For dictionary-mode receivers, the KeyedStoreGeneric stub can store
properties directly in most cases. Doing so avoids the need to have
an entry in the stub cache for every map/property combination.
Original review: https://codereview.chromium.org/2504403005/
Review-Url: https://codereview.chromium.org/2524943002
Cr-Commit-Position: refs/heads/master@{#41218}
Previous fuzzer fix broke the case when the pending assessment came from the same
block. In that case, the assessments table does not have an entry yet for the block,
because we register only when we're done processing a block.
BUG=667745
Review-Url: https://codereview.chromium.org/2519973004
Cr-Commit-Position: refs/heads/master@{#41193}
* Fix setting script-scope variables through inspector by internalizing
their names.
* Reconstruct values of Number, String, and Boolean classes.
* Adapt a couple of tests for API restrictions.
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2512963002
Cr-Commit-Position: refs/heads/master@{#41175}
This fixes stack unwinding to always recompute the stack pointer for
interpreted frames. For frames materialized by the deoptimizer we elide
the handler frame in between, hence arguments being pushed on the stack
will no longer be pushed into the handler frame but into the interpreted
frame directly.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-662830
BUG=chromium:662830
Review-Url: https://codereview.chromium.org/2517203003
Cr-Commit-Position: refs/heads/master@{#41170}
The verifier needs to use the block and assessments in that block corresponding to
a predecessor of a "pending" assessment. Not doing that causes incorrect
assessments when 2 locations are swapped.
BUG=665402
Review-Url: https://codereview.chromium.org/2515803002
Cr-Commit-Position: refs/heads/master@{#41159}
Adapted various tests to restrictions of inspector protocol:
* osr-typing-debug-change: Don't set function variable value.
* debug-evaluate-locals: Add variable introduced by eval, run typeof
inside evaluate().
* regress-419663: Don't set duplicate breakpoints.
* regress-crbug-465298: Compare against function name instead of value.
* regress-crbug-621361: Make evaluate return string results.
* debug-script: Various counts were off due to new way tests are called.
Added new inspector script type.
Breakpoints now contain the actual break position, and remote object
reconstruction has been extended a bit.
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2505363002
Cr-Commit-Position: refs/heads/master@{#41129}
The code which pushes and pops to the function name inference stack
generally checks if the stack is active with the IsOpen method. One
piece of code pertaining to async functions was missing that check.
This patch adds it.
BUG=chromium:658267
R=gsathya,caitp
Review-Url: https://codereview.chromium.org/2514893002
Cr-Commit-Position: refs/heads/master@{#41120}
It originates from the era where we used to run a separate preparse step
before parsing and store the function data. Now the usage of preparser
is something completely different, so this flag doesn't make sense any
more.
In addition, this way we get more test coverage for preparser (for small
scripts).
BUG=
Review-Url: https://codereview.chromium.org/2513563002
Cr-Commit-Position: refs/heads/master@{#41110}
This adds clearAllBreakPoints functionality (which requires tracking set
breakpoints internally), and several script-related functions that rely
on runtime functions.
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2508853003
Cr-Commit-Position: refs/heads/master@{#41064}
This adds access to the LiveEdit API object, frame.restart(), and
various breakpoint setters. The LiveEdit API still depends on the JS
debugging context and blocks its removal; but it should be removed
once LiveEdit is rewritten in the midterm.
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2503293002
Cr-Commit-Position: refs/heads/master@{#41062}
The operator in question is guaranteed to produce a tagged value that is
not equal to the-hole, it however does not guarantee the value to be a
HeapObject. The correct representation hence is {kTagged}.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-665587
BUG=chromium:665587
Review-Url: https://codereview.chromium.org/2504183002
Cr-Commit-Position: refs/heads/master@{#41032}
The reason is that non-configurability still allows a writable property to become read-only.
BUG=chromium:663750
Review-Url: https://codereview.chromium.org/2508873002
Cr-Commit-Position: refs/heads/master@{#41029}
This CL further extends the debug wrapper, migrates around 60 tests, and
removes a few tests that use functionality we will not support anymore.
In more detail:
* Removed tests that use:
* enable/disable individual breakpoints
* invocationText()
* the ScriptCollected event
* showBreakPoints
* evalFromScript (and similar)
* mirror.constructedBy and mirror.referencedBy
* event_data.promise()
* Some frame.evaluate uses were adapted since due to differences between
remote objects (inspector) and mirrors. For instance, exceptions are
currently not recreated exactly, since the inspector protocol does not
give us the stack and message separately. Other objects (such as
'this' in debug-evaluate-receiver-before-super) need to be explicitly
converted to a string before the test works correctly.
* Ensure that inspector stores the script before sending ScriptParsed and
ScriptFailedToParse events in order to be able to use the script from
within those events.
* Better remote object reconstruction (e.g. for undefined and arrays).
* New functionality in wrapper:
* debuggerFlags().breakPointsActive.setValue()
* scripts()
* execState.setVariableValue()
* execState.scopeObject().value()
* execState.scopeObject().property()
* execState.frame().allScopes()
* eventData.exception()
* eventData.script()
* setBreakPointsActive()
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2497973002
Cr-Commit-Position: refs/heads/master@{#41019}
This fixes the bogus {Word32Equal} comparison in the ToString builtin
implementing Object.prototype.toString to be a pointer-size {WordEqual}
comparison instead. Comparing just the lower half-word is insufficient
on 64-bit architectures.
R=jgruber@chromium.org
TEST=mjsunit/regress/regress-crbug-664506
BUG=chromium:664506
Review-Url: https://codereview.chromium.org/2496043003
Cr-Commit-Position: refs/heads/master@{#40963}
A SmiUntag() was missing when loading the old backing store's length.
BUG=chromium:664469
Review-Url: https://codereview.chromium.org/2492783004
Cr-Commit-Position: refs/heads/master@{#40921}
This CL adds support for:
* conditional breaks in setBreakpoint,
* locals in frame.local{Count,Name,Value},
* evaluation on a frame in frame.evaluate,
* and more detailed scope information in scopeObject.
Uses of several functions that are not covered by the
inspector protocol and are only used in tests have been removed.
Local handling has been modified to also include arguments as locals.
Inspector differs in this regard from our FrameDetails in that
arguments are always shown as locals. Argument-related functions
were removed.
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2491543002
Cr-Commit-Position: refs/heads/master@{#40917}
This changes {FrameState} nodes modeling "after" states to use bytecode
offsets pointing to the deoptimizing bytecode. This is in sync with the
normal execution, as the bytecode offset is advanced after operations
complete in regular bytecode handlers.
The change is necessary to ensure lazy deoptimized frames contain an
accurate bytecode offset while they are on the stack. Such frames can be
inspected by various stack walks. The continuation builtin will advance
the bytecode offset upon return.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-660379
BUG=chromium:660379
Review-Url: https://codereview.chromium.org/2487173002
Cr-Commit-Position: refs/heads/master@{#40887}
If an exception is thrown when there is a Promise being created, the Promise
catch prediction code would call into a part implemented in JavaScript to see if
the Promise has a catch handler. If it is not possible to call back into JS,
e.g., due to a stack overflow, then this would lead to a crash. This patch
"speculates" that, if it's impossible to call back into JavaScript, then the
error is unhandled, avoding the issue. In a future patch, the catch prediction
logic should be entirely written in C++, but this patch adds a minimal fix to
be more friendly to backports.
BUG=chromium:662935
R=jgruber
Review-Url: https://codereview.chromium.org/2487833002
Cr-Commit-Position: refs/heads/master@{#40851}
Don't rely on carry flags you didn't set yourself.
BUG=chromium:663402
Review-Url: https://codereview.chromium.org/2484283002
Cr-Commit-Position: refs/heads/master@{#40848}
This adds clearStepping plus the family of
{set,clear}BreakOn{,Uncaught}Exception functions.
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2482903002
Cr-Commit-Position: refs/heads/master@{#40834}
We really should deopt before the for-in index increment.
BUG=chromium:662904
Review-Url: https://codereview.chromium.org/2476423003
Cr-Commit-Position: refs/heads/master@{#40828}
This moves all tests currently working with the inspector debugger wrapper to
test/debugger.
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2480223002
Cr-Commit-Position: refs/heads/master@{#40824}
- When module bytes have a memory maximum defined, compiled module object should set maximum memory
- Exported memory objects should set maximum value on the memory objects
- Update tests to use declared maximum values.
R=ahaas@chromium.org
Review-Url: https://codereview.chromium.org/2474333003
Cr-Commit-Position: refs/heads/master@{#40820}
Note: This CL might regress code that relies on such arguments access.
In that case, we could still optimize the access if it accesses at
constant index (and the argument at that index is not context-allocated).
If any code relies on a general access to context-allocated arguments,
we would need to analyze the function for assignment to the arguments - this
might be quite tricky.
BUG=chromium:662845
Review-Url: https://codereview.chromium.org/2484723002
Cr-Commit-Position: refs/heads/master@{#40813}
The revert somehow lost the contents of regress-2825.js.
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
BUG=chromium:662928
Review URL: https://codereview.chromium.org/2483863002 .
Cr-Commit-Position: refs/heads/master@{#40806}
This moves all tests currently working with the inspector debugger wrapper to
test/debugger.
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2480223002
Cr-Commit-Position: refs/heads/master@{#40804}
We need to rename the receiver on CheckHeapObject, because we
don't canonicalize numbers in SignedSmall range, and thus we
the representation selection can hand out TaggedSigned values
for receiver uses, even though we checked for TaggedPointerness
first.
Note that this is rather hacky and just intended to fix the bug
ASAP. We need to think about how to deal with representations in
earlier compilation stages.
BUG=chromium:662410
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2485563002
Cr-Commit-Position: refs/heads/master@{#40792}
This disables the usage of the {maybe_assigned} flag that the variable
resolution computes for each variable on non-asm.js code. Note that the
analysis is fundamentally broken for destructuring and top-level lexical
variables. Also note that this still uses the analysis for asm.js code
even though it is not validated. One can still trigger the bug by using
invalid constructs within a function marked with "use asm". The fix is
intentionally minimal so that it can be merged to release branches.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-659915
BUG=chromium:659915
Review-Url: https://codereview.chromium.org/2471523005
Cr-Commit-Position: refs/heads/master@{#40716}
This turns the ZoneList with minimum 6 words overhead into a linked list through variables, using 2 words for the empty list. Additionally the average number of pointers per entry goes down to the optimal 1 per variable that's in a list.
This does introduce 1 pointer unnecessary overhead for dynamic variables. If that becomes a problem we could distinguish between variables in lists and variables not in lists. We can distinguish them at construction-time.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2475433002
Cr-Commit-Position: refs/heads/master@{#40714}
Conflicting type feedback on Load/StoreICs can lead to out-of-bounds
field access, which is essentially dead code, but EscapeAnalysis was
confused about those. For now, mark the objects as escaping in these
cases, middle-term we want to deal better with this kind of compile-
time known dead code.
BUG=chromium:658185,v8:4586
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2459273002
Cr-Commit-Position: refs/heads/master@{#40662}
This flag is on by default for now. Whenever heuristics in the compiler
pipeline decide to use Ignition+TurboFan, then {BytecodeGraphBuilder} is
active. Removing the flag reduces maintenance overhead.
R=mvstanton@chromium.org
Review-Url: https://codereview.chromium.org/2437103002
Cr-Commit-Position: refs/heads/master@{#40639}
For global object property cells, we did not check that the map on the
previous object is still the same for which we actually optimized. So
the optimized code was not in sync with the actual state of the property
cell. When loading from such a global object property cell, Crankshaft
optimizes away any map checks (based on the stable map assumption),
leading to arbitrary memory access in the worst case.
TurboFan has the same bug for stores, but is safe on loads because we
do appropriate map checks there. However mixing TurboFan and Crankshaft
still exposes the bug.
R=yangguo@chromium.org
BUG=chromium:659475
Review-Url: https://codereview.chromium.org/2444233004
Cr-Commit-Position: refs/heads/master@{#40592}
The TurboFan backends currently don't support tail-calls to CPP builtins
because the semantics of kJavaScriptCallArgCountRegister has different
semantics for stub call descriptors versus JavaScript call descriptors.
This is actually a short-coming of the backends and follow-up work will
make the backends more robust in that regard to fail hard on unsupported
constructs like that. This just disables the lowering creating such a
tail-call.
R=bmeurer@chromium.org
BUG=chromium:658691
TEST=mjsunit/regress/regress-crbug-658691
Review-Url: https://codereview.chromium.org/2447383002
Cr-Commit-Position: refs/heads/master@{#40590}
Reason for revert:
Breaks tree: http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/8789
Original issue's description:
> [compiler] Properly validate stable map assumption for globals.
>
> For global object property cells, we did not check that the map on the
> previous object is still the same for which we actually optimized. So
> the optimized code was not in sync with the actual state of the property
> cell. When loading from such a global object property cell, Crankshaft
> optimizes away any map checks (based on the stable map assumption),
> leading to arbitrary memory access in the worst case.
>
> TurboFan has the same bug for stores, but is safe on loads because we
> do appropriate map checks there. However mixing TurboFan and Crankshaft
> still exposes the bug.
>
> R=yangguo@chromium.org
> BUG=chromium:659475
TBR=yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:659475
Review-Url: https://codereview.chromium.org/2454513003
Cr-Commit-Position: refs/heads/master@{#40582}
For global object property cells, we did not check that the map on the
previous object is still the same for which we actually optimized. So
the optimized code was not in sync with the actual state of the property
cell. When loading from such a global object property cell, Crankshaft
optimizes away any map checks (based on the stable map assumption),
leading to arbitrary memory access in the worst case.
TurboFan has the same bug for stores, but is safe on loads because we
do appropriate map checks there. However mixing TurboFan and Crankshaft
still exposes the bug.
R=yangguo@chromium.org
BUG=chromium:659475
Review-Url: https://codereview.chromium.org/2444233004
Cr-Commit-Position: refs/heads/master@{#40578}
This brings the BytecodeGenerator in line with FullCodeGenerator, now that
more requests for hole checks are flowing through BuildVariableAssignment.
BUG=chromium:658528
Review-Url: https://codereview.chromium.org/2447783002
Cr-Commit-Position: refs/heads/master@{#40557}
Object.create(null) is most likely to be used for dictionary-like objects.
Hence it would be beneficial to directly create a slow-mode object and avoid
additional overhead later-on.
BUG=
Review-Url: https://codereview.chromium.org/2430273007
Cr-Commit-Position: refs/heads/master@{#40551}
This CL removes code that is now unused since the port of regexp.js has been
completed. Removed functions / classes are:
* regexp.js (GetSubstitution moved to string.js)
* RegExpConstructResult stub
* RegExpFlags intrinsic
* RegExpSource intrinsic
* RegExpInitializeAndCompile runtime function
BUG=v8:5339
Review-Url: https://codereview.chromium.org/2448463002
Cr-Commit-Position: refs/heads/master@{#40547}
CL https://codereview.chromium.org/2177273002 changed FastNewFunctionContextStub
to take a number of slots parameter and in-doing so removed the maximum slot
count for FastNewFunctionContextStub. This made it possible to create a
closure which is larger than kMaxRegularHeapObjectSize and so can't be
allocated by FastNewFunctionContextStub.
Reintroduce FastNewFunctionContextStub::kMaxSlots (but make the limit much
larger) to ensure we call the runtime for contexts which need to be
allocated in the LO space.
BUG=chromium:655573
Review-Url: https://codereview.chromium.org/2445703002
Cr-Commit-Position: refs/heads/master@{#40541}
The test ensures that in RegExp.prototype[@@split], exec is neither
accessed too early nor too often.
BUG=v8:5339,v8:5434
Review-Url: https://codereview.chromium.org/2440413002
Cr-Commit-Position: refs/heads/master@{#40526}
When lowering JSToLength, we cannot just smash arbitrary bounds on the
Select nodes, as that will confuse the representation selection later.
Instead properly rename the input using NumberMax and NumberMin.
R=jarin@chromium.org
BUG=chromium:657478
Review-Url: https://codereview.chromium.org/2440333002
Cr-Commit-Position: refs/heads/master@{#40519}
This CL refactors the handling of metadata associated with WebAssembly
modules to reduce the duplicate marshalling of data from the C++ world
to the JavaScript world. It does this by wrapping the C++ WasmModule*
object in a Foreign that is rooted from the on-heap WasmCompiledModule
(which is itself just a FixedArray). Upon serialization, the C++ object
is ignored and the original WASM wire bytes are serialized. Upon
deserialization, the C++ object is reconstituted by reparsing the bytes.
This is motivated by increasing complications in implementing the JS
API, in particular WebAssembly.Table, which must perform signature
canonicalization across instances.
Additionally, this CL implements the proper base + offset initialization
behavior for tables.
R=rossberg@chromium.org,bradnelson@chromium.org,mtrofin@chromium.org,yangguo@chromium.org
BUG=v8:5507, chromium:575167, chromium:657316
Review-Url: https://chromiumcodereview.appspot.com/2424623002
Cr-Commit-Position: refs/heads/master@{#40434}
Using uint32 to store the the number of control outputs allows WebAssembly switches to have more than 2^16 case.
BUG=v8:5531
TEST=mjsunit/regress/wasm/regression-5531
R=titzer@chromium.org
Review-Url: https://chromiumcodereview.appspot.com/2425983002
Cr-Commit-Position: refs/heads/master@{#40420}
When inlining JSCallConstruct in turbofan, receiver is initialized to model
the behaviour of constructor. When an implicit receiver is not required the
receiver value should be set to the hole value instead of undefined value.
When initializing the receiver via super calls, we check that the receiver
is the hole value.
BUG=chromium:653407
Review-Url: https://codereview.chromium.org/2424123002
Cr-Commit-Position: refs/heads/master@{#40396}
The inlined version of Array.prototype.push returned the value that was
pushed instead of the new "length" property value.
R=jarin@chromium.org
BUG=chromium:656037
Review-Url: https://codereview.chromium.org/2425903002
Cr-Commit-Position: refs/heads/master@{#40384}
There are a couple of operators that can indeed produce Float32
representation, which we might end up using in a TaggedSigned
context, so add the missing conversion (indirectly via Float64).
BUG=chromium:656275
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2421193002
Cr-Commit-Position: refs/heads/master@{#40334}
A decoder error sets builder_ to null, which causes builder_->StackCheck
to segfault.
R=titzer@chromium.org
TEST=mjsunit/regress/wasm/loop-stack-check
Review-Url: https://codereview.chromium.org/2416873002
Cr-Commit-Position: refs/heads/master@{#40271}
We accidently dropped the effect on the floor that we have for the
polymorphic map check in case of array elements access.
BUG=chromium:655004
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2411273002
Cr-Commit-Position: refs/heads/master@{#40201}
For ConsString, the left hand side must be either sequential or external
if the right hand side is empty.
R=jarin@chromium.org
BUG=chromium:654723
NOTRY=true
Review-Url: https://codereview.chromium.org/2410893003
Cr-Commit-Position: refs/heads/master@{#40192}
There were once plans to generate cross-context code with TurboFan,
however that doesn't fit into the model anymore, and so all of this
is essentially dead untested code (and thus most likely already broken
in subtle ways). With this mode still in place it would also be a lot
harder to make inlining based on SharedFunctionInfo work.
BUG=v8:2206,v8:5499
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2406803002
Cr-Commit-Position: refs/heads/master@{#40109}
- Added gating code in the module-decoder to allow SIMD code only when
it can be decoded correctly
- SIMD128 values should not be exported to JS
- Try/Catch should not be available in asmjs modules
- Trivial fixes for S128 values
BUG=chromium:648079
R=ahaas@chromium.org, titzer@chromium.org, bradnelson@chromium.org
Review-Url: https://codereview.chromium.org/2400863003
Cr-Commit-Position: refs/heads/master@{#40067}
This patch sets `this` to be undefined when calling resolve and reject
functions attached to the deferred.
BUG=v8:5476
Review-Url: https://codereview.chromium.org/2399053003
Cr-Commit-Position: refs/heads/master@{#40056}
The implementation of MemorySize with RelocatableInt32Constants is
problematic if MemorySize is placed close to a GrowMemory instruction in
the code. The use of a runtime function guarantees that the order in
which MemorySize and GrowMemory is executed is correct.
R=titzer@chromium.org
BUG=chromium:651961
TEST=mjsunit/regress/wasm/regression-651961
Committed: https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689
Review-Url: https://codereview.chromium.org/2386183004
Cr-Original-Commit-Position: refs/heads/master@{#39972}
Cr-Commit-Position: refs/heads/master@{#39980}
Reason for revert:
Patch problem
Original issue's description:
> [wasm] Call a runtime function for a MemorySize instruction.
>
> The implementation of MemorySize with RelocatableInt32Constants is
> problematic if MemorySize is placed close to a GrowMemory instruction in
> the code. The use of a runtime function guarantees that the order in
> which MemorySize and GrowMemory is executed is correct.
>
> R=titzer@chromium.org
> BUG=chromium:651961
> TEST=mjsunit/regress/wasm/regression-651961
>
> Committed: https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689
> Cr-Commit-Position: refs/heads/master@{#39972}
TBR=titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:651961
Review-Url: https://codereview.chromium.org/2391223002
Cr-Commit-Position: refs/heads/master@{#39973}
The implementation of MemorySize with RelocatableInt32Constants is
problematic if MemorySize is placed close to a GrowMemory instruction in
the code. The use of a runtime function guarantees that the order in
which MemorySize and GrowMemory is executed is correct.
R=titzer@chromium.org
BUG=chromium:651961
TEST=mjsunit/regress/wasm/regression-651961
Review-Url: https://codereview.chromium.org/2386183004
Cr-Commit-Position: refs/heads/master@{#39972}
This fixes a gc stress bug. We cannot rely on an ordering of
clearing of the weak cells, so we explicitly reset the weak
link to the owning instance, when finalizing a compiled
module. In turn, this serves as a reliable signal when GCs
happen while instantiating, allowing us to correctly link the
new instance.
BUG=chromium:652425
Review-Url: https://codereview.chromium.org/2393443003
Cr-Commit-Position: refs/heads/master@{#39964}
Previously, b6e9f625c1 fixed self-assignment
in parameters to throw. But it failed to deal with the case of
destructuring with defaults. This patch extends that previous approach
to always treat the end of a parameter as its initializer position,
whether it has an initializer or not.
This is the minimal change to make it easy to merge; a follow-up
will rename the field of Parameter from "initializer_end_position"
to "end_position".
BUG=v8:5454
Review-Url: https://codereview.chromium.org/2390943002
Cr-Commit-Position: refs/heads/master@{#39962}
In some (rare) cases, the context depth passed to a dynamic variable lookup can
be zero. In these cases, the fast path for the lookup (i.e. load from context or
global) can always be taken, as there is no need to search the current context.
However, with no slow path checks, the bytecode graph builder had a null
environment for the slow path, causing segfaults when this graph was built.
This patch adds a null check for the slow path environment, and skips building
the slow path if the environment is null.
BUG=chromium:652186
Review-Url: https://codereview.chromium.org/2385123002
Cr-Commit-Position: refs/heads/master@{#39949}
Currently the parameter is first parsed as a reference, and then translated into a parameter. The reference stays around though, and gets resolved to the parameter. That automatically creates a use. Now that I drop all unresolved references when we abort preparsing, that also drops the unresolved reference.
Instead, mark the variable as used when its marked as forced context allocation. That's what happens in almost all other cases.
This raises the question: does it really make sense to parse parameters this ways? It seems pretty generic, but neither fast nor memory-efficient ... Did I misunderstand something?
Just land if you think the CL looks good as is.
BUG=chromium:651613
Review-Url: https://codereview.chromium.org/2386623002
Cr-Commit-Position: refs/heads/master@{#39935}
Making new nodes inside of exception-handled blocks fiddles around with the
current environment to merge the exception paths. In particular, the current
environment pointer is mutated. This patch ensures that when we merge the fast
and slow paths of the LdaContextLookup, we actually merge the correct
environment and do not accidentally merge the exceptional environment.
BUG=chromium:651394
Review-Url: https://codereview.chromium.org/2379043002
Cr-Commit-Position: refs/heads/master@{#39878}
The module size is encoded as a HeapNumber, and needs to be
explicitly cloned.
BUG=chromium:647649
Review-Url: https://codereview.chromium.org/2347333002
Cr-Commit-Position: refs/heads/master@{#39845}
TurboFan lowering (see [0]) of ConsString creation cannot ensure that
the first part of the cons string is non-empty without introducing a phi
and negatively impacting performance.
This modifies ConsStringIterator to allow empty first parts of
ConsStrings.
BUG=v8:5440
Review-Url: https://codereview.chromium.org/2377983002
Cr-Commit-Position: refs/heads/master@{#39817}
