These slots are invalid and can result in a broken offset when slot index and start of object are equal and are at the beginning of a cell.
Moreover, make DCHECKs CHECKs to catch bugs in the wild.
BUG=chromium:473174
LOG=n
Review URL: https://codereview.chromium.org/1051243004
Cr-Commit-Position: refs/heads/master@{#27602}
- Fixed single float register type instruction en[de]coding in assembler and disassembler.
- Added max and min instructions for r6 and corresponding tests.
- Fixed selection instruction for boundary cases in simulator.
- Update assembler tests to be more thorough wrt boundary cases.
TEST=cctest/test-assembler-mips64/MIPS17, MIPS18
cctest/test-disasm-mips64/Type1
cctest/test-assembler-mips/MIPS16, MIPS17
cctest/test-disasm-mips/Type1
BUG=
Review URL: https://codereview.chromium.org/1057323002
Cr-Commit-Position: refs/heads/master@{#27601}
The number of generated instructions per table entry is reduced from six to
two, or four in worst-case scenario.
TEST=
BUG=
Review URL: https://codereview.chromium.org/1059213002
Cr-Commit-Position: refs/heads/master@{#27599}
port 16ee55097a (r27536)
original commit message:
Generate common StoreFastElementStubs ahead of time
BUG=
Review URL: https://codereview.chromium.org/1052413002
Cr-Commit-Position: refs/heads/master@{#27597}
port 7c347c545e (r27511)
original commit message:
A bug allows JSObject literals with elements to have the elements in the
boilerplate modified.
BUG=
Review URL: https://codereview.chromium.org/1057883004
Cr-Commit-Position: refs/heads/master@{#27595}
Remove unused macro-asm instruction and associated address patching.
On mips64, remove unused JumpLabelToJumpRegister(). On mips, rename
it appropriately (it's still used there for JR->J optimizations).
BUG=
Review URL: https://codereview.chromium.org/1059433003
Cr-Commit-Position: refs/heads/master@{#27593}
As with TF fix 94506cc3, correctly support absurdly large stack
adjustments.
TEST=mozilla/js/tests/js1_5/Regress/regress-396684.js
BUG=
Review URL: https://codereview.chromium.org/1057763002
Cr-Commit-Position: refs/heads/master@{#27592}
This keeps the length of the context chain tracked by the environment
in sync even for local control flow commands. It removes the need to
guess the correct chain length at Environment::Merge points.
R=titzer@chromium.org
Review URL: https://codereview.chromium.org/1045703003
Cr-Commit-Position: refs/heads/master@{#27588}
The original code will not update the IC info if one of parameter is SMI. It Can not handle Number + Smi.
BUG=
Review URL: https://codereview.chromium.org/1056663005
Cr-Commit-Position: refs/heads/master@{#27583}
Currently, this doesn't really help to generate better code,
nevertheless this is the right thing to do. When our type system(s)
are fixed, this should avoid falling back to floating point operations
in various cases.
Review URL: https://codereview.chromium.org/1057813002
Cr-Commit-Position: refs/heads/master@{#27578}
Could not encode the large slot number in opcode MiscField.
TEST=mozilla/js/tests/js1_5/Regress/regress-396684.js
BUG=
Review URL: https://codereview.chromium.org/1043393002
Cr-Commit-Position: refs/heads/master@{#27574}
In ES6 Object.getOwnPropertyDescriptor should call ToObject, which
means that primitive values will return descriptors from the wrapper.
BUG=v8:3964
LOG=N
R=adamk, rossberg@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/998163004
Cr-Commit-Position: refs/heads/master@{#27569}
Reason for revert:
Spike in OOM crashes: crbug.com/403113
Original issue's description:
> Remove promotion backup case and report OOM instead.
>
> There are no test cases for this piece of code and it is really hard to test. If this rare case triggers, we are anyway in an OOM situation and would crash probably soon afterwards.
>
> BUG=
>
> Committed: https://crrev.com/e813afaf127ab80290153ab676dc07212bdc8946
> Cr-Commit-Position: refs/heads/master@{#27026}
TBR=mstarzinger@chromium.org,hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review URL: https://codereview.chromium.org/1050113002
Cr-Commit-Position: refs/heads/master@{#27568}
The removed assertion consistently passes not because the invoked
`close` method internally throws a `TypeError` but because the `close`
method does not exist. The ES6 specification does not define a `close`
method on the GeneratorPrototype, so this test is a tautology.
BUG=None
LOG=N
R=arv
Review URL: https://codereview.chromium.org/1046963002
Cr-Commit-Position: refs/heads/master@{#27567}
The modified assertions targeted the property descriptor for the
template object's first "cooked" value. The code immediately preceeding
these statements asserts these values.
Update the assertions to instead target the property descriptor for the
template object's first "raw" value (which are otherwise untested).
BUG=
Review URL: https://codereview.chromium.org/1049523003
Cr-Commit-Position: refs/heads/master@{#27566}
Reason for revert:
Got one dev-channel with this. Should be enough.
Original issue's description:
> Add CHECKs when updating pointers from the slots and store buffers
>
> We want to verify that we always overwrite heap objects with heap
> objects, and non-heap objects with non-heap objects
>
> BUG=chromium:452095
> R=hpayer@chromium.org
> LOG=n
>
> Committed: https://crrev.com/58fbcfac8ae82b1241f07e1b8ea81a5973514c11
> Cr-Commit-Position: refs/heads/master@{#27479}
TBR=hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:452095
Review URL: https://codereview.chromium.org/1052713002
Cr-Commit-Position: refs/heads/master@{#27565}
[-h] [-g GIT_DIR] hash
positional arguments:
hash Hash of the commit to be searched.
optional arguments:
-h, --help show this help message and exit
-g GIT_DIR, --git-dir GIT_DIR
The path to your git working directory.
BUG=
Review URL: https://codereview.chromium.org/1033043002
Cr-Commit-Position: refs/heads/master@{#27563}
This commit is to fix the linking error:
../../v8/src/base/platform/platform-posix.cc:418: error: undefined reference to '__android_log_vprint'
Review URL: https://codereview.chromium.org/1037193003
Cr-Commit-Position: refs/heads/master@{#27559}
This reverts commit 992751d0dc.
The final spec for Object.getPrototypeOf calls ToObject on the
parameter, which means that it should only throw for null and
undefined. For other non object values the prototype of the wrapper
should be used.
Difference from last time: Updated .status and will disable Blink
side tests as needed.
BUG=v8:3964
LOG=N
R=adamk, rossberg@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1051523003
Cr-Commit-Position: refs/heads/master@{#27558}
It triggers once per context that calls observe (or attempts to access
any observation metadata, e.g. through Object.getNotifier).
Review URL: https://codereview.chromium.org/1048213002
Cr-Commit-Position: refs/heads/master@{#27557}
In DevTools we've already used sourceURL in inline scripts.
This CL makes the behavior of the V8 in the same for Error.stack property and v8::StackTrace.
BUG=v8:3920
LOG=Y
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/1044173002
Cr-Commit-Position: refs/heads/master@{#27554}
Lack of sign extension on simulator builds gives bad value for
RETRY and EXCEPTION codes.
TEST=mjsunit/regexp-stack-overflow, regress-crbug-467047
BUG=v8:3992
LOG=n
Review URL: https://codereview.chromium.org/1040753003
Cr-Commit-Position: refs/heads/master@{#27553}