the test though, so we have to blacklist it pending a fix
to the root cause (http://crbug.com/v8/6101).

Review-Url: https://codereview.chromium.org/2750623004
Cr-Commit-Position: refs/heads/master@{#43828}
2017-03-15 13:31:01 +00:00
Wiktor Garbacz
bb927eb439 [parser] Fix template escapes in preparser
BUG=v8:6100

Change-Id: Ib8729b2688bbaf6fb397737ccf1b1c086698ab93
Reviewed-on: https://chromium-review.googlesource.com/455876
Commit-Queue: Wiktor Garbacz <wiktorg@google.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43822}
2017-03-15 12:44:41 +00:00
Clemens Hammacher
3e6873abcb [wasm] Fix wasm to js wrapper for illegal signature
When compiling a wasm to js wrapper for a signature which is not JS
compatible, we generate a runtime call to throw a type error and return
immediately afterwards. We were using the return value of the runtime
call as return value for the wrapper.
This worked for integer return values, since the same registers are
used for tagged values and integer values. For float values, however,
it failed, since the return value needs to be stored in another
register.

R=titzer@chromium.org
BUG=v8:6096

Change-Id: I8f39ea132cd150c3044673d25fa3c3588b4266bf
Reviewed-on: https://chromium-review.googlesource.com/455816
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43821}
2017-03-15 12:19:08 +00:00
Michael Achenbach
6e376b6c5b [test] Mark slow tests
Mark slow tests discovered by manual audit of reported durations.

Slow tests will run first, which will lead to higher test runner throughput.

Also some tests have flaky timeouts occasionally.

BUG=chromium:601468

Change-Id: If9aeb5422e79ff25b867b01c50386a5fdebeb494
Reviewed-on: https://chromium-review.googlesource.com/455736
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43819}
2017-03-15 12:05:12 +00:00
jarin
5790aad425 [turbofan] Fix typing for NumberMin and NumberMax to handle uninhabited types.
BUG=chromium:700883

Review-Url: https://codereview.chromium.org/2751513006
Cr-Commit-Position: refs/heads/master@{#43812}
2017-03-15 07:46:25 +00:00
jarin
8c114d1737 [turbofan] Handle Smi -> Float32 conversion in representation changer.
BUG=chromium:693425

Review-Url: https://codereview.chromium.org/2749193003
Cr-Commit-Position: refs/heads/master@{#43811}
2017-03-15 07:44:59 +00:00
Ross McIlroy
b7648be7ec [Flags] Remove --ignition-staging flag.
Removes the --ignition-staging flag since it is no longer used
by anything and won't be a shipping configuration. Also removes
ignition_turbo variant from testrunner, since it is now 
the same as the turbofan variant.

BUG=v8:4280

Change-Id: I3b96e986879fc70b8e202fe9496334828acdd0ba
Reviewed-on: https://chromium-review.googlesource.com/452621
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43806}
2017-03-14 23:07:09 +00:00
bradnelson
8c1af20baf [wasm][asm.js] Fix asm.js in tests to be more strictly valid.
These tests fail with the new asm.js parser, because they are invalid under
a more strict reading of the spec.

NOTE: These also fail to validate when run in Firefox.

BUG=v8:4203
BUG=v8:6090
R=aseemgarg@chromium.org,eholk@chromium.org

Review-Url: https://codereview.chromium.org/2745393002
Cr-Commit-Position: refs/heads/master@{#43803}
2017-03-14 20:17:04 +00:00
Michael Achenbach
a0077f222b [test] Skip slow tests
BUG=chromium:682617
TBR=mstarzinger@chromium.org,mvstanton@chromium.org,rmcilroy@chromium.org
NOTRY=true

Change-Id: If121a5d01bba113374bc1673780fc713997e54a9
Reviewed-on: https://chromium-review.googlesource.com/454618
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43776}
2017-03-14 11:43:01 +00:00
Michael Starzinger
3b597bb701 [runtime] Fix KeyAccumulator for non-internalized keys.
This fixes a corner-case in {KeyAccumulator::CollectOwnJSProxyKeys}
where the keys returned by {JSReceiver::OwnPropertyKeys} for an array
are not internalized and hence have a diverging identity from keys
returned by the "ownKeys" trap of a proxy.

R=cbruni@chromium.org
TEST=mjsunit/regress/regress-crbug-700678
BUG=chromium:700678

Change-Id: I5efd012eade14bd45c69e4abb0aeda684baf38f0
Reviewed-on: https://chromium-review.googlesource.com/452979
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43775}
2017-03-14 11:19:28 +00:00
Michael Achenbach
9f4188c252 [test] Fix fullcode and ignition testing variants
BUG=chromium:682617
R=mstarzinger@chromium.org,mvstanton@chromium.org,rmcilroy@chromium.org

Change-Id: Id0c904e080bb09e4ac1a127a02b110459442f7f3
Reviewed-on: https://chromium-review.googlesource.com/452484
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43771}
2017-03-14 09:59:04 +00:00
binji
65200967b7 Reland moving Atomics builtins to C++
This reverts the previous revert, commit
5a04f4fd68.

Previously reverted changes:

>    Revert "[SAB] Move Atomics builtins to C++"
>
>     This reverts commit 2b9840d86f.
>
>     Revert "[SAB] Remove unreachable Uint8Clamped atomics paths"
>
>     This reverts commit d1160fb14f.
>
>     Revert "Remove tiny unit test for MinSimple/MaxSimple"
>
>     This reverts commit 837760ecb7.
>
>     Revert "Remove infrastructure for experimental JS natives"
>
>     This reverts commit 8cfe45b6f1.

These changes were reverted to improve a perf regression on a Chrome
bot. Since then, the regression has reappeared, then disappeared again
all from seemingly unrelated changes.

BUG=v8:6033
TBR=adamk@chromium.org,hpayer@chromium.org,yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2732213005
Cr-Commit-Position: refs/heads/master@{#43758}
2017-03-13 20:59:15 +00:00
Peter Marshall
06fef85bdd [builtins] Port TypedArrayConstructByArrayBuffer to CodeStubAssembler.
Part of the performance and refactoring work to move the TypedArray
constructors into CSA. This CL moves ConstructByArrayBuffer from JS
to CSA.

BUG=v8:5977

Change-Id: I0a200e6b3f6261ea2372ea9c3d3ca98e313cf2c5
Reviewed-on: https://chromium-review.googlesource.com/451620
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43747}
2017-03-13 14:04:37 +00:00
Ilija.Pavlovic
d9bcc067ca [turbofan] Fix regress-694088.js for big endian.
Test regress-694088.js is adapted for execution on big endian platforms.

TEST=test/mjsunit/compiler/regress-694088.js
BUG=

Review-Url: https://codereview.chromium.org/2739403002
Cr-Commit-Position: refs/heads/master@{#43746}
2017-03-13 12:59:48 +00:00
Michael Achenbach
384fe54e02 [test] Mark slow msan tests
TBR=mstarzinger@chromium.org,rmcilroy@chromium.org
NOTRY=true

Change-Id: I355953b0b24a64e3c5e1a43cdeaa8ec2650b0988
Reviewed-on: https://chromium-review.googlesource.com/453459
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43737}
2017-03-13 08:17:54 +00:00
bmeurer
9bee8f1065 [turbofan] Fix lowering of Number.isNaN().
BUG=v8:6082
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2743183003
Cr-Commit-Position: refs/heads/master@{#43735}
2017-03-13 07:00:59 +00:00
Michael Starzinger
f2ad990f41 Fix bogus implication from --turbo to --crankshaft.
Now that the --turbo flag is on by default, this implication makes it
impossible to disable the runtime profiler to prevent functions from
being considered hot. Essentially the --nocrankshaft flag was borked.

R=machenbach@chromium.org

Change-Id: I698008b4b69038e8bfab6d8ec3ccf57e2fd71701
Reviewed-on: https://chromium-review.googlesource.com/452619
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43720}
2017-03-10 11:37:24 +00:00
Camillo Bruni
53d67fe45d [tools] Show more entries in the ticks-processor
- lower the cutoff-threshold for bottom up graphs to 1%
- show all builtins/stubs/ics by default

R=jkummerow@chromium.org

Change-Id: I522173155b817ae20a37c40ecf411f2b55d82105
Reviewed-on: https://chromium-review.googlesource.com/452482
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43717}
2017-03-10 10:34:11 +00:00
bmeurer
18be5d7057 [turbofan] Revert invalid optimization of flooring division.
The optimization

  NumberFloor(NumberDivide(lhs, rhs))

to

  NumberToInt32(NumberDivide(lhs, rhs))

for potentially negative lhs is not valid, since Math.floor rounds
towards -infinity, whereas ToInt32 truncates.

BUG=chromium:699282
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2743673002
Cr-Commit-Position: refs/heads/master@{#43699}
2017-03-09 13:41:39 +00:00
Igor Sheludko
fa7b88fddd [json] Fix error reporting when parsing an internalized one-byte string.
BUG=chromium:686010

Change-Id: I7bd4ab48f90a1013132bf037fd352ab55747189c
Reviewed-on: https://chromium-review.googlesource.com/451377
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43691}
2017-03-09 12:28:17 +00:00
yangguo
f2408624c9 [json] use OrderedHashSet for replacer property list.
R=ishell@chromium.org
BUG=v8:6071

Review-Url: https://codereview.chromium.org/2740073002
Cr-Commit-Position: refs/heads/master@{#43690}
2017-03-09 12:27:46 +00:00
jgruber
5002a4a961 [regexp] Properly flatten string during initialization
This fixes an incorrect usage of String::Flatten in EscapeRegExpSource.

It also adds %ConstructConsString (to easily and reliably construct cons
strings in tests) and Factory::NewConsString (to enable guaranteed cons
string construction without preemptive flattening attempts).

BUG=chromium:698790

Review-Url: https://codereview.chromium.org/2736383003
Cr-Commit-Position: refs/heads/master@{#43686}
2017-03-09 12:25:19 +00:00
Michael Starzinger
fb887b8192 [zone] Fix propagation of OOM in Zone::NewSegment.
This fixes various allocator methods to properly propagate {nullptr} to
callers without accidentally dereferencing it. We also disable one test
case for stress mode as it runs out of memory due to inlining limits
being lifted in the stress mode.

R=bmeurer@chromium.org
TEST=mjsunit/array-natives-elements
BUG=v8:6061

Change-Id: Id0a7b826a8612d00b4f4ae8aa0bea011c50890ca
Reviewed-on: https://chromium-review.googlesource.com/451365
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43672}
2017-03-08 13:26:55 +00:00
bmeurer
6560707945 [ia32] Fix invalid DCHECK on cmpw with immediate.
The immediate passed to cmpw can be either a signed 16-bit or an
unsigned 16-bit integer, but the DCHECK was testing for signed 16-bit
values only.

R=mstarzinger@chromium.org
BUG=v8:6063

Review-Url: https://codereview.chromium.org/2735363002
Cr-Commit-Position: refs/heads/master@{#43671}
2017-03-08 13:04:45 +00:00
cwhan.tunz
5fc1bd5b32 [typedarrays] check byte offset for fast typedarray sort
BUG=v8:5953

Review-Url: https://codereview.chromium.org/2733393002
Cr-Commit-Position: refs/heads/master@{#43666}
2017-03-08 12:01:19 +00:00
Ross McIlroy
f774d8c56f [Flags] Add negation implications for --turbo negative so --no-turbo works.
Once we enabled --turbo by default we need to turn all the implications
off with --no-turbo as well. Chrome sets flags in V8 using SetFlagFromString,
which enforces the implications each time it is called. Therefore, if --turbo
is enabled by default, and an unrelated flag is set, the turbo implications are
enabled but not later disabled if we set --no-turbo. To fix this, add negative
implications as well.

BUG=chromium:692409

Change-Id: Iadb0ca542f49ba65c7419cda8c7a03636a8d5ba9
Reviewed-on: https://chromium-review.googlesource.com/451320
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43655}
2017-03-07 20:41:12 +00:00
mvstanton
15bed19495 Adjust some tests to prepare enabling Ignition+TurboFan
BUG=v8:5267, chromium:692409

Review-Url: https://codereview.chromium.org/2720713003
Cr-Commit-Position: refs/heads/master@{#43638}
2017-03-07 13:27:55 +00:00
Peter Marshall
ead3656cbd [builtins] Port TypedArrayConstructByLength to CodeStubAssembler.
Part of the performance and refactoring work to move the TypedArray
constructors into CSA. This CL moves ConstructByLength from JS
to CSA.

There are still other callers to typed_array_initialize in
typedarray.js, so we share the implementation using DoInitialize.

In a later CL we can split apart DoInitialize once we have more
TA constructors written in CSA, so that we can reuse specific
parts more easily.

BUG=v8:5977

Change-Id: Ia51e8363970e9a025a82933e56a7baaf82cb1eec
Reviewed-on: https://chromium-review.googlesource.com/448220
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43626}
2017-03-07 09:15:17 +00:00
Clemens Hammacher
7d8a3028dd [wasm] Fix code specialization for empty memory buffer
From asm.js code we might get an empty ArrayBuffer as heap memory. In
this case, both the old memory start and the new memory start will be
nullptr. The size however has to be patched from default_size to 0.

This CL changes code specialization to be able to either patch memory
references, or patch memory sizes or both.

R=titzer@chromium.org, ahaas@chromium.org
BUG=chromium:698587

Change-Id: I4d9d811d75cb83842f23df317e8e7fc02aeb5146
Reviewed-on: https://chromium-review.googlesource.com/450257
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43613}
2017-03-06 13:39:54 +00:00
bmeurer
1e4a2725b8 [turbofan] Teach escape analysis about ObjectIsNaN.
BUG=chromium:698607
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2735633003
Cr-Commit-Position: refs/heads/master@{#43612}
2017-03-06 12:55:28 +00:00
jarin
fe704477d6 [deoptimizer] When deoptimizing code, unlink all functions referring to that code.
Drive by: remove two unused methods in optimized code visitor.

Review-Url: https://codereview.chromium.org/2730323002
Cr-Commit-Position: refs/heads/master@{#43611}
2017-03-06 12:22:05 +00:00
jarin
fcce4797bc [profiler] Graphical front-end for tick processor.
Improvements:
- top-down call tree.
- interactive restriction to time interval.

Review-Url: https://codereview.chromium.org/2696903002
Cr-Commit-Position: refs/heads/master@{#43599}
2017-03-04 13:04:58 +00:00
bakkot
baa74e89b6 [parser] Correctly handle invalid escapes in adjacent template tokens.
A previous patch lifting the restriction on invalid escape sequences in
tagged templates had a bug when two template tokens appeared immediately
adject to each other. This moves invalid escape information from the
tokenizer state proper into the TokenDesc, preventing the overwriting
which caused this issue.

Previous CL is at
https://codereview.chromium.org/2665513002

BUG=v8:6029,v8:5546

Review-Url: https://codereview.chromium.org/2724003006
Cr-Commit-Position: refs/heads/master@{#43596}
2017-03-03 22:08:57 +00:00
Peter Marshall
5f79c9231a [builtins] Ensure length is within Smi range in TypedArray constructor.
The callsite in ConstructByArrayBuffer could have a length that is
above Smi range if the buffer had such a length. Check this before
calling. Add a test too.

BUG=v8:5977, chromium:698201

Change-Id: Ic22046a31607f1f85642c8caf7f5ed064edb3110
Reviewed-on: https://chromium-review.googlesource.com/449813
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43589}
2017-03-03 14:42:34 +00:00
tebbi
e61ff99104 [turbofan] compute arguments length in deoptimizer
Following the design of https://codereview.chromium.org/2692753004, also compute the arguments length in the deoptimizer sucht that it does not have to be computed in optimized code.

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2729163002
Cr-Commit-Position: refs/heads/master@{#43587}
2017-03-03 13:43:40 +00:00
Peter Marshall
1a6487fd65 Fix incorrect side-effect ordering in TypedArray constructor.
We should throw a RangeError for offset % elementSize before
length.toPrimitive is observable. Adds a test that checks this, too.

BUG=v8:6037

Change-Id: Ie9f2551c8e8fb0018b508762ac93cdc470e15dde
Reviewed-on: https://chromium-review.googlesource.com/449792
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43582}
2017-03-03 12:34:55 +00:00
bmeurer
de52562d8e [turbofan] Introduce dedicated ObjectIsNaN operator.
We can compile a !== a and Number.isNaN(a) to ObjectIsNaN. The former is
commonly used to check for NaN, i.e. in case of equals in AngularJS.

R=jarin@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2722483003
Cr-Commit-Position: refs/heads/master@{#43572}
2017-03-03 09:08:14 +00:00
Adam Klein
fb16583179 Retain source order when hoisting sloppy block functions
This involved adding a count_ member to SloppyBlockFunctionMap, so
to avoid making DeclarationScope larger, this patch makes the
creation of the map lazy, thus reducing the size of DeclarationScope
by several words in the process.

BUG=chromium:688567

Change-Id: If9a9eb2ccc01690fe10edadb3aa9625454ff4a19
Reviewed-on: https://chromium-review.googlesource.com/448701
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43558}
2017-03-02 21:06:00 +00:00
Peter Marshall
ff8b1abb1a [builtins] Reland of Port TypedArrayInitialize to CodeStubAssembler.
Turbofan is a lot slower than Crankshaft at constructing TypedArrays,
because we always go to the C++ builtin. Port the builtin to CSA
to improve performance, and to clean up the implementation, which is
split across multiple files and pieces at the moment.

This CL increases the performance with --future to roughly the same
as with crankshaft.

BUG=v8:5977

Change-Id: Id0d91a4592de41a3a308846d79bd44a608931762
Reviewed-on: https://chromium-review.googlesource.com/448537
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43548}
2017-03-02 14:31:18 +00:00
Peter Marshall
a8e15e8fc5 Revert "[builtins] Port TypedArrayInitialize to CodeStubAssembler."
This reverts commit b23b2c107b.

Reason for revert: Makes Linux debug bot sad

Original change's description:
> [builtins] Port TypedArrayInitialize to CodeStubAssembler.
> 
> Turbofan is a lot slower than Crankshaft at constructing TypedArrays,
> because we always go to the C++ builtin. Port the builtin to CSA
> to improve performance, and to clean up the implementation, which is
> split across multiple files and pieces at the moment.
> 
> This CL increases the performance with --future to roughly the same
> as with crankshaft.
> 
> BUG=v8:5977
> 
> Change-Id: I5a4c4b544a735a56290b85bf33c2f3718df7e2b8
> Reviewed-on: https://chromium-review.googlesource.com/445717
> Commit-Queue: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#43518}

TBR=cbruni@chromium.org,petermarshall@chromium.org,bmeurer@chromium.org,v8-reviews@googlegroups.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5977

Change-Id: I5d5bc8b4677a405c716d78e688af80ae9c737b4a
Reviewed-on: https://chromium-review.googlesource.com/448558
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43520}
2017-03-01 15:55:51 +00:00
Peter Marshall
b23b2c107b [builtins] Port TypedArrayInitialize to CodeStubAssembler.
Turbofan is a lot slower than Crankshaft at constructing TypedArrays,
because we always go to the C++ builtin. Port the builtin to CSA
to improve performance, and to clean up the implementation, which is
split across multiple files and pieces at the moment.

This CL increases the performance with --future to roughly the same
as with crankshaft.

BUG=v8:5977

Change-Id: I5a4c4b544a735a56290b85bf33c2f3718df7e2b8
Reviewed-on: https://chromium-review.googlesource.com/445717
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43518}
2017-03-01 14:28:23 +00:00
Michael Starzinger
6ec735e08b [compiler] Fix {UseTurboFan} for disabled optimization.
This fixes a corner-case in the above predicate that was introduced to
allow fully disabling optimization using %NeverOptimizeFunction. This
property of a function is a transient property (i.e. changes over time),
whereas {UseTurboFan} is designed to be a static property (i.e. gives
same answer over time). Violating this led to cases where functions got
optimization disabled for other reasons would suddenly be baselined.
The correct place to check transient properties is when optimization is
requested.

R=jarin@chromium.org
TEST=mjsunit/never-baseline

Change-Id: I37eb0c70d2b39704be29fd4bda76975bfbede66b
Reviewed-on: https://chromium-review.googlesource.com/447937
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43514}
2017-03-01 12:53:59 +00:00
Andreas Haas
c77622318d [runtime] Fix flattening of ConsStrings with empty first parts.
String::SlowFlatten assumed that ConsStrings with empty first parts have
flattened strings as their second part. TurboFan, however, can create
ConsStrings with empty first parts and arbitrary second parts. With
this CL we call String::Flatten on the second part of a ConsString if
the first part is empty, but only when String::Flatten would not call
String::SlowFlatten.

R=jkummerow@chromium.org

BUG=chromium:696651

Change-Id: I9acb681de1be695e1ec2f6f6d28b9e4dc4344e98
Reviewed-on: https://chromium-review.googlesource.com/448457
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43513}
2017-03-01 12:50:32 +00:00
Igor Sheludko
e003d21d4a [runtime] Properly handle null constructor case when feeding back normalization.
BUG=chromium:697017

Change-Id: Ibb7165387a983987dcd04be330591b6bb70ff991
Reviewed-on: https://chromium-review.googlesource.com/448217
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43507}
2017-03-01 10:02:14 +00:00
Georg Neis
78d9d5b51a [ast] Fix bug in deserialization of catch scopes.
The maybe-assigned flag of the catch variable was not preserved.

BUG=v8:5636,chromium:696332

Change-Id: I9c55e1b1312bdebc53bc45bc3ca1c982bdbe9846
Reviewed-on: https://chromium-review.googlesource.com/447680
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43506}
2017-03-01 08:45:46 +00:00
Georg Neis
1c578f2477 Fix completion value of class declarations.
BUG=v8:6022

Change-Id: I54205cb3ecc2dd31ed62e55726f0ec5fcd202c30
Reviewed-on: https://chromium-review.googlesource.com/446349
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43500}
2017-02-28 19:36:45 +00:00
Adam Klein
fc023664bd Accurately record eval calls in arrow parameter lists
Previously, we over-approximated Scope::scope_calls_eval_ in
arrow functions: if either the outer scope or the arrow function
parameters had a direct eval call, we marked both scopes as calling
eval. This over-approximation kept getting us into trouble, though,
especially when eager or lazy parsing would disagree about the
"calls eval" bit.

This patch instead tracks eval calls accurately, using a boolean on
Scope::Snapshot that is reset as appropriately depending on whether
a particular AssignmentExpression turned out to be an arrow parameter
list or not.

BUG=chromium:691687

Change-Id: I527dc59b4d32a2797805ff26dc9f70b1311377b2
Reviewed-on: https://chromium-review.googlesource.com/446094
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43499}
2017-02-28 19:15:09 +00:00
Georg Neis
59c9e6ff69 [modules] Fix bug in Module::Instantiate.
The order in which things were done wasn't quite correct and lead
to wrong behaviour for certain circular module graphs.

BUG=v8:1569,chromium:694566

Change-Id: I291186e261268c853a30ad891ff362904e0b28ef
Reviewed-on: https://chromium-review.googlesource.com/447399
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43497}
2017-02-28 19:00:58 +00:00
yangguo
a813525a07 [regexp] fix /\W/ui wrt \u017f and \u212a.
R=jgruber@chromium.org
BUG=v8:5080

Review-Url: https://codereview.chromium.org/2725583002
Cr-Commit-Position: refs/heads/master@{#43496}
2017-02-28 18:28:42 +00:00
Igor Sheludko
1c7f83980e [runtime] Mark old JSGlobalProxy's map as unstable when an iframe navigates away.
This CL also introduces Realm.navigate(i).

BUG=chromium:683667

Change-Id: I9227292ea3a575f34367e82fc6297d234d3eecae
Reviewed-on: https://chromium-review.googlesource.com/447638
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43494}
2017-02-28 17:05:51 +00:00
mvstanton
bfa425cc08 Remove shared-function-tier-up-default.js
It tests a pipeline configuration we are removing.

BUG=v8:5778

Review-Url: https://codereview.chromium.org/2715153005
Cr-Commit-Position: refs/heads/master@{#43491}
2017-02-28 15:31:08 +00:00
yangguo
a5dfa06213 [unibrow] remove mongolian vowel separator as white space.
Unibrow is currently at Unicode version 7.0.0, which does not
include mongolian vowel separator (\u180E) as white space. In
order to appease test262 at the time however we kept it as a
whitespace.

Test262 has since then been updated. And while this is not an
update of unibrow, we are removing \u180E as white space here.

R=jshin@chromium.org, littledan@chromium.org
BUG=v8:5155

Review-Url: https://codereview.chromium.org/2720953003
Cr-Commit-Position: refs/heads/master@{#43485}
2017-02-28 13:42:29 +00:00
Michael Starzinger
09a07038f2 [turbofan] Fix lowering of %_GetSuperConstructor intrinsic.
The above intrinsic by now has to perform a check whether the prototype
of a derived constructor is actually a constructor function itself. This
is done as part of the {JSGetConstructorCall} operator. The intrinsic
should just reduce down to the operator to maintain correct semantics.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-696622
BUG=chromium:696622

Change-Id: Ia19c188f17ad16b12248db1f01a01b8d7258499b
Reviewed-on: https://chromium-review.googlesource.com/447716
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43479}
2017-02-28 12:47:37 +00:00
tebbi
9881b6c740 [turbofan] extend escape analysis to reduce CheckMaps
R=bmeurer@chromium.org

BUG=

Review-Url: https://codereview.chromium.org/2680973013
Cr-Original-Commit-Position: refs/heads/master@{#43163}
Committed: f01c8a6e4b
Review-Url: https://codereview.chromium.org/2680973013
Cr-Commit-Position: refs/heads/master@{#43478}
2017-02-28 12:44:01 +00:00
jarin
3c36aacc87 [turbofan] Fix handling of typed array loads in load elimination.
BUG=chromium:694088

Review-Url: https://codereview.chromium.org/2725593002
Cr-Commit-Position: refs/heads/master@{#43477}
2017-02-28 12:20:19 +00:00
tebbi
7467f16d73 [turbofan] escape analysis supports arguments object and rest elements
The new NewUnmappedArgumentsElements node now takes two inputs:
- the frame holding the arguments (current frame or arguments adaptor frame)
- the length of the suffix of passed arguments to be copied into the backing store

These inputs are computed with two new node types:
ArgumentsFrame()
ArgumentsLength[formal_parameter_count,is_rest_length](Node* arguments_frame)
The node type NewRestParameterElements can now be expressed with NewUnmappedArgumentsElements and an appropriate length and is thus not needed anymore.

In escape analysis, we lower loads from the length field of NewUnmappedArgumentsElements with its length input and if we find out that no write access to the arguments elements exists, we replace element loads with direct stack access and replace the NewUnmappedArgumentsElements node with a node of the new node type ArgumentsElementsState. This corresponds to an ObjectState node and gets translated into a deoptimizer instruction to allocate the backing store. Together with the already existing deoptimizer support for the actual arguments object/rest parameters, this allows to remove all allocations for arguments objects/rest parameters in this case.
In the deoptimizer, we read the actual parameters from the stack while transforming the static deopt info into TranslatedValue objects.

If escape analysis cannot remove the backing store allocation, NewUnmappedArgumentsElements gets lo

BUG=v8:5726

Review-Url: https://codereview.chromium.org/2692753004
Cr-Commit-Position: refs/heads/master@{#43475}
2017-02-28 11:16:27 +00:00
Michael Starzinger
4d7e7acdf2 Fix test to not teach ClusterFuzz ugly tricks.
R=bradnelson@chromium.org
TEST=mjsunit/wasm/asm-with-wasm-off
BUG=chromium:696655

Change-Id: I9375d8ac2f111009233dc480529fd0f0e00fe811
Reviewed-on: https://chromium-review.googlesource.com/447398
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43472}
2017-02-28 10:25:50 +00:00
binji
5a04f4fd68 This is a speculative chain of reverts to improve a Chrome
perf regression. See crbug.com/695653 for more info.

Revert "[SAB] Move Atomics builtins to C++"

This reverts commit 2b9840d86f.

Revert "[SAB] Remove unreachable Uint8Clamped atomics paths"

This reverts commit d1160fb14f.

Revert "Remove tiny unit test for MinSimple/MaxSimple"

This reverts commit 837760ecb7.

Revert "Remove infrastructure for experimental JS natives"

This reverts commit 8cfe45b6f1.

BUG=695653
TBR=hablich@chromium.org

Review-Url: https://codereview.chromium.org/2715223003
Cr-Commit-Position: refs/heads/master@{#43462}
2017-02-27 22:26:27 +00:00
Eric Holk
f348e573c0 [wasm] Update JS API tests to version 1
BUG= https://bugs.chromium.org/p/chromium/issues/detail?id=694954

Change-Id: I07d7eeccca716028e1151db3df7ebee81d4a9ef2
Reviewed-on: https://chromium-review.googlesource.com/446707
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43460}
2017-02-27 21:27:09 +00:00
Toon Verwaest
0e21a147db [runtime] Feed back normalization to constructors (behind flag)
When an instance of a constructor goes dictionary mode, this changes the initial map
of that constructor to also be in dictionary mode. This avoids spurious hidden class
creation, that also results in IC misses.

BUG=

Change-Id: I0e70f822ac345d0224f2092ec473621a603d4cc5
Reviewed-on: https://chromium-review.googlesource.com/446361
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43452}
2017-02-27 13:56:14 +00:00
Igor Sheludko
9760851789 [ic] KeyedStoreIC should use a slow stub when a prototype chain contains dictionary elements.
BUG=chromium:688734

Change-Id: If5dd370971cb02c4463fa20a489d0fa60b0423c4
Reviewed-on: https://chromium-review.googlesource.com/446845
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43451}
2017-02-27 13:41:11 +00:00
Choongwoo Han
cd3a76d56f [typedarrays] Fix Out of Bound Access in TypedArraySortFast
Compare function for std::sort should satisfy strict weak ordering
relation.

BUG=chromium:696251

Change-Id: I1c07e3bb1b012fd203bc059a21a75ae0fc61f5ac
Reviewed-on: https://chromium-review.googlesource.com/447036
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43446}
2017-02-27 11:41:25 +00:00
Yang Guo
e3ae7ad9c7 [regexp] fix regexp lookbehind with back reference on ARM.
BUG=chromium:695416

Change-Id: Ied3a389d0dfb0132c798bc85e10f7b1fd4432eb4
Reviewed-on: https://chromium-review.googlesource.com/446343
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43435}
2017-02-27 06:29:47 +00:00
caitp
0423341034 [async-iteration] implement Async-from-Sync Iterator
Introduce a new Object to allow GetIterator("async") to function when the
iterable does not have a Symbol.asyncIterator method.

This patch has been split out from https://codereview.chromium.org/2622833002/
and incorporates test cases.

BUG=v8:5855, v8:4483
R=jgruber@chromium.org, rmcilroy@chromium.org, neis@chromium.org
TBR=hpayer@chromium.org, bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2645313003
Cr-Commit-Position: refs/heads/master@{#43419}
2017-02-24 17:48:49 +00:00
neis
42ded33b5b [compiler] Speculate a little more in SpeculativeShiftRightLogical.
If the RHS is 0 and we have Smi feedback, speculate that the result (the LHS)
will continue to be in the Unsigned31 range.  This helps us avoid converting
the result to double when merging with Signed32.

R=jarin@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2709423002
Cr-Commit-Position: refs/heads/master@{#43415}
2017-02-24 14:39:38 +00:00
adamk
837760ecb7 Remove tiny unit test for MinSimple/MaxSimple
The source code of those functions is simple a ternary operator, and
the test seems to have been designed as a "regression" test for the
previous implementation (which used a macro, and thus evaluated its
arguments multiple times).

I don't think the test is worth the weight of supporting importing
JS natives from tests.

This patch removes the last test that depends on JS natives.

R=littledan@chromium.org

Review-Url: https://codereview.chromium.org/2711833002
Cr-Commit-Position: refs/heads/master@{#43394}
2017-02-23 18:19:16 +00:00
adamk
184e80a60d Remove a regression test that depended on utils.ImportNow()
The test itself was for an issue that's handled statically since
https://codereview.chromium.org/1302313013 (we were missing some
instance types in a switch statement).

This leaves us with only a single test that depends on the JS
native import system.

R=littledan@chromium.org

Review-Url: https://codereview.chromium.org/2707133005
Cr-Commit-Position: refs/heads/master@{#43393}
2017-02-23 17:31:51 +00:00
bakkot
18e4c46de5 [parser] Lift template literal invalid escape restriction
This implements the proposal at
https://github.com/tc39/proposal-template-literal-revision
staged behind a flag --harmony-template-escapes. The proposal allows
invalid octal, unicode, and hexadecimal escape sequences to appear in
tagged template literals, instead of being a syntax error. These have
a 'cooked' value of 'undefined', but are still accessible through the
'raw' property.

BUG=v8:5546

Review-Url: https://codereview.chromium.org/2665513002
Cr-Commit-Position: refs/heads/master@{#43384}
2017-02-22 21:20:32 +00:00
titzer
6a09a41622 [wasm] Remove support for experimental version 0xD.
R=mtrofin@chromium.org
BUG=chromium:575167,chromium:694657

Review-Url: https://codereview.chromium.org/2709753003
Cr-Original-Commit-Position: refs/heads/master@{#43368}
Committed: c8329253ea
Review-Url: https://codereview.chromium.org/2709753003
Cr-Commit-Position: refs/heads/master@{#43383}
2017-02-22 21:02:39 +00:00
Michael Starzinger
beb94c5e87 [turbofan] Fix Object.prototype.__proto__ getter reduction.
This fixes a corner-case where the call reduction of the aforementioned
getter did not simulate the {ToObject} conversion of the receiver value
as required by the spec. This caused the wrong prototype to be constant
promoted (i.e. {null} instead of wrapper object prototype).

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-694709
BUG=chromium:694709

Change-Id: Idf3a37071949d9ddaf5ef43974570c06fd31c0c9
Reviewed-on: https://chromium-review.googlesource.com/445818
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43376}
2017-02-22 15:07:49 +00:00
machenbach
5004748868 Revert of [wasm] Remove support for experimental version 0xD. (patchset #3 id:40001 of https://codereview.chromium.org/2709753003/ )
Reason for revert:
Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/13730

Original issue's description:
> [wasm] Remove support for experimental version 0xD.
>
> R=mtrofin@chromium.org
> BUG=chromium:575167,chromium:694657
>
> Review-Url: https://codereview.chromium.org/2709753003
> Cr-Commit-Position: refs/heads/master@{#43368}
> Committed: c8329253ea

TBR=ahaas@chromium.org,mtrofin@chromium.org,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:575167,chromium:694657

Review-Url: https://codereview.chromium.org/2706303004
Cr-Commit-Position: refs/heads/master@{#43373}
2017-02-22 13:59:23 +00:00
titzer
c8329253ea [wasm] Remove support for experimental version 0xD.
R=mtrofin@chromium.org
BUG=chromium:575167,chromium:694657

Review-Url: https://codereview.chromium.org/2709753003
Cr-Commit-Position: refs/heads/master@{#43368}
2017-02-22 12:06:09 +00:00
yangguo
901c29eb1c [inspector] extend protocol for code coverage.
R=jgruber@chromium.org, kozyatinskiy@chromium.org, pfeldman@chromium.org
BUG=v8:5808

Review-Url: https://codereview.chromium.org/2700743002
Cr-Commit-Position: refs/heads/master@{#43363}
2017-02-22 10:21:57 +00:00
Caitlin Potter
4cd8a8b784 [builtins] fix slow-path handling of -Infinity in ArrayIncludes
This is a speculative fix, but I believe it might work.

Idea is to keep `start_from` as a double while establishing an appropriate
index to begin iteration. This should keep -Infinity intact rather than
converting it to a positive high value, which would break the algorithm.
This is similar to what had been implemented on the fast path before it was
changed to send non-Smis to the slow path.

BUG=v8:5986
R=bmeurer@chromium.org, cbruni@chromium.org, machenbach@chromium.org, adamk@chromium.org

Change-Id: I9965fd2e75a8972f3f1c7a18e51bd580030a66ea
Reviewed-on: https://chromium-review.googlesource.com/445857
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43358}
2017-02-21 23:31:39 +00:00
clemensh
cc805e42af [wasm] Enforce module size limit early enough
The limit needs to be checked before casting the length to int in
ModuleWireBytes.

R=titzer@chromium.org
BUG=694433

Review-Url: https://codereview.chromium.org/2705233002
Cr-Commit-Position: refs/heads/master@{#43352}
2017-02-21 18:13:02 +00:00
Michael Starzinger
875ccb48ff [turbofan] Fix missing name check for keyed global load.
This fixes a missing name check for keyed property loads targeting the
global object where the feedback was warmed up with a single name. This
affects {JSLoadProperty} nodes only, syntactic global property loads via
the {JSLoadGlobal} operator are not affected.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-694416
BUG=chromium:694416

Change-Id: I54aa3f27eaa72630539f02602ec7642b04835b27
Reviewed-on: https://chromium-review.googlesource.com/445224
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43344}
2017-02-21 14:51:07 +00:00
mtrofin
b40d44ecc1 [wasm] Embedder can control what buffers wasm compilation works on.
Two controls, one for instantiation and one for compilation. They allow
the embedder (e.g. Chrome) check properties of the parameters of those
two operations, and decide if they are allowed to continue.

For example, Chrome may now decline compilation of certain size buffers,
in synchronous cases; same for instantiation (where the buffer size
refers to the size of the buffer containing wasm wire bytes)

BUG=v8:5981

Review-Url: https://codereview.chromium.org/2699843003
Cr-Original-Commit-Position: refs/heads/master@{#43295}
Committed: d9bc0ffb16
Review-Url: https://codereview.chromium.org/2699843003
Cr-Commit-Position: refs/heads/master@{#43336}
2017-02-21 03:43:14 +00:00
littledan
2b9840d86f [SAB] Move Atomics builtins to C++
This patch refactors the Atomics builtins so that they are implemented
as C++ builtins rather than experimental JS builtins. Previously, each
of these functions called out to a runtime function, so no significant
change in performance is anticipated. The goal of this patch is to
remove the last user of experimental JS builtins so that the mechanism
can be removed, for performance reasons. The patch includes a drive-by
fix of a check-fail. For the most part, the patch is just moving code
without modification from runtime-atomics.cc to
builtins-sharedarraybuffer.cc .

BUG=v8:5880

Review-Url: https://codereview.chromium.org/2698813004
Cr-Commit-Position: refs/heads/master@{#43335}
2017-02-20 22:08:52 +00:00
dusan.simicic
38affafd35 MIPS[64]: Skip float-constant-folding tests
qNaN and sNaN values have different binary representation on MIPS
compared to ARM/x86 architectures. We are skipping these tests because
we can't provide specific NaNs encodings from ARM/x86 architectures.

BUG=

Review-Url: https://codereview.chromium.org/2702213003
Cr-Commit-Position: refs/heads/master@{#43327}
2017-02-20 16:21:49 +00:00
Caitlin Potter
6746227291 [builtins] fix incorrect return value in ArrayIncludes
Take runtime path if startIndex parameter requires a ToInteger() call,
which can modify the elements kind of the receiver.

This removes a stub call from the builtin, and simplifies code slightly.

BUG=v8:5986
R=bmeurer@chromium.org, cbruni@chromium.org

Change-Id: Id238a81ab8ba28621858004b34d00a4356b8037f
Reviewed-on: https://chromium-review.googlesource.com/445006
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#43323}
2017-02-20 14:41:25 +00:00
jgruber
3acc00a017 [regexp] Fix smi receiver in stack accessors
info.This returns a Local<Object>, which results in a call to
Utils::OpenHandle<JSReceiver>.  Casting to a Local<Value> first uses the
correct OpenHandle<Object> overload.

BUG=chromium:693500

Review-Url: https://codereview.chromium.org/2706833002
Cr-Commit-Position: refs/heads/master@{#43314}
2017-02-20 11:48:10 +00:00
Igor Sheludko
c6b57edc04 [crankshaft][turbofan] Compilers' part of constant field tracking.
The constant field tracking is still disabled.

BUG=v8:5495

Change-Id: I543fe50b82e2255bbf200ea785ec53e3623e30cb
Reviewed-on: https://chromium-review.googlesource.com/440924
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43304}
2017-02-20 09:05:55 +00:00
hablich
1bbbfb42d5 Revert of [wasm] Embedder can control what buffers wasm compilation works on. (patchset #3 id:60001 of https://codereview.chromium.org/2699843003/ )
Reason for revert:
Introduces a new test failure/flake: https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/16427

Original issue's description:
> [wasm] Embedder can control what buffers wasm compilation works on.
>
> Two controls, one for instantiation and one for compilation. They allow
> the embedder (e.g. Chrome) check properties of the parameters of those
> two operations, and decide if they are allowed to continue.
>
> For example, Chrome may now decline compilation of certain size buffers,
> in synchronous cases; same for instantiation (where the buffer size
> refers to the size of the buffer containing wasm wire bytes)
>
> BUG=v8:5981
>
> Review-Url: https://codereview.chromium.org/2699843003
> Cr-Commit-Position: refs/heads/master@{#43295}
> Committed: d9bc0ffb16

TBR=bradnelson@chromium.org,titzer@chromium.org,mtrofin@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5981

Review-Url: https://codereview.chromium.org/2701413002
Cr-Commit-Position: refs/heads/master@{#43303}
2017-02-20 08:01:01 +00:00
Georg Neis
8686368321 [interpreter] When generating bytecode, properly track current scope.
The bytecode generator did not necessarily know for which scope, and
thus language mode, it was generating code, because it only tracked
scopes that have a context.  This led to wrong behavior in some
examples involving class expressions (which are always in strict
mode).

With this CL, the bytecode generator explicitly tracks the current
scope, independent of whether it has a context.

BUG=v8:5927

Change-Id: Ifa6b3ee5e13e07b63d00e74c7f557a328633c88b
Reviewed-on: https://chromium-review.googlesource.com/444785
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43300}
2017-02-19 13:08:19 +00:00
vabr
6302753e2f Fix typeof optimization for undetectable
Currently, typeof o, where o is an undetectable
callable object (such as document.all), returns 'function' if
optimised. It should, however, return 'undefined'.

This CL excludes undetectable objects from the optimization
resulting in type 'function' and renames the related code to
reflect that.

BUG=v8:5972
R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2697063002
Cr-Commit-Position: refs/heads/master@{#43298}
2017-02-18 12:43:37 +00:00
mtrofin
d9bc0ffb16 [wasm] Embedder can control what buffers wasm compilation works on.
Two controls, one for instantiation and one for compilation. They allow
the embedder (e.g. Chrome) check properties of the parameters of those
two operations, and decide if they are allowed to continue.

For example, Chrome may now decline compilation of certain size buffers,
in synchronous cases; same for instantiation (where the buffer size
refers to the size of the buffer containing wasm wire bytes)

BUG=v8:5981

Review-Url: https://codereview.chromium.org/2699843003
Cr-Commit-Position: refs/heads/master@{#43295}
2017-02-18 01:08:36 +00:00
gsathya
18ad0f13af [ESnext] Implement Promise.prototype.finally
Adds five new TF builtins for the spec defined functions/closures. This follows
mechanism similar to promise resolving functions approach where we store the
closure variables in a custom context.

Adds a new --harmony-promise-finally flag.

BUG=v8:5967

Review-Url: https://codereview.chromium.org/2695753002
Cr-Commit-Position: refs/heads/master@{#43294}
2017-02-17 22:10:28 +00:00
binji
4dfd5e5ee2 Make regress-crbug-514081 less flaky by having max serialization size
BUG=v8:5906
R=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2697723004
Cr-Commit-Position: refs/heads/master@{#43292}
2017-02-17 18:55:54 +00:00
Camillo Bruni
3a43be9b78 [elements] Check if the backing store has been neutered for indexOf
BUG=691323

Change-Id: I84f2c90355982567c421639e115745eadd5fcb21
Reviewed-on: https://chromium-review.googlesource.com/441964
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43279}
2017-02-17 12:49:21 +00:00
jwolfe
d1d4b9ce51 Implement new Function.prototype.toString --harmony-function-tostring
For functions declared in source code, the .toString() representation
will be an excerpt of the source code.
* For functions declared with the "function" keyword, the excerpt
  starts at the "function" or "async" keyword and ends at the final "}".
  The previous behavior would start the excerpt at the "(" of the
  parameter list, and prepend a canonical `"function " + name` or
  similar, which would discard comments and formatting surrounding the
  function's name. Anonymous functions declared as function expressions
  no longer get the name "anonymous" in their toString representation.
* For methods, the excerpt starts at the "get", "set", "*" (for
  generator methods), or property name, whichever comes first.
  Previously, the toString representation for methods would use a
  canonical prefix before the "(" of the parameter list. Note that any
  "static" keyword is omitted.
* For arrow functions and class declarations, the excerpt is unchanged.

For functions created with the Function, GeneratorFunction, or
AsyncFunction constructors:
* The string separating the parameter text and body text is now
  "\n) {\n", where previously it was "\n/*``*/) {\n" or ") {\n".
* At one point, newline normalization was required by the spec here,
  but that was removed from the spec, and so this CL does not do it.

Included in this CL is a fix for CreateDynamicFunction parsing. ')'
and '`' characters in the parameter string are no longer disallowed,
and Function("a=function(", "}){") is no longer allowed.

BUG=v8:4958, v8:4230

Review-Url: https://codereview.chromium.org/2156303002
Cr-Commit-Position: refs/heads/master@{#43262}
2017-02-16 20:19:24 +00:00
gsathya
7ee77b9be6 [mjsunit] Exit on hitting unreachable code instead of throwing
Errors are swallowed by promises, so just exit with stack trace.

Review-Url: https://codereview.chromium.org/2693383004
Cr-Commit-Position: refs/heads/master@{#43254}
2017-02-16 14:46:55 +00:00
mvstanton
ae8f28208f This is a workaround for the fact that %SetCode can "lose" the script for a js native. If the js native is re-initialized (for a Realm or something), then the source SharedFunctionInfo won't have a script anymore. Nonetheless, we may want to optimize the function. If we've compiled bytecode, then we can compile optimized code without a script.
Here, we carve out a special exception for this case, so that we can turn on the --mark-shared-functions-for-tier-up.

BUG=v8:5946
R=leszeks@chromium.org

Review-Url: https://codereview.chromium.org/2684033007
Cr-Original-Commit-Position: refs/heads/master@{#43240}
Committed: 4123a3dd79
Review-Url: https://codereview.chromium.org/2684033007
Cr-Commit-Position: refs/heads/master@{#43252}
2017-02-16 14:39:17 +00:00
rossberg
e2b83fbbfd [wasm] Inspect right control frames for unreachable flag
We were looking at the unreachable flag or stack_depth of the target frame
instead of the current one in a couple of places (most notably BreakTo).
This change fixes these bugs and makes us pass the latest spec tests for
br_table validation. Also need to ensure that br_table targets have consistent
types, which is not implied if the stack is polymorphic.

R=titzer@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2696813002
Cr-Commit-Position: refs/heads/master@{#43250}
2017-02-16 14:12:01 +00:00
Andreas Haas
5f1661aad7 [turbofan] For Word32Shl optimizations only consider the last 5 bits of the shift
One optimization in the machine-operator-reducer did not consider that
that word32 shift left instructions only consider the last 5 bits of
the shift input.

The issue only occurs for WebAssembly because in JavaScript we always
add a "& 0xf" on the shift value to the TurboFan graph.

For additional background: The JavaScript and WebAssembly spec both
say that only the last 5 bits of the shift value are used in the
word32-shift-left operation. This means that an "x << 0x29", in the
code is actually executed as "x << 0x09". Therefore the changes in
this CL are okay because they mask the last 5 bit of the shift value.

BUG=chromium:689450

Change-Id: Id92f298ed6d7f1714b109b3f4fbcecd5ac6d30f7
Reviewed-on: https://chromium-review.googlesource.com/439312
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43245}
2017-02-16 12:09:32 +00:00
machenbach
4d942ac741 Revert of Allow a ParseInfo without a script for %SetCode users (patchset #5 id:220001 of https://codereview.chromium.org/2684033007/ )
Reason for revert:
Please remove the file in status file too. Breaks presubmit:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20presubmit/builds/14754

Or lets call it post-submit :(

Original issue's description:
> This is a workaround for the fact that %SetCode can "lose" the script for a js native. If the js native is re-initialized (for a Realm or something), then the source SharedFunctionInfo won't have a script anymore. Nonetheless, we may want to optimize the function. If we've compiled bytecode, then we can compile optimized code without a script.
>
> Here, we carve out a special exception for this case, so that we can turn on the --mark-shared-functions-for-tier-up.
>
> BUG=v8:5946
> R=leszeks@chromium.org
>
> Review-Url: https://codereview.chromium.org/2684033007
> Cr-Commit-Position: refs/heads/master@{#43240}
> Committed: 4123a3dd79

TBR=leszeks@chromium.org,mstarzinger@chromium.org,marja@chromium.org,mvstanton@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5946

Review-Url: https://codereview.chromium.org/2703553002
Cr-Commit-Position: refs/heads/master@{#43242}
2017-02-16 10:39:58 +00:00
mvstanton
4123a3dd79 This is a workaround for the fact that %SetCode can "lose" the script for a js native. If the js native is re-initialized (for a Realm or something), then the source SharedFunctionInfo won't have a script anymore. Nonetheless, we may want to optimize the function. If we've compiled bytecode, then we can compile optimized code without a script.
Here, we carve out a special exception for this case, so that we can turn on the --mark-shared-functions-for-tier-up.

BUG=v8:5946
R=leszeks@chromium.org

Review-Url: https://codereview.chromium.org/2684033007
Cr-Commit-Position: refs/heads/master@{#43240}
2017-02-16 10:23:59 +00:00
littledan
d31c5410c4 [builtins] Apply ES2016 conditional default timezone semantics
ES2016 changed the default timezone of dates to be conditional on
whether a time is included. The semantics were a compromise approach
based on web compatibility feedback from V8, but until now, we have been
shipping ES5.1 default timezone semantics. This patch implements the
new semantics, following ChakraCore and SpiderMonkey (though JSC
implements V8's previous semantics).

BUG=chromium:589858

Review-Url: https://codereview.chromium.org/2648603002
Cr-Commit-Position: refs/heads/master@{#43239}
2017-02-16 10:02:01 +00:00
jgruber
c0fe56e63d [regexp] Correct lastIndex behavior in RegExp.prototype[@@replace]
@@replace has a pretty complex implementation, taking different paths
for various situations (e.g.: global/nonglobal regexp, functional/string
replace argument, etc.). Each of these paths must implement similar
logic for calling into the RegExpBuiltinExec spec operation, and many
paths get this subtly wrong.

This CL fixes a couple of issues related to the way @@replace handles lastIndex:
* All paths now respect lastIndex when calling into exec (some used to assume 0).
* lastIndex is now advanced after a successful match for sticky regexps.
* lastIndex is now only reset to 0 on failure for sticky regexps.

BUG=v8:5361

Review-Url: https://codereview.chromium.org/2685183003
Cr-Commit-Position: refs/heads/master@{#43234}
2017-02-16 09:21:37 +00:00
yangguo
c39123dd53 [debugger] implement inspector-facing API for code coverage.
The inspector uses V8's API handles and should not access
V8 internals. This change makes sure it can use the coverage
data in an encapsulated way.

R=jgruber@chromium.org, kozyatinskiy@chromium.org
BUG=v8:5808

Review-Url: https://codereview.chromium.org/2696163002
Cr-Commit-Position: refs/heads/master@{#43231}
2017-02-16 08:36:12 +00:00
caitp
76ab55e3d3 [async-iteration] add support for for-await-of loops in Async Functions
When --harmony-async-iteration is enabled, it is now possible to
use the for-await-of loop, which uses the Async Iteration protocol
rather than the ordinary ES6 Iteration protocol.

the Async-from-Sync Iterator object is not implemented in this CL,
and so for-await-of loops will abort execution if the iterated object
does not have a Symbol.asyncIterator() method. Async-from-Sync
Iterators are implemented seperately in https://codereview.chromium.org/2645313003/

BUG=v8:5855, v8:4483
R=neis@chromium.org, littledan@chromium.org, adamk@chromium.org

Review-Url: https://codereview.chromium.org/2637403008
Cr-Commit-Position: refs/heads/master@{#43224}
2017-02-15 19:39:06 +00:00
Peter Marshall
817e0358e3 [builtins] Convert the hole to undefined when pushing spread arguments.
The mips64 implementation always ended up in the slowpath due to some
loads that were the wrong width, so that is also fixed here.

BUG=v8:5974

Change-Id: Ie448a1fab5b7fca87597c5a1bf75443864e30c28
Reviewed-on: https://chromium-review.googlesource.com/443247
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43222}
2017-02-15 18:32:16 +00:00
caitp
dc302c74be Reland [typedarrays] move %TypedArray%.prototype.copyWithin to C++
- Removes shared InnerArrayCopyWithin JS builtin from src/js/array.js
- Implements %TypedArray%.prototype.copyWithin as a C++ builtin, which
relies on std::memmove rather than accessing individual eleements.
- Fixes the case where copyWithin is invoked on a TypedArray with a
detached buffer.
- Add tests to ensure that +/-Infinity (for all 3 parameters) is handled
  correctly by the
algorithm

The C++ version gets through the benchmark more than 25000 times as
quickly as the JS implementation.

BUG=v8:5925, v8:5929, v8:4648
R=cbruni@chromium.org, adamk@chromium.org, littledan@chromium.org

Review-Url: https://codereview.chromium.org/2697593002
Cr-Commit-Position: refs/heads/master@{#43213}
2017-02-15 14:21:18 +00:00
ishell@chromium.org
65f0e958f6 [runtime][tests] More *TypeFeedbackVector* -> *FeedbackVector* renamings.
BUG=

Change-Id: I859fef6b18e51cca80343a89e2b6f38eee95d408
Reviewed-on: https://chromium-review.googlesource.com/442428
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43206}
2017-02-15 08:53:51 +00:00
vabr
e3d761d94b ParserBase should accept ESCAPED_STRICT_RESERVED_WORD as an identifier
ParserBase::is_any_identifier currently does not recognise
Token::ESCAPED_STRICT_RESERVED_WORD as an identifier. This seems different
from what ParserBase::ParseIdentifierName does, and also prevents
"l\u0065t", unlike "let", from becoming a label.

This CL extends is_any_identifier to also accept ESCAPED_STRICT_RESERVED_WORD.

BUG=v8:5692

Review-Url: https://codereview.chromium.org/2695973003
Cr-Commit-Position: refs/heads/master@{#43204}
2017-02-15 02:35:12 +00:00
eholk
c7eabee422 [wasm] include JS conformance tests in Wasm mjsunit tests
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5507

Review-Url: https://codereview.chromium.org/2660903003
Cr-Original-Commit-Position: refs/heads/master@{#42821}
Committed: eb9b5edffb
Review-Url: https://codereview.chromium.org/2660903003
Cr-Commit-Position: refs/heads/master@{#43201}
2017-02-14 18:25:32 +00:00
Georg Neis
a68dcff45b [test] Add some more tests for async functions.
BUG=

Change-Id: I4a5db9bc045a63e710d0115523ab23b98e7c7ae6
Reviewed-on: https://chromium-review.googlesource.com/442504
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43189}
2017-02-14 14:49:45 +00:00
vabr
b478e9c11c Fix TypeError message for Reflect.construct
If the Reflect.construct receives an argument expected to be a constructor,
and the argument is not a constructor, V8 currently declares that
Reflect.construct is not a function. It should instead say that the offending
argument is not a constructor.

This is the case for all ports of builtins
(Builtins::Generate_ReflectConstruct). All of them make an
attempt to at least pass the right argument to the TypeError parametrised
message, calling out the offending Reflect.construct argument. However,
Runtime::kThrowCalledNonCallable extracts the callsite from those arguments,
discarding the precise information.

This CL adds Runtime::kNotConstructor, which reports the arguments passed
to it, and the CL also modifies the ports of builtins to make use of
Runtime::kNotConstructor

BUG=v8:5671

Review-Url: https://codereview.chromium.org/2688393003
Cr-Commit-Position: refs/heads/master@{#43182}
2017-02-14 11:21:34 +00:00
gsathya
a09157033b [tests] make the function expression, an iife to run the test
R=neis@chromium.org

Review-Url: https://codereview.chromium.org/2690163004
Cr-Commit-Position: refs/heads/master@{#43180}
2017-02-14 10:15:21 +00:00
clemensh
be1a5f7551 [asm] Fix lots of invalid asm.js tests
I identified lots of asm.js tests that are actually not valid according
to the spec, hence they execute in default-javascript-mode.
This CL fixes most of them by adding additional type annotations.

The atomic tests are totally non-spec-compliant by expecting a fourth
argument, and infinite-loops-taken expects a function-type parameter,
so I did not fix those.
I also did not fix the regression tests.

R=titzer@chromium.org, bradnelson@chromium.org
BUG=v8:4203

Review-Url: https://codereview.chromium.org/2663243002
Cr-Commit-Position: refs/heads/master@{#43179}
2017-02-14 09:26:52 +00:00
clemensh
0b287bd4ea [asm-wasm] Fix continue target of do-while loops
See associated bug: A continue if a do-while loop did jump back to the
loop header, instead of jumping to the condition.
This CL fixes this and adds a test case.

R=bradnelson@chromium.org, titzer@chromium.org
BUG=v8:5912

Review-Url: https://codereview.chromium.org/2693993002
Cr-Commit-Position: refs/heads/master@{#43178}
2017-02-14 08:57:35 +00:00
bbudge
deabb19abc Remove SIMD.js from V8.
LOG=Y
BUG=v8:4124,v8:5948
R=bradnelson@chromium.org,bmeurer@chromium.org,jochen@chromium.org,hpayer@chromium.org,danno@chromium.org

Review-Url: https://codereview.chromium.org/2684313003
Cr-Original-Original-Commit-Position: refs/heads/master@{#43162}
Committed: d170c57ab9
Review-Url: https://codereview.chromium.org/2684313003
Cr-Original-Commit-Position: refs/heads/master@{#43169}
Committed: a9b59a11f1
Review-Url: https://codereview.chromium.org/2684313003
Cr-Commit-Position: refs/heads/master@{#43176}
2017-02-14 06:57:25 +00:00
yangguo
033d3b577b [debugger] change coverage format to nested, with function name.
R=jgruber@chromium.org, kozyatinskiy@chromium.org
BUG=v8:5808

Review-Url: https://codereview.chromium.org/2694623003
Cr-Commit-Position: refs/heads/master@{#43175}
2017-02-14 06:47:58 +00:00
franzih
a386eb4f04 Revert of Remove SIMD.js from V8. (patchset #7 id:120001 of https://codereview.chromium.org/2684313003/ )
Reason for revert:
Breaks Node integration build.

Original issue's description:
> Remove SIMD.js from V8.
>
> LOG=Y
> BUG=v8:4124,v8:5948
> R=bradnelson@chromium.org,bmeurer@chromium.org,jochen@chromium.org,hpayer@chromium.org,danno@chromium.org
>
> Review-Url: https://codereview.chromium.org/2684313003
> Cr-Original-Commit-Position: refs/heads/master@{#43162}
> Committed: d170c57ab9
> Review-Url: https://codereview.chromium.org/2684313003
> Cr-Commit-Position: refs/heads/master@{#43169}
> Committed: a9b59a11f1

TBR=bradnelson@chromium.org,bmeurer@chromium.org,jochen@chromium.org,hpayer@chromium.org,danno@chromium.org,bradnelson@google.com,machenbach@chromium.org,bbudge@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4124,v8:5948

Review-Url: https://codereview.chromium.org/2695653005
Cr-Commit-Position: refs/heads/master@{#43170}
2017-02-13 21:33:46 +00:00
bbudge
a9b59a11f1 Remove SIMD.js from V8.
LOG=Y
BUG=v8:4124,v8:5948
R=bradnelson@chromium.org,bmeurer@chromium.org,jochen@chromium.org,hpayer@chromium.org,danno@chromium.org

Review-Url: https://codereview.chromium.org/2684313003
Cr-Original-Commit-Position: refs/heads/master@{#43162}
Committed: d170c57ab9
Review-Url: https://codereview.chromium.org/2684313003
Cr-Commit-Position: refs/heads/master@{#43169}
2017-02-13 20:43:08 +00:00
bradnelson
43fc15bb79 Revert of Remove SIMD.js from V8. (patchset #7 id:120001 of https://codereview.chromium.org/2684313003/ )
Reason for revert:
red

Original issue's description:
> Remove SIMD.js from V8.
>
> LOG=Y
> BUG=v8:4124,5948
> R=bradnelson@chromium.org,bmeurer@chromium.org,jochen@chromium.org,hpayer@chromium.org,danno@chromium.org
> (notry since trybots can't patch directory deletes)
> NOTRY=true
>
> Review-Url: https://codereview.chromium.org/2684313003
> Cr-Commit-Position: refs/heads/master@{#43162}
> Committed: d170c57ab9

TBR=bmeurer@chromium.org,jochen@chromium.org,hpayer@chromium.org,danno@chromium.org,bradnelson@google.com,bbudge@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4124,5948

Review-Url: https://codereview.chromium.org/2692933002
Cr-Commit-Position: refs/heads/master@{#43164}
2017-02-13 18:12:14 +00:00
bbudge
d170c57ab9 Remove SIMD.js from V8.
LOG=Y
BUG=v8:4124,5948
R=bradnelson@chromium.org,bmeurer@chromium.org,jochen@chromium.org,hpayer@chromium.org,danno@chromium.org
(notry since trybots can't patch directory deletes)
NOTRY=true

Review-Url: https://codereview.chromium.org/2684313003
Cr-Commit-Position: refs/heads/master@{#43162}
2017-02-13 15:59:22 +00:00
vabr
1dd803f9d3 Fix error message for invalid buffer offset
The constructor for TypedArray in js/typedarray.js emitted
kInvalidTypedArrayAlignment if the array offset exceeded the size of the
underlying buffer. This seems like a typo introduced in
https://codereview.chromium.org/2090353003.

The error message to be emitted instead coincides with the already existing
kInvalidDataViewOffset. The message string is independent of whether the
object in question is a DataView or a typed array, so this CL:
  (1) renames kInvalidDataViewOffset to just kInvalidOffset, and
  (2) uses kInvalidOffset instead of kInvalidTypedArrayAlignment for cases
      when the TypedArray is constructed with an offset exceeding the buffer
      size.

BUG=v8:5733
TEST=Run d8, execute "new Uint8Array(new ArrayBuffer(1),2)", see the error message mention the invalid offset 2.

Review-Url: https://codereview.chromium.org/2692753002
Cr-Commit-Position: refs/heads/master@{#43151}
2017-02-13 10:28:34 +00:00
vabr
e08f85fcfe Unify TypeError messages
This CL fixes some nits in TypeError messages, unifying the form of
kDefineDisallowed and kObjectNotExtensible to match what is used by the
majority of the other messages:
  * "Cannot" vs. "Can't" -> choose "Cannot"
  * "property:%" -> "property %"
  * omit the full-stop at the end of the message

BUG=v8:5673

Review-Url: https://codereview.chromium.org/2686233008
Cr-Commit-Position: refs/heads/master@{#43150}
2017-02-13 10:27:03 +00:00
Michael Starzinger
6ee0b6cec6 [turbofan] Correct lazy deopt by {JSCreate} operation.
This adds support for deoptimizing into the JSConstructStub after the
receiver instantiation but before the actual constructor invocation.
Such a deoptimization point is needed for cases where instantiation
might be observed (e.g. when new.target is a proxy) and hence might
trigger a deopt.

We use this new deoptimization point for the "after" frame-state the
inliner attaches to {JSCreate} nodes being inserted when constructor
calls are being inlined.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-5638b
BUG=v8:5638

Change-Id: I7c72c807ee8fb76d12e0e9ccab86d970ab1a0efd
Reviewed-on: https://chromium-review.googlesource.com/440125
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43149}
2017-02-13 10:14:54 +00:00
bmeurer
1a2362089c [es2015] Remove the @@hasInstance protector cell.
We cannot skip the @@hasInstance lookup in instanceof depending on a
global protector cell, as the lookup of the property is observable
via proxies or accessors. So remove the global protector and properly
implement CSA::InstanceOf via GetPropertyStub, with an appropriate
fast-path for Function.prototype[@@hasInstance] where we call the
builtin code object directly if the function matches, skipping all
the checks from the call sequence, and also avoid the redundant
ToBoolean conversion on the result.

R=yangguo@chromium.org
TBR=ulan@chromium.org
BUG=v8:5958

Review-Url: https://codereview.chromium.org/2684033012
Cr-Commit-Position: refs/heads/master@{#43137}
2017-02-13 07:16:27 +00:00
littledan
4530f0dc0c Revert of [typedarrays] move %TypedArray%.prototype.copyWithin to C++ (patchset #6 id:100001 of https://codereview.chromium.org/2671233002/ )
Reason for revert:
Due to security issue described in review thread.

Original issue's description:
> [typedarrays] move %TypedArray%.prototype.copyWithin to C++
>
> - Removes shared InnerArrayCopyWithin JS builtin from src/js/array.js
> - Implements %TypedArray%.prototype.copyWithin as a C++ builtin, which
> relies on std::memmove rather than accessing individual eleements.
> - Fixes the case where copyWithin is invoked on a TypedArray with a
> detached buffer.
> - Add tests to ensure that +/-Infinity (for all 3 parameters) is handled correctly by the
> algorithm
>
> The C++ version gets through the benchmark more than 25000 times as
> quickly as the JS implementation.
>
> BUG=v8:5925, v8:5929, v8:4648
> R=cbruni@chromium.org, adamk@chromium.org, littledan@chromium.org
>
> Review-Url: https://codereview.chromium.org/2671233002
> Cr-Commit-Position: refs/heads/master@{#42975}
> Committed: 0f1c626d55

TBR=cbruni@chromium.org,adamk@chromium.org,bmeurer@chromium.org,cwhan.tunz@gmail.com,caitp@igalia.com
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5925, v8:5929, v8:4648

Review-Url: https://codereview.chromium.org/2693753002
Cr-Commit-Position: refs/heads/master@{#43132}
2017-02-12 21:16:18 +00:00
cwhan.tunz
48dff523f7 Throw when a holey property is set in Array.sort
Do not allow that holey properties are defined in Array sort.
Throw a type error if the array is not extensible and there are holey
properties in the middle of the array.

BUG=v8:4888

Review-Url: https://codereview.chromium.org/2664173002
Cr-Commit-Position: refs/heads/master@{#43126}
2017-02-11 13:00:40 +00:00
caitp
39642fa2be [async-await] (simpler) fix for Return in try/finally in async functions
Alternative approach to https://codereview.chromium.org/2667983004/, which
does not depend on implicit control flow changes from
https://codereview.chromium.org/2664083002

- Remove handling for `async function` from Parser::RewriteReturn(). This functionality
is moved to BytecodeGenerator::BuildAsyncReturn(). This ensures that promise resolution
is deferred until all finally blocks are evaluated fully.

- Add a new deferred command (CMD_ASYNC_RETURN), which instructs ControlScope to
generate return code using BuildAsyncReturn rather than BuildReturn.

- Parser has a new `NewReturnStatement()` helper which determines what type of return
statement to generate based on the type of function.

BUG=v8:5896, v8:4483
R=littledan@chromium.org, neis@chromium.org, rmcilroy@chromium.org, adamk@chromium.org, gsathya@chromium.org

Review-Url: https://codereview.chromium.org/2685683002
Cr-Commit-Position: refs/heads/master@{#43104}
2017-02-10 14:38:58 +00:00
mstarzinger
6c12d57ead [crankshaft] Fix Smi overflow in {HMaybeGrowElements}.
This fixes the case where the index passed to {HMaybeGrowElements} used
to derive the new capacity for the elements backing store does not fit
into Smi range. Such an overflow would fail the capacity check and cause
growing to be skipped. Subsequent keyed stores would potentially go out
of bounds.

R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-686427
BUG=chromium:686427

Review-Url: https://codereview.chromium.org/2686263002
Cr-Commit-Position: refs/heads/master@{#43101}
2017-02-10 14:20:55 +00:00
yangguo
8422e25bb2 [debugger] add precise mode for code coverage.
Collecting precise invocation counts need to be explicitly
enabled. Once enabled, we disable optimization (optimized
code does not increment invocation count, and may inline
callees), and make sure feedback vectors interesting for
code coverage is not garbage-collected.

R=hpayer@chromium.org, jgruber@chromium.org
BUG=v8:5808

Review-Url: https://codereview.chromium.org/2686063002
Cr-Commit-Position: refs/heads/master@{#43082}
2017-02-10 08:21:03 +00:00
ishell
a4f4c74050 [runtime][ic] Constant field tracking support.
This CL includes runtime and IC parts of the tracking. It is controlled by
compile-time flag FLAG_constant_field_tracking and currently disabled.

Transition from kConst to kMutable still involves map deprecation.

BUG=v8:5495

Review-Url: https://codereview.chromium.org/2598543003
Cr-Commit-Position: refs/heads/master@{#43081}
2017-02-10 08:05:25 +00:00
yangguo
058d7ab7f4 [debugger] implement per-function code coverage.
Collect code coverage from the available invocation counts.
The granularity is at function level, and invocation counts may
be lost to GC.

Coverage::Collect returns a std::vector of Coverage::ScriptData.
Each ScriptData contains a script ID and a std::vector of
Coverage::RangeEntry.
Each RangeEntry consists of a end position and the invocation
count. The start position is implicit from the end position of
the previous RangeEntry, or 0 if it's the first RangeEntry.

R=jgruber@chromium.org
BUG=v8:5808

Review-Url: https://codereview.chromium.org/2689493002
Cr-Commit-Position: refs/heads/master@{#43072}
2017-02-09 19:00:49 +00:00
mstarzinger
eb5915b428 Fix test to not teach ClusterFuzz ugly tricks.
R=ishell@chromium.org
TEST=mjsunit/regress/regress-5902
BUG=chromium:688837

Review-Url: https://codereview.chromium.org/2682203003
Cr-Commit-Position: refs/heads/master@{#43068}
2017-02-09 16:46:06 +00:00
jgruber
b798b5212a [regexp] Update lastIndex semantics in RegExpBuiltinExec
Updated according to the recent spec change at
https://github.com/tc39/ecma262/pull/798.

BUG=v8:5949

Review-Url: https://codereview.chromium.org/2681323002
Cr-Commit-Position: refs/heads/master@{#43062}
2017-02-09 14:54:05 +00:00
jgruber
1d3317ff05 [regexp] Ensure IrregexpExecRaw is passed a flat string
BUG=v8:5943

Review-Url: https://codereview.chromium.org/2681123002
Cr-Commit-Position: refs/heads/master@{#43058}
2017-02-09 11:24:08 +00:00
titzer
fa7d1f8f75 [wasm] Accept version 0x1 binaries.
R=rossberg@chromium.org,bradnelson@chromium.org
BUG=chromium:575167, chromium:690281

Review-Url: https://codereview.chromium.org/2681993003
Cr-Commit-Position: refs/heads/master@{#43048}
2017-02-09 02:09:47 +00:00
Marja Hölttä
9b35d8f575 [parsing] Produce same Scopes in Parser and PreParser when the params are not simple.
E.g.,
{ function lazy_inner(b = somevar) { let somevar; } }

If we don't produce the same scopes, PreParser thinks that the unresolved
variable inside the default parameter resolves into the variable declared inside
the function. Thus, it's not correctly recorded as a free variable.

One part is already done by https://codereview.chromium.org/2638333002 . But at
the laziness boundary, we still produced different scopes.

Unlike previously thought, this is also needed for lazy inner function
correctness, not only for "preparser scope analysis" (ie., skipping inner
functions).

BUG=v8:5938

Change-Id: I047cd43ef16478bb0f18d1f114845e7d1ab8c5f2
Reviewed-on: https://chromium-review.googlesource.com/439345
Commit-Queue: Marja Hölttä <marja@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43044}
2017-02-08 17:14:30 +00:00
Peter Marshall
2237106ae2 [turbo] Reduce CallWithSpread where iteration is not observable.
Where the arguments have already been inlined, we can replace these
calls with a direct call. We have to make sure that the iteration over
the arguments is not observable.

Also factor out the large chunk of logic shared with
ReduceJSConstructWithSpread.

BUG=v8:5932

Change-Id: I6c4fac670028fbd8ca82c4474d4392231573bc49
Reviewed-on: https://chromium-review.googlesource.com/439329
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43039}
2017-02-08 14:17:59 +00:00
Jochen Eisinger
30224360c1 Cut down memory usage of array-functions-prototype-misc.js by 10x
It used to require >1GB of memory which leads to flaky test failures on
machines with less memory when executing multiple variants in parallel

R=cbruni@chromium.org,ulan@chromium.org
BUG=v8:5706

Change-Id: Id8c6f49cbfa51f2d443991c1493f225810efb18f
Reviewed-on: https://chromium-review.googlesource.com/439310
Commit-Queue: Camillo Bruni <cbruni@google.com>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43038}
2017-02-08 13:39:12 +00:00
Marja Hölttä
8cbe27e7ae [parser] Turn off FLAG_lazy_inner_functions.
(Minimal change to support easy backmerging.)

BUG=v8:5938

Change-Id: Icad35c90d9c2451cd63a4ab7e495d9b5252da693
Reviewed-on: https://chromium-review.googlesource.com/439170
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43031}
2017-02-08 10:39:31 +00:00
Andreas Haas
59bb18867a [x64] Consider both operands when emitting the REX prefix for testb.
The testb instruction requires the REX prefix when either of its
operands uses a register with the high bit set. The existing code only
considered the register operand. In the test case the REX prefix was not
emitted because the testb instruction had the register operand RAX which
does not have the high bit set. The REX prefix was necessary though
because the memory operand used R8, which has the high bit set.

R=bmeurer@chromium.org
BUG=chromium:688876

Change-Id: Ib214bebbe75965664f2aea530e29afa95a54f44f
Reviewed-on: https://chromium-review.googlesource.com/439145
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43030}
2017-02-08 10:27:45 +00:00
cbruni
029a145fdb [builtins] fix String.prototype.indexOf with negative indices
BUG=689078

Review-Url: https://codereview.chromium.org/2679173002
Cr-Commit-Position: refs/heads/master@{#43016}
2017-02-07 21:30:58 +00:00
hablich
5f9c89af70 Reland of [parsing] Fix maybe-assigned for loop variables. (patchset #1 id:1 of https://codereview.chromium.org/2679263002/ )
Reason for revert:
False alarm, bot hiccup

Original issue's description:
> Revert of [parsing] Fix maybe-assigned for loop variables. (patchset #3 id:40001 of https://codereview.chromium.org/2673403003/ )
>
> Reason for revert:
> Speculative revert because of https://codereview.chromium.org/2679163002/.
>
> Original issue's description:
> > [parsing] Fix maybe-assigned for loop variables.
> >
> > Due to hoisting, the value of a 'var'-declared variable may actually change even
> > if the code contains only the "initial" assignment, namely when that assignment
> > occurs inside a loop.  For example:
> >
> >   let i = 10;
> >   do { var x = i } while (i--):
> >
> > As a simple and very conservative approximation of this, we explicitly mark
> > as maybe-assigned any non-lexical variable whose "declaration" does not
> > syntactically occur in the function scope.  (In the example above, it
> > occurs in a block scope.)
> >
> > BUG=v8:5636
> >
> > Review-Url: https://codereview.chromium.org/2673403003
> > Cr-Commit-Position: refs/heads/master@{#42989}
> > Committed: a33fcd663b
>
> TBR=marja@chromium.org,adamk@chromium.org,neis@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:5636
>
> Review-Url: https://codereview.chromium.org/2679263002
> Cr-Commit-Position: refs/heads/master@{#43010}
> Committed: f3ae5ccf57

TBR=marja@chromium.org,adamk@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5636

Review-Url: https://codereview.chromium.org/2686663002
Cr-Commit-Position: refs/heads/master@{#43013}
2017-02-07 20:43:17 +00:00
hablich
96e4f6145b Reland of Thread maybe-assigned through the bytecodes. (patchset #1 id:1 of https://codereview.chromium.org/2680923003/ )
Reason for revert:
False alarm, bot hiccup

Original issue's description:
> Revert of Thread maybe-assigned through the bytecodes. (patchset #5 id:80001 of https://codereview.chromium.org/2655733003/ )
>
> Reason for revert:
> needed for properly reverting f3ae5ccf57
>
> Original issue's description:
> > Thread maybe-assigned through the bytecodes.
> >
> > This introduces LoadImmutableContextSlot and LoadImmutableCurrentContextSlot
> > bytecodes, which are emitted when reading from never-assigned context slot.
> >
> > There is a subtlety here: the slot are not immutable, the meaning is
> > actually undefined-or-hole-or-immutable.
> >
> > Review-Url: https://codereview.chromium.org/2655733003
> > Cr-Commit-Position: refs/heads/master@{#43000}
> > Committed: 17c2dd3886
>
> TBR=rmcilroy@chromium.org,bmeurer@chromium.org,neis@chromium.org,jarin@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
>
> Review-Url: https://codereview.chromium.org/2680923003
> Cr-Commit-Position: refs/heads/master@{#43011}
> Committed: ece4e54a31

TBR=rmcilroy@chromium.org,bmeurer@chromium.org,neis@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2679953003
Cr-Commit-Position: refs/heads/master@{#43012}
2017-02-07 20:42:03 +00:00
hablich
ece4e54a31 Revert of Thread maybe-assigned through the bytecodes. (patchset #5 id:80001 of https://codereview.chromium.org/2655733003/ )
Reason for revert:
needed for properly reverting f3ae5ccf57

Original issue's description:
> Thread maybe-assigned through the bytecodes.
>
> This introduces LoadImmutableContextSlot and LoadImmutableCurrentContextSlot
> bytecodes, which are emitted when reading from never-assigned context slot.
>
> There is a subtlety here: the slot are not immutable, the meaning is
> actually undefined-or-hole-or-immutable.
>
> Review-Url: https://codereview.chromium.org/2655733003
> Cr-Commit-Position: refs/heads/master@{#43000}
> Committed: 17c2dd3886

TBR=rmcilroy@chromium.org,bmeurer@chromium.org,neis@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2680923003
Cr-Commit-Position: refs/heads/master@{#43011}
2017-02-07 20:19:24 +00:00
hablich
f3ae5ccf57 Revert of [parsing] Fix maybe-assigned for loop variables. (patchset #3 id:40001 of https://codereview.chromium.org/2673403003/ )
Reason for revert:
Speculative revert because of https://codereview.chromium.org/2679163002/.

Original issue's description:
> [parsing] Fix maybe-assigned for loop variables.
>
> Due to hoisting, the value of a 'var'-declared variable may actually change even
> if the code contains only the "initial" assignment, namely when that assignment
> occurs inside a loop.  For example:
>
>   let i = 10;
>   do { var x = i } while (i--):
>
> As a simple and very conservative approximation of this, we explicitly mark
> as maybe-assigned any non-lexical variable whose "declaration" does not
> syntactically occur in the function scope.  (In the example above, it
> occurs in a block scope.)
>
> BUG=v8:5636
>
> Review-Url: https://codereview.chromium.org/2673403003
> Cr-Commit-Position: refs/heads/master@{#42989}
> Committed: a33fcd663b

TBR=marja@chromium.org,adamk@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5636

Review-Url: https://codereview.chromium.org/2679263002
Cr-Commit-Position: refs/heads/master@{#43010}
2017-02-07 19:40:24 +00:00