This fixes canonicalization of {SharedFunctionInfo} objects in the
{Compiler::GetSharedFunctionInfo} method when bytecode is preserved.
Eager compilation is only triggered when no code is present.
R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-638551
BUG=chromium:638551
Review-Url: https://codereview.chromium.org/2245263006
Cr-Commit-Position: refs/heads/master@{#38709}
Ensures SMI values have SMI type even if they have a dot (e.g., 1.0).
Adds SMI_WITH_DOT type to maintain this.
BUG=chromium:638134
Review-Url: https://codereview.chromium.org/2248693005
Cr-Commit-Position: refs/heads/master@{#38698}
This fixes the case where a module is instantiated twice via the same
closure when in the meantime another closure has destroyed and removed
the WASM data attached to the SharedFunctionInfo.
R=bradnelson@chromium.org
TEST=mjsunit/asm/asm-validation
BUG=v8:4203
Review-Url: https://codereview.chromium.org/2253613004
Cr-Commit-Position: refs/heads/master@{#38696}
Reason for revert:
WebGL tests have been updated and rolled (at https://codereview.chromium.org/2227023002), so this should no longer fail outdated tests.
Original issue's description:
> Revert of Amend DataView, ArrayBuffer, and TypedArray methods to use ToIndex. (patchset #8 id:140001 of https://codereview.chromium.org/2090353003/ )
>
> Reason for revert:
> Speculative revert to unblock roll: https://codereview.chromium.org/2107223003/
>
> Original issue's description:
> > Amend DataView, ArrayBuffer, and TypedArray methods to use ToIndex.
> >
> > The spec was modified to relax some requirements which implementors had not been
> > enforcing. Part of this process involved introducing a new abstract operation
> > ToIndex, which had partial overlap with our existing semantics as well as some
> > differences (most notably treating undefined as 0). Test262 tests were introduced to
> > check for the new semantics, some of which we were failing. This patch amends the
> > parts of our implementation corresponding to specification algorithms which use
> > ToIndex to follow its semantics precisely.
> >
> > BUG=v8:4784,v8:5120
> >
> > Committed: https://crrev.com/09720349ea058d178521ec58d0a5676443a5a132
> > Cr-Commit-Position: refs/heads/master@{#37406}
>
> TBR=littledan@chromium.org,adamk@chromium.org,bakkot@google.com
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:4784,v8:5120
>
> Committed: https://crrev.com/b1f7f1f4e41a723d5f997738a07e35a031713b8f
> Cr-Commit-Position: refs/heads/master@{#37417}
TBR=littledan@chromium.org,adamk@chromium.org,hablich@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:4784,v8:5120
Review-Url: https://codereview.chromium.org/2247073004
Cr-Commit-Position: refs/heads/master@{#38689}
Our previous per-arch instantiation thunks for asm.js
didn't support modules that had or were called with anything other
than 3 arguments. Adding support for this.
Addding a runtime test method to check if asm validation succeeded.
Adding a test of validation with different argument count combinations.
R=mstarzinger@chromium.org
TEST=mjsunit/asm/asm-validator.js
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
Review-Url: https://codereview.chromium.org/2229723002
Cr-Commit-Position: refs/heads/master@{#38688}
Async functions are implemented via special generator functions; special in the
sense that they generally do not immediately yield. However, our generators
implementation still assumed that every generator function initially yields
(concretely: before doing the state dispatch in a loop header). This CL fixes
that.
R=littledan@chromium.org, rmcilroy@chromium.org
BUG=chromium:638019
Review-Url: https://codereview.chromium.org/2253033002
Cr-Commit-Position: refs/heads/master@{#38684}
At the moment, two NumberConstant nodes get different type even if their
value is the same because we always allocate a new heap number for
each number constant. This can lead to replacing a node with a node of
disjoint type in value numbering, which can result in incorrect code
down the line because of inconsistent types.
This fix makes sure that we only replace a node with a sub-type
node. Once we introduce a proper type for number constants, we can
move back to the intersection typing in value numbering.
Unfortunately, it is quite hard to write a repro for this because we cache NumberConstant nodes. We only throw away cached values that have too many conflicts (>5), so the test has to contain values that fall into the same bucket. That's where the magic floating point numbers in the test come from (they have the same low 8-bits of their hashes).
BUG=chromium:633497
Review-Url: https://codereview.chromium.org/2251833002
Cr-Commit-Position: refs/heads/master@{#38675}
Properly deoptimize if the left hand side of a CheckedInt32Mod is
negative and the result of the operation is zero.
R=jarin@chromium.org
BUG=v8:5286
Review-Url: https://codereview.chromium.org/2243803002
Cr-Commit-Position: refs/heads/master@{#38615}
This bug was triggered by a very specific combination:
* A context-allocated variable at script scope.
* OSR optimization.
* A scheduled breakpoint, which triggers at stack checks.
Stack checks differ from other possible breakpoint locations in that
the context (among other things) may be in a register and not on the
stack, making it impossible to recover during deoptimization. The
frame_inspector then returns undefined when asked for the context.
In GetFrameDetails, handle this case by omitting all context-allocated
variables.
BUG=v8:5279
Review-Url: https://codereview.chromium.org/2245603002
Cr-Commit-Position: refs/heads/master@{#38611}
This adds a very first version of inlined Array.prototype.pop into
TurboFan optimized code. We currently limit the inlining to fast
object or smi elements, until the unclear situation around hole NaNs
is resolved and we have a clear semantics inside the compiler.
It's also probably overly defensive in when it's safe to inline
the call to Array.prototype.pop, but we can always extend that
later once we have sufficient trust in the implementation and see
an actual need to extend it.
BUG=v8:2229,v8:3952,v8:5267
R=epertoso@chromium.org
Review-Url: https://codereview.chromium.org/2239703002
Cr-Commit-Position: refs/heads/master@{#38578}
With this CL all kinds of Callable can imported into wasm. Please take a special look at the context that is used now in the WasmToJSWrapper.
BUG=633895
TEST=mjsunit/wasm/ffi.js
Review-Url: https://codereview.chromium.org/2208703002
Cr-Commit-Position: refs/heads/master@{#38569}
This patch adds additional tests for async functions and generators, in how
they interact with destructuring, default arguments and shadow parameter
copying.
BUG=v8:5167
Review-Url: https://codereview.chromium.org/2229243002
Cr-Commit-Position: refs/heads/master@{#38560}
This switches the interface of the runtime profiler to use frames as
opposed to functions for performing on-stack replacement. Requests for
such replacements need to target a specific frame. This will enable us
to activate bytecode as well as baseline code for the same function.
The existing %OptimizeOsr runtime function also had to adapted and now
takes an optional stack depth to target a specific stack frame.
R=bmeurer@chromium.org
BUG=v8:4764
Review-Url: https://codereview.chromium.org/2230783004
Cr-Commit-Position: refs/heads/master@{#38548}
The scopes of suspended generators can now be accessed through GeneratorMirror
(similar to FrameMirror).
BUG=v8:5235
Review-Url: https://codereview.chromium.org/2228393002
Cr-Commit-Position: refs/heads/master@{#38530}
We now deopt when the lhs of a mod is negative and the rhs is 1 too (previously, we erroneusly returned 0 instead of -0).
BUG=v8:5278
R=bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2233713002
Cr-Commit-Position: refs/heads/master@{#38525}
For holey/growing keyed stores, we need to check that there are no
setters in the prototype chain and protect against changes to that
via code dependencies.
R=verwaest@chromium.org
BUG=v8:5275,v8:5276
Review-Url: https://codereview.chromium.org/2231683002
Cr-Commit-Position: refs/heads/master@{#38514}
When we compile a growing store in TurboFan, we don't pass a (native)
context to the %GrowArrayElements fallback function, as the whole logic
is actually context independent. However, that means that we need to
bailout early in case the object is a prototype, which requires context
dependent checks in the array protector code.
R=cbruni@chromium.org
BUG=chromium:635798
Review-Url: https://codereview.chromium.org/2224253003
Cr-Commit-Position: refs/heads/master@{#38491}
While we might at some point want to explore if this is a win versus
whole modules, for now we have the Tables interface planned.
R=titzer@chromium.org,ahaas@chromium.org,mtrofin@chromium.org,rossberg@chromium.org
BUG=v8:5044
Review-Url: https://codereview.chromium.org/2226053002
Cr-Commit-Position: refs/heads/master@{#38461}
Introduces a new VariableLocation MODULE for variables that live in a
module's export table. Scope analysis sets this for the approriate variables.
Not yet supported by any backend.
Also, treats all imports as CONST bindings (including namespace imports), rather
than having new special variable modes.
BUG=
Review-Url: https://codereview.chromium.org/2199283002
Cr-Commit-Position: refs/heads/master@{#38426}
- Don't read .constructor when returning a Promise from an async function.
Instead, call out to the internals of Promise.resolve directly.
This is done by adding back in an "optimization" from an earlier form of
the async/await code written by Caitlin Potter.
- Async functions always return a new Promise with a distinct identity,
even if they simply return another Promise.
R=caitp@igalia.com
BUG=v8:4483
Review-Url: https://codereview.chromium.org/2219623002
Cr-Commit-Position: refs/heads/master@{#38404}
If we infer loop variable bounds, we need to insert a type rename node
(sigma) to make sure that simplified lowering can choose representations
consistently.
Review-Url: https://codereview.chromium.org/2222513002
Cr-Commit-Position: refs/heads/master@{#38391}
Unskip test which failed with Intl support disabled, and avoid using Intl
objects within the test.
BUG=chromium:634273,chromium:634357,v8:5162
NOTRY=true
R=mstarzinger@chromium.org
Review-Url: https://codereview.chromium.org/2218743003
Cr-Commit-Position: refs/heads/master@{#38384}
Reason for revert:
[Sheriff] Fails on nosnap debug:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosnap%20-%20debug/builds/8403
Original issue's description:
> [Interpreter] Collect type feedback for 'new' in the bytecode handler
>
> Collect type feedback in the bytecode handler for 'new' bytecode. The
> earlier cl (https://codereview.chromium.org/2153433002/) was reverted
> because that implementation did not collect allocation site feedback.
> This regressed delta blue by an order of magnitude. This implementation
> includes collection of allocation site feedback.
>
> BUG=v8:4280, v8:4780
> LOG=N
>
> Committed: https://crrev.com/9d5e6129c4c7f9cbfe81a5fad2a470f219fe137c
> Cr-Commit-Position: refs/heads/master@{#38364}
TBR=bmeurer@chromium.org,rmcilroy@chromium.org,balazs.kilvady@imgtec.com,mythria@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4280, v8:4780
Review-Url: https://codereview.chromium.org/2212343002
Cr-Commit-Position: refs/heads/master@{#38368}
Collect type feedback in the bytecode handler for 'new' bytecode. The
earlier cl (https://codereview.chromium.org/2153433002/) was reverted
because that implementation did not collect allocation site feedback.
This regressed delta blue by an order of magnitude. This implementation
includes collection of allocation site feedback.
BUG=v8:4280, v8:4780
LOG=N
Review-Url: https://codereview.chromium.org/2190293003
Cr-Commit-Position: refs/heads/master@{#38364}
This fixes the runtime profiler to no longer assume that seeing an
optimized frame on the stack implies the underlying function is not
being interpreted when entered normally. This no longer holds with code
generated for OSR directly from bytecode (not installed on function).
R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-632800
BUG=chromium:632800
Review-Url: https://codereview.chromium.org/2208603005
Cr-Commit-Position: refs/heads/master@{#38360}
This makes sure we prevent a tier-up for function which also have an
optimized activation of OSR code on the stack. In case the OSR code
deoptimizes, it needs the bytecode to still be around.
R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-5262
BUG=v8:5262
Review-Url: https://codereview.chromium.org/2206363004
Cr-Commit-Position: refs/heads/master@{#38359}
We don't need to add stability dependencies on JSObject prototypes when
storing to an element, because we do the map check (and thereby guard
the elements kind) and we also properly deoptimize on holes if the array
protector is not usable.
R=verwaest@chromium.org
BUG=chromium:616709
Review-Url: https://codereview.chromium.org/2198833002
Cr-Commit-Position: refs/heads/master@{#38355}
When parsing a eagerly-parsed-but-lazily-compiled function, we
used to put some of its AST nodes into a discardable Zone. This
CL puts the function Scope, its inner Scopes and the related AST
nodes (Declarations, VariableProxys) into the temporary Zone
too. This reduces peak memory usage and enables future work to
keep the temporary Zone around for later compilation.
BUG=
Review-Url: https://codereview.chromium.org/2210243002
Cr-Commit-Position: refs/heads/master@{#38348}
The contract is that the method is only invoked when there are no elements on
the prototype, and this elements type forbids accessor elements. So it is safe
to limit the search to the end of the backing store.
BUG=chromium:634269, v8:5162
R=cbruni@chromium.org, mstarzinger@chromium.org
Review-Url: https://codereview.chromium.org/2209273002
Cr-Commit-Position: refs/heads/master@{#38344}
This adds the possibility to address test cases in the
status file with the variant under which the test is running.
This is only allowed in top-level sections.
Example:
[{
'test-case': [PASS, SLOW],
}]
['variant == foo', {
'test-case': [FAIL],
}]
The test case "test-case" is marked as slow in all variants.
Additionally, in variant foo, it'll be expected to fail.
This CL also exemplifies the new feature with test cases
running under the ignition_turbofan variant. The
corresponding legacy flag is deprecated.
BUG=v8:5238
Review-Url: https://codereview.chromium.org/2203013002
Cr-Commit-Position: refs/heads/master@{#38342}
This adds the missing lazy bailout point when defining accessor pairs
within object literals via Runtime::kDefineAccessorPropertyUnchecked.
The runtime function in question can indeed trigger a lazy deopt due
to a DependentCode::kPrototypeCheckGroup dependency.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-633585
BUG=chromium:633585
Review-Url: https://codereview.chromium.org/2207413002
Cr-Commit-Position: refs/heads/master@{#38336}
An infinite recursion can be triggered when NoSideEffectToString is
called on an error object with its name property set to itself.
BUG=633998
Review-Url: https://codereview.chromium.org/2206313002
Cr-Commit-Position: refs/heads/master@{#38325}
These tests all called assertUnreachable within a try/catch block.
BUG=v8:5246
Review-Url: https://codereview.chromium.org/2209663003
Cr-Commit-Position: refs/heads/master@{#38323}
Avoids compiling baseline code when the function isn't able to be
optimized by crankshaft.
BUG=chromium:632289
Review-Url: https://codereview.chromium.org/2194453002
Cr-Commit-Position: refs/heads/master@{#38304}
In the parser, we desugar yield* with the help of a regular yield. One
particular implementation detail of this desugaring is that when the user calls
the generator's throw method, this throws an exception that we immediately
catch. This exception should not be visible to the user, but through Devtools'
"Pause on Caught Exceptions" feature it used to be.
This CL extends the type of catch predictions with a new value for such internal
exceptions and uses that for the offending try-catch statement in yield*. It
instruments the debugger to _not_ trigger an exception event in that case.
R=yangguo@chromium.orgTBR=littledan@chromium.org
BUG=v8:5218
Review-Url: https://codereview.chromium.org/2203803002
Cr-Commit-Position: refs/heads/master@{#38286}
This was being allowed due to the use of BindingFlags instead of VariableMode
to determine whether a looked-up binding was lexical. Because function
declarations are hoisted, they never need hole checks, and so were being
miscategorized as non-lexical.
This patch augments Context::Lookup with a VariableMode out param, which
allows this check to determine precisely whether the binding is lexical.
BUG=v8:4454, v8:5256
Review-Url: https://codereview.chromium.org/2206483004
Cr-Commit-Position: refs/heads/master@{#38260}
Reason for revert:
Broke Node.js tests (test-require-dot etc.)
Original issue's description:
> Put Scopes into temporary Zone
>
> When parsing a eagerly-parsed-but-lazily-compiled function, we
> used to put some of its AST nodes into a discardable Zone. This
> CL puts the function Scope, its inner Scopes and the related AST
> nodes (Declarations, VariableProxys) into the temporary Zone
> too. This reduces peak memory usage and enables future work to
> keep the temporary Zone around for later compilation.
>
> BUG=
>
> Committed: https://crrev.com/eaebdd858b466057ccc39894a172c9b66868e8f7
> Cr-Commit-Position: refs/heads/master@{#38232}
TBR=adamk@chromium.org,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2205013002
Cr-Commit-Position: refs/heads/master@{#38258}
We cannot just blindly make a representation selection for Phi or Select
based on the truncations, but we also need to consider the type of the
inputs (or actually of the Phi/Select node itself). We can only use
Word32 representation based on Word32 truncation if the inputs are
Number or Oddball, same for Float64.
R=epertoso@chromium.org
BUG=v8:5255
Review-Url: https://codereview.chromium.org/2206553002
Cr-Commit-Position: refs/heads/master@{#38241}
This type is not supposed to be constructable by users. Internally, we
use CallSiteUtils::Construct to create CallSite objects; and we simply
map a thrower builtin as the public CallSite constructor.
R=yangguo@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2201823002
Cr-Commit-Position: refs/heads/master@{#38234}
This makes sure we are not inserting {OsrPoll} instructions for any
statements that are not actually loops and have no back edges. Without
back edges the {BytecodeGraphBuilder} is unable to deduce loop ranges
and hence cannot construct a graph for OSR entry.
R=neis@chromium.org
TEST=mjsunit/regress/regress-5252
BUG=v8:5252
Review-Url: https://codereview.chromium.org/2200733002
Cr-Commit-Position: refs/heads/master@{#38233}
When parsing a eagerly-parsed-but-lazily-compiled function, we
used to put some of its AST nodes into a discardable Zone. This
CL puts the function Scope, its inner Scopes and the related AST
nodes (Declarations, VariableProxys) into the temporary Zone
too. This reduces peak memory usage and enables future work to
keep the temporary Zone around for later compilation.
BUG=
Review-Url: https://codereview.chromium.org/2193793002
Cr-Commit-Position: refs/heads/master@{#38232}
When we narrow a signed32 comparison to uint8 or uint16 representation,
we also need to change the condition to unsigned comparisons otherwise
the comparison will be done on int16/int8 which interprets the narrowed
bits wrong.
R=epertoso@chromium.org
BUG=v8:5254
Review-Url: https://codereview.chromium.org/2202803003
Cr-Commit-Position: refs/heads/master@{#38231}
The flag was introduced for ignition development. It can only
be used when running ignition tests in isolation on the bots.
The bots only use ignition_turbo in isolation since a while
and don't pass the --ignition flag anymore.
BUG=v8:5238
Review-Url: https://codereview.chromium.org/2197123002
Cr-Commit-Position: refs/heads/master@{#38206}
This CL fixes a long-standing bug with Object.keys where the enumerability
check was omitted if the [ownKeys] trap is not present. The only distinction the
KeyAccumulator needs is whether it collects keys for for-in (is_for_in_) or not.
ForInFilter performs a separate step to filter out non-enumerable keys later-on
while in all the other use-cases we have to filter keys.
BUG=v8:1543, v8:5250
Review-Url: https://codereview.chromium.org/2176113009
Cr-Commit-Position: refs/heads/master@{#38199}
This introduces a bunch of new tests that test various aspects of
accessor inlining in TurboFan (without the actual inlining), and does
the appropriate fixes to the AstGraphBuilder. The actual inlining CL
will land separately (so we don't need to revert the tests and fixes
if the accessor CL has to be reverted).
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2197913002
Cr-Commit-Position: refs/heads/master@{#38191}
Drive-by fix: actually match the hint in the IsSpeculativeBinopMatcher.
Review-Url: https://codereview.chromium.org/2191883002
Cr-Commit-Position: refs/heads/master@{#38176}
This adds preliminary support for on-stack replacement from Ignition to
optimized code generated by TurboFan to the runtime profiler. Involved
heuristics (e.g. code size allowance) have been taken from existing code
without any re-evaluation in the new setting.
R=rmcilroy@chromium.org
BUG=v8:4764
Review-Url: https://codereview.chromium.org/2182183005
Cr-Commit-Position: refs/heads/master@{#38159}
Previously, the stack property was set up in JS as read-only; but since
it had a JS setter, writability was ignored and writing to stack was
possible.
This is no longer the case now that stack is either an actual data
property, or is associated with C++ accessors. Explicitly set the
property as writable to preserve old behavior.
BUG=5245
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2190313002
Cr-Commit-Position: refs/heads/master@{#38158}
In the process also inline the stub into the appropriate interpreter bytecode
handler and make sure that the context register is preserved in hand-written
assembly code that calls the stub and expects the context register to be
preserved.
BUG=608675
Review-Url: https://codereview.chromium.org/2188993003
Cr-Commit-Position: refs/heads/master@{#38132}
This patch updates internal data structures used by V8 to support
multiple indirect function tables (WebAssembly/design#682). But, since
this feature is post-MVP, the functionality is not directly exposed and
parsing/generation of WebAssembly is left unchanged. Nevertheless, it
is being used in an experiment to implement fine-grained control flow
integrity based on C/C++ types.
BUG=
Review-Url: https://codereview.chromium.org/2174123002
Cr-Commit-Position: refs/heads/master@{#38110}
Objects that reside below the age mark could be on pages that have been moved
within new space. In this case mementos survived which can actually point to
already-collected allocation sites.
BUG=chromium:631050,chromium:581412
R=hpayer@chromium.org
Review-Url: https://codereview.chromium.org/2179033005
Cr-Commit-Position: refs/heads/master@{#38094}
This required the introduction of the CheckedNumberOrOddballAsWord32 use info, and a change in the RepresentationChanger to handle it.
BUG=
Review-Url: https://codereview.chromium.org/2184513003
Cr-Commit-Position: refs/heads/master@{#38086}