Previously we enforced that all lengths for ArrayLike objects must
be within Smi range, but all negative numbers should actually be first
converted to +0.
Bug: chromium:740372
Change-Id: If50de9ce0eeb7cb09e14b8e8803f434350d00508
Reviewed-on: https://chromium-review.googlesource.com/566867
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46615}
Insertion into a collection changes the map because of the addition of
the hash value property. Check the root map, not the current map.
Fixes: https://github.com/nodejs/node/issues/14139
Change-Id: Iabcea5337323b9b6deffa1a06892c1cb749f2065
Reviewed-on: https://chromium-review.googlesource.com/566833
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46614}
Didn't seem to help and caused a couple of regressions.
BUG=v8:6243,chromium:740124
Change-Id: I72887ba245a524211dbf181c77d0cdc6d917d090
Reviewed-on: https://chromium-review.googlesource.com/568480
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46608}
When we abort preparsing, we have to reset the Scope state, to ensure
re-parsing will leave us in the proper Zone. Resetting of rare_data_
was missing, causing this to fail in some cases.
Bug: chromium:740803
Change-Id: I7ce70f9c4670eaf1b76745ae8231eb95625b0f4b
Reviewed-on: https://chromium-review.googlesource.com/568784
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46607}
This turns on collection of function size bytes, and decode time for functions in all cases (both background and foreground).
Bug: v8:6361
Change-Id: I5d982ec4452596210b3ea9858126820ad0c3eacf
Reviewed-on: https://chromium-review.googlesource.com/568781
Commit-Queue: Karl Schimpf <kschimpf@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46605}
Follow up on https://codereview.chromium.org/2740353002. Created
PosixDefaultTimezoneCache which is a subclass of PosixTimezoneCache
containing definition of LocalTimezone and LocalTimeOffset which is
separate for different OS.
R=littledan@chromium.org, ulan@chromium.org
BUG=v8:6578
LOG=N
Change-Id: I58342893aeefe79ac50e1df041d614fc473f15bf
Reviewed-on: https://chromium-review.googlesource.com/568686
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Jaideep Bajwa <bjaideep@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#46604}
By creating the boilerplate only on the second instantiation we cannot
propagate back the elements transitions early enough. The resulting literals
would change the initial ElementsKind one step too late and already pollute
ICs that went to monomorphic state.
- Disable lazy AllocationSites for literals containing arrays
- Introduce new ComplexLiteral class to share code between ObjectLiteral
and ArrayLiteral
- RegexpLiteral now no longer needs a depth_ field
Bug: v8:6517, v8:6519, v8:6211
Change-Id: Ia88d1878954e8895c3d00a7dda8d71e95bba005c
Reviewed-on: https://chromium-review.googlesource.com/563305
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46603}
This is a reland of f720d024dc
Original change's description:
> [mjsunit] Improve mjsunit stracktrace readability
>
> Format the function name and file-position into proper columns to easily spot
> where the test code ends and the mjsunit framework code starts.
>
> BEFORE:
> Stack: Error
> at new MjsUnitAssertionError (test/mjsunit/mjsunit.js:36:18)
> at failWithMessage (test/mjsunit/mjsunit.js:310:11)
> at fail (test/mjsunit/mjsunit.js:327:12)
> at assertEquals (test/mjsunit/mjsunit.js:398:7)
> at closure (test/mjsunit/regress/regress-4121.js:20:7)
> at literals_sharing_test (test/mjsunit/regress/regress-4121.js:27:3)
> at test (test/mjsunit/regress/regress-4121.js:37:5)
> at eval (eval at <anonymous> (test/mjsunit/regress/regress-4121.js:49:6), <anonymous>:1:1)
> at test/mjsunit/regress/regress-4121.js:49:6
> at Array.forEach.call (test/mjsunit/regress/regress-4121.js:50:7)
> throw new MjsUnitAssertionError(message);
>
> AFTER:
> Stack: MjsUnitAssertionError
> at assertEquals test/mjsunit/mjsunit.js 398:7
> at closure test/mjsunit/regress/regress-4121.js 20:7
> at literals_sharing_test test/mjsunit/regress/regress-4121.js 27:3
> at test test/mjsunit/regress/regress-4121.js 37:5
> at eval eval at <anonymous> (test/mjsunit/regress/regress-4121.js:49:6)
> at test/mjsunit/regress/regress-4121.js 49:6
> at Array.forEach.call test/mjsunit/regress/regress-4121.js 50:7
> throw new MjsUnitAssertionError(message);
>
>
> Change-Id: Iad3460a648e26effb43c00426ab043743ee6a138
> Reviewed-on: https://chromium-review.googlesource.com/563627
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46589}
Change-Id: I44bf07f7be4114369315605542cafd17345b4397
Reviewed-on: https://chromium-review.googlesource.com/567063
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46602}
JSFunction::SetName can fail if it tries to create a string with
length > String::kMaxLength (either by prepending "set "/"get " or
by surrounding a Symbol descriptor with "["/"]").
This patch propagates that exception to the surrounding code rather
than CHECK-failing.
Bug: chromium:740398
Change-Id: I394943af481f3147387dd82ec5862d7071d57827
Reviewed-on: https://chromium-review.googlesource.com/566092
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46601}
The JSTypedLowering reducer was returning Changed(node) when it
did not change the node, in case the node was a speculative number
comparison node.
Bug:
Change-Id: I2082e4c2e45078b343e427f54d61d4e0a323a64f
Reviewed-on: https://chromium-review.googlesource.com/568036
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Alexandre Talon <alexandret@google.com>
Cr-Commit-Position: refs/heads/master@{#46600}
The problem popped up when passing the constants by reference
(https://chromium-review.googlesource.com/c/565141).
It's a bit ugly, but, the C++11 standard requires a definition
additionally to the existing declaration in the body of the class:
9.4.2/4: If a static data member is of const literal type, its
declaration in the class definition can specify a
brace-or-equal-initializer in which every initializer-clause that is
an assignment-expression is a constant expression. A static data
member of literal type can be declared in the class definition with
the constexpr specifier; if so, its declaration shall specify a
brace-or-equal-initializer in which every initializer-clause that i
an assignment-expression is a constant expression. [Note: In both
these cases, the member may appear in constant expressions. — end
note] The member shall still be defined in a namespace scope if it is
odr-used (3.2) in the program and the namespace scope definition shall
not contain an initializer.
Drive-by: Make the static constants constexpr.
R=bmeurer@chromium.org
Change-Id: Idc3d20bf2adf31d874c23ff8bfec52437789160a
Reviewed-on: https://chromium-review.googlesource.com/567506
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46599}
In branch elimination phase, control paths are updated when visiting
the nodes. We first create a control path and then check if it is
same as the exisiting one. If it is the same we discard the newly
created one. Since these are created in the zone memory the memory
will not be released till the entire pass is over. This cl changes
it to first check if the control path has changed and create a new
path only if it has changed.
Bug: chromium:725664,v8:6150
Change-Id: I67fbea13036f85999c7ed366c571f8dc1c17a023
Reviewed-on: https://chromium-review.googlesource.com/563406
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46598}
This makes it possible for automated tests to distinguish between CHECK
failures and DCHECK failures, the latter of which will continue to run
in release builds after the assertion failure point.
Change-Id: Ie26978c0342d401a8c85f3261749739195087579
Reviewed-on: https://chromium-review.googlesource.com/565515
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46596}
This makes sure we leave some gap on the stack whenever compilation jobs
are being finalized. Such a finalization can trigger assembling back on
the main thread, hence requiring a non-negligible amount of stack. This
is in sync with other {Runtime_CompileFoo} methods.
R=ishell@chromium.org
BUG=chromium:740400,chromium:741599
Change-Id: I96fbd524c3cd443a1f5a8e22925b92407fadfb63
Reviewed-on: https://chromium-review.googlesource.com/568142
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46595}
- Update InitializeAllocationMemento to use newer CSA helper
- Fix AllocateJSArray to create AllocationMementos for empty arrays as well
Bug: v8:6211
Change-Id: I8731b04cdd500b877a54dee67f00f2899d91d86d
Reviewed-on: https://chromium-review.googlesource.com/566810
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46594}
This reverts commit f720d024dc.
Reason for revert: Bot failure at
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20custom%20snapshot%20-%20debug/builds/15690
Original change's description:
> [mjsunit] Improve mjsunit stracktrace readability
>
> Format the function name and file-position into proper columns to easily spot
> where the test code ends and the mjsunit framework code starts.
>
> BEFORE:
> Stack: Error
> at new MjsUnitAssertionError (test/mjsunit/mjsunit.js:36:18)
> at failWithMessage (test/mjsunit/mjsunit.js:310:11)
> at fail (test/mjsunit/mjsunit.js:327:12)
> at assertEquals (test/mjsunit/mjsunit.js:398:7)
> at closure (test/mjsunit/regress/regress-4121.js:20:7)
> at literals_sharing_test (test/mjsunit/regress/regress-4121.js:27:3)
> at test (test/mjsunit/regress/regress-4121.js:37:5)
> at eval (eval at <anonymous> (test/mjsunit/regress/regress-4121.js:49:6), <anonymous>:1:1)
> at test/mjsunit/regress/regress-4121.js:49:6
> at Array.forEach.call (test/mjsunit/regress/regress-4121.js:50:7)
> throw new MjsUnitAssertionError(message);
>
> AFTER:
> Stack: MjsUnitAssertionError
> at assertEquals test/mjsunit/mjsunit.js 398:7
> at closure test/mjsunit/regress/regress-4121.js 20:7
> at literals_sharing_test test/mjsunit/regress/regress-4121.js 27:3
> at test test/mjsunit/regress/regress-4121.js 37:5
> at eval eval at <anonymous> (test/mjsunit/regress/regress-4121.js:49:6)
> at test/mjsunit/regress/regress-4121.js 49:6
> at Array.forEach.call test/mjsunit/regress/regress-4121.js 50:7
> throw new MjsUnitAssertionError(message);
>
>
> Change-Id: Iad3460a648e26effb43c00426ab043743ee6a138
> Reviewed-on: https://chromium-review.googlesource.com/563627
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46589}
TBR=machenbach@chromium.org,cbruni@chromium.org,ishell@chromium.org
Change-Id: I631cec7f318637ce2f60500e2bf0ab7fe1f6d09e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/567062
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46592}
Previously, the serializer would share mutable heap numbers between
contexts. The workaround was to disable double field tracking entirely
during bootstrapping of isolates preparing to be serialized.
This does not cover custom scripts run between bootstrapping and
serialization, and can cause race conditions when writing to the flag.
This no longer seems necessary since we can correctly tell mutable and
immutable heap numbers apart by instance type now.
Bug: v8:6585
Change-Id: I7a59ffaad9d96f1c2b08813e19505f4fda95e555
Reviewed-on: https://chromium-review.googlesource.com/566861
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46591}
This CL moves collected source range information out of AST nodes
and into a side table stored on ParseInfo. The side table is only
created if block coverage is enabled, so there's almost no memory
overhead in the standard case.
Change-Id: I41871b8425ebbc6217d82d3ad26b5fc9e5d68ecb
Reviewed-on: https://chromium-review.googlesource.com/566808
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46590}
Format the function name and file-position into proper columns to easily spot
where the test code ends and the mjsunit framework code starts.
BEFORE:
Stack: Error
at new MjsUnitAssertionError (test/mjsunit/mjsunit.js:36:18)
at failWithMessage (test/mjsunit/mjsunit.js:310:11)
at fail (test/mjsunit/mjsunit.js:327:12)
at assertEquals (test/mjsunit/mjsunit.js:398:7)
at closure (test/mjsunit/regress/regress-4121.js:20:7)
at literals_sharing_test (test/mjsunit/regress/regress-4121.js:27:3)
at test (test/mjsunit/regress/regress-4121.js:37:5)
at eval (eval at <anonymous> (test/mjsunit/regress/regress-4121.js:49:6), <anonymous>:1:1)
at test/mjsunit/regress/regress-4121.js:49:6
at Array.forEach.call (test/mjsunit/regress/regress-4121.js:50:7)
throw new MjsUnitAssertionError(message);
AFTER:
Stack: MjsUnitAssertionError
at assertEquals test/mjsunit/mjsunit.js 398:7
at closure test/mjsunit/regress/regress-4121.js 20:7
at literals_sharing_test test/mjsunit/regress/regress-4121.js 27:3
at test test/mjsunit/regress/regress-4121.js 37:5
at eval eval at <anonymous> (test/mjsunit/regress/regress-4121.js:49:6)
at test/mjsunit/regress/regress-4121.js 49:6
at Array.forEach.call test/mjsunit/regress/regress-4121.js 50:7
throw new MjsUnitAssertionError(message);
Change-Id: Iad3460a648e26effb43c00426ab043743ee6a138
Reviewed-on: https://chromium-review.googlesource.com/563627
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46589}
This patch teaches the parser that async functions are not valid
destructuring targets so that it can cleanly exit with a SyntaxError.
Previously, async functions used in the wrong position would lead
to a check failure.
Bug: chromium:740366
Change-Id: Ie5b0cf50326c3f96174c6b29d0ccedb5da4f75a2
Reviewed-on: https://chromium-review.googlesource.com/567002
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46587}
In most cases, this does not matter, especially if assigning to the
source variable again:
x = Abs(x)
But there are cases where it matters, e.g. when being used as argument
to a template function:
DCHECK_EQ(x, Abs(x));
which would currently *not* fail for x==kMinInt.
R=tebbi@chromium.org
Change-Id: Ia5abfe164db602b80a34548e0bf9b22033b77c6e
Reviewed-on: https://chromium-review.googlesource.com/568028
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46586}
This makes sure the inline allocation of generator objects only shrinks
initial maps when slack tracking is actually in progress. Shrinking all
unused properties unconditionally is bogus because instances using them
might have become unreachable and collected by the GC.
R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-741078
BUG=chromium:741078
Change-Id: Iaf2f08a4fa82c820a945bf012d24c760a6b4f514
Reviewed-on: https://chromium-review.googlesource.com/567982
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46585}
In certain timezones, being at noon UTC doesn't guarantee that
you'll be the same day in local time. This patch fixes that
false assumption. Thanks to Holmes He for reporting the issue.
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I7432c0eb1e13fdf11c665e59dabaebeb79bff8c8
Reviewed-on: https://chromium-review.googlesource.com/568021
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46584}
This is a reland of 66b54ab152
Original change's description:
> [compiler] Move the main pipeline's code assembly pass into the background.
>
> R=bmeurer@chromium.org
>
> Bug: v8:6048
> Change-Id: I60bc35c02b5460416c3b0e2872fc72ebf9b808a5
> Reviewed-on: https://chromium-review.googlesource.com/563386
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46499}
TBR=bmeurer@chromium.org
Bug: v8:6048
Change-Id: Ifcdd660dd69c6c4c1bc628961f4180a0b6ea4d9f
Reviewed-on: https://chromium-review.googlesource.com/567061
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46582}
TF will instantiate the Assembler when we're already on a background
thread, so it's not safe to read out the heap's max_old_generation_size
(it can change). This CL simply removes the use of that value from the
assembler. If the buffer gets too large we will fail when creating the
actual code object.
Bug: v8:6048
Change-Id: Ifb8a64c90222e4516117d237b001779fae060d28
Reviewed-on: https://chromium-review.googlesource.com/567921
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46581}
It seems there was a typo which meant we didn't generate any code for 32 and 128
bit slot to slot moves.
Bug:
Change-Id: Ia6982ec92471d16541d8ee873e1de33e4f46e77a
Reviewed-on: https://chromium-review.googlesource.com/566812
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#46579}
Various Scavenger fixes for smaller issues that accumulated over the
last years.
Bug: chromium:738865
Change-Id: I7573e438eba030944b99c65807944c662526a171
Reviewed-on: https://chromium-review.googlesource.com/567190
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46578}
This introduces 2^16 as an upper limit for the allowed value range of a
table switch on all architectures. It also fixes several overflows in
the table size calculation.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-736633
BUG=chromium:736633
Change-Id: I931bd226c99eb8a1ae1770c159fc314ff650bf57
Reviewed-on: https://chromium-review.googlesource.com/566829
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46575}
Previously (since f0e95769), this toLowerCase fast-path assumed
it would only see one-byte flat contents. Unfortunately, it's
possible to have a one-byte sliced string that has a two-byte parent.
This CL ensures that String.p.toLowerCase handles such cases
correctly.
BUG=chromium:736451
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Iae056b3db5535bb5665439a5cc8282a51571a548
Reviewed-on: https://chromium-review.googlesource.com/565559
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46574}
This patch changes the backing store of slow properties to be a
new instance type called PropertyArray.
Currently the only difference between this and a FixedArray is
the map. A future patch will change the length property to store
the hash code.
Bug: v8:5717, v8:6404
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Iaebc98f42e6d93c1392772e6f837787beb64afec
Reviewed-on: https://chromium-review.googlesource.com/539028
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46569}