Commit Graph

6090 Commits

Author SHA1 Message Date
jgruber
300f4413eb Do not call into JS from WasmDebugInfo::GetFunctionScript
This disables notification of wasm script 'compilation' since
OnAfterCompile actually triggers a JS call (which is disallowed during
stack trace collection).

BUG=641065

Review-Url: https://codereview.chromium.org/2304943002
Cr-Commit-Position: refs/heads/master@{#39139}
2016-09-02 14:56:56 +00:00
jgruber
64c518d06d Do not include Error.captureStackTrace in the trace
BUG=v8:5342

Review-Url: https://codereview.chromium.org/2307783002
Cr-Commit-Position: refs/heads/master@{#39124}
2016-09-02 09:51:42 +00:00
mythria
7e5b8feed3 [Interpreter] Collect type feedback for 'new' in the bytecode handler
Collect type feedback in the bytecode handler for 'new' bytecode. The
earlier cl (https://codereview.chromium.org/2153433002/) was reverted
because that implementation did not collect allocation site feedback.
This regressed delta blue by an order of magnitude. This implementation
includes collection of allocation site feedback.

Reland of https://codereview.chromium.org/2190293003/ with a bug fix.

BUG=v8:4280, v8:4780
LOG=N

Review-Url: https://codereview.chromium.org/2225923003
Cr-Commit-Position: refs/heads/master@{#39120}
2016-09-02 08:26:57 +00:00
nikolaos
628e9e3eb8 Fix bug with nested spreads as patterns
R=adamk@chromium.org, littledan@chromium.org
BUG=v8:5337
LOG=N

Review-Url: https://codereview.chromium.org/2297303003
Cr-Commit-Position: refs/heads/master@{#39118}
2016-09-02 07:53:00 +00:00
bmeurer
86af343749 [test] Add regression test for http://crbug.com/642056.
The bug itself was already fixed in ToT as part of
http://crrev.com/2263273003.

R=machenbach@chromium.org
BUG=chromium:642056

Review-Url: https://codereview.chromium.org/2306913002
Cr-Commit-Position: refs/heads/master@{#39117}
2016-09-02 07:08:29 +00:00
machenbach
d67fedb12c Revert of Allow lexically declared "arguments" in function scope in sloppy mode. (patchset #5 id:100001 of https://codereview.chromium.org/2290753003/ )
Reason for revert:
Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/9470

Original issue's description:
> Allow lexically declared "arguments" in function scope in sloppy mode.
>
> Lexically declared "arguments" in sloppy mode will throw redeclaration error
> currently, this patch fixes it by delaying the declaration of arguments until we
> fully parse parameter list and function body.
>
> BUG=v8:4577
> LOG=N
>
> Committed: https://crrev.com/70a613dd0a5f5d205b46559b55702764464851fa
> Cr-Commit-Position: refs/heads/master@{#39109}

TBR=adamk@chromium.org,mythria@chromium.org,lpy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4577

Review-Url: https://codereview.chromium.org/2304853002
Cr-Commit-Position: refs/heads/master@{#39115}
2016-09-02 06:23:57 +00:00
gdeepti
53cb7e5ffc Populate relocation information correctly for RelocatableInt32Constants.
BUG=v8:5304
R=ahaas@chromium.org, titzer@chromium.org

Review-Url: https://codereview.chromium.org/2277443009
Cr-Commit-Position: refs/heads/master@{#39112}
2016-09-02 01:39:21 +00:00
lpy
70a613dd0a Allow lexically declared "arguments" in function scope in sloppy mode.
Lexically declared "arguments" in sloppy mode will throw redeclaration error
currently, this patch fixes it by delaying the declaration of arguments until we
fully parse parameter list and function body.

BUG=v8:4577
LOG=N

Review-Url: https://codereview.chromium.org/2290753003
Cr-Commit-Position: refs/heads/master@{#39109}
2016-09-01 22:10:34 +00:00
jarin
25504a220f [turbofan] Fix typing rule for Math.sign.
Review-Url: https://codereview.chromium.org/2306583002
Cr-Commit-Position: refs/heads/master@{#39103}
2016-09-01 20:06:27 +00:00
jgruber
7711b1a16f [regexp] Port RegExp getters and setters
BUG=v8:5339

Committed: https://crrev.com/ac0eb5e05af40e16ae9402bb8a62600b32cc2ec9
Review-Url: https://codereview.chromium.org/2305573002
Cr-Original-Commit-Position: refs/heads/master@{#39076}
Cr-Commit-Position: refs/heads/master@{#39088}
2016-09-01 13:41:28 +00:00
machenbach
6c25d789ba Revert of [regexp] Port RegExp getters and setters (patchset #4 id:60001 of https://codereview.chromium.org/2305573002/ )
Reason for revert:
Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/9437

Original issue's description:
> [regexp] Port RegExp getters and setters
>
> BUG=v8:5339
>
> Committed: https://crrev.com/ac0eb5e05af40e16ae9402bb8a62600b32cc2ec9
> Cr-Commit-Position: refs/heads/master@{#39076}

TBR=bmeurer@chromium.org,jgruber@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5339

Review-Url: https://codereview.chromium.org/2301963002
Cr-Commit-Position: refs/heads/master@{#39085}
2016-09-01 12:50:40 +00:00
jgruber
ac0eb5e05a [regexp] Port RegExp getters and setters
BUG=v8:5339

Review-Url: https://codereview.chromium.org/2305573002
Cr-Commit-Position: refs/heads/master@{#39076}
2016-09-01 11:22:21 +00:00
jarin
39d65198ed [turbofan] Fix Math.sign.
Review-Url: https://codereview.chromium.org/2294143004
Cr-Commit-Position: refs/heads/master@{#39073}
2016-09-01 10:26:12 +00:00
bmeurer
432790c92c [turbofan] Only check semantic axis for Type::None.
R=jarin@chromium.org
BUG=chromium:643073

Review-Url: https://codereview.chromium.org/2299903002
Cr-Commit-Position: refs/heads/master@{#39065}
2016-09-01 07:11:21 +00:00
bmeurer
64a7bd3877 [turbofan] Don't treat the hole NaN as constant inside the compiler.
We use a signaling NaN to represent the hole in
FAST_HOLEY_DOUBLE_ELEMENTS backing stores, but on Intel processors, the
C++ compiler may decide to (or be forced to due to calling conventions)
use X87 registers for double values. However transfering to X87
registers automatically quietens the NaNs and there's no way to disable
this. Therefore we should just always load the hole NaN from the canonical
place identified by the address_of_hole_nan external reference instead,
which might even be more efficient in some cases.

R=jarin@chromium.org, jkummerow@chromium.org
BUG=v8:5332

Review-Url: https://codereview.chromium.org/2303643002
Cr-Commit-Position: refs/heads/master@{#39062}
2016-09-01 06:02:19 +00:00
bakkot
8d5a267b19 Refactor object/class literal property name parsing
This patch arranges that property names are parsed in a single pass,
reporting the name as well as the type of the property, instead of
parsing qualifiers like 'static' or 'get' initially as names and then
re-parsing. This change is easier to reason about, very slightly (4%)
faster in some cases (although slower in other, less common ones, though
this slowdown will be fixed in an upcoming patch), and is a prerequisite
for separating the parsing of object and class literal properties, which
will become increasingly important as ECMAScript adds more class features.

This is a reland of https://codereview.chromium.org/2278153004/,
which fixes the issue causing the revert and adds more tests.

Review-Url: https://codereview.chromium.org/2300503002
Cr-Commit-Position: refs/heads/master@{#39056}
2016-08-31 21:14:14 +00:00
jkummerow
e1cb562224 [elements] Fix GetEntryForIndexImpl to honor array length
Previously, fast holey elements accessors would detect element presence
by simply doing a hole check on any slot within the backing store's
capacity. This relied on the (mostly-true but brittle) assumption that
slots beyond the length are always correctly zapped with The Hole.

Review-Url: https://codereview.chromium.org/2297253002
Cr-Commit-Position: refs/heads/master@{#39051}
2016-08-31 17:46:34 +00:00
bmeurer
7b79224b21 [crankshaft] Disable further folding already folded allocations.
When we try to further fold previously folded allocations in Crankshaft
GVN we don't properly transform the allocations involved, which causes
the mechanism to leave holes in the new/old space (and thereby violate
the iterability property of the new/old space).

BUG=chromium:621868
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2297983003
Cr-Commit-Position: refs/heads/master@{#39040}
2016-08-31 09:48:45 +00:00
adamk
9c00c88902 Remove duplicated code from comma-separated Expression parsing
This removes two bits of duplication:
  - Parsing of each AssignmentExpression, which previously was called
    first outside the loop and then inside the loop.
  - Parsing of arrow rest parameters, which previously was handled
    separately for the one-arg and N-arg cases.

The only change in behavior is in a few error messages.

Review-Url: https://codereview.chromium.org/2279363002
Cr-Commit-Position: refs/heads/master@{#39030}
2016-08-31 01:24:19 +00:00
mtrofin
03f3da45e1 [wasm] mjsunit support for I32 globals and test
Test ensuring globals are isolated between instances. Also
added support for globals section to mjsunit's
WebModuleBuilder as a prerequisite.

BUG=

Review-Url: https://codereview.chromium.org/2296993002
Cr-Commit-Position: refs/heads/master@{#39028}
2016-08-31 00:36:18 +00:00
ahaas
9f747be5a7 [wasm] Check the input of grow-memory before calling the runtime.
If the input of grow-memory was not representable as a SMI, then the
input was not passed correctly to the runtime, which caused a crash.
With this CL the input of grow-memory is checked before the runtime is
called.

R=titzer@chromium.org, gdeepti@chromium.org
TEST=mjsunit/wasm/grow-memory.js:testGrowMemoryTrapsWithNonSmiInput()

Review-Url: https://codereview.chromium.org/2288773002
Cr-Commit-Position: refs/heads/master@{#39022}
2016-08-30 17:00:24 +00:00
epertoso
bdf5566281 [turbofan] Treat the INT32 state of a truncating binary op IC as number or oddball on 32-bit machines.
This was causing a few unexpected deopt loops.

BUG=v8:5320

Review-Url: https://codereview.chromium.org/2292873002
Cr-Commit-Position: refs/heads/master@{#39019}
2016-08-30 14:13:34 +00:00
ahaas
510246f6e2 [wasm] Use the native_context for the TypeError in ToJS()
With this CL we use isolate->native_context() to provide a context for
the CEntryStub of the runtime call. The native_context() is sufficient
here because Runtime::kWasmThrowTypeError does not use the context.

R=titzer@chromium.org
TEST=mjsunit/wasm/ffi-error.js
BUG=chromium:639492

Review-Url: https://codereview.chromium.org/2291043002
Cr-Commit-Position: refs/heads/master@{#39014}
2016-08-30 12:46:02 +00:00
bmeurer
864cdc124c [test] Speed-up regression test for growing stores.
TBR=machenbach@chromium.org
BUG=chromium:635798,chromium:638295

Review-Url: https://codereview.chromium.org/2288813003
Cr-Commit-Position: refs/heads/master@{#38991}
2016-08-30 04:04:32 +00:00
littledan
5af4cd9840 Disallow tail calls from async functions and generators
Tail calls don't make sense from async functions and generators, as
each activation of these functions needs to make a new, distnict,
non-reused generator object. These tail calls are not required per
spec. This patch disables both syntactic and implicit tail calls
in async functions and generators.

R=neis
BUG=v8:5301,chromium:639270

Review-Url: https://codereview.chromium.org/2278413003
Cr-Commit-Position: refs/heads/master@{#38986}
2016-08-29 18:31:35 +00:00
bgeron
791118fca5 [turbofan] Also inline into try blocks.
This removes test/webkit/fast/js/stack-overflow-arrity-catch.js, which tests that the stack overflows in a very particular way. It doesn't seem to test anything important, and only used to work because we didn't inline into try-blocks.

BUG=
R=jarin

Review-Url: https://codereview.chromium.org/2216353002
Cr-Commit-Position: refs/heads/master@{#38976}
2016-08-29 11:27:06 +00:00
bgeron
d90d76bdb5 [turbofan] Improve inline-exception tests.
- Make constants more interesting.
- Add an addition to be done after the inlined call in the try-block.
- On command line, have a bit more output.
- New alternative that deopts from unoptimized code.

BUG=
R=jarin

Review-Url: https://codereview.chromium.org/2285743002
Cr-Commit-Position: refs/heads/master@{#38974}
2016-08-29 11:17:16 +00:00
verwaest
5558a50878 Merge DeclarationScope::temps_ and Scope::ordered_variables_ into Scope::locals_
BUG=v8:5209

Review-Url: https://codereview.chromium.org/2272083003
Cr-Commit-Position: refs/heads/master@{#38920}
2016-08-25 19:12:00 +00:00
jarin
2a97b1bcb1 Reland of [turbofan] Insert dummy values when changing from None type.
This reverts commit a55fdb1e7c, relands
https://codereview.chromium.org/2266823002/.

BUG=chromium:638132

Review-Url: https://codereview.chromium.org/2277283002
Cr-Commit-Position: refs/heads/master@{#38917}
2016-08-25 16:58:13 +00:00
bgeron
244d9ccd40 [turbofan] Tests for inlining calls, constructors, property access inside try..catch..finally.
These tests were spliced out of changelist 2216353002 and extended.

BUG=

Review-Url: https://codereview.chromium.org/2245263003
Cr-Commit-Position: refs/heads/master@{#38906}
2016-08-25 12:50:48 +00:00
bmeurer
a55fdb1e7c Revert of [turbofan] Insert dummy values when changing from None type. (patchset #5 id:80001 of https://codereview.chromium.org/2266823002/ )
Reason for revert:
Octane/Mandreel aborts with an exception now:

TypeError: __FUNCTION_TABLE__[(r2 >> 2)] is not a function

Original issue's description:
> [turbofan] Insert dummy values when changing from None type.
>
> Currently we choose the MachineRepresentation::kNone representation for
> values of Type::None, and when converting values from the kNone representation
> we use "impossible" conversions that will crash at runtime. This
> assumes that the impossible conversions should never be hit (the only
> way to produce the impossible values is to perform an always-failing
> runtime check on a value, such as Smi-checking a string). Note that
> this assumes that the runtime check is executed before the impossible
> convesrion.
>
> Introducing BitwiseOr type feedback broke this in two ways:
>
> - we always pick Word32 representation for bitwise-or, so the
>   impossible conversion does not trigger (it only triggers with
>   None representation), and we could end up with unsupported
>   conversions from Word32.
>
> - even if we inserted impossible conversions, they are pure conversions.
>   Since untagging, bitwise-or operations are also pure, we could hoist
>   all these before the smi check of the inputs and we could hit the
>   impossible conversions before we get to the smi check.
>
> This CL addresses this by just providing dummy values for conversions
> from the Type::None type. It also removes the impossible-to-* conversions.
>
> BUG=chromium:638132
>
> Committed: https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe
> Cr-Commit-Position: refs/heads/master@{#38883}

TBR=mstarzinger@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:638132

Review-Url: https://codereview.chromium.org/2280613002
Cr-Commit-Position: refs/heads/master@{#38893}
2016-08-25 08:50:23 +00:00
bmeurer
b471d4ab5c [turbofan] Disable LoadElimination completely for asm.js.
There's no point in running the LoadElimination on asm.js functions and
it would take serious amount of effort to actually make it correct for
the deprecated parts of the pipeline.

R=jarin@chromium.org
BUG=v8:5308

Review-Url: https://codereview.chromium.org/2276273002
Cr-Commit-Position: refs/heads/master@{#38884}
2016-08-25 06:14:59 +00:00
jarin
c83b21ab75 [turbofan] Insert dummy values when changing from None type.
Currently we choose the MachineRepresentation::kNone representation for
values of Type::None, and when converting values from the kNone representation
we use "impossible" conversions that will crash at runtime. This
assumes that the impossible conversions should never be hit (the only
way to produce the impossible values is to perform an always-failing
runtime check on a value, such as Smi-checking a string). Note that
this assumes that the runtime check is executed before the impossible
convesrion.

Introducing BitwiseOr type feedback broke this in two ways:

- we always pick Word32 representation for bitwise-or, so the
  impossible conversion does not trigger (it only triggers with
  None representation), and we could end up with unsupported
  conversions from Word32.

- even if we inserted impossible conversions, they are pure conversions.
  Since untagging, bitwise-or operations are also pure, we could hoist
  all these before the smi check of the inputs and we could hit the
  impossible conversions before we get to the smi check.

This CL addresses this by just providing dummy values for conversions
from the Type::None type. It also removes the impossible-to-* conversions.

BUG=chromium:638132

Review-Url: https://codereview.chromium.org/2266823002
Cr-Commit-Position: refs/heads/master@{#38883}
2016-08-25 06:06:58 +00:00
littledan
aae17eb31b Do not trigger ExceptionEvents for another forwarding case
This patch fixes up one last case of redundant ExceptionEvents being
triggered in the debugger for Promises--it makes the default reject
handler for Promises (e.g., if the second argument for
Promise.prototype.then is missing) appear to the debugger as a
rethrow.

R=adamk@chromium.org,jgruber@chromium.org
BUG=v8:5167

Review-Url: https://codereview.chromium.org/2278643002
Cr-Commit-Position: refs/heads/master@{#38876}
2016-08-24 20:38:13 +00:00
jarin
dc330f2bd3 [turbofan] Fix merging of empty and non-empty state in load elimination.
Unfortunately, I was unable to produce a repro without asm.js. In normal
JavaScript, the bounds check renaming saves us.

I have not done anything about the index variable aliasing and handling
of differently sized elements yet!

BUG=chromium:639210, v8:5266

Review-Url: https://codereview.chromium.org/2270793004
Cr-Commit-Position: refs/heads/master@{#38874}
2016-08-24 17:14:24 +00:00
mstarzinger
b52aecac7e [compiler] Make Compiler::EnsureBytecode not switch tiers.
This preserves the original shared code of the underlying function when
bytecode is provided. The method in question should only ensure bytecode
is present, but should avoid switching compilation tiers of the given
function. It might be that the function was fast-tracked to baseline by
inlining without going through the interpreted tier first.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-635923
BUG=chromium:635923

Review-Url: https://codereview.chromium.org/2278543002
Cr-Commit-Position: refs/heads/master@{#38866}
2016-08-24 14:09:59 +00:00
bmeurer
6646d73b6f [turbofan] Use ObjectIsReceiver directly for inlining.
Don't bother using %_IsJSReceiver, which immediately gets lowered to
ObjectIsReceiver anyways (by the JSIntrinsicLowering), but requires
some complicated rewiring of effect/control chains.

R=mstarzinger@chromium.org
BUG=chromium:640369

Review-Url: https://codereview.chromium.org/2271973003
Cr-Commit-Position: refs/heads/master@{#38864}
2016-08-24 11:09:32 +00:00
littledan
013e49f73c Change which ExceptionEvents are triggered by Promises
To make async/await catch prediction work well, this patch regularizes
the exception events sent to DevTools from various places in the Promise
lifecycle. The core is that there should be an exception event when the
rejection first starts, rather than when it is propagated.

- Several cases within Promise code which propagate errors are
  modified to not trigger a new ExceptionEvent in that case, such
  as .then on a rejected Promise and returning a rejected Promise
  from .then, as well as Promise.race and Promise.all.
- Make Promise.reject() create an ExceptionEvent, subject to catch
  prediction based on the Promise stack. This is important
  so that, e.g., if "await Promise.reject()" will trigger a new
  throw (rather than a silent rethrow of something that never
  triggered an event in the first place).

BUG=v8:5167

Review-Url: https://codereview.chromium.org/2244003003
Cr-Commit-Position: refs/heads/master@{#38847}
2016-08-24 00:20:50 +00:00
mstarzinger
09a7ac5fca [deoptimizer] Potentially deopt into debug bytecode.
This makes sure the deoptimizer picks bytecode prepared for debugging
when materializing an interpreted frame if one is available. This is
normally done by the interpreter entry trampoline and hence needs to be
replicated by the deoptimizer.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2271443003
Cr-Commit-Position: refs/heads/master@{#38815}
2016-08-23 11:55:47 +00:00
bradnelson
e5f5ac7d2b [wasm] asm.js - Remove Wasm.instantiateModuleFromAsm, use asm.js directly.
Make use of %IsAsmWasmCode in place of Wasm.instantiateModuleFromAsm,
in order to reduce the surface area of the Wasm object,
and to focus on testing asm.js coming in via the parser.

Ignore extra CONST_LEGACY assignment introduced by the parser
when modules have the form:
(function Foo(a, b, c) {..});
This requires both a validator and AsmWasmBuilder change.

Move stdlib use collection to import time,
to reject modules that import a function, even if not used.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org

Review-Url: https://codereview.chromium.org/2264913002
Cr-Commit-Position: refs/heads/master@{#38806}
2016-08-23 04:07:23 +00:00
littledan
b2a257f9ff Remove --promise-extra flag
This flag was shipped on in 52, so it's due for removal. The patch includes
removing the deprecated and unused-in-Blink API Promise::Chain, and many
test updates.

R=adamk@chromium.org
BUG=v8:4633

Review-Url: https://codereview.chromium.org/2267033002
Cr-Commit-Position: refs/heads/master@{#38804}
2016-08-22 21:35:06 +00:00
mattloring
da5d713d73 [builtins] Array indexOf in TurboFan/Runtime
Includes fast paths in the runtime for
DictionaryElementsAccessor, FastSmiOrObjectElementsAccessor,
FastDoubleElementsAccessor, TypedElementsAccessor, and
SloppyArgumentsElementsAccessor.

BUG=

Review-Url: https://codereview.chromium.org/2232063002
Cr-Commit-Position: refs/heads/master@{#38800}
2016-08-22 18:37:08 +00:00
bradnelson
2d46ef23b1 [wasm] asm.js - Check stdlib functions are valid.
Check remaining asm.js stdlib functions for validitity at instatiation.

Fail when a member is referenced, even if not used.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org

Review-Url: https://codereview.chromium.org/2267633002
Cr-Commit-Position: refs/heads/master@{#38796}
2016-08-22 17:17:57 +00:00
franzih
6e665b094e [turbofan] Induction variable bound analysis for decrements.
This detects loops with integer decrements.

Drive-by fix: Add lower bounds to lower_bounds
zone vector instead of upper_bounds.

BUG=

Review-Url: https://codereview.chromium.org/2260153002
Cr-Commit-Position: refs/heads/master@{#38772}
2016-08-22 09:21:42 +00:00
bradnelson
561bfcb70d [wasm] asm.js - Check stdlib.NaN is valid, prepare for the rest.
Record which asm.js stdlib members are used and add a check that NaN is actually correctly set. Other stdlib members to be added in a later change.

Also add a stdlib argument to Wasm.instantiateModuleFromAsm, in preparation for that function to be replaced by normal asm.js instantiation.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org

Review-Url: https://codereview.chromium.org/2251433002
Cr-Commit-Position: refs/heads/master@{#38760}
2016-08-19 18:26:24 +00:00
verwaest
10c72887b5 Move asm_module_ and asm_function_ down to DeclarationScope
BUG=v8:5209

Review-Url: https://codereview.chromium.org/2253913002
Cr-Commit-Position: refs/heads/master@{#38753}
2016-08-19 13:29:34 +00:00
bmeurer
99edc1b8e7 [turbofan] Unify Int32Add/Sub representation selection rules.
Unify the representation selection rules for NumberAdd/Subtract and
SpeculativeNumberAdd/Subtract wrt. Int32Add/Sub selection. We can
safely use Int32Add/Sub as long as the inputs are in the safe additive
integer range and the output is either truncated to Word32 or provably
in Signed32 or Unsigned32 range.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2253293005
Cr-Commit-Position: refs/heads/master@{#38746}
2016-08-19 09:50:22 +00:00
ahaas
bb187a106e [wasm] Add stack checks at the beginning of each function.
TEST=mjsunit/wasm/stack.js:testStackOverflow

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2256603002
Cr-Commit-Position: refs/heads/master@{#38742}
2016-08-19 08:54:39 +00:00
mtrofin
d64bd5f506 [wasm] removed redundant load line from mjsunit test
BUG=

Review-Url: https://codereview.chromium.org/2261643002
Cr-Commit-Position: refs/heads/master@{#38735}
2016-08-19 06:13:12 +00:00
ahaas
92b7c728e2 [wasm] Throw a type error if an I64 is exported to JS.
As required by the spec, ToJS now throws a TypeError fit I64 values
instead of truncating the I64 value to I32. To throw a TypeError I
introduced a new runtime function because the existing
Runtime::kThrowWasmError does not throw a TypeError. Since we have calls
to two runtime functions now, and an additional one is needed for stack
checks, I extracted the call to runtime functions into a helper function.

R=titzer@chromium.org

TEST=mjsunit/wasm/ffi-error.js:I64InSignatureThrows

Review-Url: https://codereview.chromium.org/2254803002
Cr-Commit-Position: refs/heads/master@{#38718}
2016-08-18 14:33:08 +00:00