Commit Graph

8531 Commits

Author SHA1 Message Date
Igor Sheludko
78c6bbd930 [ic] Use Map as transition handlers instead of StoreHandler objects.
This eases transition handlers caching and avoids memory overhead of
respective StoreHandler objects. In addition, it allows to use such
transition handlers on runtime side to make Object.assign implementation
a bit faster.

Bug: v8:5988
Change-Id: Iba660a11d4b300cd5f80615fb7e2608e53da8fee
Reviewed-on: https://chromium-review.googlesource.com/931701
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52187}
2018-03-23 15:37:40 +00:00
Sigurd Schneider
b6ddadd042 [turbofan] Rename StringFromCodePoint to StringFromSingleCodePoint
Also add a new fast-path for String.fromCodePoint.

R=neis@chromium.org

Bug: v8:7570, v8:7340
Change-Id: I6cd6e6fc98943588ecd646f24fcda043d4033ab0
Reviewed-on: https://chromium-review.googlesource.com/978244
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52183}
2018-03-23 14:28:38 +00:00
Benedikt Meurer
ee98ee583f [builtins] Limit slow Promise.all tests to x64.
Bug: v8:7253
Change-Id: I1724fdac3668bcc05ff581113ac843ab5ef1def2
Reviewed-on: https://chromium-review.googlesource.com/977971
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52179}
2018-03-23 13:15:38 +00:00
Eric Holk
d31dff841e [wasm] always allocate memory when guard regions are needed
When using trap handlers, memory references do not get any checks inserted. This
means there is no check for a null memory as happens when the memory size is
0. Normally this would be correctly caught as an out of bounds access, since the
low memory addresses are not normally mapped. However, if they were mapped for
some reason, we would not catch the out of bounds access.

The fix is to ensure WebAssembly instances always have a guard region even if
the memory is size 0.

This is a rewrite of 5e76ff5a4a

Note that this can lead to a large amount of unnecessary address space usage,
so we share a single reservation for empty array buffers.

Bug: chromium:769637

Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Ia8e84be6d595e347d3d342959f2c374db1a3f683
Reviewed-on: https://chromium-review.googlesource.com/702657
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52163}
2018-03-22 19:44:17 +00:00
Clemens Hammacher
2589ea08e3 [Liftoff] Fix conditional spilling
On float comparisons, we need a scratch byte register for the setcc
instruction, and if none is available, we spill. But this spilling code
is skipped if one of the operands is NaN. The cache state is updated
however, so following code assumes that the spill happened.
This CL fixes this by spilling before checking for NaN, such that the
spilling code is always executed.

R=titzer@chromium.org

Bug: v8:7582, v8:6600
Change-Id: I768d8de14e494d3ebea181c1f9f3129a4b005396
Reviewed-on: https://chromium-review.googlesource.com/973961
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52162}
2018-03-22 18:45:17 +00:00
Michael Achenbach
85432a2381 Revert "Reland "[d8][wasm] Test wasm compilation completion""
This reverts commit 4d1c2907d3.

Reason for revert: Still often hangs:
https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/23898

Original change's description:
> Reland "[d8][wasm] Test wasm compilation completion"
> 
> This is a reland of ed2605f040
> 
> Original change's description:
> > [d8][wasm] Test wasm compilation completion
> > 
> > d8 was recently changed to keep running until wasm compilation has
> > completed. This adds a message test to test that.
> > 
> > R=ahaas@chromium.org
> > 
> > Change-Id: I73af53b6df4ee5f9a6afd26cf2d71a269140465f
> > Reviewed-on: https://chromium-review.googlesource.com/966184
> > Reviewed-by: Andreas Haas <ahaas@chromium.org>
> > Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#52008}
> 
> Change-Id: Iadbd5056dfa58da454956c4e89369af8b0455b35
> Reviewed-on: https://chromium-review.googlesource.com/975242
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52154}

TBR=ahaas@chromium.org,clemensh@chromium.org

Change-Id: I4c2f3f69d6a2e749ce7c5379a3949d098c5946c4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/975835
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52160}
2018-03-22 17:43:29 +00:00
Clemens Hammacher
4d1c2907d3 Reland "[d8][wasm] Test wasm compilation completion"
This is a reland of ed2605f040

Original change's description:
> [d8][wasm] Test wasm compilation completion
> 
> d8 was recently changed to keep running until wasm compilation has
> completed. This adds a message test to test that.
> 
> R=ahaas@chromium.org
> 
> Change-Id: I73af53b6df4ee5f9a6afd26cf2d71a269140465f
> Reviewed-on: https://chromium-review.googlesource.com/966184
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52008}

Change-Id: Iadbd5056dfa58da454956c4e89369af8b0455b35
Reviewed-on: https://chromium-review.googlesource.com/975242
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52154}
2018-03-22 15:54:06 +00:00
Sigurd Schneider
543c007ea6 [turbofan] Optimize string comparisons more
Bug: v8:7531, chromium:822170
Change-Id: Ida5b0714a584df3d830f95088db51c1841b63cc2
Reviewed-on: https://chromium-review.googlesource.com/966062
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52153}
2018-03-22 15:05:46 +00:00
Clemens Hammacher
be1b2d66c0 [wasm] Fix deadlock on async compilation
See referenced bug: Async compilation can deadlock if a background task
queues the last compilation unit to be finished while the finisher
is already exiting because there was no more work.
This CL fixes this by making the finisher task check for new work after
setting the finisher_is_running_ flag to false.

R=ahaas@chromium.org
CC=kimanh@google.com

Bug: chromium:824681
Change-Id: If1f5700a9fdd5d150b36e37a5d14b692c2b0f3fb
Reviewed-on: https://chromium-review.googlesource.com/975301
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52139}
2018-03-22 11:57:21 +00:00
Benedikt Meurer
d8658177ba [builtins] Reduce resolve element closure overhead in Promise.all.
In Promise.all we used to allocate a fresh closure plus a fresh context
for each individual element, which is quite a lot of overhead, especially
since this could be shared in a single context for all elements. The only
bit of information that is needed for each resolve element closure is the
index under which to store the resulting value. With this change we move
this index to the "identity hash" field of the JSFunction, which doesn't
care about the concrete value anyways, as long as it's not zero (the "no
hash" sentinel), and share the rest of the fields in a single outer
context for all resolve element closures.

This limits the maximum number of elements for Promise.all to 2^21 for
now, but that should be fine. Shall we ever see the need for more than
this, we can add machinery to overflow to separate context for indices
larger than 2^21.

This significantly reduces the overhead due to Promise.all on the
parallel-async-es2017-native test, with execution time dropping from
around 148ms to 133ms, so overall a steady 10% improvement on this
benchmark.

Bug: v8:7253
Change-Id: I1092da771c4919f3db7129d2b0a244fc26a7b144
Reviewed-on: https://chromium-review.googlesource.com/973283
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52134}
2018-03-22 10:55:20 +00:00
Clemens Hammacher
8bb41e8d94 [Liftoff] Fix stack slot overwrite
On ia32, the upper "half stack slot" must be located above the lower
half stack slot (in absolute address), hence the index is
"2 * index - 1" instead of "2 * index + 1". Note that the index
describes the negative offset from the stack pointer.

R=titzer@chromium.org

Bug: v8:7579
Change-Id: If207af405b126ab30043432d7934273e6e2a5330
Reviewed-on: https://chromium-review.googlesource.com/973301
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52116}
2018-03-21 15:38:39 +00:00
Marja Hölttä
4f506dbeec [parser] Fix aborting preparsing of a function with a rest param.
BUG=chromium:813630

Change-Id: I9eeaeb8830533c178c8073f48f036f9af8887a55
Reviewed-on: https://chromium-review.googlesource.com/972901
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52095}
2018-03-21 09:04:07 +00:00
Georg Neis
7d5e6b1516 [compiler] Don't infer receiver map for keyed stores.
This avoids a deopt loop.

Bug: v8:7254
Change-Id: I3a676186bc52fd47b03f03c26cb07d9257993693
Reviewed-on: https://chromium-review.googlesource.com/968503
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52036}
2018-03-19 15:11:09 +00:00
Sathya Gunasekaran
f17ad9e316 [numeric separator] Add tests for parseInt
Bug: v8:7317
Change-Id: I6c88de63c4bdb31f873c18c450d26f60659171f2
Reviewed-on: https://chromium-review.googlesource.com/968621
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52030}
2018-03-19 14:12:44 +00:00
Clemens Hammacher
e6bd3ee5cd Revert "[d8][wasm] Test wasm compilation completion"
This reverts commit ed2605f040.

Reason for revert: Test flakes.

Original change's description:
> [d8][wasm] Test wasm compilation completion
> 
> d8 was recently changed to keep running until wasm compilation has
> completed. This adds a message test to test that.
> 
> R=​ahaas@chromium.org
> 
> Change-Id: I73af53b6df4ee5f9a6afd26cf2d71a269140465f
> Reviewed-on: https://chromium-review.googlesource.com/966184
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52008}

TBR=ahaas@chromium.org,clemensh@chromium.org

Change-Id: If1e015bd346a71df1da8effe92882c37a00d1e62
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/968521
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52023}
2018-03-19 12:03:14 +00:00
Sigurd Schneider
dfc2805ccf [turbofan] Add test for Number.{isFinite,isInteger} inlining
This adds variants of tests already in our test-suite that
exercise inlining fast-paths of Number.{isFinite,isInteger}.

Bug: chromium:823151, chromium:823100
Change-Id: Ibf1192b1325fb4f015acea94053fd51a7a7811a9
Reviewed-on: https://chromium-review.googlesource.com/968361
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52021}
2018-03-19 11:44:56 +00:00
Georg Neis
21e77157f8 Revert "[compiler] Don't infer receiver maps for stores."
This reverts commit c94dcb2117.

Reason for revert: several performances regressions.

Original change's description:
> [compiler] Don't infer receiver maps for stores.
> 
> This avoids a deopt loop.
> 
> Bug: v8:7254
> Change-Id: I9ab1dfc754c5ad63c451a9e2276aa1d7eb4c27b1
> Reviewed-on: https://chromium-review.googlesource.com/966065
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51994}

TBR=jarin@chromium.org,neis@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:7254
Change-Id: Iff9c6fb61a559e48ad11d2db9e559de61cc0f5ef
Reviewed-on: https://chromium-review.googlesource.com/968302
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52012}
2018-03-19 10:33:22 +00:00
Clemens Hammacher
ed2605f040 [d8][wasm] Test wasm compilation completion
d8 was recently changed to keep running until wasm compilation has
completed. This adds a message test to test that.

R=ahaas@chromium.org

Change-Id: I73af53b6df4ee5f9a6afd26cf2d71a269140465f
Reviewed-on: https://chromium-review.googlesource.com/966184
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52008}
2018-03-19 09:29:34 +00:00
Andreas Haas
c7d68161bd [d8] Add no-wait-for-wasm flag
The flag lets d8 wait for async compilation of WebAssembly to finish
before d8 shuts down.

R=clemensh@chromium.org
CC=​kimanh@google.com

Change-Id: I4cf59a1f35cc5a0ecaf769d2745df5e2e14eb509
Reviewed-on: https://chromium-review.googlesource.com/966031
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51999}
2018-03-16 15:35:27 +00:00
Georg Neis
c94dcb2117 [compiler] Don't infer receiver maps for stores.
This avoids a deopt loop.

Bug: v8:7254
Change-Id: I9ab1dfc754c5ad63c451a9e2276aa1d7eb4c27b1
Reviewed-on: https://chromium-review.googlesource.com/966065
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51994}
2018-03-16 13:10:24 +00:00
Sigurd Schneider
8a94f074de [turbofan] Move Number.isInteger to JSCallReducer
This also adds ObjectIsInteger and NumberIsInteger
operators.

Bug: v8:7340, v8:7250
Change-Id: I8067276d12c8532931f90e6397f8435362c2f9af
Reviewed-on: https://chromium-review.googlesource.com/951602
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51991}
2018-03-16 12:34:34 +00:00
Sathya Gunasekaran
a1d418edc0 [numeric separator] Add more tests for DecimalLiteral
Bug: v8:7317
Change-Id: I5b3072c84cf8d97c8ebfeb274d0f1134046666c9
Reviewed-on: https://chromium-review.googlesource.com/965063
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51989}
2018-03-16 12:06:54 +00:00
Sathya Gunasekaran
17c2a99450 [numeric separator] Add tests for ToNumber
Bug: v8:7317
Change-Id: I2182edc5169c622280a104036ff07507acc01fb9
Reviewed-on: https://chromium-review.googlesource.com/965982
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51988}
2018-03-16 12:03:34 +00:00
Clemens Hammacher
27e36250f7 [Liftoff][x64] Fix and optimize spilling i64 constants
There was a bug in spilling i64 constants, in that the half stack slot
*above* should have been filled with the high word instead of the one *below*.

Instead of just fixing this, this CL optimizes spilling x64 constants to the
stack by emitting shorter and faster code, especially if the constant fits in
31 bits (which is the majority of cases).

R=titzer@chromium.org

Bug: v8:7565,v8:6600
Change-Id: Id75ddafe82615930a84333a0c49bd515ccbcc093
Reviewed-on: https://chromium-review.googlesource.com/965062
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51985}
2018-03-16 11:05:11 +00:00
Sigurd Schneider
ddecd32dae [turbofan] Don't loose arguments of String#concat
Bug: v8:7516
Change-Id: I0a43197527e3fd4f14862fb782029e9325ae2a00
Reviewed-on: https://chromium-review.googlesource.com/966103
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51982}
2018-03-16 10:06:29 +00:00
Sigurd Schneider
516c25b412 [turbofan] Move Number.isFinite to JSCallReducer
This also introduces two new simplified operators,
NumberIsFinite and ObjectIsFiniteNumber; the latter
handles all values, and the former is a fast-path
of the fast-path that is inserted by typed optimization
if we know the input has Type::Number.

Bug: v8:7340, v8:7250
Change-Id: I1b4812c01bf470bbff40fb3da6e11da543a22cd2
Reviewed-on: https://chromium-review.googlesource.com/951244
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51980}
2018-03-16 09:14:09 +00:00
Benedikt Meurer
0875778fd8 [turbofan] Teach TurboFan about the TypedArray constructor.
This introduces a new JSCreateTypedArray operator, backed by a dedicated
CreateTypedArray builtin, and adds support to lowering new TypedArray
calls to this operator. This way we avoid the overhead of going through
the generic construct stub machinery for hot code. This not only
recovers the performance regression on the typed array constructor
benchmarks, but even improves slightly beyond what we had in 6.6.

We might in the future try to fully inline the TypedArray constructor
into optimized code for certain cases.

Bug: chromium:820726, v8:7503, v8:7518
Change-Id: Ied465924d5695db576d533792f1db68456b9b5ea
Reviewed-on: https://chromium-review.googlesource.com/959010
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51973}
2018-03-15 20:46:16 +00:00
Eric Holk
dfe7eb84e3 Mark neteured ArrayBuffers as not neuterable
Bug: chromium:821368
Change-Id: I4e7032d76a0ac0e291b9dab2f7bcb58ce84827cf
Reviewed-on: https://chromium-review.googlesource.com/963601
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51971}
2018-03-15 18:19:32 +00:00
Benedikt Meurer
c65f0a78c3 [turbofan] NumberToString can return non-sequential strings.
TurboFan assumed that the output of NumberToString is always a
sequential string, since that's what we put into the number to
string table. However we might eventually morph these strings
into ThinStrings when we need to internalize them, in which case
the type in TurboFan will be wrong, and we read out of bounds.

Also-By: tebbi@chromium.org
Bug: chromium:822284
Change-Id: I5aebe73028b95849fff72bba262c517677112353
Reviewed-on: https://chromium-review.googlesource.com/964523
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51970}
2018-03-15 17:52:12 +00:00
Mathias Bynens
697d39abff [esnext] Implement Array.prototype.{flatten,flatMap} 🥙
Proposal repo: https://tc39.github.io/proposal-flatMap/

Bug: v8:7220
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I61661fc6d5c39d084ce5c96a9e150e5c26799e2d
Also-By: bmeurer@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/957043
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51967}
2018-03-15 17:26:12 +00:00
Sathya Gunasekaran
9c98391015 [numeric separator] Ban implicit octal support
Bug: v8:7317
Change-Id: I20fb706c05852668a5a6ae8b69c150ae2e6b2f65
Reviewed-on: https://chromium-review.googlesource.com/960901
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51943}
2018-03-15 10:34:56 +00:00
Ilija Pavlovic
8581e30929 [mips]: Skip mjsunit/harmony/bigint/regressions.
This test creates a BigInt object with size more then 250 MB. On certain
test systems, this large memory consumption will cause the test failing.
Therefore, this test will be skipped for MIPS32 architecture.

TEST=mjsunit/harmony/bigint/regressions
BUG=

Change-Id: I21bf86c3e6058818c6db3ed8970c0f1e3873e0a6
Reviewed-on: https://chromium-review.googlesource.com/962381
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#51940}
2018-03-15 09:34:46 +00:00
Caitlin Potter
b8229612bf Reland "[esnext] re-implement template strings"
- Add a new bytecode for the ToString operation, replacing the old
intrinsic call (currently does not collect type feedback).
- Add a new AST node to represent TemplateLiterals, and avoid
generating unnecessary ToString operations in some simple cases.
- Use a single feedback slot for each string addition, because the
type feedback should always be the same for each addition

This seems to produce a very slight improvement on JSTests benchmarks
and bench-ruben.js from v8:7415, and it's possible that type feedback
for the ToString bytecode could provide more opportunities to eliminate
the runtime call in TurboFan.

Doesn't touch tagged templates

[esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral

Fixes an error where TemplateLiteral printing in --print-ast
would try to read an element beyond the length of a vector.

BUG=v8:7415, chromium:820596
R=adamk@chromium.org, gsathya@chromum.org, rmcilroy@chromium.org, ishell@chromium.org, bmeurer@chromium.org

Change-Id: Ie56894f73a6445550a5f95f42160c4e29ab1da42
Reviewed-on: https://chromium-review.googlesource.com/958408
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#51933}
2018-03-14 18:12:09 +00:00
Dan Elphick
b5da57a06d [builtins] Fix OOB read/write using Array.from
Always use the runtime to set the length on an array if it doesn't match
the expected length after populating it using Array.from.

Bug: chromium:821137
Change-Id: I5a730db58de61ba789040e6dfc815d6067fbae64
Reviewed-on: https://chromium-review.googlesource.com/962222
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51919}
2018-03-14 11:31:42 +00:00
Clemens Hammacher
cc862e69c9 [Liftoff] Fix stack pointer corruption
During a C call, a previous value of the stack pointer is stored in a
platform specific callee saved register. Loading the out argument of the
C call might overwrite the value in that register, if the destination
register collides with the platform specific register. Hence, do first
use that register to restore the previous stack pointer, and only then
load the out argument.
Similarly, when pushing arguments to the stack, do first push all
values and then set the platform specific register in order to avoid
overwriting an argument value held in that register.

Drive-by: Fix offset computations for parameters pushed to the stack
for c calls.

R=titzer@chromium.org

Bug: chromium:820802,chromium:820896,chromium:820807,v8:6600
Change-Id: If4567467b7912454f0bd2cad5927233c98894b03
Reviewed-on: https://chromium-review.googlesource.com/959064
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51916}
2018-03-14 08:13:12 +00:00
Kevin Gibbons
b3c03ff2ec [promise] Promise.all with broken iterable rejects rather than throwing
When Promise.all is called with something which violates the iterable
contract, the resulting error should be provided by returning a rejected
promise, not by throwing.

Bug: v8:7553
Change-Id: I2769b09b49c9b80ef380419489416fc0fabff51b
Reviewed-on: https://chromium-review.googlesource.com/959599
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51902}
2018-03-13 12:31:35 +00:00
Benedikt Meurer
631629ad54 [es2015] Properly deal with fast-path results from IterableToList.
The IterableToList helper builtin can return the input JSArray unchanged
if the fast-path detection decides that it doesn't need to iterate the
elements, which means we can also get a JSArray with an elements kind
that is not PACKED_ELEMENTS as a result of IterableToList.

Bug: chromium:821159, v8:7310
Change-Id: I93a886e6b7f1e1a58dd05affa46fea7501cc5a81
Reviewed-on: https://chromium-review.googlesource.com/959323
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51893}
2018-03-13 07:23:57 +00:00
Benedikt Meurer
022e1a5f94 [turbofan] Properly deal with killed nodes in LoadElimination.
Depending on visitation order the LoadElimination might be find memoized
nodes in its state tables that were killed by other reducers in the mean
time. The LoadElimination must just ignore those stale entries.

Bug: chromium:820820
Change-Id: Ia62e401ff77da547ed215a14074e70aeb5c3a766
Reviewed-on: https://chromium-review.googlesource.com/958843
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51892}
2018-03-13 06:27:13 +00:00
Andreas Haas
825d017568 [intl] Store the collator as a Managed
The lifetime of the collator is handled by the JavaScript heap. At the
moment this is implemented with a weak GlobalHandle. With this CL I
change the implementation to use a Managed object instead. In addition I
did some code cleanup.

The main reason for using a Managed is an lsan problem. The final GC in
d8 is triggered before all pending WebAssembly compilations get
canceled. Via the native context, WebAssembly compilation can keep the
Collator wrapper alive, and therefore the collator is never deallocated.
Managed, however, get processed at isolate teardown, independent of the
reachability of the Managed.

TEST=mjsunit/regress/regress-813440

Bug: chromium:813440
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ie727eb1aff2144586eb36426cc44a32357c0f822
Reviewed-on: https://chromium-review.googlesource.com/956069
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51886}
2018-03-12 16:46:42 +00:00
Tobias Tebbi
94bbb8bb09 [turbofan] escape analysis: no longer remove TypeGuard nodes
The analysis phase used to skip TypeGuard nodes, which are
normally re-introduced by the reduction phase. However, phi nodes
are created during the analysis phase already, and so it could happen
that a phi input skips a TypeGuard.

This CL solves the problem by not removing TypeGuard nodes in the first
place, but only forwarding the VirtualObject. This is analogous to how
we already treat FinishRegion nodes, which are similar in that they are
a renaming too.

Bug: chromium:741225
Change-Id: Icf8aa2d40a30d89788d875b37b9986111f9c966f
Reviewed-on: https://chromium-review.googlesource.com/958442
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51863}
2018-03-10 19:59:48 +00:00
Michael Achenbach
89204e90bb Revert "[esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral"
This reverts commit 0802e2b262.

Reason for revert: For reverting https://crrev.com/c/945408

Original change's description:
> [esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral
> 
> Fixes an error where TemplateLiteral printing in --print-ast
> would try to read an element beyond the length of a vector.
> 
> BUG=v8:7415, chromium:820596
> R=​adamk@chromium.org, gsathya@chromium.org
> 
> Change-Id: Idf9e0da8c165ee62bc1a348a91c2ed5ed798404a
> Reviewed-on: https://chromium-review.googlesource.com/957883
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Caitlin Potter <caitp@igalia.com>
> Cr-Commit-Position: refs/heads/master@{#51857}

TBR=adamk@chromium.org,gsathya@chromium.org,caitp@igalia.com

Change-Id: I5fe950cd823ae350b5f6c09227a62aef9dc2a008
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7415, chromium:820596
Reviewed-on: https://chromium-review.googlesource.com/957724
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51861}
2018-03-10 16:44:20 +00:00
Jakob Kummerow
0c0847bea4 [bigint] Fix Object::VerifyApiCallResultType
Add BigInt to the list of allowed result types.

Bug: v8:6791, chromium:819871
Change-Id: Ib636859da07b38c462ce7017d720e5370ba618d6
Reviewed-on: https://chromium-review.googlesource.com/957422
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51859}
2018-03-10 02:47:20 +00:00
Caitlin Potter
0802e2b262 [esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral
Fixes an error where TemplateLiteral printing in --print-ast
would try to read an element beyond the length of a vector.

BUG=v8:7415, chromium:820596
R=adamk@chromium.org, gsathya@chromium.org

Change-Id: Idf9e0da8c165ee62bc1a348a91c2ed5ed798404a
Reviewed-on: https://chromium-review.googlesource.com/957883
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#51857}
2018-03-10 01:13:50 +00:00
Benedikt Meurer
fd29e1d841 [builtins] Properly handle DICTIONARY_ELEMENTS in Promise.all closures.
Bug: chromium:820312
Change-Id: Ie9237a5c53ac7121e469af460a2f0ad5016d9d03
Reviewed-on: https://chromium-review.googlesource.com/957090
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51844}
2018-03-09 14:25:34 +00:00
Clemens Hammacher
a71e5f9a7b [wasm] Avoid integer overflow on function locals check
On 32-bit systems, the computation {count + type_list->size()} can
overflow, leading to memory corruption later on.

R=titzer@chromium.org

Bug: chromium:819869
Change-Id: Ic81d201e58211e3989b4e945cd52e98dc951fbda
Reviewed-on: https://chromium-review.googlesource.com/955025
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51817}
2018-03-08 17:00:55 +00:00
Benedikt Meurer
e583fc836b [turbofan] Fix invalid SpeculativeToNumber optimization.
When optimizing SpeculativeToNumber we need to pay attention to the
hint, otherwise we optimize away a Signed32 conversion, based on the
fact that the input is a Number.

Bug: chromium:819298
Change-Id: I2ac7b0dac708fee9083eca2880bd5674a82daaa3
Reviewed-on: https://chromium-review.googlesource.com/955423
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51805}
2018-03-08 12:38:29 +00:00
Sathya Gunasekaran
a3f0f0c6e5 [class] Add tests for private fields with eval
Bug: v8:5368
Change-Id: I3119ce753737afd44a03d2c44348912a96da6c97
Reviewed-on: https://chromium-review.googlesource.com/952481
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51794}
2018-03-07 19:33:56 +00:00
Jakob Kummerow
66f21389a7 [bigint] Fix Exponentiate for 1 ** multi_digit
Bug: chromium:819026
Change-Id: I2c58d5e2892f683747966e00aa047153085ac121
Reviewed-on: https://chromium-review.googlesource.com/950472
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51776}
2018-03-06 18:58:32 +00:00
Benedikt Meurer
6196dd051f [turbofan] Only store after all checks are done.
The optimized code for %ArrayIteratorPrototype%.next for holey arrays
was wrong, since it would first store the [[NextIndex]] and then check
whether it hit a hole. However in that case TurboFan doesn't have any
point to deoptimize to, so we need to perform the side-effecting stores
only after all checks are done.

Bug: v8:7510, v8:7514, chromium:819086
Change-Id: I0214c7124833286113e4dc7403ddc20a82fa8da3
Reviewed-on: https://chromium-review.googlesource.com/950723
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51753}
2018-03-06 09:09:11 +00:00
Taketoshi Aono
f0946c1b71 Reland proposal-numeric-separator.
Revert "Revert "[parser] Implements proposal-numeric-separator.""

This reverts commit 782f6401ee.

Original CL is https://chromium-review.googlesource.com/c/v8/v8/+/923441

Bug: v8:7317
Change-Id: I6f541c038bad0cff625094ba84aebe582bdeb12f
Reviewed-on: https://chromium-review.googlesource.com/945034
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51749}
2018-03-06 01:25:06 +00:00
Sigurd Schneider
0d5588dc2c [turbofan] Don't drop arguments in fast-path
Math fast-path cannot drop arguments because their side-effects
must be preserved. For example, Math.imul(x) dropped x entirely,
because if x is convertible to an integer, the result is 0.
This, however, is not OK because converting x to an integer might
throw.

Bug: chromium:818070, v8:7250, v8:7240
Change-Id: I8363e6dcd3fc78c879395aacb636d5782c3b023e
Reviewed-on: https://chromium-review.googlesource.com/948523
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51736}
2018-03-05 15:19:11 +00:00
Benedikt Meurer
06ee127b75 [es2015] Refactor the JSArrayIterator.
This changes the JSArrayIterator to always have only a single instance
type, instead of the zoo of instance types that we had before, and
which became less useful with the specification update to when "next"
is loaded from the iterator now. This greatly simplifies the baseline
implementation of the array iterator, which now only looks at the
iterated object during %ArrayIteratorPrototype%.next invocations.

In TurboFan we introduce a new JSCreateArrayIterator operator, that
holds the IterationKind and get's the iterated object as input. When
optimizing %ArrayIteratorPrototype%.next in the JSCallReducer, we
check whether the receiver is a JSCreateArrayIterator, and if so,
we try to infer maps for the iterated object from there. If we find
any, we speculatively assume that these won't have changed during
iteration (as we did before with the previous approach), and generate
fast code for both JSArray and JSTypedArray iteration.

Drive-by-fix: Drop the fast_array_iteration protector, it's not
necessary anymore since we have the deoptimization guard bit in
the JSCallReducer now.

This addresses the performance cliff noticed in webpack 4. The minimal
repro on the tracking bug goes from

  console.timeEnd: mono, 124.773000
  console.timeEnd: poly, 670.353000

to

  console.timeEnd: mono, 118.709000
  console.timeEnd: poly, 141.393000

so that's a 4.7x improvement.

Also make presubmit happy by adding the missing #undef's.

Bug: v8:7510, v7:7514
Change-Id: I79a46bfa2cd0f0710e09365ef72519b1bbb667b5
Reviewed-on: https://chromium-review.googlesource.com/946098
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51725}
2018-03-05 11:57:28 +00:00
Sigurd Schneider
d1df563059 [turbofan] Fix bug in Array.p.reduceRight
Bug: v8:7495
Change-Id: Id929804e0d0f78c17d81d07cd6a5c5e571449d35
Reviewed-on: https://chromium-review.googlesource.com/947974
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51720}
2018-03-05 10:52:32 +00:00
Georg Neis
c895a23a99 [ic] Relax a CHECK.
The CHECK didn't account for the recent introduction of
StoreInArrayLiteralIC.

Bug: v8:5940, chromium:818438
Change-Id: I73b4120eb39b16d766f0b1a9cb82ba44804b09a3
Reviewed-on: https://chromium-review.googlesource.com/947950
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51719}
2018-03-05 10:09:01 +00:00
Jakob Kummerow
62d1f78245 [bigint] Fix throwing in Exponentiate()
When the multiplication steps fail, they have already thrown an
exception internally, so we should not throw another.
The power-of-two fast path erroneously did not throw at all for
a few input values.

Bug: chromium:818277
Change-Id: If90f6aa3e77fc72e3434daca3b898c77739933ab
Reviewed-on: https://chromium-review.googlesource.com/947254
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51711}
2018-03-03 00:59:42 +00:00
Georg Neis
2e2860f74f [ic] Introduce new IC for storing into array literals.
... and use it in the implementation of array literal spreads,
replacing calls to %AppendElement.

Array spreads in destructuring will be taken care of in a separate CL.

Bug: v8:5940, v8:7446
Change-Id: Idec52398902a7fd3c1244852cf73246f142404f0
Reviewed-on: https://chromium-review.googlesource.com/915364
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51709}
2018-03-02 21:12:57 +00:00
Tobias Tebbi
b8abd2736e [turbofan] remove type-widening NaN-addition folding
Folding _ + NaN => NaN can widen type None to a constant type, which leads to floating DeadValue nodes. This CL fixes this by removing the optimization. Alternatively, we should consider removing all nodes of type None in simplified lowering.

Bug: chromium:817225
Change-Id: I2a126b360d70d3626f8a3c5e73ac72dc980ac8b3
Reviewed-on: https://chromium-review.googlesource.com/946129
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51699}
2018-03-02 14:19:59 +00:00
Clemens Hammacher
6195ebe160 [wasm] Fix DCHECK for lazy compilation
Table inits can contain imported functions, hence their code will be a
wasm-to-wasm wrapper.
Fix a DCHECK and add a regression test.

R=ahaas@chromium.org

Bug: chromium:817380
Change-Id: I836be589e1ae66839ccd470154c8dea488e6bc1f
Reviewed-on: https://chromium-review.googlesource.com/943107
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51685}
2018-03-02 09:48:11 +00:00
Deepti Gandluri
782f6401ee Revert "[parser] Implements proposal-numeric-separator."
This reverts commit 517df52488.

Reason for revert: Fails MSAN tests - https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/20030

Original change's description:
> [parser] Implements proposal-numeric-separator.
> 
> https://github.com/tc39/proposal-numeric-separator
> 
> This proposal-numeric-separator extends NumericLiteral and
> allows developers to insert underscore(_) inside numeric literal.
> 
> Bug: v8:7317
> Change-Id: I2a1a45cd6fe09cc5df63433bc915988fde687a33
> Reviewed-on: https://chromium-review.googlesource.com/923441
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51671}

TBR=adamk@chromium.org,jkummerow@chromium.org,hablich@chromium.org,gsathya@chromium.org,mathias@chromium.org,goto@google.com,brn@b6n.ch

Change-Id: I6dcf46820caf20f28fbc11d94a5e8ced3cbbc78d
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7317
Reviewed-on: https://chromium-review.googlesource.com/944767
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51672}
2018-03-01 23:04:36 +00:00
Taketoshi Aono
517df52488 [parser] Implements proposal-numeric-separator.
https://github.com/tc39/proposal-numeric-separator

This proposal-numeric-separator extends NumericLiteral and
allows developers to insert underscore(_) inside numeric literal.

Bug: v8:7317
Change-Id: I2a1a45cd6fe09cc5df63433bc915988fde687a33
Reviewed-on: https://chromium-review.googlesource.com/923441
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51671}
2018-03-01 22:28:14 +00:00
Jakob Kummerow
dcbcf0469d [bigint] Fix tie-to-even case in BigInt::ToNumber
Bug: v8:6791, v8:7506
Change-Id: I8ff41cb5fab03ab2ced8f21016a0744582a3fcee
Reviewed-on: https://chromium-review.googlesource.com/942387
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51666}
2018-03-01 19:46:57 +00:00
Clemens Hammacher
08a9e3eb20 [Liftoff] Fix get_use_count for register pairs
R=ahaas@chromium.org

Bug: v8:7508, v8:6600
Change-Id: I9eb04171eb489383bb746e2d04c6ffff304b7918
Reviewed-on: https://chromium-review.googlesource.com/942821
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51652}
2018-03-01 13:06:17 +00:00
Georg Neis
df35adc763 [bigint] Fix bug in exponentiation.
R=jkummerow@chromium.org

Bug: v8:7505, v8:6791
Change-Id: I11b0031dfafa499a813e3e52080ee5542224799a
Reviewed-on: https://chromium-review.googlesource.com/941130
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51639}
2018-02-28 21:16:15 +00:00
Georg Neis
148cb4d1b1 [modules] Fix handling of uninitialized exports in namespace objects.
For namespace objects, [[GetOwnProperty]] on an uninitialized property
throws a ReferenceError. This was not implemented everywhere. This CL
fixes all such issues I'm aware of.

Bug: v8:7470
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I5f024450005c4f4dcb3f41c844ef055f67a9a869
Reviewed-on: https://chromium-review.googlesource.com/937341
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51638}
2018-02-28 21:13:16 +00:00
Jakob Kummerow
c94df3cec4 Fix buffer-detached check in TypedArray.of/from
The assert-guarded comment claiming that ToNumber could not
possibly neuter the target array unfortunately turns out to
have been wishful thinking.

Bug: chromium:816961
Change-Id: Ib98f96f4cd7f33414c0b5a6037bfb881938cc15e
Reviewed-on: https://chromium-review.googlesource.com/939767
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51637}
2018-02-28 20:52:55 +00:00
Clemens Hammacher
567dcad1ae [wasm] Fix prototype property of exported functions
According to the spec, exported wasm functions should not have a
[[Construct]] method, hence they don't have a prototype.

R=bmeurer@chromium.org
CC=​titzer@chromium.org

Bug: v8:7503
Change-Id: I9e142d65a80c0ef6dbd743421771f194c2d50614
Reviewed-on: https://chromium-review.googlesource.com/939782
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51622}
2018-02-28 09:14:57 +00:00
Eric Holk
c137eb509d [typed arrays] GetBuffer returns old buffer for guarded buffers
This also adds a DCHECK that the buffer does not have guard pages in
MaterializeArrayBuffer because the code there does not know how correctly set up
a buffer with guard pages.

Bug: chromium:801849
Change-Id: Ic761fcdfbd16a2d6e87f4eb135f5d03b7aa2d71d
Reviewed-on: https://chromium-review.googlesource.com/938968
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51616}
2018-02-27 20:36:54 +00:00
Ross McIlroy
910f45fa8d Reland: [Compiler] Use CompilationCache for StreamedScript compilation.
Previously GetSharedFunctionInfoForStreamedScript didn't either check the
compilation cache or put the result of compilation into the compilation
cache. This would mean future compiles would need to re-parse / compile
the same script even if the isolate had already seen it. This CL
fixes this.

Also refactors the compilation pipelines to ensure we call debug->OnAfterCompile()
for all script compiles even when loading from a cache.

BUG=v8:5203

Change-Id: I4b06bdfc566425f4e6d70fc3e6e080b0dc497d48
Reviewed-on: https://chromium-review.googlesource.com/939464
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51607}
2018-02-27 15:41:14 +00:00
Michael Starzinger
15bf3ae5e1 [test] Re-enable tests that should no longer fail.
R=cbruni@chromium.org
BUG=v8:7438

Change-Id: I2359ff08f0c37c683bbcb164eb3120539d2bb124
Reviewed-on: https://chromium-review.googlesource.com/939468
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51605}
2018-02-27 15:31:54 +00:00
Clemens Hammacher
a0e66bca78 [Liftoff][ia32] Handle overflow in memory offset
When generating a 64bit memory operation on ia32, we need to emit two
operations, one at {offset+4}, one at {offset}. The computation
{offset+4} can overflow, which is ok because
1) it won't be used for code generation later, and
2) the generated code will not be reached because the memory access is
   always out of bounds anyway.

R=ahaas@chromium.org

Bug: v8:7499, v8:6600
Change-Id: Ia4660688c3291700c48efc201d15fc370b4dd854
Reviewed-on: https://chromium-review.googlesource.com/939389
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51604}
2018-02-27 15:06:24 +00:00
Camillo Bruni
c7d01c42ed [proxies] Use write barriers for Proxy [[Construct]] arguments
The number of arguments passed on the stack might exceed the regular
object size limits. Hence we need to emit write barriers when copying
the arguments from the stack into the allocated array.

Bug: chromium:813450
Change-Id: I829c5c32b1a7b5f4ddb01cc6ea92f85ab47126aa
Reviewed-on: https://chromium-review.googlesource.com/939174
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51603}
2018-02-27 14:41:08 +00:00
Jaroslav Sevcik
8c1234861c [turbofan] Bailout from optimizations for large bytecode sizes (>128kB).
Turbofan can only handle 64K control inputs for merges. Such large
can only be created by functions with 64K jumps, so we limit the
bytecode size to the minimum size of bytecode arrays with 64K jumps.

Bug: chromium:815392, v8:7438
Change-Id: I674705e87e19ce451b40d5827c9fe3e6ec17293a
Reviewed-on: https://chromium-review.googlesource.com/938421
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51598}
2018-02-27 13:22:53 +00:00
Clemens Hammacher
bd2c9d560c [wasm][testing] Fix definition of kSig_f_v
There is a clear mistake of using kWasmF64 instead of kWasmF32.

R=ahaas@chromium.org

Change-Id: I638d568b3736fdb8417f17bcd04d17268a45b965
Reviewed-on: https://chromium-review.googlesource.com/939178
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51595}
2018-02-27 12:52:23 +00:00
Choongwoo Han
1a1e93526e [builtins] Sort only up to a given length in Array.p.sort
Always return the given length (limit) for typed arrays in PrepareElementsForSort
since typed arrays do not have holes.

Bug: v8:6719
Change-Id: Ic455ceca6563fc66a4e4a78c7bf5df1ad17afb4a
Reviewed-on: https://chromium-review.googlesource.com/615104
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51588}
2018-02-27 10:17:03 +00:00
Adam Klein
8fa85efd27 [esnext] Remove always-disabled support for function.sent
This proposal has not moved beyoned stage 2 in two years, and has never
moved past the HARMONY_INPROGRESS state in flag-definitions.h.

It was originally added to aide in desugaring yield*, but is no longer
used for that purpose.

Bug: v8:4700, v8:7310
Change-Id: Ieca40d8e4bf565516bbe71e47b996daa70d2e835
Reviewed-on: https://chromium-review.googlesource.com/935297
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51582}
2018-02-26 20:01:41 +00:00
Peter Marshall
6b25ab2e8c [typedarray] Extend ElementsAccessor::CopyElements to all Object types
Previously, Strings without an iterator would go to the runtime path
and fail on because it expected a JSReceiver type. This was in-line
with what the elements accessor expected. We can actually handle all
object types in the final slow path (using LookupIterator) so it is no
problem to change the accept types.

Bug: chromium:816289
Change-Id: Iebb8de0bb7551aee3894c8a23836d079c93726a7
Reviewed-on: https://chromium-review.googlesource.com/937461
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51574}
2018-02-26 15:51:31 +00:00
Peter Marshall
ec5c342798 [typedarray] Fix failing DCHECK for TA.from with a length getter.
I loosened the DCHECKs here but I think they are still fundamentally
safe: `length` must be <= the actual length of the source (so that
there are actually enough elements to copy), and `length` must also be
<= the destination length, minus the offset (so there is enough space
to copy the elements into).

Bug: chromium:816317
Change-Id: Ice00ac60f4884363f6065ffee71f6ab1d1b32dbc
Reviewed-on: https://chromium-review.googlesource.com/937209
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51566}
2018-02-26 13:42:23 +00:00
Yang Guo
9a561c82af [debug] remove outdated regression test.
TBR=jgruber@chromium.org
NOTREECHECKS=true
NOTRY=true

Change-Id: Id5d81f863fa6d14ac86d49b6516e577c2da7a999
Reviewed-on: https://chromium-review.googlesource.com/936543
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51557}
2018-02-26 11:27:40 +00:00
Yang Guo
175fc49c6e [debug] remove legacy implementation for break points.
R=herhut@chromium.org, jgruber@chromium.org

Bug: v8:7310, v8:5510
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Icefd10b6cc210e5bb2684d18b091179ead387326
Reviewed-on: https://chromium-review.googlesource.com/934445
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51552}
2018-02-26 10:01:39 +00:00
Sigurd Schneider
bcb5d45210 [turbofan] Introduce StringSubstring operator
Adding the StringSubstring simplified operator is a precursor to
improve inlining of String.p.{substr,substring,slice}.
This also contains a drive-by renaming to normalize different
spellings of 'Substring'.

Bug: v8:7250, v8:7340
Change-Id: I89e0fbafeab80f5d2f3ef348a5303d32c0abfe0a
Reviewed-on: https://chromium-review.googlesource.com/919084
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51522}
2018-02-23 15:51:57 +00:00
Peter Marshall
aaa1d27153 [turbofan] Add a constructor frame state for promise constructors.
This fixes issues where the stack track contained 'Promise' but
not 'new'.

Bug: v8:7253
Change-Id: I840fcc0a76e2376aab0b64d321f5cf8ccc672956
Reviewed-on: https://chromium-review.googlesource.com/928762
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51516}
2018-02-23 14:06:17 +00:00
Sigurd Schneider
53e00e3900 Reland "[turbofan] Move String.* functions to JSCallReducer"
This is a reland of 3ff4b44735.

Original version did not handle V8_INTL_SUPPORT.

Original change's description:
> [turbofan] Move String.* functions to JSCallReducer
>
> Bug: v8:7250, v8:7340
> Change-Id: Ibb8d5badf89c66bd9bcb6bb390256ae81d0e899c
> Reviewed-on: https://chromium-review.googlesource.com/913208
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51505}

Bug: v8:7250, v8:7340
Change-Id: Id908cbcfaa9e9cf5459d6d3289e6ec00e387d287
Reviewed-on: https://chromium-review.googlesource.com/934268
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51514}
2018-02-23 13:43:28 +00:00
Sigurd Schneider
0ef07c95f4 Revert "[turbofan] Move String.* functions to JSCallReducer"
This reverts commit 3ff4b44735.

Reason for revert: Does not handle V8_INTL_SUPPORT correctly

Original change's description:
> [turbofan] Move String.* functions to JSCallReducer
> 
> Bug: v8:7250, v8:7340
> Change-Id: Ibb8d5badf89c66bd9bcb6bb390256ae81d0e899c
> Reviewed-on: https://chromium-review.googlesource.com/913208
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51505}

TBR=sigurds@chromium.org,bmeurer@chromium.org

Change-Id: I6efb3b758b0fcadc012a90c4175de3c1ebccee95
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7250, v8:7340
Reviewed-on: https://chromium-review.googlesource.com/934267
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51507}
2018-02-23 12:41:04 +00:00
Sigurd Schneider
3ff4b44735 [turbofan] Move String.* functions to JSCallReducer
Bug: v8:7250, v8:7340
Change-Id: Ibb8d5badf89c66bd9bcb6bb390256ae81d0e899c
Reviewed-on: https://chromium-review.googlesource.com/913208
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51505}
2018-02-23 12:22:13 +00:00
Sigurd Schneider
6be614fb2d Reland "[turbofan] Disable speculation for JSCall nodes by default"
This is a reland of ccbbdb93a1.

Original change's description:
> [turbofan] Disable speculation for JSCall nodes by default
>
> Change-Id: I7360601f4e1b419cf8d35480b068418bdd700be9
> Reviewed-on: https://chromium-review.googlesource.com/928649
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51467}

Bug: v8:7340

Change-Id: I5557afcdad0c7f9610a396dcfa45f8985a13c1ba
Reviewed-on: https://chromium-review.googlesource.com/931546
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51496}
2018-02-23 08:31:41 +00:00
Jakob Kummerow
ddc155d89f [bigint] Add CSA support for Big*64Array stores
Bug: v8:6791
Change-Id: I1423321552e50d9ccb40a94b73f393d6d46fa629
Reviewed-on: https://chromium-review.googlesource.com/927789
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51492}
2018-02-23 02:30:04 +00:00
Jakob Kummerow
3ef16185e4 Reland "[bigint] Implement DataView.{get,set}Big*64"
Originally reviewed at https://chromium-review.googlesource.com/929429
and landed as r51486 / d50c7731e8.

Update in reland: whitelisted new builtins as side effect free.

Bug: v8:6791
Change-Id: Iff45700c8a4eca23f3ee6fc9c0cb340dc027cbc6
Reviewed-on: https://chromium-review.googlesource.com/932802
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51491}
2018-02-23 00:57:38 +00:00
Adam Klein
f7d7b5c6a4 ToString of a Proxied function should not throw
Without --harmony-function-tostring, anything other than a JSFunction
or JSBoundFunction throw when Function.prototype.toString is called on
them. But with the toString revision, anything callable allows toString
(and for non-Functions returns the good old "function () { [native code] }"
string).

Bug: v8:7484
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I3540e213a40992151761b59666fe36e0510da908
Reviewed-on: https://chromium-review.googlesource.com/932825
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51489}
2018-02-22 22:55:50 +00:00
Michael Achenbach
56b4c41b6a Revert "[bigint] Implement DataView.{get,set}Big*64"
This reverts commit d50c7731e8.

Reason for revert: Fails on many bots, like:
https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/23331

Original change's description:
> [bigint] Implement DataView.{get,set}Big*64
> 
> Bug: v8:6791
> Change-Id: I4b5ad3cf68b5c2423d6e055332d7f0dfce7c1e99
> Reviewed-on: https://chromium-review.googlesource.com/929429
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51486}

TBR=jkummerow@chromium.org,neis@chromium.org

Change-Id: I95c260134d7d2671cd4cc0f8c07971af04d97546
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6791
Reviewed-on: https://chromium-review.googlesource.com/932801
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51487}
2018-02-22 21:29:12 +00:00
Jakob Kummerow
d50c7731e8 [bigint] Implement DataView.{get,set}Big*64
Bug: v8:6791
Change-Id: I4b5ad3cf68b5c2423d6e055332d7f0dfce7c1e99
Reviewed-on: https://chromium-review.googlesource.com/929429
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51486}
2018-02-22 20:10:10 +00:00
Clemens Hammacher
537885e829 [wasm][interpreter] Fix indirect calls to other instances
When calling a function through a function table, check whether the
instance of the called function differs from the current instance, and
in that case call the other function via a c-wasm-entry instead of
interpreting it.
The c-wasm-entry needs to pass the wasm context, so this CL changes
this to receive the wasm context as parameter instead of embedding the
context of the calling instance.

R=titzer@chromium.org

Bug: chromium:814562, v8:7400
Change-Id: Iea93f270542169f8aac4f8c81aacec559c716368
Reviewed-on: https://chromium-review.googlesource.com/930966
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51485}
2018-02-22 19:51:41 +00:00
Michael Achenbach
8d889e390b [foozzie] Migrate mjsunit harness adjustments to V8 repo
This migrates harness adjustments, to be loaded after mjsunit.js on
fuzzers for correctness fuzzing.

This is the first step adding deeper pretty printing. Other
adjustments will be added in follow ups.

Bug: chromium:813833
Change-Id: I51168a31e733d54808cb8853a1c90e897acf3791
Reviewed-on: https://chromium-review.googlesource.com/930565
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51481}
2018-02-22 18:33:59 +00:00
Kim-Anh Tran
6da59ee38c [wasm] Remove default value for is_liftoff
AddCode and AddOwnedCode (from NativeModule), as well as the WasmCode
constructor are using a default value (false) for determining whether
the code is liftoff-compiled or not. This CL removes the default
value and requires each call to these functions/constructors to explicitly
set the value.

Change-Id: Icd4187d1710c774826c9134078ec65845bc98dd7
Reviewed-on: https://chromium-review.googlesource.com/928921
Commit-Queue: Kim-Anh Tran <kimanh@google.com>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51475}
2018-02-22 13:59:17 +00:00
Benedikt Meurer
aa7ccc233c Revert "[turbofan] Disable speculation for JSCall nodes by default"
This reverts commit ccbbdb93a1.

Reason for revert: https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Linux%2F23316%2F%2B%2Frecipes%2Fsteps%2FBisect_50a6e301%2F0%2Fsteps%2FRetry_-_nosse3%2F0%2Flogs%2FJSCallReducerTest.Mat..%2F0

Original change's description:
> [turbofan] Disable speculation for JSCall nodes by default
> 
> Change-Id: I7360601f4e1b419cf8d35480b068418bdd700be9
> Reviewed-on: https://chromium-review.googlesource.com/928649
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51467}

TBR=sigurds@chromium.org,bmeurer@chromium.org

Change-Id: I5a1988902730be9e962b17a434251db82d834b98
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/931401
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51471}
2018-02-22 12:33:18 +00:00
Sigurd Schneider
ccbbdb93a1 [turbofan] Disable speculation for JSCall nodes by default
Change-Id: I7360601f4e1b419cf8d35480b068418bdd700be9
Reviewed-on: https://chromium-review.googlesource.com/928649
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51467}
2018-02-22 11:33:15 +00:00
Peter Marshall
aaa78c330e [typedarray] Fix IterableToList when Number has an iterator
IterableToListCanBeElided checked that the input was always a HeapObject
but this is not true when an iterator symbol is defined on the Number
prototype, meaning Smi and HeapNumber can also be passed in.

Added a regression test for the crash and some correctness tests for
smi and double input to TA.from.

Also factored out the tests in typedarray-from.js that modify global
state e.g. protector cells, so that one iteration of the top level
loop does not interfere with the next.

Bug: chromium:814643
Change-Id: I364d11f011faf8370446f905a35a945d47e4477f
Reviewed-on: https://chromium-review.googlesource.com/930962
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51461}
2018-02-22 10:23:32 +00:00
Sathya Gunasekaran
f3cfe09549 [class] Throw on private field access miss
Private fields should not return undefined on access miss, but instead
should throw a TypeError.

This patch uses a bit on v8::Symbol to mark if this symbol is a
private field or not.

This patch also changes the LookupIterator code path that deals with
LookupIterator::State::DATA to deal with JSReceiver instead of
JSObject.

Note: the error message doesn't output the field name, but that's a
WIP.

Bug: v8:5368
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I8ae960b478eb6ae1ebf9bc90658ce3654d687977
Reviewed-on: https://chromium-review.googlesource.com/905627
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51452}
2018-02-22 01:43:13 +00:00
Michael Achenbach
f991f3a40b [test] Skip test on deopt fuzzer
NOTRY=true
TBR=petermarshall@chromium.org

Bug: v8:7466
Change-Id: I1ac9735ee130c43cebf56f8b69528429c47a42f6
Reviewed-on: https://chromium-review.googlesource.com/929586
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51448}
2018-02-21 19:10:53 +00:00
Clemens Hammacher
093b771801 [testing] Remove isCrankshafted
Crankshaft is gone, and this function is not used anywhere.

R=mstarzinger@chromium.org

Bug: v8:7310,v8:6408
Change-Id: Ic1f859e659008c891cc35d20e95a8214de42bd21
Reviewed-on: https://chromium-review.googlesource.com/928981
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51445}
2018-02-21 18:16:43 +00:00
Clemens Hammacher
a677243034 [wasm] Enable more asm.js tests
They were disabled for some reason, but they are working, so reenable
them.

R=titzer@chromium.org

Change-Id: I24cab05d01060b9eae3d6191a978cdb04daf626b
Reviewed-on: https://chromium-review.googlesource.com/928648
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51440}
2018-02-21 15:42:22 +00:00
Sathya Gunasekaran
3da7cd3645 [class] Allow CallExpressions to access private fields
Bug: v8:5368
Change-Id: I92874d5ea190cd892f3cb5216e0f4bb5373d5350
Reviewed-on: https://chromium-review.googlesource.com/927345
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51436}
2018-02-21 15:27:13 +00:00
Ben L. Titzer
0c1b4c257b [wasm] Move indirect function tables into the WasmContext
This CL changes the WASM implementation to access indirect function
tables through the WasmContext, whereas previously indirect function
tables and their sizes were constants that were inlined into compiled
into code, requiring code patching. This is a necessary step for sharing
code between instances and eventually, isolates.

R=clemensh@chromium.org,mstarzinger@chromium.org

Bug: v8:7424
Change-Id: Ida4138ed92729730dfbc0a81a84d8484b233d808
Reviewed-on: https://chromium-review.googlesource.com/895683
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51427}
2018-02-21 12:29:21 +00:00
Sigurd Schneider
fb0144f6f9 [turbofan] Move Math.* builtins to JSCallReducer
This CL also adds speculation to all Math builtins,
and refactors the JSCallReducer.

Bug: v8:7250, v8:7240
Change-Id: Icdaddb767e875bb191939d907f65c7a8dcf79b8b
Reviewed-on: https://chromium-review.googlesource.com/873916
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51426}
2018-02-21 12:21:20 +00:00
Peter Marshall
9e855013ef [turbofan] Add a frame state for inlined Promise constructors.
This adds a frame state for the call to the executor in inlined promise
constructors. We provide a continuation function in case of deopts which
just returns the created promise. This is not totally correct yet: if
the executor function also throws, we need to catch it and call the
reject function instead.

We also still need to add a frame state for the isCallable check on the
executor, so that the stack is correct for the thrown TypeError.

Bug: v8:7253
Change-Id: I3ee042ec82f1a9a35d59e576f6c8efe9bc98698c
Reviewed-on: https://chromium-review.googlesource.com/926523
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51417}
2018-02-21 10:05:01 +00:00
Tobias Tebbi
07abe39aed [turbofan] simplified lowering: process DeadValue input
Without processing the input, a phi node can be flagged as unused and
replaced with {Dead}, although it is used by a {DeadValue} node.

Bug: chromium:808472
Change-Id: I7446883535b34770e31e4e26e1c242eb05673a91
Reviewed-on: https://chromium-review.googlesource.com/919362
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51395}
2018-02-20 15:13:28 +00:00
Camillo Bruni
da83b61848 [runtime] Fix overzealous check for derived constructor instance size
Bug: chromium:813427
Change-Id: Ie0b096b20f335648e7920c5ebe4ff0fa3b5ab9d5
Reviewed-on: https://chromium-review.googlesource.com/926003
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51393}
2018-02-20 13:28:37 +00:00
Yang Guo
18344ef408 [regexp] make lookbehind assertions non-quantifiable.
Until now lookbehind assertions have been quantifiable in non-unicode regexps.
This seems to be an oversight in the spec.

R=jgruber@chromium.org

Bug: v8:7462
Change-Id: Iad0db441089c7510dd2c42a861db92c05545ce1e
Reviewed-on: https://chromium-review.googlesource.com/926102
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51392}
2018-02-20 11:24:32 +00:00
Benedikt Meurer
e465a4f3be [turbofan] Support inlining of builtins based on SharedFunctionInfo.
This makes the inlining of the default resolve/reject closures generated
by the Promise constructor effective. To be really useful we still need
to have the Promise constructor inlined (work-in-progress) and eventually
track SharedFunctionInfo feedback in the CALL_IC.

Bug: v8:2206, v8:7253
Change-Id: I08fa8ca72754f459ae36027a55377ef57d411cdc
Reviewed-on: https://chromium-review.googlesource.com/926103
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51390}
2018-02-20 11:09:42 +00:00
Peter Marshall
46c199a5c7 [turbofan] Inline promise constructor in turbofan.
Inline the promise constructor when we have one argument and target
matches new_target.

This is not complete, and is sitting behind an experimental flag for
now. We need to fix deoptimization by providing proper frame states.

Create a unittest class for JSCallReducer - just assert whether there
was a change or not, rather than specify the exact graph that should be
produced.

Bug: v8:7253
Change-Id: Ib6886a8feb2799f47cd647853cabcf12a189bc25
Reviewed-on: https://chromium-review.googlesource.com/919282
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51389}
2018-02-20 09:01:51 +00:00
Benedikt Meurer
be6d129207 [turbofan] Optimize promise resolution.
This CL introduces new operators JSFulfillPromise and JSPromiseResolve,
corresponding to the specification operations with the same name, and
uses that to lower calls to Promise.resolve() builtin to JSPromiseResolve.

We also optimize JSPromiseResolve and JSResolvePromise further based on
information found about the value/resolution in the graph. This applies
to both Promise.resolve() builtin calls and implicit resolve operations
in async functions and async generators.

On a very simple microbenchmark like

  console.time('resolve');
  for (let i = 0; i < 1e8; ++i) Promise.resolve({i});
  console.timeEnd('resolve');

this CL reduces the execution time from around 3049ms to around 947ms,
which is a pretty significant 3x improvement. On the wikipedia benchmark
we observe an improvement around 2% with this CL.

Bug: v8:7253
Change-Id: Ic69086cdc1b724f35dbe83305795539c562ab817
Reviewed-on: https://chromium-review.googlesource.com/913488
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51387}
2018-02-20 08:10:01 +00:00
Clemens Hammacher
9ba71e656d [test] Skip fewer tests on endurance fuzzer
The "FreezeWasmLazyCompilation" runtime function can only be invoked if
--wasm-lazy-compilation is passed. Hence the "lazy-compilation.js" test
must be skipped. The other tests are not affected by this, thus un-skip
them.

R=machenbach@chromium.org

Bug: v8:7400
Change-Id: Id521938ae651b4a67510e42aa69e17b5e0b14a0a
Reviewed-on: https://chromium-review.googlesource.com/923967
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51380}
2018-02-19 17:53:39 +00:00
Camillo Bruni
539d6ffe03 [tests] Mark regression test as slow
Change-Id: Idbee9b7b8077a9fd2ffa4a2a010ae7d44b98e31e
Reviewed-on: https://chromium-review.googlesource.com/924198
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51378}
2018-02-19 17:32:29 +00:00
Peter Marshall
81a3742a88 [typedarray] Port TypedArray.from to CSA.
Factor out IterableToList into a helper stub to save space. There are
two callers now, TypedArrayFrom and ConstructByIterable, and it is
~2.5kb so we save space by doing this.

Increase test coverage to cover more of the branching in CSA.

This is doesn't follow the control flow in the spec exactly - see the
big code comment for an explanation.

Change-Id: Ief39e93c4202cb7bf0e28a39dc6aa81b8b9c59d2
Reviewed-on: https://chromium-review.googlesource.com/908755
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51377}
2018-02-19 16:49:39 +00:00
Clemens Hammacher
6ac2579f23 [Liftoff] Fix result type of f64 binops
The result of an f64 binop was marked as f32 on Liftoffs value stack.
This lead to errors and is fixed in this CL.
I plan to clean up all binop implementions in a follow-up CL.

R=titzer@chromium.org

Bug: chromium:812005, v8:6600
Change-Id: I5bcd5c2e7d2b6170ef60f5e83cf2876b3475c38a
Reviewed-on: https://chromium-review.googlesource.com/924025
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51375}
2018-02-19 16:12:30 +00:00
Caitlin Potter
e56eac022f [esnext] fix tagged template caching strategy for eval caching
Previously, eval caching was only disabled if the root eval body code
contained a tagged template. Per discussion on
https://github.com/tc39/ecma262/pull/890, this is incorrect.

This change tracks if eval caching is allowed during parsing, and
uses this information to decide to insert
new entries into the cache, or not.

This change also removes the TemplateObject feedback kind, as it's no
longer needed (behaves the same as Literal feedback).

BUG=v8:3230, v8:2891
R=littledan@chromium.org, yangguo@chromium.org, bmeurer@chromium.org,
rmcilroy@chromium.org

Change-Id: Ib75abe9159baf4d8ad10f8de99d2152714bd0094
Reviewed-on: https://chromium-review.googlesource.com/916945
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51373}
2018-02-19 15:15:01 +00:00
Jakob Kummerow
bd0b32f545 Reland "[bigint] Add BigInt64Array, BigUint64Array"
This is a reland of dda0419ecd.

Originally reviewed-on: https://chromium-review.googlesource.com/914513
and landed as refs/heads/master@{#51342}.

Bug: v8:6791
Change-Id: I3b3a069da7a0e64c38a81b3110dc5ece4887cb19
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/924665
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51352}
2018-02-19 10:23:18 +00:00
Michael Achenbach
cb7a15fede Revert "[bigint] Add BigInt64Array, BigUint64Array"
This reverts commit dda0419ecd.

Reason for revert: msvc unhappy:
https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20msvc/builds/1434

Original change's description:
> [bigint] Add BigInt64Array, BigUint64Array
> 
> Bug: v8:6791
> Tbr: hpayer@chromium.org
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: I637e9084d2fe4869ad0be2fb996149ab9940f346
> Reviewed-on: https://chromium-review.googlesource.com/914513
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51342}

TBR=jkummerow@chromium.org,neis@chromium.org,hpayer@chromium.org

Change-Id: I49237fa323f0d3ea70e744d92d5cbdd4d5c4b39f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6791
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/924663
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51344}
2018-02-17 06:01:31 +00:00
Jakob Kummerow
dda0419ecd [bigint] Add BigInt64Array, BigUint64Array
Bug: v8:6791
Tbr: hpayer@chromium.org
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I637e9084d2fe4869ad0be2fb996149ab9940f346
Reviewed-on: https://chromium-review.googlesource.com/914513
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51342}
2018-02-17 04:52:29 +00:00
Adam Klein
5aad943dfe Remove mtrofin and rossberg from OWNERS
Tbr: jarin@chromium.org
Change-Id: I17477e2c82398b228a366a3d1fd8eb521dd51eae
Reviewed-on: https://chromium-review.googlesource.com/922270
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51317}
2018-02-15 23:48:43 +00:00
Georg Neis
a50bc8ac8d Reland "[ic] EmitElementStore: don't miss when hitting new space limit."
This is a reland of af677f29b1, fixing
an issue with negative indices.

Original change's description:
> [ic] EmitElementStore: don't miss when hitting new space limit.
>
> CSA::EmitElementStore used to bail out (IC miss) via
> CSA::CheckForCapacityGrow when the capacity hits the new space
> limit, causing the store IC to go megamorphic in my example (see
> referenced bug). With this CL, we do what TF'ed code does already:
> call into Runtime::kGrowArrayElements (in this situation), thus
> staying monomorphic.
>
> Here's a contrived test case:
>
> ////////////////////////
> let x = [];
>
> function bar() {
>   for (let i = 0; i < 50000; ++i) x[i] = i;
> }
>
> function foo() {
>   for (let i = x.length; i < 100e6; ++i) x[i] = i;
> }
>
> bar();
> foo();
> ////////////////////////
>
> This took about 4s on my machine, now it takes 3s.
>
> Bug: v8:7447
> Change-Id: I7f268fc55835f363d250613ce0357444a663051c
> Reviewed-on: https://chromium-review.googlesource.com/918723
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51297}

Bug: v8:7447, chromium:812451
Change-Id: I345b5e5b2437c4f50e42bbd87947630f24cd95eb
Reviewed-on: https://chromium-review.googlesource.com/921201
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51311}
2018-02-15 12:27:18 +00:00
Toon Verwaest
313e33a709 Remove %_ClassOf and SharedFunctionInfo::instance_class_name
instance_class_name takes up space unnecessarily, and %_ClassOf and
class_name implement [[Class]] which isn't part of ES2015+ anymore.

Bug: 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I3a73f732ad83a616817fde9992f4e4d584638fa8
Reviewed-on: https://chromium-review.googlesource.com/776683
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51309}
2018-02-15 11:52:08 +00:00
Marja Hölttä
841763bea0 [parser] Skipping inner funcs: Fix variable name debug mode check.
Apparently it can happen that the variable to which we're restoring to has a
two-byte name corresponding to the one-byte name we expect. Modify the debug-mode
name check to allow this.

BUG=v8:7428

Change-Id: I94c56a4b2de3c58b50246fecaead332b0f9679b4
Reviewed-on: https://chromium-review.googlesource.com/911801
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51304}
2018-02-15 08:16:38 +00:00
Michael Achenbach
d9c1dee446 [test] Skip test for endurance fuzzer
TBR=cbruni@chromium.org
NOTRY=true

Bug: v8:7438
Change-Id: Ibfd56a095a302782876b57e01325fadd2657d574
Reviewed-on: https://chromium-review.googlesource.com/919007
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51299}
2018-02-15 00:30:34 +00:00
Andreas Haas
97a2654633 [wasm] Update spec tests
I fixed some spec tests since the last update, so we can turn them on
again. The problem was in the spec test itself and not in V8.

R=titzer@chromium.org

Change-Id: Id2755138293d22d49e0393b884df797a1134b6f9
Reviewed-on: https://chromium-review.googlesource.com/919041
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51290}
2018-02-14 14:17:44 +00:00
Choongwoo Han
972f5d4b9d [typedarray] Port TA.p.filter to CSA
- Remove JS implementation of TA.p.filter
- Reimplement TA.p.filter as CSA
- This CL makes TA.p.filter 3x faster in microbenchmark
- Fix a spec bug: throw if buffer is detached while executing callback

Bug: v8:5929
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I2e14b6001d354ca6659cf65fff4ead2942ddc9ff
Reviewed-on: https://chromium-review.googlesource.com/912989
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51288}
2018-02-14 12:20:09 +00:00
Junliang Yan
5095d00323 PPC/s390: Skip regress/regress-crbug-808192
Change-Id: I7f89980ff9f6b17a7cc2513f18368642b70a5673
Reviewed-on: https://chromium-review.googlesource.com/917213
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#51279}
2018-02-14 00:17:30 +00:00
Benedikt Meurer
1f8dcc5d2e [builtins] Optimize PromiseResolveThenableJob for the common case.
The idea here is that in case the `thenable` is a JSPromise and `then`
is the initial `Promise.prototype.then` method, and the @@species lookup
chain is intact, we can skip creating the temporary promise and the
closures (with the shared context), and instead directly call into our
PerformPromiseThen. This is sound since - given above mentioned
conditions - our short-cut

  PerformPromiseThen(thenable, undefined, undefined, promise_to_resolve)

is not observably different from the actual

  resolve, reject = CreateResolvingFunctions(promise_to_resolve)
  result_capability = NewPromiseCapability(%Promise%)
  PerformPromiseThen(thenable, resolve, reject, result_capability)

except through PromiseHooks (and potentially via the async stack
traces). So we disable the fast-path if either promise hooks are enabled
or the debugger is active for now.

This improves the performance on the wikipedia benchmark by 20-25% and
the bluebird-doxbee benchmark by around 20%.

Bug: v8:7253
Change-Id: I23c92ad365c2b71d65057573f2d8febe2afe00b0
Reviewed-on: https://chromium-review.googlesource.com/911800
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51261}
2018-02-13 05:36:39 +00:00
Benedikt Meurer
c041296189 [builtins] Refactor the promise resolution and rejection logic.
This introduces dedicated builtins

  - FulfillPromise,
  - RejectPromise, and
  - ResolvePromise,

which perform the corresponding operations from the language
specification, and removes the redundant entry points and the
excessive inlining of these operations into other builtins. We
also add the same logic on the C++ side, so that we don't need
to go into JavaScript land when resolving/rejecting from the
API.

The C++ side has a complete implementation, including full support
for the debugger and the current PromiseHook machinery. This is to
avoid constantly crossing the boundary for those cases, and to also
simplify the CSA side (and soon the TurboFan side), where we only
do the fast-path and bail out to the runtime for the general handling.

On top of this we introduce %_RejectPromise and %_ResolvePromise,
which are entry points used by the bytecode and parser desugarings
for async functions, and also used by the V8 Extras API. Thanks to
this we can uniformly optimize these in TurboFan, where we have
corresponding operators JSRejectPromise and JSResolvePromise, which
currently just call into the builtins, but middle-term can be further
optimized, i.e. to skip the "then" lookup for JSResolvePromise when
we know something about the resolution.

In TurboFan we can also already inline the default PromiseCapability
[[Reject]] and [[Resolve]] functions, although this is not as effective
as it can be right now, until we have inlining support for the Promise
constructor (being worked on by petermarshall@ right now) and/or SFI
based CALL_IC feedback.

Overall this change is meant as a refactoring without significant
performance impact anywhere; it seems to improve performance of
simple async functions a bit, but otherwise is neutral.

Bug: v8:7253
Change-Id: Id0b979f9b2843560e38cd8df4b02627dad4b6d8c
Reviewed-on: https://chromium-review.googlesource.com/911632
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51260}
2018-02-13 04:18:12 +00:00
Camillo Bruni
7b27040e66 [runtime] Harden JSFunction::CalculateInstanceSizeHelper(...)
Bug: chromium:808192
Change-Id: I80136d291d5c21c311903bffc96d86d109f5cdc9
Reviewed-on: https://chromium-review.googlesource.com/902103
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51255}
2018-02-12 20:54:29 +00:00
Ben L. Titzer
73d6072166 [asm.js] Enforce maximum number of parameters for asm.js.
R=bradnelson@chromium.org

Bug: chromium:810973
Change-Id: I818c17ef03b27df72976048b1873fc3f3a368900
Reviewed-on: https://chromium-review.googlesource.com/914330
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51252}
2018-02-12 19:42:12 +00:00
Caitlin Potter
d3ca0d0050 [esnext] implement spec change to TaggedTemplate callsite caching
Implements the change outlined in https://github.com/tc39/ecma262/pull/890,
which has been ratified and pulled into the specification. In particular,
template callsite objects are no longer kept in a global, eternal Map, but
are instead associated with their callsite, which can be collected. This
prevents a memory leak incurred by TaggedTemplate calls.

Changes, summarized:

    - Remove the TemplateMap and TemplateMapShape objects, instead caching
      template objects in the feedback vector.
    - Remove the `hash` member of TemplateObjectDescriptor, and the Equals
      method (used by TemplateMap)
    - Add a new FeedbackSlotKind (kTemplateObject), which behaves similarly
      to FeedbackSlotKind::kLiteral, but prevents eval caching. This ensures
      that a new feedback vector is always created for eval() containing tagged
      templates, even when the CompilationCache is used.
    - GetTemplateObject bytecode now takes a feedback index, and only calls
      into the runtime if the feedback is Smi::kZero (uninitialized).

BUG=v8:3230, v8:2891
R=littledan@chromium.org, yangguo@chromium.org, bmeurer@chromium.org,
rmcilroy@chromium.org

Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I7827bc148d3d93e2b056ebf63dd624da196ad423
Reviewed-on: https://chromium-review.googlesource.com/624564
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51248}
2018-02-12 17:06:18 +00:00
Andreas Haas
384ac3cde9 [wasm] Reexported wasm functions should be identical to imports
According to the spec, if an imported function gets exported, the
exported function has to be identical to to imported function.

With this CL we initialize the list of potential js_wrappers_ with all
wasm function we imported. Therefore no new wrappers are generated for
these functions.

R=clemensh@chromium.org

Bug: v8:7364
Change-Id: Ibcd47d8fcc4c2fb5740d57ea547fbd01c2a4e80a
Reviewed-on: https://chromium-review.googlesource.com/901626
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51244}
2018-02-12 14:27:18 +00:00
Michael Achenbach
5460f7f728 [test] Skip slow test on msan
The test is slower on msan than its own anticipated runtime, which the test
internally measures.

TBR=danno@chromium.org
NOTRY=true

Bug: v8:7439
Change-Id: Iba08f589697bcf17b1f4d2cedb1313ff9a34c082
Reviewed-on: https://chromium-review.googlesource.com/913468
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51239}
2018-02-12 13:26:56 +00:00
Dan Elphick
630b2a5f19 [builtins] Implement Array.from in CodeStubAssembler
This removes the Javascript version of Array.from in js/array.js and
adds a CodeStubAssembler version in src/builtins/builtins-array-gen.cc.

Also modify IteratorBuiltinsAssembler to allow querying the existence
of the iterator method without calling it so we can fall back to the
array-like behavior.

BUG=v8:1956

Change-Id: Ibfb3cef002d72d70bd30b4de676fd22becde006c
Reviewed-on: https://chromium-review.googlesource.com/887066
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51208}
2018-02-09 14:01:06 +00:00
Michael Achenbach
cb9984cf79 [test] Skip test on endurance fuzzer
TBR=cbruni@chromium.org
NOTRY=true

Bug: v8:7429
Change-Id: Id30d462792f062e8c1b21f622b949e5b7aa52907
Reviewed-on: https://chromium-review.googlesource.com/910889
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51197}
2018-02-09 08:55:25 +00:00
Michael Achenbach
99fad4115d [test] Forgive tests timing out on num-fuzzers
Timeouts on num-fuzzer only lead to false positives, as tests might
take unpredictably longer.

This CL forgives timeouts through a global override mechanism of the
expected outcomes. This allows to remove already existing scattered
code that allowed timeouts in some test suites only.

Bug: v8:6917
Change-Id: Ib131765d360e335789c1952bc6793ed051e016ea
Reviewed-on: https://chromium-review.googlesource.com/908454
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51188}
2018-02-08 23:08:05 +00:00
Adam Klein
3916401e4b Revert "[builtins] Mega-revert to address the Dev blocker in crbug.com/808911."
This reverts commit 14108f4c2e.

Reason for revert: Not the culprit for Canary microtask crashes

Original change's description:
> [builtins] Mega-revert to address the Dev blocker in crbug.com/808911.
> 
> - Revert "[builtins] Save one word in contexts for Promise.all."
>   This reverts commit 7632da067b.
> - Revert "[builtins] Also use the Promise#then protector for Promise#finally()."
>   This reverts commit d4f072ced3.
> - Revert "[builtins] Don't mess with entered context for MicrotaskCallbacks."
>   This reverts commit 6703dacdd6.
> - Revert "[debugger] Properly deal with settled promises in catch prediction."
>   This reverts commit 40dd065823.
> - Revert "[builtins] Widen the fast-path for Promise builtins."
>   This reverts commit db0556b7e8.
> - Revert "[builtins] Unify PerformPromiseThen and optimize it with TurboFan."
>   This reverts commit a582199c5e.
> - Revert "[builtins] Remove obsolete PromiseBuiltinsAssembler::AppendPromiseCallback."
>   This reverts commit 6bf8885290.
> - Revert "[builtins] Turn NewPromiseCapability into a proper builtin."
>   This reverts commit 313b490ddd.
> - Revert "[builtins] Inline InternalPromiseThen into it's only caller"
>   This reverts commit f7bd6a2fd6.
> - Revert "[builtins] Implement Promise#catch by really calling into Promise#then."
>   This reverts commit b23b098fa0.
> - Revert "[promise] Remove incorrect fast path"
>   This reverts commit 0f6eafe855.
> - Revert "[builtins] Squeeze JSPromise::result and JSPromise::reactions into a single field."
>   This reverts commit 8a677a2831.
> - Revert "[builtins] Refactor promises to reduce GC overhead."
>   This reverts commit 8e7737cb58.
> 
> Tbr: hpayer@chromium.org
> Bug: chromium:800651, chromium:808911, v8:5691, v8:7253
> Change-Id: I8c8ea5ed32ed62f6cd8b0d027a3707ddd891e5f1
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/906991
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Adam Klein <adamk@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51158}

Change-Id: I09d958cbebd635a325809072a290f2f53df8c5d4
Tbr: adamk@chromium.org,yangguo@chromium.org,bmeurer@chromium.org
Bug: chromium:800651, chromium:808911, v8:5691, v8:7253
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/908988
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51181}
2018-02-08 17:25:13 +00:00
Clemens Hammacher
3c47499881 [Liftoff] Fix caller frame slots generated from stack values
Because of missing parentheses, the computation of the "half index" was
wrong, and always produced 0 or 1.
Also, for non-pairs, we were still passing kHighWord for the
RegPairHalf.

R=ahaas@chromium.org

Bug: v8:7422, v8:6600
Change-Id: If056aa8005d4b44e667b7d76b9be49ec0191d0eb
Reviewed-on: https://chromium-review.googlesource.com/908554
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51175}
2018-02-08 13:47:20 +00:00
Taketoshi Aono
4455377fca Reland: Reimplement Object.entries/values as CSA to optimize performance.
Original CL is https://chromium-review.googlesource.com/c/v8/v8/+/810504
Reverted issue is https://bugs.chromium.org/p/chromium/issues/detail?id=804159

Fix Object.entries descriptor array value index.

This reverts commit e5ecb24859.

Bug: v8:6804, chromium:804159
Change-Id: I73a5a5f670c5b36e0c5cc7984d5979ecec43d969
Reviewed-on: https://chromium-review.googlesource.com/892684
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51170}
2018-02-08 10:12:32 +00:00
Junliang Yan
19a3a44da0 PPC/s390: ignore wasm/regress-808980 on ppc and s390
wasm code manager is known to have issue on reloc tagging and
also constant pool. Ignore until fix go in.

Change-Id: I4d7ddafba3cf8bc81c73a7b156cba39985bce48d
Reviewed-on: https://chromium-review.googlesource.com/906950
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#51160}
2018-02-07 20:43:09 +00:00
Benedikt Meurer
14108f4c2e [builtins] Mega-revert to address the Dev blocker in crbug.com/808911.
- Revert "[builtins] Save one word in contexts for Promise.all."
  This reverts commit 7632da067b.
- Revert "[builtins] Also use the Promise#then protector for Promise#finally()."
  This reverts commit d4f072ced3.
- Revert "[builtins] Don't mess with entered context for MicrotaskCallbacks."
  This reverts commit 6703dacdd6.
- Revert "[debugger] Properly deal with settled promises in catch prediction."
  This reverts commit 40dd065823.
- Revert "[builtins] Widen the fast-path for Promise builtins."
  This reverts commit db0556b7e8.
- Revert "[builtins] Unify PerformPromiseThen and optimize it with TurboFan."
  This reverts commit a582199c5e.
- Revert "[builtins] Remove obsolete PromiseBuiltinsAssembler::AppendPromiseCallback."
  This reverts commit 6bf8885290.
- Revert "[builtins] Turn NewPromiseCapability into a proper builtin."
  This reverts commit 313b490ddd.
- Revert "[builtins] Inline InternalPromiseThen into it's only caller"
  This reverts commit f7bd6a2fd6.
- Revert "[builtins] Implement Promise#catch by really calling into Promise#then."
  This reverts commit b23b098fa0.
- Revert "[promise] Remove incorrect fast path"
  This reverts commit 0f6eafe855.
- Revert "[builtins] Squeeze JSPromise::result and JSPromise::reactions into a single field."
  This reverts commit 8a677a2831.
- Revert "[builtins] Refactor promises to reduce GC overhead."
  This reverts commit 8e7737cb58.

Tbr: hpayer@chromium.org
Bug: chromium:800651, chromium:808911, v8:5691, v8:7253
Change-Id: I8c8ea5ed32ed62f6cd8b0d027a3707ddd891e5f1
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/906991
Commit-Queue: Yang Guo <yangguo@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51158}
2018-02-07 19:46:59 +00:00
Adam Klein
f1a551800f [parser] More carefully handle destructuring in arrow params
This patch attempts to reduce the special handling of destructuring
assignments in arrow function parameters by "adopting" them from
wherever they were initially parsed into the arrow function's
FunctionState/Scope. This avoids incorrectly re-setting the
Scope of such assignments multiple times for arrow functions
that are nested inside other arrow params themselves.

It also generally seems better, in that we now only rewrite
destructuring assignments for a single function at a time.

Bug: chromium:807096
Change-Id: I6bef5613f99e3e8c130fc0aa2ee5d6fcf2efd34b
Reviewed-on: https://chromium-review.googlesource.com/900168
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51155}
2018-02-07 18:14:28 +00:00
Sathya Gunasekaran
e1ce6ab582 [class] Fix lazy parsing of private fields
Declare the private field variable in the preparser as well, to be
consistent with the parser.

Bug: v8:5386
Change-Id: I961ddf14e47b99701e2463cab0f4d4de140e1e3a
Reviewed-on: https://chromium-review.googlesource.com/905843
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51154}
2018-02-07 18:12:50 +00:00
Mike Stanton
03efbd4cd4 [TurboFan] Array.prototype.reduce[Right] was missing a deopt point
We need a deopt point for the case when we fail to find an initial
element from which to begin the reduction step.

Bug: v8:7384
Change-Id: I5e476ddc433be690577677b018639c4c0c70809b
Reviewed-on: https://chromium-review.googlesource.com/906508
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51146}
2018-02-07 14:20:37 +00:00
Choongwoo Han
756c8c4e1b [typedarray] Migrate %TypedArray%.of to CSA
- Remove %TypedArray%.of in js/typedarray.js
- Implement %TypedArray%.of in builtins/builtins-typedarray-gen.cc
- This CL makes TA.of 1.5x faster

Bug: v8:5929
Change-Id: Ie165114a0ab9b4ec9ed70840c4c6a42d1eeed101
Reviewed-on: https://chromium-review.googlesource.com/897227
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51141}
2018-02-07 12:45:37 +00:00
Sathya Gunasekaran
ec434d6767 [class] Ban #constructor as a private field name
Bug: v8:5368
Change-Id: Idcb13e039614167da8b5be879e5644dbcb9df271
Reviewed-on: https://chromium-review.googlesource.com/899881
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51128}
2018-02-06 18:58:37 +00:00
Peter Marshall
cf9b487355 [typedarray] Port ConstructByIterable by CSA.
This is the last piece of the TypedArray constructors that was still
written in JS.

Bug: v8:7102
Change-Id: I7c4dc867b09408caa4eec2873ea7185b6c61a525
Reviewed-on: https://chromium-review.googlesource.com/888751
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51122}
2018-02-06 17:06:43 +00:00
Benedikt Meurer
d4f072ced3 [builtins] Also use the Promise#then protector for Promise#finally().
Add a fast-path to Promise#finally, which skips the "then" lookup of the
Promise#then lookup chain is intact, similar to what we already do for
Promise#catch.

Drive-by-fix: Also use the @@species protector to speed up the lookup
of the SpeciesConstructor in Promise#finally.

Bug: v8:7253
Change-Id: If77e779a0188904effc4528beffc8f0bdd7c2efe
Reviewed-on: https://chromium-review.googlesource.com/902283
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51116}
2018-02-06 11:41:12 +00:00
Yang Guo
d17b4bfb27 Reland "[regexp] fix Latin1 ignore-case bug."
Bug: v8:6703
Change-Id: I225cd78bedf2c0c123aedd3deeb1cd6d442f7697
Reviewed-on: https://chromium-review.googlesource.com/901522
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51114}
2018-02-06 10:34:12 +00:00
Michael Starzinger
61391f366b [wasm] Ensure WasmCode always has protected instructions.
R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-808012
BUG=chromium:808012

Change-Id: Ia1e4527c6c845ffd01ecf5c7fa13b8b484d6ef6e
Reviewed-on: https://chromium-review.googlesource.com/899122
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51103}
2018-02-05 22:01:56 +00:00