This refactors the handling of calls of type Call::PROPERTY_CALL to
super properties in AstGraphBuilder::VisitCall. It ensures that the
operand stack is kept in sync with full-codegen so that deopts while
evaluating sub-expressions behave as expected.
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-4521
BUG=v8:4521
LOG=n
Review URL: https://codereview.chromium.org/1426893003
Cr-Commit-Position: refs/heads/master@{#31652}
For..in introduces 3 new bytecodes ForInPrepare, ForInNext, and
ForInDone to start a for..in loop, get the next element, and check if
the loop is done.
For..in builds upon new LoopBuilder constructs for conditionally
breaking and continuing during iteration: BreakIf{Null|Undefined}
and ContinueIf{Null|Undefined}. New conditional jump bytecodes
support this succinctly: JumpIfNull and JumpIfUndefined.
Add missing check to BytecodeLabel that could allow multiple
forward referencess to the same label which is not supported.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1422033002
Cr-Commit-Position: refs/heads/master@{#31651}
Ensure that we save the BytecodeArray register in the InterpreterEntryTrampoline
before calling out to the kStackGuard runtime function.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1426863005
Cr-Commit-Position: refs/heads/master@{#31650}
Add support for stores that transition to writable data fields,
based on the BeginRegion/FinishRegion mechanism for atomic regions
in the scheduler.
This is early work and still a bit rough around the edges, and similar
to regular stores, we don't support transitioning stores to double
fields yet.
R=jarin@chromium.org
BUG=v8:4470
LOG=n
Review URL: https://codereview.chromium.org/1406153010
Cr-Commit-Position: refs/heads/master@{#31645}
Many places in the JavaScript standard library are changed in ES2015 from
getting an integer using ToUint32 to using ToLength. This patch stages
the flag turning on those new semantics.
BUG=v8:3087,v8:4244
LOG=Y
R=adamk
Review URL: https://codereview.chromium.org/1426673003
Cr-Commit-Position: refs/heads/master@{#31641}
This patch wraps callsites to %AddElement to fall back to adding a
named property in case it is given an argument of 2**32 or greater.
The change is needed because %AddElement is called by Array functions
in various places, and ES2015 changes these Array functions to use
ToLength rather than ToUint32, so several callsites of %AddElement
which used to be reliable array indices may be larger numbers. While
the proper long-term solution may be to call out to
Object.defineProperty, this fix should allow the ToLength semantics
to be shipped while preserving correctness and not requiring a
rewrite.
BUG=v8:4516
LOG=Y
R=adamk
TEST=Interactively ran Array.prototype.slice on an Array-like which
exceeded array bounds, and found that this did not check-fail at
runtime as it did before.
Microbenchmarked this technique against the previous version on a
simple reverse implementation and found at most a 1% slowdown, as
opposed to other techniques, like calling %DefineDataPropertyUnchecked,
which had a 20% slowdown or Object.defineProperty with a 80% slowdown.
Review URL: https://codereview.chromium.org/1420663003
Cr-Commit-Position: refs/heads/master@{#31640}
Now that we have a C++ implementation, calling into JS builtins is needlessly inefficient.
Review URL: https://codereview.chromium.org/1410553006
Cr-Commit-Position: refs/heads/master@{#31637}
For platforms that use function descriptors (currently AIX and
PPC64BE), log an external callback's entrypoint address rather than
its function descriptor address. This allows proper lookup in the
tick processor's symbol table.
R=jkummerow@chromium.org, michael_dawson@ca.ibm.com
BUG=
Review URL: https://codereview.chromium.org/1409993006
Cr-Commit-Position: refs/heads/master@{#31633}
Rename ZoneTypeCache to TypeCache and use a single shared (immutable)
instance consistently to cache the most commonly used types. Also serves
as a chokepoint for defining those types, so we don't repeat the
definition (and possible bugs) in various places.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1409763004
Cr-Commit-Position: refs/heads/master@{#31631}
Only mark the last fallthrough control as deferred, otherwise the
splintering will ruin the code generation for the (maybe likely)
polymorphic cases.
Drive-by-fix: Reduce overall code duplication between JSLoadNamed
and JSStoreNamed specialization.
R=jarin@chromium.org
BUG=v8:4470
LOG=n
Review URL: https://codereview.chromium.org/1424733002
Cr-Commit-Position: refs/heads/master@{#31623}
Float(32|64)Min:
// (a < b) ? a : b
fcmp da, db
fcsel dd, da, db, lo
Float(32|64)Max:
// (b < a) ? a : b
fcmp db, da
fcsel dd, da, db, lo
BUG=
Review URL: https://codereview.chromium.org/1360603003
Cr-Commit-Position: refs/heads/master@{#31621}
Adds support for delete operator, it's implementation and tests.
Adds tests for the following unary operators
-BitwiseNot
-Add
-Sub
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1410953003
Cr-Commit-Position: refs/heads/master@{#31620}
This lowers JSCreateArguments nodes within inline (i.e. non-outermost)
frames that create "mapped arguments objects" to inline allocations.
The arguments count as well as each value is statically known and can be
directly stored into the arguments object. Note that the object is still
context-dependent and the map is loaded from the current context. The
object size is not taken into account for now, we might want to limit it
later though to keep code size bounded.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1403363004
Cr-Commit-Position: refs/heads/master@{#31619}
Typed lowering can lower JSConvertReceiver either based on the operator
hints or the (statically) known receiver type.
R=jarin@chromium.org
BUG=chromium:548557, v8:4493, v8:4470
LOG=n
Review URL: https://codereview.chromium.org/1426893002
Cr-Commit-Position: refs/heads/master@{#31618}
When == is invoked on a Symbol or SIMD vector and an object, the object should
be converted to a primitive with ToPrimitive and then compared again. This means,
for example, that for a Symbol or SIMD vector s, s == Object(s). This patch makes
that change in the implementation of ==. Only the runtime function needed to be
changed, as the code stubs and compiler specializations don't operate on Symbols
or SIMD vectors, and on these types, a fallback to the runtime function is always
used.
BUG=v8:3593
LOG=Y
R=adamk
Review URL: https://codereview.chromium.org/1421413002
Cr-Commit-Position: refs/heads/master@{#31614}
This fixes a missing SSA-renaming of the callee value used in the frame
state of a call node. An OSR-entry within do-expressions contained in
one of the argument expression can trigger that renaming.
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-crbug-546968
BUG=chromium:546968
LOG=n
Review URL: https://codereview.chromium.org/1430483002
Cr-Commit-Position: refs/heads/master@{#31613}
Scavenger should not attempt to visit ArrayBuffer's storage, it is a
user-supplied pointer that may have any alignment. Visiting it, may
result in a crash.
BUG=
R=jochen
Review URL: https://codereview.chromium.org/1406133003
Cr-Commit-Position: refs/heads/master@{#31611}
Reason for revert:
The test failure was unrelated; relanding.
Original issue's description:
> Revert of Check that array length stays a safe integer in Array.prototype.push (patchset #7 id:120001 of https://codereview.chromium.org/1428483002/ )
>
> Reason for revert:
> Caused for-in-opt test to fail
>
> Original issue's description:
> > Check that array length stays a safe integer in Array.prototype.push
> >
> > This patch adds a check in Array.prototype.push to assert that the new
> > length does not become greater than 2**53-1. Such a length would be
> > dangerous because integer arithmetic becomes imprecise after the
> > boundary. The check is also required by a test262 test.
> >
> > R=adamk
> > LOG=Y
> > BUG=v8:3087
> >
> > Committed: https://crrev.com/e68adf4548dd101dc08fcbff14444152fb1b7fe7
> > Cr-Commit-Position: refs/heads/master@{#31588}
>
> TBR=adamk@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:3087
>
> Committed: https://crrev.com/78abedb94431a233842fcb2f7a910805a05bed09
> Cr-Commit-Position: refs/heads/master@{#31590}
TBR=adamk@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3087
Review URL: https://codereview.chromium.org/1424823005
Cr-Commit-Position: refs/heads/master@{#31610}
Previously ChangeLowering would always box float64 values when going to
tagged representation, but that introduces a lot of deoptimizer loops
and polymorphism into TurboFan, which is unfortunate and unnecessary.
This adds some logic to ChangeFloat64ToTagged to try harder to create a
Smi when going from Float64 to Tagged, instead of always allocating a
HeapNumber. This might need some additional tweaking, but at least it
makes it possible to start comparing TurboFan and Crankshaft for some
regular JavaScript.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1420913003
Cr-Commit-Position: refs/heads/master@{#31609}
Full-codegen prepared for the bailout in the wrong place, causing side
effects to be replayed when they shouldn't. Crankshaft and Turbofan are
in agreement about where the deopt should jump to.
TEST=mjsunit/for-in-opt
R=jarin@chromium.org
BUG=v8:4381
LOG=y
Review URL: https://codereview.chromium.org/1413923005
Cr-Commit-Position: refs/heads/master@{#31607}
