Reason for revert:
FAilure on win32 bot, need to investigate webkit failures.
Original issue's description:
> Type Feedback Vector lives in the closure
>
> We get less "pollution" of type feedback if we have one vector per native
> context, rather than one for the whole system. This CL moves the vector
> appropriately.
>
> We rely more heavily on the Optimized Code Map in the SharedFunctionInfo. The
> vector actually lives in the first slot of the literals array (indeed there is
> great commonality between those arrays, they can be thought of as the same
> thing). So we make greater effort to ensure there is a valid literals array
> after compilation.
>
> This meant, for performance reasons, that we needed to extend
> FastNewClosureStub to support creating closures with literals. And ultimately,
> it drove us to move the optimized code map lookup out of FastNewClosureStub
> and into the compile lazy builtin.
>
> The heap change is trivial so I TBR Hannes for it...
>
> TBR=hpayer@chromium.org
>
> BUG=
>
> Committed: https://crrev.com/a5200f7ed4d11c6b882fa667da7a1864226544b4
> Cr-Commit-Position: refs/heads/master@{#33518}
TBR=bmeurer@chromium.org,akos.palfi@imgtec.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review URL: https://codereview.chromium.org/1632993003
Cr-Commit-Position: refs/heads/master@{#33520}
We get less "pollution" of type feedback if we have one vector per native
context, rather than one for the whole system. This CL moves the vector
appropriately.
We rely more heavily on the Optimized Code Map in the SharedFunctionInfo. The
vector actually lives in the first slot of the literals array (indeed there is
great commonality between those arrays, they can be thought of as the same
thing). So we make greater effort to ensure there is a valid literals array
after compilation.
This meant, for performance reasons, that we needed to extend
FastNewClosureStub to support creating closures with literals. And ultimately,
it drove us to move the optimized code map lookup out of FastNewClosureStub
and into the compile lazy builtin.
The heap change is trivial so I TBR Hannes for it...
TBR=hpayer@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1563213002
Cr-Commit-Position: refs/heads/master@{#33518}
This increases the size of register operands to be 16-bit.
Not all bytecodes have wide register variants, so when they are
needed a register translator will copy them into a small area
reserved at the top of the 8-bit register range and these registers
are supplied as arguments to the bytecode with 8-bit operands.
This is non-intrusive for typical bytecode where the number of
registers is less than 120. For bytecodes with wide register
operands (above the window) their index needs to be translated
to avoid the reserved translation window.
Enables splay.js to run in Octane and a handful of mjsunit tests.
BUG=v8:4280,v8:4675
LOG=NO
Review URL: https://codereview.chromium.org/1613163002
Cr-Commit-Position: refs/heads/master@{#33516}
Rename IntepreterExceptionEntryHandler builtin to InterpreterEnterBytecodeDispatch
and use it as the return address when building interpreter frames during deopt.
This ensures that we restart execution of the outer frame at the correct
bytecode.
BUG=v8:4280,v8:4678
LOG=N
Review URL: https://codereview.chromium.org/1633633002
Cr-Commit-Position: refs/heads/master@{#33512}
Adds support for calling native function literals. Moves the logic for building
the native function's SharedFunctionInfo out of full-codegen into compiler.cc
to allow it to be shared between fullcodegen and Ignition.
BUG=v8:4686
LOG=N
Review URL: https://codereview.chromium.org/1635553002
Cr-Commit-Position: refs/heads/master@{#33510}
This fixes corner cases where the start offsets of exception handler
regions within the handler table fall together. This assumption was
based on full-codegen code and no longer holds with the interpreter.
The tables however are still well nested and code has been added to
verify that in debug mode.
R=rmcilroy@chromium.org
BUG=v8:4674
LOG=n
Review URL: https://codereview.chromium.org/1633573002
Cr-Commit-Position: refs/heads/master@{#33495}
The current support for try-catch in the interpreter can handle most of
the cases appearing in our test suite. Also the flag in question did not
detect try-finally constructs. This removes the flag and instead extends
the test expectations.
R=rmcilroy@chromium.org
BUG=v8:4674
LOG=n
Review URL: https://codereview.chromium.org/1631593003
Cr-Commit-Position: refs/heads/master@{#33494}
These tests have been disabled while support for try-finally was work in
progress. By now control flow is connected properly and the tests pass.
R=oth@chromium.org
BUG=v8:4674
LOG=n
Review URL: https://codereview.chromium.org/1626503002
Cr-Commit-Position: refs/heads/master@{#33474}
This implements a first prototype of stack unwinding for interpreted
frames. The unwinding machinery performs a range-based lookup in the
given handler table and potentially continues dispatching at the handler
offset. Note that this does not yet correctly restore the context to the
correct value when the handler is being entered.
R=rmcilroy@chromium.org,oth@chromium.org
BUG=v8:4674
LOG=n
Review URL: https://codereview.chromium.org/1605633003
Cr-Commit-Position: refs/heads/master@{#33414}
This is to fix some of the failing test262 tests with ignition flag.
In few test262 tests, there is a throw from the script scope. Rewriter::Rewrite
pass converts expression statements into assignment statements in script scope.
This causes interpreter to fail because assignment expression expects a result
in accumulator but throw statement does not return a value. To fix this, we
now mark that accumulator contains a value when visiting throw statement.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1523423003
Cr-Commit-Position: refs/heads/master@{#33408}
Now that we support eval in Ignition, remove the fallback for eval checks
and make the flag only fallback on catch blocks.
BUG=v8:4280,v8:4676
LOG=N
Review URL: https://codereview.chromium.org/1595223004
Cr-Commit-Position: refs/heads/master@{#33384}
VisitObjectLiteral has two parts. First it creates a literal and then
sets properties or accessor properties. Setting properties requires a
runtime call and it expects the literal object which was created in the
first part is contiguous with other registers it allocates. Since these
are allocated in a different scope they are not always contiguous.
This causes problems with mjsunit/setter-on-constructor-prototype.js.
This cl fixes by allocating contiguous registers in the inner scope.
Literal value is copied into the newly allocated register so that all
the required registers are always contiguous.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1588903002
Cr-Commit-Position: refs/heads/master@{#33371}
When derived constructors return a non-object (or not undefined) we
currently throw an exception directly in the callee context. This was
achieved by desugaring the return statement for derived classes. To
be spec compliamnt a separate ConstructStubForDerived is introduced.
Instead of trowing directly, the desugared return statement inside
a derived constructor only returns an integer to indicate an incompatible
result.
BUG=v8:4509
LOG=n
Review URL: https://codereview.chromium.org/1593553002
Cr-Commit-Position: refs/heads/master@{#33336}
This avoids generating different scopes on the two compilation passes, which
results in various delirious side-effects.
There's some cleanup to be done in lazy arrow function parsing, but I'd
rather do that in a separate patch, with this one targeted at fixing the
particular crash.
BUG=chromium:572589
LOG=n
Review URL: https://codereview.chromium.org/1575333004
Cr-Commit-Position: refs/heads/master@{#33311}
Split RegisterAllocationScope out of ExpressionResult and allocate one
for each statement. This ensures that we always have an outer register
allocation scope for statement code (used in CountOperation and
RegisterExecutionResult). Also refactored the register allocator code to
move it to it's own file and rename from TemporaryRegisterScope to
BytecodeRegisterAllocator.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1587033002
Cr-Commit-Position: refs/heads/master@{#33296}
Removes assignment hazard scope. Reverts back to the naive scheme of
allocating a temporary for every variable load. It was decided to revert it
because the current implementation does not handle logical expressions,
ternary operators, visiting objects in named/keyed loads. Also, we wanted
to evaluate alternate approaches and choose one when we have a mechanism
to measure performance.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1576403004
Cr-Commit-Position: refs/heads/master@{#33269}
This fixes a number of crashes where other code was assuming there would
be at least one deopt point in all optimized functions (i.e., the
StackCheck) but we weren't producing any.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1572333002
Cr-Commit-Position: refs/heads/master@{#33243}
This patch improves ArrayBuffer and TypedArray subclassing by adding
support for @@species and constructing outputs to certain methods
by creating an instance of the constructor determined by the
SpeciesConstructor algorithm, rather than fixed to a superclass or
naively the constructor. The new behavior is enabled by the
--harmony-species flag. Care is taken to not significantly change the
observable behavior when the flag is off. Previously, TypedArrays
already supported subclassing by reading the constructor of the
receiver, but ArrayBuffers did not, and this old behavior is
preserved and tested for, to avoid a multi-stage upgrade path and keep
things simple for users.
R=adamk
BUG=v8:4093
LOG=Y
Review URL: https://codereview.chromium.org/1574903004
Cr-Commit-Position: refs/heads/master@{#33223}
As V8 becomes more and more spec-compliant, Promise polyfill libraries
like core.js expect fully correct. However, our Promises do not yet
support Symbol.species. Therefore, a case like
```
var test = new Promise(function(){});
test.constructor = function(){};
Promise.resolve(test)
```
would lead to an unhandled Promise rejection, whereas it should not
because test.constructor[Symbol.species] is undefined, so test.then
should end up constructing %Promise% as a fallback, rather than
calling test.constructor as if it were a constructor, which leads
this error checking code to throw.
For now, this patch removes the error checking code (which was not
present until recently). In an interactive test using core.js, the
error message on the console goes away with this patch. When @@species
support is in place, this patch can be reverted. A regression test
is added which checks for the same thing.
Partially reverted patch was originally out for review at
https://codereview.chromium.org/1531073004
BUG=v8:4633
LOG=Y
R=adamk,caitp88@gmail.com
Review URL: https://codereview.chromium.org/1578893002
Cr-Commit-Position: refs/heads/master@{#33217}
Reason for revert:
Crash fixed by https://codereview.chromium.org/1564923007
Original issue's description:
> Revert of Ship ES2015 sloppy-mode function hoisting, let, class (patchset #7 id:120001 of https://codereview.chromium.org/1551443002/ )
>
> Reason for revert:
> Causes frequent crashes in Canary: chromium:537816
>
> Original issue's description:
> > Ship ES2015 sloppy-mode function hoisting, let, class
> >
> > This patch doesn't ship all features of ES2015 variable/scoping
> > changes, notably omitting the removal of legacy const. I think
> > function hoisting, let and class in sloppy mode can stand to
> > themselves as a package, and the legacy const change is much
> > riskier and more likely to be reverted, so my intention is to
> > pursue those as a separate, follow-on patch.
> >
> > R=adamk@chromium.org
> > BUG=v8:4285,v8:3305
> > LOG=Y
> > CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
> >
> > Committed: https://crrev.com/fcff8588a5a01587643d6c2507c7b882c78a2957
> > Cr-Commit-Position: refs/heads/master@{#33133}
>
> TBR=adamk@chromium.org
> # Not skipping CQ checks because original CL landed more than 1 days ago.
> BUG=v8:4285,v8:3305,chromium:537816
> LOG=Y
>
> Committed: https://crrev.com/adac5956c6216056a211cfaa460a00ac1500d8f8
> Cr-Commit-Position: refs/heads/master@{#33162}
TBR=adamk@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4285,v8:3305,chromium:537816
Review URL: https://codereview.chromium.org/1571793002
Cr-Commit-Position: refs/heads/master@{#33189}
Reason for revert:
Causes frequent crashes in Canary: chromium:537816
Original issue's description:
> Ship ES2015 sloppy-mode function hoisting, let, class
>
> This patch doesn't ship all features of ES2015 variable/scoping
> changes, notably omitting the removal of legacy const. I think
> function hoisting, let and class in sloppy mode can stand to
> themselves as a package, and the legacy const change is much
> riskier and more likely to be reverted, so my intention is to
> pursue those as a separate, follow-on patch.
>
> R=adamk@chromium.org
> BUG=v8:4285,v8:3305
> LOG=Y
> CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
>
> Committed: https://crrev.com/fcff8588a5a01587643d6c2507c7b882c78a2957
> Cr-Commit-Position: refs/heads/master@{#33133}
TBR=adamk@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:4285,v8:3305,chromium:537816
LOG=Y
Review URL: https://codereview.chromium.org/1565263002
Cr-Commit-Position: refs/heads/master@{#33162}
This patch implements @@species, guarded behind the --harmony-species
flag, on Arrays. Methods which return an Array will instead return
the appropriate instance based on the ArraySpeciesCreate algorithm.
The algorithm is implemented in C++ to get access to realm information
and to implement some Array methods in C++, but it is also accessed
from JavaScript through a new runtime function. A couple interactive
Octane runs show no performance regression with the flag turned off,
but turning --harmony-species on will surely have a significant
regression, as Array methods now heavily use ObjectDefineProperty.
BUG=v8:4093
LOG=Y
R=adamk,cbruni
Review URL: https://codereview.chromium.org/1560763002
Cr-Commit-Position: refs/heads/master@{#33144}
This patch doesn't ship all features of ES2015 variable/scoping
changes, notably omitting the removal of legacy const. I think
function hoisting, let and class in sloppy mode can stand to
themselves as a package, and the legacy const change is much
riskier and more likely to be reverted, so my intention is to
pursue those as a separate, follow-on patch.
R=adamk@chromium.org
BUG=v8:4285,v8:3305
LOG=Y
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1551443002
Cr-Commit-Position: refs/heads/master@{#33133}
Correctly validate promise capabilities in NewPromiseCapabilities() and in
GetCapabilitiesExtractor(). Also explicitly follows Promise.race step 2 and
similar cases in the spec, rather than passing tests asserting these steps
are taken in NewPromiseCapability
Also changes Promise.reject to match specification.
Fixes the following test262 tests:
- built-ins/Promise/all/capability-executor-called-twice.js
- built-ins/Promise/all/capability-executor-not-callable.js
- built-ins/Promise/prototype/then/capability-executor-called-twice.js
- built-ins/Promise/prototype/then/capability-executor-not-callable.js
- built-ins/Promise/reject/capability-executor-called-twice.js
- built-ins/Promise/reject/capability-executor-not-callable.js
- built-ins/Promise/resolve/capability-executor-called-twice.js
- built-ins/Promise/resolve/capability-executor-not-callable.js
- built-ins/Promise/race/capability-executor-called-twice.js
- built-ins/Promise/race/capability-executor-not-callable.js
- built-ins/Promise/reject/S25.4.4.4_A3.1_T1.js
- built-ins/Promise/race/S25.4.4.3_A3.1_T2.js
Per v8:3641, mjsunit/es6/debug-promises/throw-with-undefined-reject.js becomes invalid. The exception is thrown before the chain handler is ever invoked, and is caught externally by d8's own handler --- thus evading the uncaught exception event.
BUG=v8:4633, v8:4631, v8:4243, v8:3641
LOG=N
R=littledan@chromium.org, cbruni@chromium.org
Review URL: https://codereview.chromium.org/1531073004
Cr-Commit-Position: refs/heads/master@{#33128}
Deopt support is added on two levels. On the IR level,
a new ObjectState node is added, which represenents an
object to be materialized. ObjectState nodes appear as
inputs of FrameState and StateValues nodes. On the
instruction select/code-generation level, the
FrameStateDescriptor class handles the nesting
introduced by ObjectState, and ensures that deopt code
with CAPTURED_OBJECT/DUPLICATED_OBJECT entries are
generated similarly to what crankshaft's escape
analysis does.
Two unittests test correctness of the IR level implementation.
Correctness for instruction selection / code generation
is tested by mjsunit tests.
R=jarin@chromium.org,mstarzinger@chromium.org
BUG=v8:4586
LOG=n
Review URL: https://codereview.chromium.org/1485183002
Cr-Commit-Position: refs/heads/master@{#33115}
Adds --turbo to the set of flags run with ignition (making the
configuration pure Ignition+TurboFan except for fallbacks to
full-codegen for catch / eval). Also changes the default
--ignition-filter to allow everything, rather than omit everything.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1537433003
Cr-Commit-Position: refs/heads/master@{#33090}
This restricts turbofan to turbofan-supported subset for the shipping
configuration ("use asm" and features unsupported by Crankshaft).
Without this, we compile with Turbofan even when there is
try-catch-finally as long as the function is "use asm" or
it contains a feature unsupported by crankshaft but supported
by turbofan (e.g., 'with' statement).
BUG=
Review URL: https://codereview.chromium.org/1552233002
Cr-Commit-Position: refs/heads/master@{#33085}
This patch relands a change to ES2015 Promises which brings us closer to
spec compliance. In this new version, a bug which would lose async callstack
data was fixed.
R=adamk
CC=rossberg,caitp
LOG=Y
BUG=v8:3641
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1538663002
Cr-Commit-Position: refs/heads/master@{#33065}
This matches the behavior of JSObject::JSObjectVerify() and seems to be
the current contract for --verify-heap.
BUG=chromium:572590
LOG=n
Review URL: https://codereview.chromium.org/1553463002
Cr-Commit-Position: refs/heads/master@{#33056}
Consecutive registers are allocated in two passes. First we "reserve"
a set of registers and these get allocated when we actually use them.
If we request for a temporary register before we use all the consecutive
registers, the earlier implementation does not gaurantee that it allocates
outside the reservation for consecutive registers. This could cause problems
for example, in call_func(a, b++, c). This cl fixes
TemporaryRegisterScope::NewRegister, to return a new temporary register
outside the reservation for consecutive registers.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1531273002
Cr-Commit-Position: refs/heads/master@{#33005}
Introduce a new Apply builtin that forms a correct and optimizable
foundation for the Function.prototype.apply, Reflect.construct and
Reflect.apply builtins (which properly does the PrepareForTailCall
as required by the ES2015 spec).
The new Apply builtin avoids going to the runtime if it is safe to
just access the backing store elements of the argArray, i.e. if you
pass a JSArray with no holes, or an unmapped, unmodified sloppy or
strict arguments object.
mips/mips64 ports by Balazs Kilvady <balazs.kilvady@imgtec.com>
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux64_tsan_rel
BUG=v8:4413, v8:4430
LOG=n
R=yangguo@chromium.org
Committed: e4d2538911
Review URL: https://codereview.chromium.org/1523753002 .
Cr-Commit-Position: refs/heads/master@{#32929}
This fixes a path in the compilation pipeline that side-stepped the
interpreter when a function literal was eagerly compiled. This caused
the interpreter to miss some test coverage.
R=rmcilroy@chromium.org
Review URL: https://codereview.chromium.org/1528853002
Cr-Commit-Position: refs/heads/master@{#32867}
The third argument optionally specifies the frame from which to step.
This feature is not used and not well tested.
R=jkummerow@chromium.org
BUG=chromium:569835
LOG=N
Review URL: https://codereview.chromium.org/1525993002
Cr-Commit-Position: refs/heads/master@{#32865}
We used to flood the handler when preparing for stepping,
even if we may not throw. Instead, we now flood the
handler only when we actually throw.
This also solves an issue with step-next when we throw and
leave the function unexpectedly. In combination with
microtasks, this could cause a crash.
R=mstarzinger@chromium.org
BUG=chromium:568477
LOG=N
Review URL: https://codereview.chromium.org/1527593002
Cr-Commit-Position: refs/heads/master@{#32856}
- proxies-with-unscopables needed updating of trap names
- proxies-symbols doesn't make sense any more: it tested symbol fitering/
blacklisting, but Proxies interact with Symbols just fine according to
the current spec.
BUG=v8:1543
LOG=n
Review URL: https://codereview.chromium.org/1529473002
Cr-Commit-Position: refs/heads/master@{#32844}
This CL tries to correctly support the following:
- stringifying a proxy,
- stringifying with a proxy as replacer (callable or arraylike),
- stringifying with a replacer that returns a proxy,
- parsing with a callable proxy as reviver,
- parsing with a reviver that inserts proxies into the object,
- and whatever else you can imagine.
This also fixes some bugs observable without proxies.
BUG=v8:3139,v8:1543
LOG=n
Review URL: https://codereview.chromium.org/1515133002
Cr-Commit-Position: refs/heads/master@{#32843}
Bugfixes and improvements in escape analysis include:
* Handling of ObjectIsSmi (non-escaping)
* Handling of nested phi replacements
* Handling of phis with arity > 2
* Resilience against effectful nodes dangling from start
* Allocations escape now, if non-const load/store is performed
* Fixed a bug where non-allocated objects where tracked
* Allow fixed double arrays to be tracked
R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n
Review URL: https://codereview.chromium.org/1510973006
Cr-Commit-Position: refs/heads/master@{#32833}
As discussed in person, this adds the code from v8-native-prototype into
V8 proper, guarded by GYP flags that do not build the code by default.
Passing wasm=on to 'make' or setting v8_wasm as a GYP flag activates
building of this code.
An additional header file is added to and exported from the compiler
directory, src/compiler/wasm-compiler.h. This exposes a limited interface
with opaque Node and Graph types to the decoder to build TF graphs, as
well as functions to compile WASM graphs.
The mjsunit tests added are blacklisted because they fail without the
WASM object exposed to JS, which is also disabled by the build config
option.
This corresponds closely to 5981e06ebc, with some formatting fixes and moving some files into src/compiler.
R=mstarzinger@chromium.org, bradnelson@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1504713014
Cr-Commit-Position: refs/heads/master@{#32794}
Without this fix, AssignmentExpressions that happen to be arrow functions
would lead to unbalanced Enter/Leave calls on the fni_, causing thrashing
while trying to infer function names. Symptoms include slow parsing
or OOM (when we create too many AstConsStrings).
To try to keep this from happening in the future, added an RAII helper
class to handle Entering/Leaving FNI state.
The included regression test crashes on my workstation without the patch.
Note that it's too slow in debug mode (as well as under TurboFan),
so I've skipped it there.
BUG=v8:4595
LOG=y
Review URL: https://codereview.chromium.org/1507283003
Cr-Commit-Position: refs/heads/master@{#32768}
When the reviver returns undefined, the property in question must be deleted
even for arrays. So far this only happened for non-array objects.
Also change the property enumeration to be spec-conformant, which is observable when the reviver modifies its "this" object directly. There are a few further issues that need to be addressed in a separate CL.
R=yangguo@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1506933003
Cr-Commit-Position: refs/heads/master@{#32750}
This patch improves escape analysis and fixes bugs
triggered by clusterfuzz. Impovements include:
* Handling of LoadElement/StoreElement if index is a
constant
* Handling of JSStoreProperty: invalidate all information,
as the store could have altered any field.
* Treat phis that use an allocation as escaping
* Improve resolution of replacements
R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n
Review URL: https://codereview.chromium.org/1499143002
Cr-Commit-Position: refs/heads/master@{#32656}
- Add JSReceiver::SetIntegrityLevel, with a fast path for regular objects.
- Make Object.{freeze,seal} call this via %Object{Freeze,Seal}, thus no longer
using broken or deprecated functions from v8natives.js.
- Add JSReceiver::OwnPropertyKeys convenience function.
- Reenable harmony/proxies-hash.js test.
R=rossberg
BUG=v8:1543
LOG=N
Review URL: https://codereview.chromium.org/1489423002
Cr-Commit-Position: refs/heads/master@{#32651}
The backing store is only held alive indirectly via the array buffer
referenced by the holder (typed array), so it's not enough to keep the
elements alive (or even just the external pointer loaded from the
elements).
R=mstarzinger@chromium.org,bmeurer@chromium.org
LOG=n
BUG=v8:1827
Review URL: https://codereview.chromium.org/1493983004
Cr-Commit-Position: refs/heads/master@{#32644}
Reason for revert:
[Sheriff] Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/3266
Please request rebase upstream first.
Original issue's description:
> Clean up promises and fix an edge case bug
>
> This patch builds on previous Promise spec compliance work by
> cleaning out some old code which existed to support
> Promise.prototype.chain, rephrasing some code to correspond more
> closely to the specification, and removing some incorrect brand
> checking. A test is added for a bug in an edge case which was fixed.
>
> R=rossberg
> BUG=v8:3641
> LOG=Y
>
> Committed: https://crrev.com/1deb89c8fd3cb69714ae0a24e3b5a4e78f6b73b4
> Cr-Commit-Position: refs/heads/master@{#32627}
TBR=rossberg@chromium.org,caitpotter88@gmail.com,littledan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3641
Review URL: https://codereview.chromium.org/1501763004
Cr-Commit-Position: refs/heads/master@{#32629}
This patch builds on previous Promise spec compliance work by
cleaning out some old code which existed to support
Promise.prototype.chain, rephrasing some code to correspond more
closely to the specification, and removing some incorrect brand
checking. A test is added for a bug in an edge case which was fixed.
R=rossberg
BUG=v8:3641
LOG=Y
Review URL: https://codereview.chromium.org/1488783002
Cr-Commit-Position: refs/heads/master@{#32627}
This is the first part of escape analysis for turbofan.
At the moment, there is no deopt support, and support
for loops is partial (only binary Phis are handled).
The CL includes 4 unittests.
There are also 8 new mjsunit tests, some of which are
skiped as they require features not yet implemented.
BUG=v8:4586
LOG=n
Review URL: https://codereview.chromium.org/1457683003
Cr-Commit-Position: refs/heads/master@{#32498}
This switches all remaining builtin methods to use the ES6 new.target
value when determined whether being called as a constructor or not. This
is prepatory work for fully deprecating the aforementioned intrinsic.
R=rossberg@chromium.org
Review URL: https://codereview.chromium.org/1474343002
Cr-Commit-Position: refs/heads/master@{#32447}
The fast-prototype test has been outsmarted by constructor inlining
because the instantiation is been correctly optimized away. Internal
state introspection about prototype turning fast was upset by that.
R=bmeurer@chromium.org
BUG=v8:4544
LOG=n
Review URL: https://codereview.chromium.org/1474763007
Cr-Commit-Position: refs/heads/master@{#32338}
This fixes the array literal expression stack tracking in the presence
of spread expressions. Deoptimization within a spread expression was
borked.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-deopt-in-array-literal-spread
Review URL: https://codereview.chromium.org/1455953002
Cr-Commit-Position: refs/heads/master@{#32079}
With do-expressions any expression used within literals can turn into an
OSR entry-point. This means the literal object being constructed is then
renamed to an OSR value and needs to be reloaded from the environment.
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-osr-in-literal
Review URL: https://codereview.chromium.org/1451423002
Cr-Commit-Position: refs/heads/master@{#32047}
* Limit triggering of tail calls to explicit use of a new inline runtime
function %_TailCall. %_TailCall works just like %_Call except for using
tail-calling mechanics (currently only in TF).
* Remove hack that recognized some specific usages of %_Call and converted them
into tail calls.
* Support tail calls for all calls where the number of callee stack parameters
is less than or equal to the number of caller stack parameters.
* Use the gap resolver to swizzle parameters and registers to tail calls.
BUG=v8:4076
LOG=n
Review URL: https://codereview.chromium.org/1439613003
Cr-Commit-Position: refs/heads/master@{#31987}
With do-expressions any expression used as a case label can turn into an
OSR entry-point. This means the value being switched over is renamed to
an OSR value and needs to be reloaded from the environment at each case.
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-osr-in-case-label
Review URL: https://codereview.chromium.org/1438123007
Cr-Commit-Position: refs/heads/master@{#31986}
This implements a first version of support for constructor call inlining
in the inlining machinery. For now we can only inline calls where the
actual constructor and the original constructor coincide (i.e. no super
constructor calls). Note that the target of a super constructor call is
loaded with a runtime call, so there is no way for it to be constant
promoted at the moment.
R=bmeurer@chromium.org
BUG=v8:4544
LOG=n
Review URL: https://codereview.chromium.org/1435873002
Cr-Commit-Position: refs/heads/master@{#31954}
Adds a blacklist of tests which are currently unsupported or broken in Ignition to
the mjsunit and test262 test status.
Also removes --ignition-script-filter flag, and adds a
--ignition_fallback_on_eval_and_catch flag which fallsback to fullcodegen for
functions which call eval or contain a catch block.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1420963009
Cr-Commit-Position: refs/heads/master@{#31864}
The current implementation of classes throws the TypeError at the wrong
point, after activating a new context when directly calling a class
constructor. According to the spec, the TypeError has to be thrown
in the caller context.
LOG=N
BUG=v8:4428
Committed: https://crrev.com/6a06bc0a774933719f62009d81b3f1686d83bb90
Cr-Commit-Position: refs/heads/master@{#31786}
Review URL: https://codereview.chromium.org/1418623007
Cr-Commit-Position: refs/heads/master@{#31790}
Reason for revert:
failing build bot
Original issue's description:
> [runtime] Fix ES6 9.2.1 [[Call]] when encountering a classConstructor.
>
> The current implementation of classes throws the TypeError at the wrong
> point, after activating a new context when directly calling a class
> constructor. According to the spec, the TypeError has to be thrown
> in the caller context.
>
> LOG=N
> BUG=v8:4428
>
> Committed: https://crrev.com/6a06bc0a774933719f62009d81b3f1686d83bb90
> Cr-Commit-Position: refs/heads/master@{#31786}
TBR=bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4428
Review URL: https://codereview.chromium.org/1415783006
Cr-Commit-Position: refs/heads/master@{#31787}
The current implementation of classes throws the TypeError at the wrong
point, after activating a new context when directly calling a class
constructor. According to the spec, the TypeError has to be thrown
in the caller context.
LOG=N
BUG=v8:4428
Review URL: https://codereview.chromium.org/1418623007
Cr-Commit-Position: refs/heads/master@{#31786}
This removes special casing for the 'f.arguments' property accessor. Any
local 'arguments' variable should not be allowed to influence the value
returned by the indirect 'f.arguments' property. That property creates a
new object with a separate identity everytime it is read. This is by now
consistent with other browsers.
R=rossberg@chromium.org
TEST=mjsunit/arguments-indirect
Review URL: https://codereview.chromium.org/1408983006
Cr-Commit-Position: refs/heads/master@{#31776}
This fixes the representation type for values in JSArray::length fields
when JSNativeContextSpecialization lowers loads. Only arrays with fast
elements kind are guaranteed to have a Smi represented length.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-4515
BUG=v8:4515, v8:4493, v8:4470
LOG=n
Review URL: https://codereview.chromium.org/1410393006
Cr-Commit-Position: refs/heads/master@{#31558}
The reason is when native_context_specialization flag is ture, X87 turbofan
will hit the known issue that X87 will change a sNaN to qNaN by default. And
then it will fail when bit-comparing the source (sNaN) and the result (qNaN).
reland https://codereview.chromium.org/1414733004/.
BUG=
Review URL: https://codereview.chromium.org/1419573007
Cr-Commit-Position: refs/heads/master@{#31552}
Reason for revert:
because of merge mistake, "regress/" is missed when skipping one test case for X87.
"regress/" will be added when relanding it.
Original issue's description:
> X87: disable the regress-undefined-nan test case for x87.
>
> The reason is when native_context_specialization flag is ture, X87 turbofan
> will hit the known issue that X87 will change a sNaN to qNaN by default. And
> then it will fail when bit-comparing the source (sNaN) and the result (qNaN).
>
> BUG=
>
> Committed: https://crrev.com/b3c719ebbad6c87afefa33a7d0b3f412b2e304db
> Cr-Commit-Position: refs/heads/master@{#31530}
TBR=bmeurer@chromium.org,weiliang.lin@intel.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review URL: https://codereview.chromium.org/1417303005
Cr-Commit-Position: refs/heads/master@{#31543}
The reason is when native_context_specialization flag is ture, X87 turbofan
will hit the known issue that X87 will change a sNaN to qNaN by default. And
then it will fail when bit-comparing the source (sNaN) and the result (qNaN).
BUG=
Review URL: https://codereview.chromium.org/1414733004
Cr-Commit-Position: refs/heads/master@{#31530}
The newly introduced root makes sure that we do not flush the
optimized code while the function is being compiled.
BUG=v8:4493
LOG=n
Review URL: https://codereview.chromium.org/1415133002
Cr-Commit-Position: refs/heads/master@{#31444}
This makes sure that initializing assignments of let-declared variables
perform an environment lookup and hence keep the variable alive. This is
needed because full-codegen contains debug code verifying the variable
is still inside the TDZ at the initializing assignment.
R=jarin@chromium.org
TEST=mjsunit/compiler/regress-variable-liveness-let
BUG=v8:4493
LOG=n
Review URL: https://codereview.chromium.org/1420573002
Cr-Commit-Position: refs/heads/master@{#31437}
This stages the general purpose inlining mechanism in TurboFan and
also disables the remaining tests that still fail. We do this to get
test coverage early and to avoid regressing inlining as we go along.
R=jarin@chromium.org,mstarzinger@chromium.org
BUG=v8:4493
LOG=n
Review URL: https://codereview.chromium.org/1419623002
Cr-Commit-Position: refs/heads/master@{#31406}
This stages the general purpose inlining mechanism in TurboFan and also
disables the remaining tests that still fail. We do this to get test
coverage early and to avoid regressing inlining as we go along.
R=bmeurer@chromium.org
BUG=v8:4493
LOG=n
Review URL: https://codereview.chromium.org/1412703002
Cr-Commit-Position: refs/heads/master@{#31386}
This introduces an explicit lazy bailout. It is wrapped in the call
node, mostly because the lazy deoptimization processing is married
to the call processing in the instruction selector and the code generator.
It is still a terrible hack.
R=bmeurer@chromium.org,mstarzinger@chromium.org
BUG=chromium:543994,v8:4195
LOG=n
Review URL: https://codereview.chromium.org/1412443003
Cr-Commit-Position: refs/heads/master@{#31353}
The runtime flag in question makes no sense, because the feature cannot
be disabled without keeping the snapshot in sync. We should avoid having
the flag in our "mjsunit" test suite, so that CluserFuzz doesn't pick it
up. The test in question is already skipped, the change will not affect
test results on our waterfall.
R=mvstanton@chromium.org
TEST=mjsunit/call-counts
BUG=v8:4458
LOG=n
Review URL: https://codereview.chromium.org/1409533003
Cr-Commit-Position: refs/heads/master@{#31302}
This is in preparation to enabling --turbo-inlining by default, fixing
various issues when general purpose inlining is running against our
entire test suite.
R=bmeurer@chromium.org
BUG=v8:4493
LOG=n
Review URL: https://codereview.chromium.org/1407533004
Cr-Commit-Position: refs/heads/master@{#31294}
Swarming won't support an incremental data file. By just
sorting the lowest hanging fruits to the beginning we
already get a big bang for the buck (>80% of the improvement
we get otherwise).
This will require semi-regular manual updates of the
slowest tests.
BUG=chromium:535160
LOG=n
Review URL: https://codereview.chromium.org/1385443002
Cr-Commit-Position: refs/heads/master@{#31061}
Whenever a generalization is computed, the inputs must be checked for being cleared, and if they are, the generalization must be Type::Any.
Hopefully this fixes Chromium issue 527994 as well.
BUG=v8:4325,chromium:527994
LOG=n
Review URL: https://codereview.chromium.org/1361103002
Cr-Commit-Position: refs/heads/master@{#30887}
The two tests in question got a lot slower and started to timeout now
that the C++ fallback implementation of the %Arguments intrinsics is
composable with respect to inlining.
R=bmeurer@chromium.org,machenbach@chromium.org
Review URL: https://codereview.chromium.org/1330203003
Cr-Commit-Position: refs/heads/master@{#30674}
script_executed and last_run are read/written by multiple threads. Also
externalized_shared_contents_ is modified by multiple threads.
BUG=4306
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1252623003
Cr-Commit-Position: refs/heads/master@{#29912}
zlib is broken for mips after 35eb3a0260.
We're still working on a fix. Skip test for now, so the bots cycle green.
BUG=
Review URL: https://codereview.chromium.org/1209253005
Cr-Commit-Position: refs/heads/master@{#29356}
The use of jalr ra is unpredictable if instruction in branch delay slot
is in next page.
This finally fixes random failures in JS debugger and InteruptRequest tests.
TEST=mjsunit/debug-*,
cctest/test-api/RequestInterruptTestWithNativeAccessor
BUG=
Review URL: https://codereview.chromium.org/1220443002
Cr-Commit-Position: refs/heads/master@{#29331}
This test starts failing when the --harmony-array flag is turned on,
but the failure does not directly have to do with that flag. Disabling
the test in debug mode to unblock the release.
BUG=v8:4237
LOG=n
R=adamk,erikcorry
Review URL: https://codereview.chromium.org/1202523005
Cr-Commit-Position: refs/heads/master@{#29207}
This test appears to trigger some bug in either ASAN or V8 when
accompanied by an increase in JS code size. Disabling the test
on ASAN runs to unblock adding new JS code.
BUG=v8:4236
LOG=N
R=adamk
Review URL: https://codereview.chromium.org/1203523002
Cr-Commit-Position: refs/heads/master@{#29201}
This fixes a terrible interaction of code flushing and the clearing of
optimized code maps hanging off a SharedFunctionInfo. The following is
what happened:
1) Incremental marking cleared map in SharedFunctionInfo s, however it
was not enqueued as a flushing candidate because one JSFunction f1
still had optimized code.
2) Deoptimization of f1 made s eligible for code flushing.
3) Optimization of f2 added new entry to optimized code map of s.
4) The JSFunction f2 became unreachable and hence is never marked.
5) Incremental marking now visits f1, finds it eligible for flushing,
also s is eligible for flushing, both are enqueued.
6) Marking finishes, code flusher clears f1 and s, but the optimized
code map of s still contains an entry.
7) Boom!
R=ulan@chromium.org,hpayer@chromium.org
TEST=mjsunit/es6/generators-iteration
BUG=v8:3803
LOG=N
Review URL: https://codereview.chromium.org/1197713004
Cr-Commit-Position: refs/heads/master@{#29177}
This patch includes the following changes.
1, Enable the turbofan backend support for X87 platform. It depends on previous CL: 3fdfebd26.
2, Enable the test cases which are disabled because turbofan for X87 was not enabled.
BUG=v8:4135
LOG=N
Review URL: https://codereview.chromium.org/1179763004
Cr-Commit-Position: refs/heads/master@{#29049}
This fixes the graph wiring of implicit JSToNumber nodes inserted by
JSTypedLowering, to be correctly hooked into a surrounding exceptional
continuation.
R=bmeurer@chromium.org
TEST=mjsunit/compiler/try-binop,test262
Review URL: https://codereview.chromium.org/1178153004
Cr-Commit-Position: refs/heads/master@{#28975}
This deprecates the aforementioned mutator in favor of a simpler
NodeProperties::ReplaceUses that doesn't perform any relaxation.
Preparation for enabling support for try-catch statements.
R=bmeurer@chromium.org
TEST=unittests/NodePropertiesTest
Review URL: https://codereview.chromium.org/1172773003
Cr-Commit-Position: refs/heads/master@{#28897}
This adds a stripped down version of the SQLite benchmark (running with
--size 1) to the mjsunit suite. We might want to move that to a
dedicated slow/stress/whatever test suite once an appropriate decision
is made.
R=machenbach@chromium.org
Review URL: https://codereview.chromium.org/1094043002
Cr-Commit-Position: refs/heads/master@{#27930}
This adds a missing bailout id to a ForInStatement for when retrieving
and filtering a property name deoptimizes. This can happen with proxies
that have a getPropertyDescriptor trap.
R=jarin@chromium.org
TEST=mjsunit/for-in-opt
Review URL: https://codereview.chromium.org/1086083002
Cr-Commit-Position: refs/heads/master@{#27846}
Those two tests fail in gc-stress and custom snapshot (embedding mjsunit.js).
This is likely due to different GC timing with the custom snapshot.
R=mstarzinger@chromium.org
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1078653002
Cr-Commit-Position: refs/heads/master@{#27688}
This enables eager optimization of top-level code with TurboFan and
extends test coverage by triggering it with the --always-opt flag.
Script contexts are now also properly allocated in TurboFan.
R=titzer@chromium.org
Review URL: https://codereview.chromium.org/1053063003
Cr-Commit-Position: refs/heads/master@{#27633}
Only one FrameInspector can be active at a time on any given stack,
this ensures that it's lifetime is sufficiently scoped.
R=yangguo@chromium.org
TEST=mjsunit/regress/regress-crbug-259300
Review URL: https://codereview.chromium.org/1034743002
Cr-Commit-Position: refs/heads/master@{#27477}
This adapts the debugger so that the first break event starting the
stepping process can come from optimized code. TurboFan supports a
debugger statement and hence can be the top-most frame whenever the
Debug::HandleDebugBreak handler is triggered.
R=yangguo@chromium.org
TEST=mjsunit/debug,cctest/test-debug
Review URL: https://codereview.chromium.org/1038613002
Cr-Commit-Position: refs/heads/master@{#27447}
The root cause for the bug is that the positions assigned to desugared
code was inconsistent with the source ranges of block scopes.
Since the fact that the position is assigned causes the debugger to
break at the parser-generated statement, the fix is to remove positions
from those nodes that we do not want to break on.
The CL also teaches Hydrogen to tolerate these cases.
R=adamk@chromium.org,rossberg@chromium.org
BUG=chromium:468661
LOG=Y
Review URL: https://codereview.chromium.org/1032653002
Cr-Commit-Position: refs/heads/master@{#27424}
The test demonstrates a bad interaction between arguments object
materialization, escape analysis and exception handling.
We can return a wrong arguments object if we materialize arguments
object (using f.arguments) and then throw around f's frame so that f
does not clean up the materialized frame information (see the
MaterializedObjectStore in deoptimizer.h/.cc). If we enter another
function that has the same frame pointer and request an arguments object
of (or lazily deoptimize) that function, we can get the materialized
object of the original function.
We should clean up the materialized object store when we unwind the
stack.
BUG=v8:3985
LOG=n
Review URL: https://codereview.chromium.org/1032623003
Cr-Commit-Position: refs/heads/master@{#27406}
Updated excludes to remove SKIPs where possible. Either
removing if no longer needed or replacing with SLOW where
tests just need more time to run
modified: test/cctest/cctest.status
modified: test/mjsunit/mjsunit.status
R=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1017073003
Cr-Commit-Position: refs/heads/master@{#27287}
The test/cctest/cctest.status and test/mjsunit/mjsunit.status
tests now pass under the simulator so removing these
excludes
modified: test/cctest/cctest.status
modified: test/mjsunit/mjsunit.status
R=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/995393003
Cr-Commit-Position: refs/heads/master@{#27145}
Contribution of PowerPC port (continuation of 422063005,
817143002,866843003, and 901083004). This patch updates
the ppc directories to make them current with changes in
common code as of today.
We had to exclude the test test-serialize/SerializeInternalReference
until we agree on the right way to add those changes for PPC as
outlined in the description in the google doc provided earlier.
We also had to exclude a couple of other tests due to new
failures seen since the last uplevel. We excluded as opposed
to waiting until we could investigate to maximize the chance
of getting PPC compiling in the google repos before new
breaking changes are made.
I'll note that before applying any of our changes the
mozilla part of quickcheck was already broken when using
the lastest repo content so I had to run without that
modified: src/compiler/ppc/code-generator-ppc.cc
modified: src/compiler/ppc/instruction-codes-ppc.h
modified: src/compiler/ppc/instruction-selector-ppc.cc
modified: src/ic/ppc/handler-compiler-ppc.cc
modified: src/ic/ppc/ic-compiler-ppc.cc
modified: src/ppc/assembler-ppc-inl.h
modified: src/ppc/assembler-ppc.cc
modified: src/ppc/assembler-ppc.h
modified: src/ppc/builtins-ppc.cc
modified: src/ppc/code-stubs-ppc.cc
modified: src/ppc/codegen-ppc.cc
modified: src/ppc/full-codegen-ppc.cc
modified: src/ppc/lithium-codegen-ppc.cc
modified: src/ppc/macro-assembler-ppc.cc
modified: src/ppc/macro-assembler-ppc.h
modified: test/cctest/cctest.status
R=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/994533004
Cr-Commit-Position: refs/heads/master@{#27125}
Internal references are absolute addresses into the instruction
stream. Turn them into relative addresses when serializing and
back when deserializing to keep them valid.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/976623002
Cr-Commit-Position: refs/heads/master@{#27020}
Contribution of PowerPC port (continuation of 422063005, 817143002,
866843003, and 901083004. This patch updates the ppc directories
to make them current with changes in common code, removes the
optimization to use the ool constant pool, and excludes tests that
don't pass under the ppc simulator given a 240s timeout.
Subsequent patches will cover:
- remaining optimizations for PPC
- remaining AIX changes not resolved by 4.8 compiler (4.8 is only recently available for AIX)
- incremental updates required to ppc directories due to platform specific changes made
in google repos while we complete the above steps.
modified: src/compiler/ppc/code-generator-ppc.cc
modified: src/ic/ppc/handler-compiler-ppc.cc
modified: src/ppc/assembler-ppc-inl.h
modified: src/ppc/assembler-ppc.cc
modified: src/ppc/assembler-ppc.h
modified: src/ppc/builtins-ppc.cc
modified: src/ppc/code-stubs-ppc.cc
modified: src/ppc/debug-ppc.cc
modified: src/ppc/deoptimizer-ppc.cc
modified: src/ppc/frames-ppc.cc
modified: src/ppc/frames-ppc.h
modified: src/ppc/full-codegen-ppc.cc
modified: src/ppc/lithium-codegen-ppc.cc
modified: src/ppc/lithium-ppc.cc
modified: src/ppc/lithium-ppc.h
modified: src/ppc/macro-assembler-ppc.cc
modified: src/ppc/macro-assembler-ppc.h
modified: test/cctest/cctest.status
modified: test/mjsunit/mjsunit.status
R=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/965823002
Cr-Commit-Position: refs/heads/master@{#26951}
This reverts commit b57be748b1 and
disables the test/mjsunit/debug-clearbreakpointgroup.js because
BreakLocationIterator::ClearBreakPoint is already broken for unrelated reasons (see v8:3924).
BUG=v8:3877
LOG=N
TEST=cctest/test-heap/Regress3877
Review URL: https://codereview.chromium.org/957373002
Cr-Commit-Position: refs/heads/master@{#26893}
super() is only allowed in a class constructor.
super.p is allowed in methods, accessors and constructors.
The parser now checks the FunctionState to see what kind of function
we are currently inside.
BUG=v8:3330
LOG=N
R=dslomov@chromium.org, marja@chromium.org
Review URL: https://codereview.chromium.org/915563003
Cr-Commit-Position: refs/heads/master@{#26557}
Contribution of PowerPC port (continuation of 422063005 and 817143002). This patch covers
the key changes needed to the common files needed to support AIX. Subsequent
patches will cover:
- changes to update the ppc directories so they are current with the changes
in the rest of the project.
- remaining AIX changes not resolved by 4.8 compiler
- individual optimizations for PPC
This is based off of the GitHub repository
https://github.com/andrewlow/v8ppcR=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/866843003
Cr-Commit-Position: refs/heads/master@{#26343}
The approach taken in this CL is to incrementally move toward the
currently-specced version of modules in ES6. The biggest change in this
patch is separating the parsing of modules from the parsing of scripts,
getting rid of the 'module' keyword and thus disallowing modules-in-scripts
as well as modules-in-modules.
The syntax supported by import/export declarations has not yet been significantly
changed, with the major exception being that import declarations require a string
as the 'from' part.
Most of the existing tests have been disabled, with a first new test added
in cctest/test-parsing.
BUG=v8:1569
LOG=n
Review URL: https://codereview.chromium.org/881623002
Cr-Commit-Position: refs/heads/master@{#26299}
This adds support for computed property names, under the flag
--harmony-computed-property-names, for both object literals and
classes.
This is a revert of the revert, 7d48fd9dc2.
BUG=v8:3754
LOG=Y
R=dslomov@chromium.org
Review URL: https://codereview.chromium.org/798243004
Cr-Commit-Position: refs/heads/master@{#26084}
When compiling with the macro DCHECK_ALWAYS_ON defined, DCHECKs and
supporting code gets compiled and enabled.
This increases test coverage for chromium release buildbots
BUG=v8:3731
R=jkummerow@chromium.org
LOG=y
Review URL: https://codereview.chromium.org/760213005
Cr-Commit-Position: refs/heads/master@{#25701}
Emscripten requires little-endian arch. It has assertion for endianness:
assert(HEAPU8[0] === 255 && HEAPU8[3] === 0,
'Typed arrays 2 must be run on a little-endian system');
TEST=mjsunit/asm/embenchen/*
BUG=
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/708663003
Patch from Paul Lind <paul.lind@imgtec.com>.
Cr-Commit-Position: refs/heads/master@{#25177}
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@25177 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Trimming the graph consists of breaking links from nodes that are not reachable from end to nodes that are reachable from end. Such dead nodes show up in the use lists of the live nodes and though mostly harmless, just clutter up the graph. They also can limit instruction selection opportunities, so it is good to get rid of them.
This CL is one half of the ControlReducer functionality, the other half
being branch folding.
R=bmeurer@chromium.org
BUG=
Review URL: https://codereview.chromium.org/661923002
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Since the deopt patch address needs to be available during GC to
resolve safepoints, we need to move it to the code object (instead of
the deoptimization input data) - accessing a separate fixed array
is not safe during GC. This CL adds a deoptimization_pc field to
each safepoint. The fields points to the deoptimization block.
The CL also fixes wrong register allocator constraints for
frame states on calls. These should always live on the stack
because registers are not preserved during a call.
BUG=
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/504493002
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23334 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Bunch of changes were necessary:
- refactor attaching the frame states/lazy bailouts in AstGraphBuilder
(essentialy reland of r23096),
- attaching frame state to some JS nodes in a similar way to attaching
context (this is quite ugly and we should take another look at this),
- new bailout point for the debugger statement,
- register allocation constraints for the frame states,
- generating translations and deopt entries, attaching them to
safepoints,
- enabled one mjsunit test for debugger state that uses the generated
frame state.
BUG=
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/492203002
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23270 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The `right == 0` checks only worked for `0 <= right < 32`. This patch
replaces the checks with simple tests for negative results.
The attached test can detect this error, but the test relies on a broken
flag (--noopt-safe-uint32-operations), so it is skipped for now. See
issue 3487 for details.
BUG=
R=ulan@chromium.org
Review URL: https://codereview.chromium.org/487913005
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23243 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The change relative to the previous CL is a logic change in
DropActivationsInActiveThreadImpl. The previous CL skipped the matcher
unless the frame was a JS frame; this was correct for
MultipleFunctionTarget but not for SingleFrameTarget.
I have not been able to reproduce the original failures on either
architecture (ia32 or x64; stack frame dropping is unsupported on other
architectures).
R=yangguo@chromium.org
LOG=N
TEST=mjsunit/harmony/generators-debug-liveedit.js
BUG=
Review URL: https://codereview.chromium.org/270283002
Patch from Andy Wingo <wingo@igalia.com>.
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21419 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This patch reverts r21062 which disabled Object.observe and the relevant tests.
It also adds enforcement for the following three invariants:
1) No observer may receive a change record describing changes to an object which is in different security origin (context have differing security tokens)
2) No observer may receive a change record whose context's security token is different from that of the object described by the change.
3) Object.getNotifier will return null if the caller and the provided object are in differing security origins
Further, it ensures that the global object can never be observed nor a notifier retrieved for it.
Tests are included.
R=verwaest@chromium.org, rossberg
LOG=Y
Review URL: https://codereview.chromium.org/265503002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21122 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Important notices:
- The snapshot cannot be created for big-endian target in cross-compilation
environment on little-endian host using simulator.
- In order to have i18n support working on big-endian target, the icudt46b.dat and
icudt46b_dat.S files should be generated and upstreamed to ICU repo.
- The mjsunit 'nans' test is endian dependent, it is skipped for mips target.
- The zlib and Mandreel from Octane 2.0 benchmark are endian dependent due to
use of typed arrays.
TEST=
BUG=
R=jkummerow@chromium.org, plind44@gmail.com
Review URL: https://codereview.chromium.org/228943009
Patch from Dusan Milosavljevic <Dusan.Milosavljevic@rt-rk.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20778 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Add random seed to run-tests.py, using either a user supplied
value or a random number generated by random.SystemRandom().
This same random seed is passed to all test cases, making sure
that we can easily reproduce test failures that depend on
random numbers (i.e. bugs related to our handwritten ASLR).
Also fix all uses of rand() to make use of our RNG class
instead.
R=machenbach@chromium.org
Review URL: https://codereview.chromium.org/231443002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20637 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Code generation would fail when assembling a branch to a label that is bound
outside the immediate range of the instruction. A64 is sensitive to this, as the
various branching instructions have different ranges, going down to +-32KB for
TBZ/TBNZ. The MacroAssembler is augmented to handle branches to targets that
may exceed the immediate range of instructions.
When branching backward to a label exceeding the instruction range, the
MacroAssembler can simply tweak the generated code to use an unconditional
branch with a longer range. For example instead of
B(cond, &label);
the MacroAssembler can generate:
b(InvertCondition(cond), &done);
b(&label);
bind(&done);
Since the target is not known when the branch is emitted, forward branches uses
a different mechanism. The MacroAssembler keeps track of forward branches to
unbound labels. When the code generation approaches the end of the range of a
branch, a veneer is generated for the branch.
BUG=v8:3148
LOG=Y
R=ulan@chromium.org
Review URL: https://codereview.chromium.org/169893002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19444 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Throwing under FLAG_debug_code confuses the rest of our infrastructure
which expects a safe point at the site of call into the runtime
for throw. We were doing that to make a clusterfuzz test happy, but
the better solution is to assert/abort under debug_code, and prevent
clusterfuzz from fuzzing on internal APIs that crash on incorrect
values.
We'll need to alter the fuzzer to turn off fuzzing for:
string-natives.js
lithium/SeqStringSetChar.js
regress/regress-seqstrsetchar-ex3.js
regress/regress-seqstrsetchar-ex1.js
regress/regress-crbug-320922.js
So as to prevent the fuzzer from running
%_OneByteSeqStringSetChar() and
%_TwoByteSeqStringSetChar().
BUG=
R=hpayer@chromium.org, machenbach@chromium.org
Review URL: https://codereview.chromium.org/139903005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18878 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Our generic KeyedStoreIC doesn't handle the case when a callback is
set on array elements in the prototype chain of the object, nor do
we recognize that we need to avoid the monomorphic case if these
callbacks exist.
This CL addresses the issue by looking for dictionary elements in
the prototype chain on IC misses and crankshaft element store
instructions. When found, the generic IC is used. The generic IC is
changed to go to the runtime in this case too.
In general, keyed loads are immune from this problem because they
won't return the hole: discovery of the hole goes to the runtime where
the callback will be found in the prototype chain. Double array loads
in crankshaft can return the hole but only if the prototype chain is
unaltered (we will catch such alterations).
Includes the following patch as well (already reviewed by bmeurer):
Performance regression found in test regress-2185-2.js. The problem was
that the bailout method for TransitionAndStoreStub was not performing
the appropriate transition.
(Review URL for the ElementsTransitionAndStoreIC_Miss change:
https://codereview.chromium.org/26911007)
R=danno@chromium.org
Review URL: https://codereview.chromium.org/35413006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17525 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When a generator suspends, it saves its state out to the heap and
unwinds try handlers but doesn't pop anything off the stack. Instead it
relies on no GC happening between the suspend and the return from the
generator. However this was not the case: boxing the result object
could cause GC, which would try to traverse the stack but would
misinterpret words from unwound try handlers as heap objects.
This CL changes to allocate the result objects before the suspend. It
also removes the generators-iteration skip introduced in r15065.
R=mstarzinger@chromium.org
TEST=mjsunit/harmony/generators-iteration
BUG=
Review URL: https://codereview.chromium.org/16801006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15079 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
ia32, unlike the other architectures, includes a --debug-code check that
asserts that runtime functions do not return the hole. However the new
SuspendJSGeneratorObject runtime does return the hole at times.
This CL adds a wee hack that only signals an error if the callee was not
SuspendJSGeneratorObject.
R=mstarzinger@chromium.org
BUG=
Review URL: https://codereview.chromium.org/13856011
Patch from Andy Wingo <wingo@igalia.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14437 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The generator object methods "next", "send", and "throw" now
include some inline assembly to set up a resumed stack frame. In some
common cases, we can just jump back into the frame to resume it.
Otherwise the resume code calls out to a runtime to fill in the operand
stack, rewind the handlers, and possibly to throw an exception.
BUG=v8:2355
TESTS=mjsunit/harmony/generators-iteration
Review URL: https://codereview.chromium.org/14066016
Patch from Andy Wingo <wingo@igalia.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14415 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Currently, when a long series of removable simulates are merged, we do
this by merging them one by one as we find them. As we merge the value
value lists of the simulates, those lists snowball so that we get a
quadratic complexity wrt runtime and memory consumption.
Instead, we gather simulates that need to be merged, and merge them
backwards starting from the last simulate.
R=jkummerow@chromium.org
BUG=v8:2612
Review URL: https://chromiumcodereview.appspot.com/13649003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14169 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This includes:
* Adding support for saving callee-clobbered double registers in Crankshaft code.
* Adding a new "HTrapAllocationMemento" hydrogen instruction to handle AllocationSiteInfo data in crankshafted stubs.
* Adding a new "HAllocate" hydrogen instruction that can allocate raw memory from the GC in crankshafted code.
* Support for manipulation of the hole in HChange instructions for Crankshafted stubs.
* Utility routines to manually build loops and if statements containing hydrogen code.
Review URL: https://codereview.chromium.org/11659022
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13585 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
