The current behavior for generating match indices simply stashes a
pointer to the match info and then constructs the indices lazily.
However, it turns out the match info object used to create the result
object is the regexp_last_match_info living on native context, and thus
it can change between the creation of the result object and the generation
of indices. This cl clones the match info which will be safer.
Bug: v8:9548
Change-Id: Ia6f26f88fbc22fd09671bf4c579d39a1510b552d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864585
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64356}
The serializer doesn't correctly propagate environment information
from try blocks into their catch handlers, and this impedes
optimizations that fire when we compile concurrently.
function bar(x) {
try {
boom(); // throws
} catch(_) {
return x.a;
}
}
function foo() { return bar({a: 42}); }
When foo is optimized, we can normally return the constant 42
directly. This CL makes that work for concurrent inlining.
Bug: v8:7790
Change-Id: Id1c5fd06d51ec6fe69ab10fbd65afd6fa7e76820
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863193
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64352}
This extends existing table support to be able to store 'exnref' in
addition to 'anyref' types. Tools can use this to maintain data
structures for exception packages.
R=ahaas@chromium.org
TEST=mjsunit/wasm/exceptions-anyref
BUG=v8:8091
Change-Id: Iccbcfdc328db81a366921bcdd98c2256f66e7fc8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781046
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64323}
With the recent removal of the --wasm-shared-code flag, it became
effectively impossible to turn off this flag. Hence its functionality
became mandatory and the ability to turn off sharing of {WasmEngine}
process-wide has to be removed as well.
R=clemensb@chromium.org
Change-Id: I7c25e909e49134a226d6a9fe9c42f0ecd9d02a69
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864935
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64322}
It turns out that because we are *subtracting* from fp, we need to
*subtract less* to get a higher address. Who knew.
R=jkummerow@chromium.org
Bug: v8:9830, chromium:1014798
Change-Id: I5b9782dd0be27f4c3efbd306ec6c3450b249cb55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864933
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64321}
Updates CSA::TryToIntptr to handle array indices that are less than
INT_MAX which allows to handle string keys in the ICs.
Updates ICs to go monomorphic for string keys that are array indices.
Updates Turbofan to handle array indices when lowering element access.
Change-Id: Ibdde20130e075d0d645ab4a8266a968335eaad84
Bug: v8:9449
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1813018
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64320}
This prevents the branch table iterator's has_next() method to trigger a
DCHECK when the decoder fails before the end of table decoding.
R=clemensb@chromium.org
Change-Id: I2258886501b77cd4c8fe98bc8a4ed0b66fb23066
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864931
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64312}
This fixes a bug where coverage for the inline script
<script>function foo() {}<script>
started to get deterministically reported as covered
after crrev.com/c/1771776, while before it, we most of
the time reported it as uncovered (depending on heap
order of SFIs). The correct result is to report `foo`
as uncovered as it is never called.
The problem arose from the fact that v8:9212 needed to
handle extra-wrappers around scripts correctly. Those
wrappers have the same source range as the wrapped
script and a call count of zero even if the wrapped
script is executed. To filter them out, we previously
determined nesting for identical source ranges by
ascending call count. However, in the script case above,
the script has call count one, while `foo` (which has
the same source range) has call count zero. In this
case, nesting is decreasing order of call counts.
This CL is a minimal change that sorts SFIs which are
top-level to the front, only then considers call counts
in descending order. This preserves the behavior that
node's extra wrappers are sorted to the front (and
then filtered out by existing logic), but also ensures
that for the example above, we report the script's
coverage before the coverage for `foo`.
Bug: v8:9857, v9:9212
Change-Id: Id224b0d8f12028b1f586ee5039e126bb5b8d8d36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863197
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64307}
Named capture properties on the groups object should be ordered by the
capture index (and not alpha-sorted). This was accidentally broken in
https://crrev.com/c/1687413.
Bug: v8:9822,v8:9423
Change-Id: Iac6f866f077a1b7ce557ba47e8ba5d7e7014b3ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864829
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64306}
AsmJs does not support SharedArrayBuffers. This CL adds a check in
instantiation and reports a proper error.
Bug: chromium:1013920
Change-Id: Id7159f23ddcc2bde139c4c97bdb67ef3dc7f0e22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1862563
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64291}
Fix uses of cached descriptors arrays used in loops that map-check
to ensure validity of the cache to also reload the descriptor in
case there are missed in-place representation updates.
As a drive-by, introduce inner HandleScopes for these loops.
Bug: chromium:1012301
Change-Id: I17273caf629a181b846d3c09777b5c08fd8cbb0e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1859621
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64287}
With exception handling enabled new call paths open up, which will
perform environment merging while a "call" or "call_indirect" is
currently being emitted. This will lead to double-use of the buffer
returned by calls to {Buffer} or {Realloc}. In general we should
transition away from this optimization to safer constructs such as
{base::SmallVector} to avoid such bugs.
R=clemensb@chromium.org
TEST=mjsunit/regress/regress-9832
BUG=v8:9832
Change-Id: I4c862ac1bc7dc34ad62279c82f6414153e8cbddb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1856006
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64271}
Increase the embedded vector size to 91 as that is the max size needed to print
a s128 as a 32x4.
- max value of uint32_t has 10 digits in decimal, 1 for a potential sign,
3 spaces in between 4 of them -> 3 + 4 * 11 = 47
- max value of uint32_t has 8 digits in hex, 3 spaces in between -> 3 + 4 * 8 = 35
- the prefix "v128:" -> 5
- " / " to separate the decimal and hex representation -> 3
- null byte
47 + 35 + 5 + 3 + 1 = 91
Bug: v8:9754
Change-Id: I153c30738fa8862b44fb5103cbe62ea0bcea9718
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1814885
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64256}
This patch implements https://github.com/tc39/proposal-class-fields/pull/269
and makes sure we always throw TypeError when there is invalid private
name access in computed property keys.
Before this patch, private name variables of private fields and methods
are initialized together with computed property keys in the order they
are declared. Accessing undefined private names in the computed property
keys thus fail silently.
After this patch, we initialize the private name variables of private
fields before we initialize the computed property keys, so that invalid
access to private fields in the computed keys can be checked in the IC.
We now also initialize the brand early, so that invalid access to private
methods or accessors in the computed keys throw TypeError during brand
checks - and since these accesses are guarded by brand checks, we can
create the private methods and accessors after the class is
defined, and merge the home object setting with the creation
of the closures.
Bug: v8:8330, v8:9611
Change-Id: I01363f7befac6cf9dd28ec229b99a99102bcf012
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1846571
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64225}
While removing dead code, v8 currently removes jump targets, but leaves
suspend points, resulting in bytecode analysis issues. This cl simply
removes the suspend point if the remainder of the block is dead.
Bug: v8:9825
Change-Id: Ib147ca01cf64c695c0316017852d61f52fd10cf4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1849197
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64223}
This patch refactors the declaration and allocation of the class variable, and
implements static private methods:
- The class variable is declared in the class scope with an explicit
reference through class_scope->class_variable(). Anonymous classes
whose class variable may be accessed transitively through static
private method access use the dot string as the class name. Whether
the class variable is allocated depending on whether it is used.
Other references of the class variable in the ClassLiteral AST node
and the ClassInfo structure are removed in favor of the reference
through the class scope.
- Previously the class variable was always (stack- or context-)
allocated if the class is named. Now if the class variable is only
referenced by name, it's stack allocated. If it's used transitively
by access to static private methods, or may be used through eval,
it's context allocated. Therefore we now use 1 less context slots
in the class context if it's a named class without anyone referencing
it by name in inner scopes.
- Explicit access to static private methods or potential access to
static private methods through eval results in forced context
allocation of the class variables. In those cases, we save its index
in context locals in the ScopeInfo and deserialize it later, so that
we can check that the receiver of static private methods is the class
constructor at run time. This flag is recorded as
HasSavedClassVariableIndexField in the scope info.
- Classes that need the class variable to be saved due to
access to static private methods now save a
ShouldSaveClassVariableIndexField in the preparse data so that the
bits on the variables can be updated during a reparse. In the case
of anonymous classes that need the class variables to be saved,
we also re-declare the class variable after the reparse since
the inner functions are skipped and we need to rely on the preparse
data flags to remember declaring it.
Design doc: https://docs.google.com/document/d/1rgGRw5RdzaRrM-GrIMhsn-DLULtADV2dmIdh_iIZxlc/edit
Bug: v8:8330
Change-Id: Idd07803f47614e97ad202de3b7faa9f71105eac5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781011
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64219}
CheckedInt32ToTaggedSigned -> ChangeTaggedSignedToCompressedSigned was
being simplified to CheckedInt32ToCompressedSigned. However, sometimes
the effect chain is not propagated correctly. Since we have plans to
remove the Compressed MachineRepresentation, we can remove this
optimization now.
Bug: v8:7703, chromium:1011980
Change-Id: I9198c73666848f89db96928259af68400d442229
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847363
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64178}
This brings our constants back in line with the changed spec text. We
already use kExprTableGet and kExprTableSet, but for locals and globals
we still use the old wording.
This renaming is mostly mechanical.
PS1 was created using:
ag -l 'kExpr(Get|Set)Global' src test | \
xargs -L1 sed -E 's/kExpr(Get|Set)Global\b/kExprGlobal\1/g' -i
PS2 contains manual fixes.
R=mstarzinger@chromium.org
Bug: v8:9810
Change-Id: I064a6448cd95bc24d31a5931b5b4ef2464ea88b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847355
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64163}
This brings our constants back in line with the changed spec text. We
already use kExprTableGet and kExprTableSet, but for locals and globals
we still use the old wording.
This renaming is mostly mechanical.
PS1 was created using:
ag -l 'kExpr(Get|Set|Tee)Local' src test | \
xargs -L1 sed -E 's/kExpr(Get|Set|Tee)Local\b/kExprLocal\1/g' -i
PS2 contains manual fixes.
R=mstarzinger@chromium.org
Bug: v8:9810
Change-Id: I1617f1b2a100685a3bf56218e76845a9481959c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847354
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64161}
The particular combination of (1) having callee-saved registers in
the stub per the C++ calling convention, (2) passing arguments to
the callee on the stack, and (3) that callee throwing an exception,
caused the saved registers to be restored to bogus values.
To fix this, the stack unwinder needs to compute the stub's frame
size correctly (i.e. without stack parameters).
Bug: chromium:1007608
Change-Id: Iadd99f10764f49f9e3c620c05723e09172c73cf7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847352
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64160}
Empty slow element dictionary had the sticky bit set. This bit was
used to indicate that the dictionary cannot go to the fast mode either
because the dictionary had elements with attributed or elements at large
indices. There is no reason for the empty dictionary to have this bit set.
This causes bugs in some corner cases.
Bug: chromium:1003732
Change-Id: Ib29e1cda784869b9deb9361d8e6b5539f7154a38
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1833686
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64158}
The test creates 10000 modules, which runs in less then one second in
release builds, but can take much longer with stress flags and on
special bots.
It timed out on the tsan isolates bot in a variant passing
--stress-wasm-code-gc.
Since the test should only verify that we support more than 1000
modules in a single isolate, we do not need to run it in that variant.
Thus just skip it.
R=fgm@chromium.org
Bug: v8:9814
Change-Id: Ie3a4f62a053b1f7cff2c2206f39ddd71a533ae3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1845229
Reviewed-by: Francis McCabe <fgm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64153}
... and make sure that the arm64 ptr-compr bots proceed testing V8 without
pointer compression in order to keep testing the other config.
Bug: v8:7703
Change-Id: I0017345273d5328d95a338064dd80b44974c1c53
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1844780
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64132}
This deletes unresolved VariableProxy objects created for labels in the
preparser which prevents shadowed variables in enclosing scopes from
being context-allocated.
Previously this was only done in the full parser, which leads to
bytecode mismatches with lazy source positions.
Bug: chromium:1009728, v8:8510
Change-Id: If2d0c345346116a7f5aacbcd0cf3638e9f7e04cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1836258
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64104}
Fix corner case where we would try to read a property when having a
pending or scheduled exception.
Re-add tests.
Bug: chromium:1006640
Change-Id: I2fc84ee0f6145db2d200a8b9abf57fdc4b12a5a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1835531
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64083}
This is a reland of cfb60d430b
Original change's description:
> [regexp] Eagerly tier-up for very long strings
>
> For very long subject strings, the regexp interpreter is currently much slower
> than the native machine code execution. This CL implements eager tier-up to the
> compiler to avoid the performance penalty for subject strings of length greater
> than 1000.
>
> Change-Id: I244ccbd60255e0f3bedc493b1cc3d25cdd42133e
> Bug: v8:9566
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1829273
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Ana Pesko <anapesko@google.com>
> Cr-Commit-Position: refs/heads/master@{#64046}
Bug: v8:9566
Change-Id: I81a10728c64ce3b35258c31eb8178e458d3de205
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1832167
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Ana Pesko <anapesko@google.com>
Cr-Commit-Position: refs/heads/master@{#64063}
Since slow handler was previously not a Smi. The DCHECK assumed any
Smi Handler on this path should be a proxy handler. Now it Checks for
both, and should continue if the current handler is a slow handler.
Bug: chromium:1008632
Change-Id: I079960894d7320d8d658d0990e8c32db51703206
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1828480
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Suraj Sharma <surshar@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#64052}
This reverts commit cfb60d430b.
Reason for revert: Several bots timing out, e.g.
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/24717
Original change's description:
> [regexp] Eagerly tier-up for very long strings
>
> For very long subject strings, the regexp interpreter is currently much slower
> than the native machine code execution. This CL implements eager tier-up to the
> compiler to avoid the performance penalty for subject strings of length greater
> than 1000.
>
> Change-Id: I244ccbd60255e0f3bedc493b1cc3d25cdd42133e
> Bug: v8:9566
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1829273
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Ana Pesko <anapesko@google.com>
> Cr-Commit-Position: refs/heads/master@{#64046}
TBR=yangguo@chromium.org,petermarshall@chromium.org,anapesko@google.com
TBR=yangguo@chromium.org
Change-Id: Id8dd362617988c8c5efa87ae157ee91c96cb1fdf
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9566
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1832163
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Ana Pesko <anapesko@google.com>
Cr-Commit-Position: refs/heads/master@{#64047}
For very long subject strings, the regexp interpreter is currently much slower
than the native machine code execution. This CL implements eager tier-up to the
compiler to avoid the performance penalty for subject strings of length greater
than 1000.
Change-Id: I244ccbd60255e0f3bedc493b1cc3d25cdd42133e
Bug: v8:9566
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1829273
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Ana Pesko <anapesko@google.com>
Cr-Commit-Position: refs/heads/master@{#64046}
This is a short-term fix to prevent any merging of feedback slots for
dynamic globals, while we work on a longer term solution to make it
consistent between eager and lazy compilation.
Bug: chromium:1008414, v8:8510
Change-Id: I4a5977046f53454d6f8a6ea2f41046abdf73418f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1829270
Commit-Queue: Dan Elphick <delphick@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64041}
This fixes a bug in the optimization concerning detached
or re-attached global proxies.
Bug: v8:7790
Change-Id: Ifd30b88361914430bb373d4b64a76e33ccde37e5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1809361
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64035}
This is a reland of c70de45c6a
Original change's description:
> [TurboProp] Add MidTierMachineLoweringPhase to avoid Late/MemoryOptimizationPhases
>
> Adds a MidTierMachineLoweringPhase which does select and memory lowering to machine
> nodes. This allows TurboProp to avoid the LateOptimizationPhase and
> MemoryOptimizationPhase phases while still lowering all simplified nodes to
> machine nodes before instruction selection.
>
> BUG=v8:9684
>
> Change-Id: I60533db93152ff044a2fa8c1c31adedeb3747856
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815130
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63981}
TBR=neis@chromium.org
Bug: v8:9684
Change-Id: I9cf3d087b81bb81a09a725168da9dc19238da91f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1826726
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64003}
The current implementation only supports arrays and proxies as
multi-return values in Wasm to JS calls. This adds support for any
iterable including generators, as specified by the multi-value proposal
(https://github.com/WebAssembly/multi-value/).
R=mstarzinger@chromium.org
Bug: v8:9492
Change-Id: I2c9be1f7e03824b1aabba525244e5b7f76a98f99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1824938
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63996}
This reverts commit c70de45c6a.
Reason for revert: speculative revert
Original change's description:
> [TurboProp] Add MidTierMachineLoweringPhase to avoid Late/MemoryOptimizationPhases
>
> Adds a MidTierMachineLoweringPhase which does select and memory lowering to machine
> nodes. This allows TurboProp to avoid the LateOptimizationPhase and
> MemoryOptimizationPhase phases while still lowering all simplified nodes to
> machine nodes before instruction selection.
>
> BUG=v8:9684
>
> Change-Id: I60533db93152ff044a2fa8c1c31adedeb3747856
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815130
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63981}
TBR=rmcilroy@chromium.org,neis@chromium.org
Change-Id: I99cddb2c435ad6347bdc9b61b95d48dca94294c7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9684
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1826720
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63984}
Adds a MidTierMachineLoweringPhase which does select and memory lowering to machine
nodes. This allows TurboProp to avoid the LateOptimizationPhase and
MemoryOptimizationPhase phases while still lowering all simplified nodes to
machine nodes before instruction selection.
BUG=v8:9684
Change-Id: I60533db93152ff044a2fa8c1c31adedeb3747856
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815130
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63981}
R=adamk@chromium.org
No-Try: true
Change-Id: Idedb3d80382c876f09c545cf0f1cc7387b9ad805
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1825242
Auto-Submit: Clemens Backes [né Hammacher] <clemensb@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63979}
Allows JS functions returning array-like objects to be imported as
multi-return functions in WebAssembly modules. Importing a generator
does not work as required by the specification yet.
R=mstarzinger@chromium.org
Bug: v8:9492
Change-Id: Iaf61a0f718eb50676913aa1486fb39cebecfc090
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815246
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63965}
Always unmark arrowhead parameters as assigned directly after their
initialization as the parser doesn't know when it first sees the
"assignment" that it may be in an arrowhead.
Bug: chromium:1003403, v8:8510
Change-Id: Iad5a4136d5ec06331fc43b81a809fd72cee2dd65
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815131
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63947}
Adds support for parsing top level await to V8, as well as
many tests.
This is the final cl in the series to add support for top level
await to v8.
Spec is here:
https://tc39.es/proposal-top-level-await/#sec-execute-async-module
Bug: v8:9344
Change-Id: Ie8f17ad8c7c60d1f6996d134ae154416cc1f31e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1703878
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63946}
This introduces a limit for the interpreter's BacktrackStack to match
the limit used by generated code (RegExpStack::kMaximumStackSize).
Bug: chromium:1006670
Change-Id: I0b7613698e61257aecca89535ad9109c7e454692
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1821458
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63945}
This reduces the number of label indices accepted by {br_table} from the
full function body size to specifically 65520 labels. Note that TurboFan
already had a similar limitation on switches, but caused a crash during
compilation up until now. This change just makes the limit explicit and
avoids the crash during compilation.
R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-9759
BUG=v8:9759
Change-Id: I3a9a4406b19a7f98fc36707b3b946be846170a15
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1821457
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Backes [né Hammacher] <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63944}
This fixes how arguments of a call to {fround} are being parsed. It now
accepts a single "AssignmentExpression" only instead of an "Expression"
which could potentially be a whole comma-separated list of expressions.
R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-1006592
BUG=chromium:1006592
Change-Id: Ifaf0c2b048e4ec18429cc6039c0e7dcdecc1d0bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815255
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63926}
This loads the call builtin from the Isolate root instead of embedding
it into the instruction stream. This can be more efficient, but more
importantly it fixes an issue with tracing and eventually allows for
background compilation of these wrappers.
R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-crbug-1006631
BUG=chromium:1006631
Change-Id: Ife1bc513340d233a3c01789c7b56126fe3b87f6f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815245
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63924}
Change Parser::AllowsLazyParsingWithoutUnresolvedVariables to return
false if it may be parsing an arrow function.
Bug: v8:9758, v8:8510
Change-Id: Ic5d213d4358ff954a169c03e449197c3f050880c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1816510
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63920}
This cl adds support for top level await to d8, but still
does not allow top level await through parsing.
Unfortunately, due to that restriction this cl has no automated
tests, but I added a 'top-level-await' variant and manually
confirmed it passes locally.
Bug: v8:9344
Change-Id: I3528442768107f5ad1ed1e9e947cfceae91c0cc6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1808483
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63909}
The predictable platform can make tasks deadlock if the spawning task
is holding a lock that the spawn task also wants to take. This is
because the spawned task is just executed immediately within the
"context" of the spawning task.
The wasm async compile tests deadlock because the
{BackgroundCompileTask}s hold the shared {BackgroundCompileToken}
(reader lock) while spawning new tasks via {OnBackgroundTaskStopped} ->
{RestartBackgroundTasks}. The new tasks might want to cancel
compilation via {BackgroundCompileToken::Cancel}, which takes the
writer lock and hence deadlocks.
This can not happen on any other platform, since tasks are not nested
that way.
R=ahaas@chromium.org
Bug: v8:9760
No-Try: true
Change-Id: I9fc34d5de386aa5c6fdd64a1570fddcff872ec95
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1816502
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63904}
With --wasm-far-jump-table, it will be possible to create 10k (and
more) modules in one process. So far, we hit the virtual address space
limit around 1k modules, because each module makes a reservation of
{kMaxWasmCodeMemory} upfront. After this change, each module will only
reserve the estimated needed code size (if --wasm-far-jump-table is
set).
The test is carefully optimized to not execute too much code in the
loop, so it can still run in simulators in reasonable time. Note that
the time for actually compiling the module is spent in C++, which is
fast in simulator builds.
R=mstarzinger@chromium.org
Bug: v8:9477, v8:9651
Change-Id: If74a825d272a65b82ca5433cb648b6a2271872e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1811038
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63903}
This adds an additional V8 API to get the backing store of an array
buffer. Unlike the existing API, the backing store comes wrapped
in a std::shared_ptr, making lifetime management with the embedder
explicit. This obviates the need for the old GetContents() and
Externalize() APIs, which will be deprecated in a future CL.
Contributed by titzer@chromium.org
Bug: v8:9380
Change-Id: I8a87f5dc141dab684693fe536b636e33f6e45173
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807354
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63883}
ArrayBuffer tracking has landed, turning on GrowMemory for Shared
WebAssembly.memory on by default. Enable all variants of tests based
on the new implementation.
Bug: v8:8564, v8:9221, v8:8832
Change-Id: I0ff8688636303896450b788b2ff5a7268d386050
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1808106
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63855}
The element segment encoding in the bulk memory proposal changed
recently. With this CL the V8 implementation gets up to date again.
R=thibaudm@chromium.org
Bug: v8:9658
Change-Id: I4f45d04369400356a6f3aaed9570c7870f5f97bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1778022
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63836}
Adding a %SimulateNewspaceFull runtime function speeds up this test
from 7m21s to 0.3s (on arm.optdebug with --jitless).
Bonus content:
- speed up mjsunit/md5 by 23x (5m25s -> 7.5s)
- speed up mjsunit/string-replace-gc by 8x (1m37s -> 12s)
Bug: v8:9700, v8:9396
Change-Id: Id00d0b83b51192edf1d5493b49b79b5d76e78087
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1807355
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63829}
We used to have two special cases for named accesses on the global
proxy, one based on seeing the global proxy constant in the graph and
on based on seeing the global proxy map either in the feedback or in
the graph. A change I made a while ago accidentally disabled the second
one. This CL restores that.
Moreover, given how things are set up now (this might have been
different before), the first optimization is subsumed by the second
one, so this CL also removes the first one.
Finally, this CL records an accumulator hint in the case of a load,
which improves precision of the serializer for concurrent inlining.
Tbr: tebbi@chromium.org
Bug: v8:7790
Change-Id: I255afc6c79e5c5c900b3ccfcd8459d836d21e42b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1801954
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63806}
This randomizes new memory allocations and reservations. It's currently
used to test far jump tables in wasm better, but might be helpful
generally for testing arbitrary virtual memory layouts.
R=mstarzinger@chromium.org
Bug: v8:9477
Change-Id: Ie60b7c6dd3c4cd0f3b9eb8e2172912e0851c357d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803340
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63802}
This CL adds a flag to reduce the initial code space reservation size
(--wasm-max-initial-code-space-reservation), and adds a test which creates at
least four separate code spaces and calls between them.
R=mstarzinger@chromium.org
Bug: v8:9477
Change-Id: I1b4c430266962eb94dbe4b381f46b03c2ec07fc2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1782999
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63797}
Changes the Array(Includes|IndexOf)(Holey|Packed)Doubles builtins to
first check the input array is not empty before attempting to cast it to
a FixedDoubleArray as an empty array of doubles can be backed by a
FixedArray.
Bug: chromium:1004061
Change-Id: I12f302afa9596fb8a5581849662cd67fcc06f92b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1806676
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63794}
The current JSObject type is too specific as it can also be passed proxy
objects.
BUG=chromium:1003919,v8:6949
Change-Id: I2766868543827fc5ee6f99f3b120c7ffe9cfed39
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803651
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63787}
This reimplements the "--time" option of run-tests.py to print the
20 slowest tests, on top of json_test_results infrastructure just
like the bots do it.
Additionally this CL speeds up a bunch of slow tests.
Bug: v8:9396
Change-Id: I40797d2c8c3bfdd310b72f15cd1a035844b7c6f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803635
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63786}
This reverts commit 9ce6792630.
Reason for revert: This was never intended to stay.
Original change's description:
> [turbofan] temporarily disable const-based load elimination
>
> This is a safe to merge hot-fix to tackle https://crbug.com/983764.
> To be reverted after merging to M77.
>
> Bug: chromium:983764
> Change-Id: I3cd27481f224b352ef6bcf9dde21a8f77616acff
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1786285
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63570}
TBR=tebbi@chromium.org,mslekova@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: chromium:983764
Change-Id: I9c07eab384818aaeecab0224cec0f6b5310e9e09
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1801839
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63743}
The point of this test is to check for OOB access traps, the read/write
of the entire backing buffer is not useful to this test, and causes the
test to be really slow, especially on arm simulator. This change cuts
the runtime of the test from ~7.5min to ~1.5min.
Bug: v8:7783
Bug: v8:9396
Change-Id: Id57648e920b7631d8c481d2a43ded1c16cd2d1d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1793905
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63726}
Case statements have a list of statements associated with them, but are
not blocks, and were hence not fixed-up correctly for code coverage.
This CL also applies the fix-up to the "body" of case statements,
in this way removing ranges reported as uncovered between the final
break/return in a case and the next case (or end of function).
Drive-by: Add optional pretty printing to code coverage test results.
Change-Id: I5f4002d4e17b7253ed516d99f7c389ab2264be10
Bug: v8:9705
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1798426
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63719}
This fixes the case where a table entry contains a function constructed
via {WebAssembly.Function} and is then read out via a runtime function
from the table.
R=ahaas@chromium.org
TEST=mjsunit/regress/wasm/regress-crbug-1002388
BUG=chromium:1002388
Change-Id: Ic0a9a544baaf37e68cd22eb91f2ef0bdf5fa5842
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1795352
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63709}
Current GetIterator bytecode loads and calls @@iterator property on a
given object. This change extends the bytecode functionality to check
whether the value returned after calling @@iterator property is a valid
JSReceiver. The bytecode throws SymbolIteratorInvalid exception if the
returned value is not a valid JSReceiver. This change absorbs the
functionality of additional two bytecodes - JumpIfJSReceiver and
CallRuntime, that are part of the iterator protocol in the GetIterator
bytecode.
Bug: v8:9489
Change-Id: I9e84cfe85eeb9a1b8a97ca0595375ac26ba1bbfd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1792905
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Swapnil Gaikwad <swapnilgaikwad@google.com>
Cr-Commit-Position: refs/heads/master@{#63704}
This reduces the runtime from ~20m to ~2m (very unscientific measure
based on running the entire asm-wasm-i32 test with and without this
change).
I removed most of the constants that looked uninteresting, e.g. testing
for 10, 20, 30, isn't that interesting. The edge cases are left
untouched, min/max signed positive/negative ints and +/- 1 from both.
Bug: v8:7783
Bug: v8:9396
Change-Id: Ice363fc3f786dd55ff118ffa42f9ecea07880338
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1791632
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63695}
This adds a new API function and provides a simple implementation
of performance.measureMemory() in d8. The implementation currently
immediately resolves the result promise with the current heap size.
Bug: chromium:973627
Change-Id: Ia8e1963a49b7df628b5487a2c0d601473f0cb039
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1796502
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63694}
This speeds up the check by ~10x.
This was tested by writing a simple test that compares a for-loop and
array.every():
for (var i = 0; i < kMemSize; i++) {
assertEquals(0, array[i]);
}
assertTrue(array.every((e => e == 0)));
The for-loop takes ~180s, every() takes ~19s.
Numbers above are for arm.debug build (simulator). On x64.debug builds
we can see a similar 10x improvement, from ~6s to ~400ms.
Bug: v8:7783
Bug: v8:9396
Change-Id: I83d46c7ec4a634612032c1d79585339cadb8b641
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1793904
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63691}
Change-Id: Ie0bd818c629bed3011212fb7c8ab81202a462501
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1798424
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63678}
This patch uses a bit in the Variable bit fields to distinguish
static private names from instance private names, so that we
can check the conflicts of private accessors that are complementary
but with different staticness in the parser, and use this
information later when generating code for checking static brands
for private method access.
Design doc: https://docs.google.com/document/d/1rgGRw5RdzaRrM-GrIMhsn-DLULtADV2dmIdh_iIZxlc/edit
Bug: v8:8330
Change-Id: I8d70600e594e3d07f77ea519751b7ca2e0de87b5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781010
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/master@{#63677}
Do not assume that the MaybeHandle that is returned when fetching for a property
is valid and instead check for its contents. Treat an empty handle as not
finding the right property.
Bug: chromium:1002827
Change-Id: Iac158086ec5f66cd9602f4a73ae78de367dd3e77
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1796556
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63672}
After https://crrev.com/c/1793065 the test should be fast enough to
execute it everywhere.
R=mslekova@chromium.org
Bug: v8:9696, v8:7783
Change-Id: I2485d703d6e973217eddde2f2814e31f7fcd8a61
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1795343
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63647}
We don't handle all cases for stores to typed arrays in the builtins
related to storing a property. Bailout to runtime when storing into
a typed array if the property is not found on the object.
Bug: chromium:996161
Change-Id: I684c7c4f526b15cdfb5bfe3fd23218910486a59e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1789396
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63639}
When analyzing functions scopes with the script_scope as parent, don't
skip migrating unresolved variables upwards if we could still be inside
an arrow head, which means accesses to those variables will be
correctly context allocated.
Bug: v8:8510, chromium:1000094
Change-Id: I684f2f8bc692de420203990f93e5c943b5b769c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1789705
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63635}
It looks like the loop is there to create objects and trigger GC. It's
also tailored to Crankshaft, which was removed long ago.
This code currently times out on some arm bots, and it's hard to see
any value in it. Thus remove it.
R=mslekova@chromium.org
Change-Id: Ia47d4f70d679f79cfea523f467ff7adc3360cf6c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1793065
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63630}
This CL implements the tier-up strategy where the interpreter can be used for
an arbitrary number of executions for every regex, before tiering-up to the
compiler. The only exception is for functional global replaces, where we
eagerly tier-up to native code right away.
To use the tier-up logic --regexp-tier-up=value needs to be set. It is
currently set to 0 by default.
Change-Id: I770857e5eae710a952fe47661cb42957c53848b4
Bug: v8:9566
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1789299
Commit-Queue: Ana Pesko <anapesko@google.com>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63623}
The fuzzer found a crash when we want to execute the {valueOf} function
of an imported value for an i64-global. The problem is that we cannot
execute JavaScript at that moment (I did not check why, I guess we open
some scope at some point). I checked the WebAssembly spec now, and it
defines that only numbers are valid values for imported globals. I
adjust our bigint implementation accordingly with this CL, i.e. that
only bigint values are valid as imported i64-globalsl.
I also created github issues to discuss this problem.
R=jkummerow@chromium.org
Bug: chromium:1001804
Change-Id: I47f0b31fab53163346f341ad290fd3c58e7707bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1792167
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63621}
This reverts commit 9da3483136
Original change's description:
> "Reland x4 [arraybuffer] Rearchitect backing store ownership"
>
> This is a reland of bc33f5aeba
>
> Contributed by titzer@chromium.org
>
> Original change's description:
> > [arraybuffer] Rearchitect backing store ownership
> >
> > This CL completely rearchitects the ownership of array buffer backing stores,
> > consolidating ownership into a {BackingStore} C++ object that is tracked
> > throughout V8 using unique_ptr and shared_ptr where appropriate.
> >
> > Overall, lifetime management is simpler and more explicit. The numerous
> > ways that array buffers were initialized have been streamlined to one
> > Attach() method on JSArrayBuffer. The array buffer tracker in the
> > GC implementation now manages std::shared_ptr<BackingStore> pointers,
> > and the construction and destruction of the BackingStore object itself
> > handles the underlying page or embedder-allocated memory.
> >
> > The embedder API remains unchanged for now. We use the
> > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> > keep the backing store alive properly, even in the case of aliases
> > from live heap objects. Thus the embedder has a lower chance of making
> > a mistake. Long-term, we should move the embedder to a model where they
> > manage backing stores using shared_ptr to an opaque backing store object.
>
> TBR=yangguo@chromium.org
>
> BUG=v8:9380,v8:9221,chromium:986318
>
> Change-Id: If671a4a9ca0476e8f084efae46e0d2bf99ed99ef
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731005
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63041}
TBR=yangguo@chromium.org
Change-Id: I3cc4bb80081c662b1751234bc16a821c20e744be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1792166
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63617}
This is a reland of 8b89a7c32d
Reland after disabling the test getting deadlocked with '--gc_stress' flag.
The CL was reverted because of the 'wasm/grow-shared-memory' test from
the mjsunit test suite deadlocked for the 'gc_stress' variant. This is
the known issue (v8:9221) and the deadlocking test is now disabled (
1c8981e3f4).
Original change's description:
> Update GetIterator bytecode to load and call object[Symbol.iterator]
>
> The functionality of the GetIterator bytecode introduced previously is
> now extended from loading the @@iterator property to calling the property
> as well. This change basically absorbs the functionality of additional
> two bytecodes - Star, CallProperty0 in the GetIterator bytecode.
> Importantly, this change handles the cases of eager and lazy deoptimization
> in the middle of the bytecode, i.e., lazy deopt for LdaNamedProperty and
> eager deopt of the CallProperty0 bytecode, using the continuation builtins.
> This mechanism can work as a template for the future bytecode that require
> handling such inter-bytecode deopt scenario. The tests evaluating the eager
> and lazy deopt scenarios are also included.
>
> Bug: v8:9489
> Change-Id: I93eb022bbc3d37582407820aa8482a343cac6c12
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758313
> Commit-Queue: Swapnil Gaikwad <swapnilgaikwad@google.com>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63528}
Bug: v8:9489,v8:9221
Change-Id: I4286255aef457bfdbbe5eb50fc6dabdf9c0955b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1787427
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Swapnil Gaikwad <swapnilgaikwad@google.com>
Cr-Commit-Position: refs/heads/master@{#63599}
