The stack check at the beginning of each function maps to the wasm byte
offset 0. For asm.js functions, this byte offset is mapped further to an
asm.js source position. For most functions, we explicitly add an entry
to this side table for offset 0. This was missing for the start
function.
R=ahaas@chromium.org
BUG=v8:4203,chromium:703568
Change-Id: I05bc4a8cfa666864bb7a0b23f75186abe0be9bee
Reviewed-on: https://chromium-review.googlesource.com/458437
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44037}
This adds optimization and deoptimization counts to the Web UI. Also, the function timeline
now shows optimization and deoptimization marks.
Review-Url: https://codereview.chromium.org/2753543006
Cr-Commit-Position: refs/heads/master@{#44033}
Add a check to appendToTable to catch illegal input, and fix a test
case triggering this check.
Also removing unused variables and fix indentation.
R=ahaas@chromium.org
Change-Id: I0eaa48ab95ef710530a3cfbe94ed4dd419618cda
Reviewed-on: https://chromium-review.googlesource.com/458436
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44027}
This fixes a corner case where the "instance prototype" diverges from
the "non-instance prototype" that we store on the initial map of a
constructor function.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-703610
BUG=chromium:703610
Change-Id: I30a19ae621e10b512215ffb191ce00d030941440
Reviewed-on: https://chromium-review.googlesource.com/458396
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44008}
This CL makes the interpreter reentrant by allowing different
activations to be live at the same time. The wasm interpreter keeps a
list of activations and stores the stack height at the start of each
activation. This information is used to unwind just one activation, or
show the right portion of the interpreter stack for each interpreter
entry frame.
The WasmDebugInfo object stores a mapping from frame pointer (of the
interpreter entry) to the activation id in order to identify the
activation based on the physical interpreter entry frame.
R=titzer@chromium.org, ahaas@chromium.org
BUG=v8:5822
Change-Id: Ibbf93f077f907213173a92e0a2f7f3556515e8eb
Reviewed-on: https://chromium-review.googlesource.com/453958
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43976}
Collect type information of return values.
Use *one* feedback slot per function for all its return
statements. For assignments, we currently use
several slots per function, because not all
assignments refer to the same variable.
Instead of the variable names, pass the
source location and print the function name.
Add an integration test for --type-profile that checks
for crashes.
Remove type feedback for assignments for now as it convolutes the output.
************ Function with 2 return statements ********
function testFunction(param, flag) {
// We want to test 2 different return positions in one function.
if (flag) {
var first_var = param;
return first_var;
}
var second_var = param;
return second_var;
}
testFunction({});
testFunction(123, true);
testFunction('hello');
testFunction(undefined);
*******************************************************
************* Sample Output ***************************
Function: testFunction
424: Object
374: number
424: string
424: undefined
*******************************************************
Missing work:
* Handle fall-off returns
* Collect types for parameters
* Remove duplicates from the list of collected types and use a common base class.
BUG=v8:5935
Review-Url: https://codereview.chromium.org/2755973002
Cr-Commit-Position: refs/heads/master@{#43956}
When instantiating the wasm interpreter, pass the start address of the
global variables. This was nullptr before, leading to a crash if
debugging a program which accesses globals.
With test.
R=ahaas@chromium.org, titzer@chromium.org
BUG=v8:5822
Change-Id: I5f419790042ef9a00787df093a07e5e5835d55bd
Reviewed-on: https://chromium-review.googlesource.com/456219
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43948}
This fixes a bug where an exported function is being specialized, but
the callsite inside the JS_TO_WASM function was patched to call an
interpreter entry instead. We would not identify the call site as the
one to be patched during specialization, and would thus fail a DCHECK.
R=ahaas@chromium.org
BUG=v8:5822, chromium:702839
Change-Id: I148d98333051c399a4cb11bd9620b396f4eb261d
Reviewed-on: https://chromium-review.googlesource.com/456282
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43942}
If an exception is thrown and the wasm interpreter entry frame is
unwound, also the internal frames in the interpreter need to be unwound.
We did not do so before, leaving a corrupted internal state of the wasm
interpreter. Thus reusing it would fail.
This CL fixes this and adds a test which reenters a previously unwound
wasm interpreter. It checks that this works and the correct stack is
returned.
This test also requires support for calling an imported function which
throws, so this change is also included here.
R=ahaas@chromium.org, titzer@chromium.org
BUG=v8:5822
Change-Id: I12fb843f7a371a4e618b4ac63ed3299667a03a82
Reviewed-on: https://chromium-review.googlesource.com/453938
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43937}
We use LoadFromPrototype also for direct global loads. InitPrototypeChecks did not support this though, and would create a prototype chain check for objects beyond the direct global. This tries to ensure the property on the global itself doesn't exist, which is invalid.
Additionally this CL deletes duplicate code.
BUG=chromium:702798,v8:5561
Change-Id: I318a5b6cd5f7c3efdb3a003e34edd37d5d3f880b
Reviewed-on: https://chromium-review.googlesource.com/457369
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43935}
Don't ignore IfException (and IfSuccess) projections on JSForInNext
nodes during JSTypedLowering::ReduceJSForInNext, but instead rewrire
the IfException projection to the ForInFilter stub call, which can
throw exceptions in case of proxies.
R=yangguo@chromium.org
BUG=v8:6121
Review-Url: https://codereview.chromium.org/2761703002
Cr-Commit-Position: refs/heads/master@{#43925}
BUG=chromium:702793
Change-Id: Ia52823968a757f8f7fc8802deab60f570ffdb58c
Reviewed-on: https://chromium-review.googlesource.com/456280
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43920}
There are at least 3 mechanisms for detecting duplicate parameters.
- ExpressionClassifier
- Scope::DeclareParameter checking IsDeclaredParameter
- PatternRewriter::VisitVariableProxy failing to declare a duplicate parameter
The conditions for when duplicate parameters are allowed and when not are pretty
involved too. They are allowed when
- the function is not an arrow function and not a concise method *and*
- when the parameter list is simple *and*
- we're in sloppy mode (incl. the function doesn't declare itself strict).
In addition, we don't recognize some of the early errors, and it's
non-trivial to see which ones are recognized and which not (see bug
v8:6108). E.g., (dup, dup) => {}; is recognized but (dup, [dup]) => {} is
not. And (dup, [dup]) => 1; is.
We do have tests for some aspects of duplicate parameters (e.g., arrow function
duplicate parameters are included in arrow function tests), but it's hard to see
whether all combinations of the relevant conditions are tested.
This CL adds more structured tests which hopefully enables reducing the
duplicate parameter detection mechanisms to 2 or maybe even to 1.
BUG=v8:6092
Change-Id: Idd3db43b380aae4b9a89be5f1ed0755d39bfb36d
Reviewed-on: https://chromium-review.googlesource.com/456336
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43895}
Since TrapIf has been implemented on all platforms, there is no need
anymore for the old WasmTrapHelper code. This CL also removes
TrapIf-specific tests.
R=titzer@chromium.org, clemensh@chromium.org
Change-Id: Ic069598441b7bd63bde2e66f4e536abea5ecebe6
Reviewed-on: https://chromium-review.googlesource.com/452380
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43887}
Note that this also modifies mjsunit.js to allow the {failWithMessage} method to be monkey-patched by a test. This is necessary because assertions which fail in a promise's then-clause would normally only throw an exception, which is swallowed by the promise, causing the test to silently pass. Instead, patching this {failWithMessage} functionality allows then clauses to use the full assertion machinery of mjsunit.js.
R=ulan@chromium.org, gsathya@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2752043002
Cr-Commit-Position: refs/heads/master@{#43875}
- Implement C++ builtins and ElementsAccessor for
%TypedArray%.prototype.lastIndexOf
- Remove TypedArrayLastIndexOf in src/js/typedarray.js
- Combine InnerArrayLastIndexOf and ArrayLastIndexOf in src/js/array.js
BUG=v8:5929
Review-Url: https://codereview.chromium.org/2744283002
Cr-Commit-Position: refs/heads/master@{#43870}
This behaviour was missing before. If a trap is encountered in the
interpreter, we now throw the right error. With test.
R=titzer@chromium.org, ahaas@chromium.org
BUG=v8:5822
Change-Id: I09c23d15fcde32ec586fb6d3094a5ec49155a9a2
Reviewed-on: https://chromium-review.googlesource.com/453839
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43859}
When instantiating the wasm interpreter for debugging, we unwrap all
wasm-to-js wrappers and store the callable objects. The handles are
stored in a DeferredHandleScope and deleted when the InterpreterHandle
(store in WasmDebugInfo) is freed.
A call to an imported function reads the arguments from the stack,
converts them to JS objects, calls the callable, converts back the
return value and pushes it onto the stack.
Reentering the interpreter from the calles JS code is not permitted
yet, but will be in a follow-up CL.
Also, indirect calls to imported functions will have to follow.
R=titzer@chromium.org, ahaas@chromium.org
BUG=v8:5822
Change-Id: I66c35053bccb6cf8d416606e4f840d888ccb3b65
Reviewed-on: https://chromium-review.googlesource.com/453838
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43855}
The fast-path for Array.prototype.indexOf first checks whether the
receiver is a fast-mode JSArray (and there are no elements in the
prototype chain in case of holey arrays), then loads the known
JSArray::length, and afterwards calls ToInteger on the fromIndex.
But this ToInteger(fromIndex) call can cause arbitrary side effects if
the fromIndex is a JSReceiver, in particular it can invalidate the
assumptions about the fast-mode of the receiver and the length. In the
worst case this leads to OOB memory access.
Quick-fix is to bailout to the runtime if the fromIndex is neither a Smi
nor undefined, which represents the common cases.
R=jarin@chromium.org
BUG=chromium:702058
Review-Url: https://codereview.chromium.org/2756663002
Cr-Commit-Position: refs/heads/master@{#43843}
When generating the code for an illegal (non-js-compliant) wrapper for
a js function, we were generating a zero constant of the return type.
This failed on ia32 if the return type is i64.
The correct thing to do is to return two i32 zero constants.
R=titzer@chromium.org
BUG=v8:6104, v8:6096
Change-Id: Idc0dd8d3eef901c22d5278d97f1879b000a18588
Reviewed-on: https://chromium-review.googlesource.com/455857
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43835}
The function "foo" in "base_getter_test" was picking up a left-over
optimised code object from foo's code map, the third time that
base_getter_test was run, instead of optimising it itself. This
broke the assumptions of the test, that each case was functionally
independent from the others, and had started off with empty feedback
and no optimised code.
This breaks the test though, so we have to blacklist it pending a fix
to the root cause (http://crbug.com/v8/6101).
Review-Url: https://codereview.chromium.org/2750623004
Cr-Commit-Position: refs/heads/master@{#43828}
When compiling a wasm to js wrapper for a signature which is not JS
compatible, we generate a runtime call to throw a type error and return
immediately afterwards. We were using the return value of the runtime
call as return value for the wrapper.
This worked for integer return values, since the same registers are
used for tagged values and integer values. For float values, however,
it failed, since the return value needs to be stored in another
register.
R=titzer@chromium.org
BUG=v8:6096
Change-Id: I8f39ea132cd150c3044673d25fa3c3588b4266bf
Reviewed-on: https://chromium-review.googlesource.com/455816
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43821}
Mark slow tests discovered by manual audit of reported durations.
Slow tests will run first, which will lead to higher test runner throughput.
Also some tests have flaky timeouts occasionally.
BUG=chromium:601468
Change-Id: If9aeb5422e79ff25b867b01c50386a5fdebeb494
Reviewed-on: https://chromium-review.googlesource.com/455736
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43819}
Removes the --ignition-staging flag since it is no longer used
by anything and won't be a shipping configuration. Also removes
ignition_turbo variant from testrunner, since it is now
the same as the turbofan variant.
BUG=v8:4280
Change-Id: I3b96e986879fc70b8e202fe9496334828acdd0ba
Reviewed-on: https://chromium-review.googlesource.com/452621
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43806}
These tests fail with the new asm.js parser, because they are invalid under
a more strict reading of the spec.
NOTE: These also fail to validate when run in Firefox.
BUG=v8:4203
BUG=v8:6090
R=aseemgarg@chromium.org,eholk@chromium.org
Review-Url: https://codereview.chromium.org/2745393002
Cr-Commit-Position: refs/heads/master@{#43803}
This fixes a corner-case in {KeyAccumulator::CollectOwnJSProxyKeys}
where the keys returned by {JSReceiver::OwnPropertyKeys} for an array
are not internalized and hence have a diverging identity from keys
returned by the "ownKeys" trap of a proxy.
R=cbruni@chromium.org
TEST=mjsunit/regress/regress-crbug-700678
BUG=chromium:700678
Change-Id: I5efd012eade14bd45c69e4abb0aeda684baf38f0
Reviewed-on: https://chromium-review.googlesource.com/452979
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43775}
This reverts the previous revert, commit
5a04f4fd68.
Previously reverted changes:
> Revert "[SAB] Move Atomics builtins to C++"
>
> This reverts commit 2b9840d86f.
>
> Revert "[SAB] Remove unreachable Uint8Clamped atomics paths"
>
> This reverts commit d1160fb14f.
>
> Revert "Remove tiny unit test for MinSimple/MaxSimple"
>
> This reverts commit 837760ecb7.
>
> Revert "Remove infrastructure for experimental JS natives"
>
> This reverts commit 8cfe45b6f1.
These changes were reverted to improve a perf regression on a Chrome
bot. Since then, the regression has reappeared, then disappeared again
all from seemingly unrelated changes.
BUG=v8:6033
TBR=adamk@chromium.org,hpayer@chromium.org,yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2732213005
Cr-Commit-Position: refs/heads/master@{#43758}
Part of the performance and refactoring work to move the TypedArray
constructors into CSA. This CL moves ConstructByArrayBuffer from JS
to CSA.
BUG=v8:5977
Change-Id: I0a200e6b3f6261ea2372ea9c3d3ca98e313cf2c5
Reviewed-on: https://chromium-review.googlesource.com/451620
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43747}
Test regress-694088.js is adapted for execution on big endian platforms.
TEST=test/mjsunit/compiler/regress-694088.js
BUG=
Review-Url: https://codereview.chromium.org/2739403002
Cr-Commit-Position: refs/heads/master@{#43746}
Now that the --turbo flag is on by default, this implication makes it
impossible to disable the runtime profiler to prevent functions from
being considered hot. Essentially the --nocrankshaft flag was borked.
R=machenbach@chromium.org
Change-Id: I698008b4b69038e8bfab6d8ec3ccf57e2fd71701
Reviewed-on: https://chromium-review.googlesource.com/452619
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43720}
- lower the cutoff-threshold for bottom up graphs to 1%
- show all builtins/stubs/ics by default
R=jkummerow@chromium.org
Change-Id: I522173155b817ae20a37c40ecf411f2b55d82105
Reviewed-on: https://chromium-review.googlesource.com/452482
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43717}
The optimization
NumberFloor(NumberDivide(lhs, rhs))
to
NumberToInt32(NumberDivide(lhs, rhs))
for potentially negative lhs is not valid, since Math.floor rounds
towards -infinity, whereas ToInt32 truncates.
BUG=chromium:699282
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2743673002
Cr-Commit-Position: refs/heads/master@{#43699}
This fixes an incorrect usage of String::Flatten in EscapeRegExpSource.
It also adds %ConstructConsString (to easily and reliably construct cons
strings in tests) and Factory::NewConsString (to enable guaranteed cons
string construction without preemptive flattening attempts).
BUG=chromium:698790
Review-Url: https://codereview.chromium.org/2736383003
Cr-Commit-Position: refs/heads/master@{#43686}
This fixes various allocator methods to properly propagate {nullptr} to
callers without accidentally dereferencing it. We also disable one test
case for stress mode as it runs out of memory due to inlining limits
being lifted in the stress mode.
R=bmeurer@chromium.org
TEST=mjsunit/array-natives-elements
BUG=v8:6061
Change-Id: Id0a7b826a8612d00b4f4ae8aa0bea011c50890ca
Reviewed-on: https://chromium-review.googlesource.com/451365
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43672}
