V8 doesn't build on Ubuntu 16.04 (with GCC 5.3). Seems to be
a known regression on newer GCC version. It emits incorrect
"error: array subscript is above array bounds" message. Adding
explicit array bound check fixes the issue.
R=hablich@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2256113002
Cr-Commit-Position: refs/heads/master@{#38721}
The machine types were incorrect for the runtime function and argument
count parameters. The latter was introduced in 3e2085eb, while the
former seems to always have been wrong.
This was not an issue so far because GetRuntimeCallDescriptor was only
called after the representation selection phase and thus the machine
type was ignored.
R=jarin@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2250863004
Cr-Commit-Position: refs/heads/master@{#38720}
Initialize Code::builtin_index to -1. This ensures that it is
non-negative for builtin code objects (since it is set by
Builtins::SetUp), and -1 for everything else.
BUG=
Review-Url: https://codereview.chromium.org/2254193002
Cr-Commit-Position: refs/heads/master@{#38719}
As required by the spec, ToJS now throws a TypeError fit I64 values
instead of truncating the I64 value to I32. To throw a TypeError I
introduced a new runtime function because the existing
Runtime::kThrowWasmError does not throw a TypeError. Since we have calls
to two runtime functions now, and an additional one is needed for stack
checks, I extracted the call to runtime functions into a helper function.
R=titzer@chromium.org
TEST=mjsunit/wasm/ffi-error.js:I64InSignatureThrows
Review-Url: https://codereview.chromium.org/2254803002
Cr-Commit-Position: refs/heads/master@{#38718}
Adds support for dumping the stack on Windows. Also enables in-process
stack dumping in d8 to dump the stack on exceptions and signals.
This CL changes the format of stack dumps from:
1: V8_Fatal
2: 0x1ac6ba5
3: v8::internal::interpreter::BytecodeGenerator::Visit(v8::internal::AstNode*)
4: v8::internal::interpreter::BytecodeGenerator::VisitForAccumulatorValue(v8::internal::Expression*)
...
To:
./out/x64.debug/d8(v8::base::debug::StackTrace::StackTrace()+0x1e) [0x1c6ee5e]
./out/x64.debug/d8() [0x1c6ede5]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x10330) [0x7fa01193e330]
./out/x64.debug/d8(v8::base::OS::Abort()+0x12) [0x1c6cea2]
./out/x64.debug/d8() [0x1c67538]
./out/x64.debug/d8() [0x1ac80b5]
./out/x64.debug/d8(v8::internal::interpreter::BytecodeGenerator
::Visit(v8::internal::AstNode*)+0x3cb) [0x1ac323b]
./out/x64.debug/d8(v8::internal::interpreter::BytecodeGenerator
::VisitForAccumulatorValue(v8::internal::Expression*)+0x40) [0x1ac2570]
Review-Url: https://codereview.chromium.org/2248393002
Cr-Commit-Position: refs/heads/master@{#38717}
Removes all accesses to the Isolate during bytecode generation and the
bytecode pipeline. Adds an DisallowIsolateAccessScope which is used to
enforce this invariant within the BytecodeGenerator.
BUG=v8:5203
Review-Url: https://codereview.chromium.org/2242193002
Cr-Commit-Position: refs/heads/master@{#38716}
- Avoid unmapping of new space pages while sweeping using a delayed list that
gets emptied upon the next call to the unmapper.
BUG=chromium:628984
R=hpayer@chromium.org
This reverts commit 4a1f2807d6.
Review-Url: https://codereview.chromium.org/2255153002
Cr-Commit-Position: refs/heads/master@{#38715}
Reason for revert:
The barrier in newspace is still needed.
Original issue's description:
> [heap] Don't unmap new space pages while sweeping is active
>
> - The barrier for scavenge only checked for whether new space pages were swept.
> This is not enough as a concurrent task could still hang right before trying to
> lock the page for sweeping. Remove the barrier completely.
> - Avoid unmapping of new space pages while sweeping using a delayed list that
> gets emptied upon the next call to the unmapper.
>
> BUG=chromium:628984
> R=hpayer@chromium.org
>
> Committed: https://crrev.com/982b399423e6bd941cabb2b825031cd8d5eb4980
> Cr-Commit-Position: refs/heads/master@{#38710}
TBR=hpayer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:628984
Review-Url: https://codereview.chromium.org/2244233007
Cr-Commit-Position: refs/heads/master@{#38712}
We were missing this optimization in a few cases because TruncateInt64ToInt32 was also interfering.
Also removed the equivalent from simplified-lowering.cc, as the arm64 instruction selector has a similar optimization.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2252333002
Cr-Commit-Position: refs/heads/master@{#38711}
- The barrier for scavenge only checked for whether new space pages were swept.
This is not enough as a concurrent task could still hang right before trying to
lock the page for sweeping. Remove the barrier completely.
- Avoid unmapping of new space pages while sweeping using a delayed list that
gets emptied upon the next call to the unmapper.
BUG=chromium:628984
R=hpayer@chromium.org
Review-Url: https://codereview.chromium.org/2250423002
Cr-Commit-Position: refs/heads/master@{#38710}
This fixes canonicalization of {SharedFunctionInfo} objects in the
{Compiler::GetSharedFunctionInfo} method when bytecode is preserved.
Eager compilation is only triggered when no code is present.
R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-638551
BUG=chromium:638551
Review-Url: https://codereview.chromium.org/2245263006
Cr-Commit-Position: refs/heads/master@{#38709}
Rebuilding (after touching certain files) is crazy slow because
includes are out of control.
Fixing it:
- Don't include stuff in headers unless necessary.
- Include the stuff you need, not some other stuff that happens to include the
stuff you need.
BUG=v8:5294
Review-Url: https://codereview.chromium.org/2246203005
Cr-Commit-Position: refs/heads/master@{#38708}
This moves the module_descriptor_ field to that subclass, as well as other module-only methods.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2252223002
Cr-Commit-Position: refs/heads/master@{#38703}
Reason for revert:
Performance regressions in Gameboy, Life, CodeLoad and others. See crbug.com/638210.
Original issue's description:
> Refactor data structures for simple stack traces
>
> Simple stack traces are captured through Isolate::CaptureSimpleStackTrace.
> Captured frames are stored in a FixedArray, which in turn is stored as a
> property (using a private symbol) on the error object itself. Actual formatting
> of the textual stack trace is done lazily when the user reads the stack
> property of the error object.
>
> This would involve many conversions back and forth between index-encoded raw
> data (receiver, function, offset and code), JS CallSite objects, and C++
> CallSite objects.
>
> This commit refactors the C++ CallSite class into a Struct class called
> StackTraceFrame, which is the new single point of truth frame information.
> Isolate::CaptureSimpleStackTrace stores an array of StackTraceFrames, and JS
> CallSite objects (now created only when the user specifies custom stack trace
> formatting through Error.prepareStackTrace) internally only store a reference
> to a StackTraceFrame.
>
> BUG=
>
> Committed: https://crrev.com/b4c1aefb9c369f1a33a6ca94a5de9b06ea4bf5c4
> Cr-Commit-Position: refs/heads/master@{#38645}
TBR=yangguo@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=
Review-Url: https://codereview.chromium.org/2252783007
Cr-Commit-Position: refs/heads/master@{#38700}
They were not using it for anything. Block and FunctionLiteral need the
Zone, others don't.
BUG=
Review-Url: https://codereview.chromium.org/2249783004
Cr-Commit-Position: refs/heads/master@{#38699}
Ensures SMI values have SMI type even if they have a dot (e.g., 1.0).
Adds SMI_WITH_DOT type to maintain this.
BUG=chromium:638134
Review-Url: https://codereview.chromium.org/2248693005
Cr-Commit-Position: refs/heads/master@{#38698}
Fixed ExtraICStateField which used 1 bits more than were available
BUG=
Review-Url: https://codereview.chromium.org/2258473002
Cr-Commit-Position: refs/heads/master@{#38697}
This fixes the case where a module is instantiated twice via the same
closure when in the meantime another closure has destroyed and removed
the WASM data attached to the SharedFunctionInfo.
R=bradnelson@chromium.org
TEST=mjsunit/asm/asm-validation
BUG=v8:4203
Review-Url: https://codereview.chromium.org/2253613004
Cr-Commit-Position: refs/heads/master@{#38696}
Rolling v8/build to 388e658306466650ee4ad4b3d6d7b230c9cad64c
Rolling v8/third_party/icu to 2341038bf72869a5683a893a2b319a48ffec7f62
Rolling v8/tools/mb to f3036b2e34d746db3635afa0841f51019b2b8d38
TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org
Review-Url: https://codereview.chromium.org/2259703002
Cr-Commit-Position: refs/heads/master@{#38695}
Language tags with Unicode extensions can have multiple subtags
for a key (e.g. -ca-ismalic-civil has 'islamic-civi' for 'ca').
BUG=v8:4749
TEST=intl/date-format/calendar-with-multiple-type-subtags.js
Review-Url: https://codereview.chromium.org/2248563003
Cr-Commit-Position: refs/heads/master@{#38692}
Reason for revert:
WebGL tests have been updated and rolled (at https://codereview.chromium.org/2227023002), so this should no longer fail outdated tests.
Original issue's description:
> Revert of Amend DataView, ArrayBuffer, and TypedArray methods to use ToIndex. (patchset #8 id:140001 of https://codereview.chromium.org/2090353003/ )
>
> Reason for revert:
> Speculative revert to unblock roll: https://codereview.chromium.org/2107223003/
>
> Original issue's description:
> > Amend DataView, ArrayBuffer, and TypedArray methods to use ToIndex.
> >
> > The spec was modified to relax some requirements which implementors had not been
> > enforcing. Part of this process involved introducing a new abstract operation
> > ToIndex, which had partial overlap with our existing semantics as well as some
> > differences (most notably treating undefined as 0). Test262 tests were introduced to
> > check for the new semantics, some of which we were failing. This patch amends the
> > parts of our implementation corresponding to specification algorithms which use
> > ToIndex to follow its semantics precisely.
> >
> > BUG=v8:4784,v8:5120
> >
> > Committed: https://crrev.com/09720349ea058d178521ec58d0a5676443a5a132
> > Cr-Commit-Position: refs/heads/master@{#37406}
>
> TBR=littledan@chromium.org,adamk@chromium.org,bakkot@google.com
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:4784,v8:5120
>
> Committed: https://crrev.com/b1f7f1f4e41a723d5f997738a07e35a031713b8f
> Cr-Commit-Position: refs/heads/master@{#37417}
TBR=littledan@chromium.org,adamk@chromium.org,hablich@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:4784,v8:5120
Review-Url: https://codereview.chromium.org/2247073004
Cr-Commit-Position: refs/heads/master@{#38689}
Our previous per-arch instantiation thunks for asm.js
didn't support modules that had or were called with anything other
than 3 arguments. Adding support for this.
Addding a runtime test method to check if asm validation succeeded.
Adding a test of validation with different argument count combinations.
R=mstarzinger@chromium.org
TEST=mjsunit/asm/asm-validator.js
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
Review-Url: https://codereview.chromium.org/2229723002
Cr-Commit-Position: refs/heads/master@{#38688}
The "version 0" format did not deal with references, and used a stack model to
deserialize objects (conceptually, a postorder tree traversal). This requires
an explicit stack, so special logic is added to decode this format.
All subsequent versions also put an object marker at the beginning, which is
equivalent to how the current version serializes.
BUG=chromium:148757
Review-Url: https://codereview.chromium.org/2248893003
Cr-Commit-Position: refs/heads/master@{#38686}
Async functions are implemented via special generator functions; special in the
sense that they generally do not immediately yield. However, our generators
implementation still assumed that every generator function initially yields
(concretely: before doing the state dispatch in a loop header). This CL fixes
that.
R=littledan@chromium.org, rmcilroy@chromium.org
BUG=chromium:638019
Review-Url: https://codereview.chromium.org/2253033002
Cr-Commit-Position: refs/heads/master@{#38684}
As part of this CL, object reference tracking is implemented (and tested with a
self-referential object). This sort of reference tracking will be shared with
other receivers (array, date, regexp and host objects).
Not included in this CL is compatibility with version-0 objects (which don't
support a non-tree object graph, and require a little stack to correctly
deserialize).
BUG=chromium:148757
Review-Url: https://codereview.chromium.org/2246093003
Cr-Commit-Position: refs/heads/master@{#38683}
The Smi case was updating the feedback with a bitwise AND instead of a bitwise OR. This was causing feedback that should have been 'kAny' to be erroneusly reported as 'kSignedSmall'.
R=rmcilroy@chromium.org
Review-Url: https://codereview.chromium.org/2251863004
Cr-Commit-Position: refs/heads/master@{#38682}
We mark an object allocated as uninitialized. If we happen to have a GC before
fields of a map are written, msan will observe access to unitialized memory and
crash.
This also unifies the handling as we now deal with all spaces in the same way.
In future we could parallelize clearing.
BUG=chromium:638226
R=hpayer@chromium.org
Review-Url: https://codereview.chromium.org/2251993002
Cr-Commit-Position: refs/heads/master@{#38681}
Fix 2cf2eef77b
Fix test failures with tests working on external Uint32 arrays. Problem
started to appear because Uint32 value was compared using Int32 compare
operators in ChangeUint32ToTagged. On MIPS64. Uint32 value is not sign-
extended, so upper 32 bits of this value are zero. MIPS64 doesn't have
Word32Compare instructions but uses Word64Compare instructions in
combination with properly sign-extended Int32 values.
BUG=cctest/test-api/Uint32Array,cctest/test-api/SharedUint32Array,
cctest/test-api/FixedUint32Array,mjsunit/compiler/uint32
Review-Url: https://codereview.chromium.org/2231053002
Cr-Commit-Position: refs/heads/master@{#38680}
This removes the representation axis from the type of {Load/StoreField}
operators representing a property load/store. The representation would
be narrowed to {None} which causes problems for all places where we use
the type to reason about the value representation. Instead we should
fully switch to {MachineRepresentation}. This is just a stop-gap fix.
R=jarin@chromium.org
BUG=chromium:636716
Review-Url: https://codereview.chromium.org/2255533003
Cr-Commit-Position: refs/heads/master@{#38678}
1, restrict use of LiteralBuffers to the tokens that actually need it.
- E.g., previously the Token::FUNCTION would have a literal buffer
containing "function", which was never actually used.
- This eliminates copies of the string data for every call to
PeekAhead or SetBookmark.
2, document & enforce the "secret" Scanner API contract w/ DCHECK
- Document & check the correspondence of token value and literal buffer.
- Document & check preconditions for calling PeekAhead, ScanRegExp*,
ScanTemplate*.
BUG=v8:4947
Review-Url: https://codereview.chromium.org/2240513003
Cr-Commit-Position: refs/heads/master@{#38677}
Now that all backends use the source position builder to record source
positions, simplify the code line logging events to take a source
position table on code creation. This means that the source position
table builder no longer needs to access the isolate until the table is
generated. This is required for off-thread bytecode generation.
BUG=v8:5203
Review-Url: https://codereview.chromium.org/2248673002
Cr-Commit-Position: refs/heads/master@{#38676}
At the moment, two NumberConstant nodes get different type even if their
value is the same because we always allocate a new heap number for
each number constant. This can lead to replacing a node with a node of
disjoint type in value numbering, which can result in incorrect code
down the line because of inconsistent types.
This fix makes sure that we only replace a node with a sub-type
node. Once we introduce a proper type for number constants, we can
move back to the intersection typing in value numbering.
Unfortunately, it is quite hard to write a repro for this because we cache NumberConstant nodes. We only throw away cached values that have too many conflicts (>5), so the test has to contain values that fall into the same bucket. That's where the magic floating point numbers in the test come from (they have the same low 8-bits of their hashes).
BUG=chromium:633497
Review-Url: https://codereview.chromium.org/2251833002
Cr-Commit-Position: refs/heads/master@{#38675}
This CL removes the optional operator flag of Float64Max and Float64Min.
Additionally it renames the instruction codes on x64 and ia32 because
the old instructions codes (e.g. SSEFloat64Max) do not match the
generated code anymore.
R=bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2237813002
Cr-Commit-Position: refs/heads/master@{#38674}
Rolling v8/build to 9a1647ec813695da7960692f711a1cebc948d551
Rolling v8/third_party/WebKit/Source/platform/inspector_protocol to b53e3af6bfca3333fc2dd69302dac6667a8c6418
Rolling v8/tools/clang to b5889296bac50b31f1d2806633fe99dfc2b26b54
Rolling v8/tools/mb to c5a112880d83d509e88c01d524c988845a3a3ba6
TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org
Review-Url: https://codereview.chromium.org/2247183004
Cr-Commit-Position: refs/heads/master@{#38672}
