Without this fix, AssignmentExpressions that happen to be arrow functions
would lead to unbalanced Enter/Leave calls on the fni_, causing thrashing
while trying to infer function names. Symptoms include slow parsing
or OOM (when we create too many AstConsStrings).
To try to keep this from happening in the future, added an RAII helper
class to handle Entering/Leaving FNI state.
The included regression test crashes on my workstation without the patch.
Note that it's too slow in debug mode (as well as under TurboFan),
so I've skipped it there.
BUG=v8:4595
LOG=y
Review URL: https://codereview.chromium.org/1507283003
Cr-Commit-Position: refs/heads/master@{#32768}
This is in preparation for turning the flag off by default.
BUG=chromium:552100
LOG=n
Review URL: https://codereview.chromium.org/1511293002
Cr-Commit-Position: refs/heads/master@{#32729}
- Add JSReceiver::SetIntegrityLevel, with a fast path for regular objects.
- Make Object.{freeze,seal} call this via %Object{Freeze,Seal}, thus no longer
using broken or deprecated functions from v8natives.js.
- Add JSReceiver::OwnPropertyKeys convenience function.
- Reenable harmony/proxies-hash.js test.
R=rossberg
BUG=v8:1543
LOG=N
Review URL: https://codereview.chromium.org/1489423002
Cr-Commit-Position: refs/heads/master@{#32651}
The backing store is only held alive indirectly via the array buffer
referenced by the holder (typed array), so it's not enough to keep the
elements alive (or even just the external pointer loaded from the
elements).
R=mstarzinger@chromium.org,bmeurer@chromium.org
LOG=n
BUG=v8:1827
Review URL: https://codereview.chromium.org/1493983004
Cr-Commit-Position: refs/heads/master@{#32644}
Reason for revert:
[Sheriff] Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/3266
Please request rebase upstream first.
Original issue's description:
> Clean up promises and fix an edge case bug
>
> This patch builds on previous Promise spec compliance work by
> cleaning out some old code which existed to support
> Promise.prototype.chain, rephrasing some code to correspond more
> closely to the specification, and removing some incorrect brand
> checking. A test is added for a bug in an edge case which was fixed.
>
> R=rossberg
> BUG=v8:3641
> LOG=Y
>
> Committed: https://crrev.com/1deb89c8fd3cb69714ae0a24e3b5a4e78f6b73b4
> Cr-Commit-Position: refs/heads/master@{#32627}
TBR=rossberg@chromium.org,caitpotter88@gmail.com,littledan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3641
Review URL: https://codereview.chromium.org/1501763004
Cr-Commit-Position: refs/heads/master@{#32629}
This patch builds on previous Promise spec compliance work by
cleaning out some old code which existed to support
Promise.prototype.chain, rephrasing some code to correspond more
closely to the specification, and removing some incorrect brand
checking. A test is added for a bug in an edge case which was fixed.
R=rossberg
BUG=v8:3641
LOG=Y
Review URL: https://codereview.chromium.org/1488783002
Cr-Commit-Position: refs/heads/master@{#32627}
Reason for revert:
Blocks the roll:
https://codereview.chromium.org/1497763004/
Original issue's description:
> [es6] Correctify and unify ArrayBuffer and SharedArrayBuffer constructors.
>
> The ArrayBuffer and SharedArrayBuffer constructors should raise an
> exception when called with no arguments or undefined length. Also
> unified the ArrayBuffer and SharedArrayBuffer implementations as C++
> builtins, and removed some (now) obsolete runtime entries.
>
> R=yangguo@chromium.org
>
> Committed: https://crrev.com/3235ccbb7826ceec2188f6ebab98fc851b54f60e
> Cr-Commit-Position: refs/heads/master@{#32590}
TBR=yangguo@chromium.org,cbruni@chromium.org,adamk@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1501673002
Cr-Commit-Position: refs/heads/master@{#32606}
The ArrayBuffer and SharedArrayBuffer constructors should raise an
exception when called with no arguments or undefined length. Also
unified the ArrayBuffer and SharedArrayBuffer implementations as C++
builtins, and removed some (now) obsolete runtime entries.
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/1500543002
Cr-Commit-Position: refs/heads/master@{#32590}
non-constructors are not allowed to have initial maps. The optimizing compilers used to add initial maps unconditionally to functions used as right-hand-side in instanceof.
BUG=
Review URL: https://codereview.chromium.org/1490003003
Cr-Commit-Position: refs/heads/master@{#32497}
This fixes a corner-case in redeclaration handling, where the ES2015
early error case got mixed up with legacy const handling in the parser.
Redeclaration using ES2015 'let' and 'const' should be early errors,
but legacy 'const' redeclaration has historically been a runtime error,
and should stay that way until legacy 'const' is gone.
The fix here is uglier than it might be due to
https://code.google.com/p/v8/issues/detail?id=4577, which keeps us
from simplifying the mess of if/else-if in the current code.
BUG=v8:4576
LOG=n
Review URL: https://codereview.chromium.org/1485943002
Cr-Commit-Position: refs/heads/master@{#32429}
This replaces internal GetConstructorName with toStringTag, .constructor's name
and class_name. This entirely changes how the name is computed for use in
devtools.
BUG=chromium:529177
LOG=n
Review URL: https://codereview.chromium.org/1435273002
Cr-Commit-Position: refs/heads/master@{#32374}
We currently assume that all prototype maps are stable, which is
not guaranteed for certain keyed access patterns. So we explicitly
disallow optimizing the element access there for now.
BUG=chromium:557807, v8:4470
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1456973004
Cr-Commit-Position: refs/heads/master@{#32101}
This is in preparation for the addition of --harmony-destructuring-assignment.
BUG=v8:811
LOG=n
Review URL: https://codereview.chromium.org/1450193002
Cr-Commit-Position: refs/heads/master@{#32098}
When adding properties to the result object, that object's prototype chain should be ignored.
Review URL: https://codereview.chromium.org/1458873002
Cr-Commit-Position: refs/heads/master@{#32085}
This fixes the array literal expression stack tracking in the presence
of spread expressions. Deoptimization within a spread expression was
borked.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-deopt-in-array-literal-spread
Review URL: https://codereview.chromium.org/1455953002
Cr-Commit-Position: refs/heads/master@{#32079}
With do-expressions any expression used within literals can turn into an
OSR entry-point. This means the literal object being constructed is then
renamed to an OSR value and needs to be reloaded from the environment.
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-osr-in-literal
Review URL: https://codereview.chromium.org/1453733002
Cr-Commit-Position: refs/heads/master@{#32050}
With do-expressions any expression used within literals can turn into an
OSR entry-point. This means the literal object being constructed is then
renamed to an OSR value and needs to be reloaded from the environment.
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-osr-in-literal
Review URL: https://codereview.chromium.org/1452193003
Cr-Commit-Position: refs/heads/master@{#32048}
With do-expressions any expression used within literals can turn into an
OSR entry-point. This means the literal object being constructed is then
renamed to an OSR value and needs to be reloaded from the environment.
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-osr-in-literal
Review URL: https://codereview.chromium.org/1451423002
Cr-Commit-Position: refs/heads/master@{#32047}
With do-expressions any expression used as a case label can turn into an
OSR entry-point. This means the value being switched over is renamed to
an OSR value and needs to be reloaded from the environment at each case.
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-osr-in-case-label
Review URL: https://codereview.chromium.org/1438123007
Cr-Commit-Position: refs/heads/master@{#31986}
This makes sure that inlining a constructor call to a function which
cannot be used as a constructor (e.g. strong mode function) still does
throw correctly when the implicit receiver is created.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-inline-strong-as-construct
BUG=v8:4544
LOG=n
Review URL: https://codereview.chromium.org/1447443002
Cr-Commit-Position: refs/heads/master@{#31982}
JSRegExp's properties backing stores must not be shared.
BUG=chromium:548580
LOG=N
Review URL: https://codereview.chromium.org/1429743006
Cr-Commit-Position: refs/heads/master@{#31867}
We forgot to add the number of arguments parameter in
JSFrameSpecialization, which was added before the context.
R=jarin@chromium.org
BUG=chromium:552304
LOG=n
Review URL: https://codereview.chromium.org/1429233004
Cr-Commit-Position: refs/heads/master@{#31856}
This fixes receiver conversion since the Call builtin does it correctly.
BUG=v8:4526
LOG=n
Review URL: https://codereview.chromium.org/1407373007
Cr-Commit-Position: refs/heads/master@{#31823}
The %_CallFunction doesn't implement the call sequence properly, it
doesn't do the receiver wrapping, nor does it check for
classConstructor. Also the eager deoptimization for %_CallFunction was
seriously b0rked (we must have been lucky with TurboFan so far).
R=yangguo@chromium.org
BUG=v8:4413
LOG=n
Review URL: https://codereview.chromium.org/1419813010
Cr-Commit-Position: refs/heads/master@{#31821}
Original issue's description:
> [es6] Fix Function and GeneratorFunction built-ins subclassing.
>
> BUG=v8:3101, v8:3330
> LOG=Y
>
> Committed: https://crrev.com/99e7f872d3d0a5fb799dcbafb05537cda491314a
> Cr-Commit-Position: refs/heads/master@{#31708}
The problem was in another CL, this is a clean reland with improved tests.
BUG=v8:3101, v8:3330
LOG=Y
Review URL: https://codereview.chromium.org/1415683007
Cr-Commit-Position: refs/heads/master@{#31756}
This fixes [NAMED|KEYED]_SUPER_PROPERTY_CALL to perform a method call
instead of a function call. The difference is visible for sloppy mode
targets that convert primitive receivers.
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-4525
BUG=v8:4525
LOG=n
Review URL: https://codereview.chromium.org/1419173004
Cr-Commit-Position: refs/heads/master@{#31664}
This refactors the handling of calls of type Call::PROPERTY_CALL to
super properties in AstGraphBuilder::VisitCall. It ensures that the
operand stack is kept in sync with full-codegen so that deopts while
evaluating sub-expressions behave as expected.
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-4521
BUG=v8:4521
LOG=n
Review URL: https://codereview.chromium.org/1426893003
Cr-Commit-Position: refs/heads/master@{#31652}
This fixes a missing SSA-renaming of the callee value used in the frame
state of a call node. An OSR-entry within do-expressions contained in
one of the argument expression can trigger that renaming.
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-crbug-546968
BUG=chromium:546968
LOG=n
Review URL: https://codereview.chromium.org/1430483002
Cr-Commit-Position: refs/heads/master@{#31613}
Previously ChangeLowering would always box float64 values when going to
tagged representation, but that introduces a lot of deoptimizer loops
and polymorphism into TurboFan, which is unfortunate and unnecessary.
This adds some logic to ChangeFloat64ToTagged to try harder to create a
Smi when going from Float64 to Tagged, instead of always allocating a
HeapNumber. This might need some additional tweaking, but at least it
makes it possible to start comparing TurboFan and Crankshaft for some
regular JavaScript.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1420913003
Cr-Commit-Position: refs/heads/master@{#31609}
This fixes the representation type for values in JSArray::length fields
when JSNativeContextSpecialization lowers loads. Only arrays with fast
elements kind are guaranteed to have a Smi represented length.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-4515
BUG=v8:4515, v8:4493, v8:4470
LOG=n
Review URL: https://codereview.chromium.org/1410393006
Cr-Commit-Position: refs/heads/master@{#31558}
It is not always safe to allocate new heap objects in the JSGraph. We
might have to revisit this later once we do the canonicalization for
HeapConstants.
R=jarin@chromium.org
BUG=chromium:545364
LOG=n
Review URL: https://codereview.chromium.org/1413373002
Cr-Commit-Position: refs/heads/master@{#31421}
This patch refactors array methods to have the
InnerArray{Map,Filter} methods convert to a GlobalArray
rather than the callers.
BUG=chromium:544991
R=yangguo,adamk
CC=mstarzinger,jochen
LOG=Y
Review URL: https://codereview.chromium.org/1408213004
Cr-Commit-Position: refs/heads/master@{#31403}
This introduces an explicit lazy bailout. It is wrapped in the call
node, mostly because the lazy deoptimization processing is married
to the call processing in the instruction selector and the code generator.
It is still a terrible hack.
R=bmeurer@chromium.org,mstarzinger@chromium.org
BUG=chromium:543994,v8:4195
LOG=n
Review URL: https://codereview.chromium.org/1412443003
Cr-Commit-Position: refs/heads/master@{#31353}
This is in preparation to enabling --turbo-inlining by default, fixing
various issues when general purpose inlining is running against our
entire test suite.
R=bmeurer@chromium.org
BUG=v8:4493
LOG=n
Review URL: https://codereview.chromium.org/1407533004
Cr-Commit-Position: refs/heads/master@{#31294}
For an edge case like the following in sloppy mode
with ({}) function f() {}
a lexical scope needs to be created around the body in order
to hold the function declaration, so it can be hoisted according
to a loose interpretation of Annex B 3.3 (loose because ES2015
does not permit a function declaration as the body of a with
statement). This patch adds that scope.
BUG=chromium:542100
LOG=N
R=adamk
Review URL: https://codereview.chromium.org/1404803002
Cr-Commit-Position: refs/heads/master@{#31269}
This patch fixes an obscure edge case for functions defined as the
direct body of a for-of/for-in loop, such as the following:
for (foo in []) function foo() { return foo; }
Here, the first occurrence of foo should point to the outer scope;
however, before this patch, it pointed to the inner foo in an
invalid way which caused an assertion about the scope chain to fail.
This patch fixes the scope chain by inserting an extra scope for
the body of the loop, not including the header.
BUG=chromium:542099
LOG=N
R=rossberg
Review URL: https://codereview.chromium.org/1396663004
Cr-Commit-Position: refs/heads/master@{#31268}
The flag for deactivating break points also affects stepping, since both
are implemented via debug break slots. Fixing this by introducing a new
flag solely responsible for deactivating actual break points.
R=mvstanton@chromium.org
BUG=chromium:119800
LOG=N
Review URL: https://codereview.chromium.org/1402913002
Cr-Commit-Position: refs/heads/master@{#31236}
Looking up 'name' and 'message' properties at the same time and loading
the properties later can cause assertion failure if one of the properties
is an accessor and calling it changes the holder map. That may invalidate
the other lookup.
R=jkummerow@chromium.org
BUG=chromium:542101
LOG=N
Review URL: https://codereview.chromium.org/1403923002
Cr-Commit-Position: refs/heads/master@{#31229}
Clusterfuzz testing discovered that sloppy-mode block-scoped function
declarations introduce lexically-scoped variables in scopes that were
thrown away under the expectation that no lexically-scoped variables
were introduced. These cases are:
for (;;) function foo() {}
for (x in y) function foo() {}
This patch ensures that a block is created in those cases to hold the
lexically scoped variable. Usually, scope analysis should discover that
that block is not important, and it should not have a runtime
representation.
BUG=chromium:536750,chromium:536751
LOG=Y
R=adamk
Review URL: https://codereview.chromium.org/1382123002
Cr-Commit-Position: refs/heads/master@{#31109}
This name makes it clear that the flag (also the variant in the Compiler)
is talking about specializing to the function context instead of i.e. the
native context.
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/1372513003
Cr-Commit-Position: refs/heads/master@{#30934}
Whenever a generalization is computed, the inputs must be checked for being cleared, and if they are, the generalization must be Type::Any.
Hopefully this fixes Chromium issue 527994 as well.
BUG=v8:4325,chromium:527994
LOG=n
Review URL: https://codereview.chromium.org/1361103002
Cr-Commit-Position: refs/heads/master@{#30887}
This CL also renames wrongly named test for v8:4173.
BUG=v8:4121
LOG=Y
Review URL: https://codereview.chromium.org/1353363002
Cr-Commit-Position: refs/heads/master@{#30879}
The ES6 specification says that "Built-in functions that are ECMAScript
function objects must be strict mode functions", which in particular
means that you can never test for them using the "caller" field of a
sloppy mode function.
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_layout_dbg,v8_linux_nosnap_dbg
R=mstarzinger@chromium.org
BUG=v8:105
LOG=n
Review URL: https://codereview.chromium.org/1347663002
Cr-Commit-Position: refs/heads/master@{#30750}
The assumption that every function body produces a value does not hold
for functions that e.g. unconditionally throw or endlessly loop. This
fixes the inlining logic to handle such cases.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-530598
BUG=chromium:530598
LOG=n
Review URL: https://codereview.chromium.org/1333193005
Cr-Commit-Position: refs/heads/master@{#30738}
When looking up a special accessor for known TypedArray fields
("length", "byteLength", "byteOffset"), consider the entire prototype
chain, not only the direct prototype.
This allows subclasses of TypedArrays to benefit from fast specialized
accesses.
Review URL: https://codereview.chromium.org/1313493005
Cr-Commit-Position: refs/heads/master@{#30678}
Update the consolidated load case to carefully chose the load mode
based on the consolidated elements kind.
BUG=v8:4380
LOG=N
Review URL: https://codereview.chromium.org/1329793003
Cr-Commit-Position: refs/heads/master@{#30659}
This makes the C++ fallback implementations for the two intrinsics,
%Arguments and %ArgumentsLength composable with respect to inlining.
Using deoptimization information gives us accurate data here.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-4374
BUG=v8:4374
LOG=n
Review URL: https://codereview.chromium.org/1328363002
Cr-Commit-Position: refs/heads/master@{#30654}
This switches Isolate::ComputeLocation to use baseline code when
computing message locations. This unifies locations between optimized
and non-optimized code by always going through the FrameSummary for
location computation.
R=bmeurer@chromium.org
TEST=message/regress/regress-4266
BUG=v8:4266
LOG=n
Review URL: https://codereview.chromium.org/1331603002
Cr-Commit-Position: refs/heads/master@{#30635}
- Move fast paths from builtins.cc ArraySlice to ElementsAccessor
- Handle more argument types in the fast path
BUG=
Review URL: https://codereview.chromium.org/1321773002
Cr-Commit-Position: refs/heads/master@{#30471}
This patch changes the switch scope desugaring to create blocks which
propagate their 'return value' for eval.
BUG=v8:4399
R=adamk
LOG=Y
Review URL: https://codereview.chromium.org/1309303006
Cr-Commit-Position: refs/heads/master@{#30454}
Switch statements introduce their own scope for cases, but this scope
is not necessarily executed in order, as the following function shows:
switch (x) {
case 1:
let y = 1;
case 2:
y = 2;
case 3:
print(y);
}
If x = 2 or x = 3, the code should throw a ReferenceError. However,
FullCodeGen's hole check elimination used the simple algorithm of
assuming that if the initializer was in the same scope, then it was
reached before the use, and therefore the hole check could be
eliminated.
This patch adds an extra bit to scopes, to track if they may
nonlinearly. The parser marks the scope that switch introduces as
nonlinear. FullCodeGen does not eliminate the hole check from
a scope which is nonlinear. This patch refactors FullCodeGen to
put the hole check elimination in one place, rather than in each
backend.
BUG=v8:3926
LOG=Y
R=adamk
Review URL: https://codereview.chromium.org/1312613003
Cr-Commit-Position: refs/heads/master@{#30453}
This fixes broken dynamic hole-checks for the temporal dead zone of
non-initializing assignments to {let} and {const} declared variables.
Also note that this exemplifies a case where the dynamic check for such
assignments to {let} declared variables can no longer be elided as the
comment suggested.
R=rossberg@chromium.org
TEST=mjsunit/regress/regress-4388
BUG=v8:4388
LOG=n
Review URL: https://codereview.chromium.org/1318693002
Cr-Commit-Position: refs/heads/master@{#30375}
The previous hack with HInstanceOfKnownGlobal was not only slower,
but also very brittle and required a lot of weird hacks to support it. And
what's even more important it wasn't even correct (because a map check
on the lhs is never enough for instanceof).
The new implementation provides a sane runtime implementation
for InstanceOf plus a fast case in the InstanceOfStub, combined with
a proper specialization in the case of a known global in CrankShaft,
which does only the prototype chain walk (coupled with a code
dependency on the known global).
As a drive-by-fix: Also fix the incorrect Object.prototype.isPrototypeOf
implementation.
BUG=v8:4376
LOG=y
Review URL: https://codereview.chromium.org/1304633002
Cr-Commit-Position: refs/heads/master@{#30342}
The ES2015 specification for switch statements 13.12.11 specifies that
they get their own lexical scope. This patch introduces such a scope
through a complex desugaring in terms of blocks, done so that Crankshaft
does not have to be updated to support multiple constructs providing
scopes.
Recommitting this patch after a bug fix in Crankshaft to allow a
desugaring with certain elements missing a source location:
https://codereview.chromium.org/1313443002
BUG=v8:4377
LOG=Y
R=adamk
Review URL: https://codereview.chromium.org/1309163003
Cr-Commit-Position: refs/heads/master@{#30340}
The simulator uses a separate JS stack, exhaustion of the C stack
however is not caught by JS limit checks. This change now lowers the
limit of the JS stack accordingly on function calls.
R=mvstanton@chromium.org
BUG=chromium:522380
TEST=mjsunit/regress/regress-crbug-522380
LOG=n
Review URL: https://codereview.chromium.org/1314623002
Cr-Commit-Position: refs/heads/master@{#30334}
Reason for revert:
Breaks cctest/test-cpu-profiler/SourceLocation on nosnap
Original issue's description:
> Add a separate scope for switch
>
> The ES2015 specification for switch statements 13.12.11 specifies that
> they get their own lexical scope. This patch introduces such a scope
> through a complex desugaring in terms of blocks, done so that Crankshaft
> does not have to be updated to support multiple constructs providing
> scopes.
>
> BUG=v8:4377
> LOG=Y
> R=adamk
>
> Committed: https://crrev.com/9edbc1f21eb1050cabbe3b8bc9aebf89ada7ebd7
> Cr-Commit-Position: refs/heads/master@{#30314}
TBR=adamk@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4377
Review URL: https://codereview.chromium.org/1309043004
Cr-Commit-Position: refs/heads/master@{#30316}
The parser has special behavior with respect to the bindings
of inner functions in sloppy mode which are not at the top
level of scopes. This behavior should be turned off when the
--harmony-sloppy-function flag is set, as lexical scoping
rules are used instead. Previously, the incorrect flag
--harmony-sloppy was used, resulting in a crashing bug.
BUG=chromium:520029
LOG=Y
R=adamk
Review URL: https://codereview.chromium.org/1303033003
Cr-Commit-Position: refs/heads/master@{#30315}
The ES2015 specification for switch statements 13.12.11 specifies that
they get their own lexical scope. This patch introduces such a scope
through a complex desugaring in terms of blocks, done so that Crankshaft
does not have to be updated to support multiple constructs providing
scopes.
BUG=v8:4377
LOG=Y
R=adamk
Review URL: https://codereview.chromium.org/1293283002
Cr-Commit-Position: refs/heads/master@{#30314}
This avoids many back-and-forth calls to the runtime.
This also slightly changes the way we avoid getters. Previously, we circumvent getting the name property of ReferenceError, SyntaxError and TypeError due to crbug/69187 (in order to avoid leaking information from those errors through a 'name' getter installed on their prototypes). Now we do that for all errors created by V8.
R=jkummerow@chromium.org, rossberg@chromium.org
BUG=crbug:513472, crbug:69187
LOG=N
Review URL: https://codereview.chromium.org/1281833002
Cr-Commit-Position: refs/heads/master@{#30105}
To avoid tanking context startup performance, only the actual installation of the
JS-exposed API is flag-guarded. The remainder of the implementation still
resides in the snapshot.
Review URL: https://codereview.chromium.org/1257063003
Cr-Commit-Position: refs/heads/master@{#30017}
This introduces a CopyFixedArrayAndGrow method on Factory that takes
the "grow amount" instead of the "new size" as an argument. The new
interface is safer because it allows for mutations by the GC that
potentially trim the source array.
This also fixes a bug in SharedFunctionInfo::AddToOptimizedCodeMap
where the aformentioned scenario led to unused entries within the
optimized code map.
Note that FixedArray::CopySize is hereby deprecated because it is
considered unsafe and should no longer be used.
R=hpayer@chromium.org
TEST=mjsunit/regress/regress-crbug-513507
BUG=chromium:513507
LOG=n
Review URL: https://codereview.chromium.org/1255173006
Cr-Commit-Position: refs/heads/master@{#30012}
The calculation now takes into account the size of the arguments object
if it is present in the optimized frame.
(Yang, many thanks for the awesome repro!)
BUG=chromium:514362
LOG=N
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/1264483008
Cr-Commit-Position: refs/heads/master@{#29973}
When the main thread terminates, it forcibly terminates all Worker threads.
When this happens, the threads objects were only half-created; they had a
JavaScript Worker object, but not a C++ worker object.
This CL fixes that bug, as well as some other fixes:
* Signatures on Worker methods
* Use SetAlignedPointerFromInternalField instead of using an External.
* Remove state_ from Worker. Simplify to atomic bool running_.
BUG=chromium:511880
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1255563002
Cr-Commit-Position: refs/heads/master@{#29911}
When a prototype object migrates from a slow to a fast map, where the slow map
was registered as a user of its own prototype, then the registration must be
transferred to the new map (just like MigrateToMap does for all other cases).
BUG=chromium:513602
LOG=y
NOTREECHECKS=true
Review URL: https://codereview.chromium.org/1263543004
Cr-Commit-Position: refs/heads/master@{#29898}
Previous to this CL, ICs used a slightly different code idiom
to get to C++ code from generated code than runtime intrinsics,
using an IC_Utility class that in essence provided exactly
the same functionality as Runtime::FunctionForId, but in its
own quirky way.
This CL unifies the two mechanisms, folding IC_Utility
away by making all IC entry points in C++ code, e.g. IC
miss handlers, full-fledged runtime intrinsics. This makes
it possible to eliminate a bunch of ad-hoc declarations and
adapters that the IC system had to needlessly re-invent.
As a bonus and the original reason for this yak-shave:
IC-related C++ runtime functions are now callable from
TurboFan.
Review URL: https://codereview.chromium.org/1248303002
Cr-Commit-Position: refs/heads/master@{#29811}
A sloppy mode eval call that establishes strict mode will leak that strictness
into the sloppy surrounding scope on recompile. This changes the structure
of the type feedback vector for the function and crashes follow.
The fix is straightforward.
BUG=491536, 503565
LOG=N
Review URL: https://codereview.chromium.org/1231343003
Cr-Commit-Position: refs/heads/master@{#29671}
--debug-code causes full-codegen on arm64 to emit different number
of calls, which confuses the debugger when on-stack replacing code
with recompiled debug version on-stack.
BUG=chromium:507070
TBR=mstarzinger@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/1228353004
Cr-Commit-Position: refs/heads/master@{#29638}
The new implemtation counts the number of calls (or continuations)
before the PC to find the corresponding PC in the new code.
R=mstarzinger@chromium.org
BUG=chromium:507070
LOG=N
Review URL: https://codereview.chromium.org/1235603002
Cr-Commit-Position: refs/heads/master@{#29636}
When quit() is called, d8 shell exits without cleanup. If a worker is running,
it might be holding the context_mutex_, which if destroyed will DCHECK.
BUG=4279
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1231473002
Cr-Commit-Position: refs/heads/master@{#29557}
This one occurred when serializing an object. When the property getter threw an
exception, that value was skipped, but the property count wasn't updated. The
deserializer then tried to deserialize the wrong value.
BUG=chromium:506549
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1220193004
Cr-Commit-Position: refs/heads/master@{#29541}
Smi immediates are not supported, so instructions with Smi representations need their constants in a register. LAddI has already been doing this. The manifestation of the bug was that an operation would compute 0 instead of the correct result.
BUG=chromium:478612
LOG=y
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/1224623017
Cr-Commit-Position: refs/heads/master@{#29529}
The context constant cannot be materialized from the frame when we are
compiling for OSR, because the context spill slot contains the current
instead of the outermost context in full-codegen.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1220013003
Cr-Commit-Position: refs/heads/master@{#29472}
This is more consistent with the DOM API, and is clearer w.r.t. which values
are available in the lexical environment of the Worker.
BUG=chromium:497295
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1218553004
Cr-Commit-Position: refs/heads/master@{#29426}
v8::Internal::List will DCHECK when indexing out of the array, even if just to
get the address, and the value is never used. So this construct will fail:
memcpy(p, &data[0], length);
When data is empty and length is 0.
BUG=chromium:505778
R=mstarzinger@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1216853003
Cr-Commit-Position: refs/heads/master@{#29388}
This makes sure that the exit control flow that merges the try-block
with the catch-block after a try-catch-statement creates a new merge
node in cases where it has to. Otherwise dangling phi nodes might have
the wrong number of value inputs.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-505354
BUG=chromium:505354
LOG=N
Review URL: https://codereview.chromium.org/1213183003
Cr-Commit-Position: refs/heads/master@{#29362}
Dumb typo introduced in refs/heads/master@{#29306}. I thought I was turning on
report_exceptions in Shell::ExecuteString, but instead I turned on print_result
(which assumes an interactive debugger and a HandleScope for the
utility_context_).
BUG=chromium:504727,chromium:504728
R=mstarzinger@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1219563002
Cr-Commit-Position: refs/heads/master@{#29350}
Note that prior to having canonical shared function infos, this has
been a source of duplicate shared function infos.
R=bmeurer@chromium.org
BUG=chromium:504787
LOG=N
Review URL: https://codereview.chromium.org/1209383002
Cr-Commit-Position: refs/heads/master@{#29326}
The issue is that Worker.prototype.terminate was deleting the C++ Worker
object, and then Worker.prototype.getMessage was trying to read messages from
the queue.
The simplest solution is to keep workers in a zombie state when they have been
terminated. They won't be reaped until Shell::CleanupWorkers is called.
I've also fixed some threading issues with Workers:
* Workers can be created by another Worker, so the Shell::workers_ variable
must be protected by a mutex.
* An individual Worker can typically only be accessed by the isolate that
created it, but the main thread can always terminate it, so the Worker::state_
must be accessed in a thread-safe way.
BUG=chromium:504136
R=jochen@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1208733002
Cr-Commit-Position: refs/heads/master@{#29306}
Shell::SerializeValue was using a HandleScope, but was also storing Handles in
an ObjectList. The ObjectList handles would persist after the function had
returned, but will have already been destroyed by the HandleScope, so there is
a use-after-free.
This change removes the HandleScope in Shell::SerializeValue and relies on the
caller's HandleScope.
BUG=chromium:503968
R=jochen@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1211433003
Cr-Commit-Position: refs/heads/master@{#29265}
Speculative revert in the hopes of fixing serializer crashes seen in canary.
This reverts commit c166945083, as well as
followup change "Do not look for existing shared function info when compiling a new script."
(commit 7c43967bb7).
BUG=chromium:503552,v8:4132
TBR=yangguo@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1207583002
Cr-Commit-Position: refs/heads/master@{#29241}
Each Script object now keeps a WeakFixedArray of SharedFunctionInfo
objects created from this script.
This way, when compiling a function, we do not create duplicate shared
function info objects when recompiling with either compiler.
This fixes a class of issues in the debugger, where we set break points
on one shared function info, but functions from duplicate shared function
infos are not affected.
LOG=N
BUG=v8:4132
Review URL: https://codereview.chromium.org/1183733006
Cr-Commit-Position: refs/heads/master@{#29151}
We block constant pool up to the call stub instruction, but the check for code size
includes the next instruction after the call instruction. That instruction can
emit constant pool.
BUG=chromium:500831
LOG=NO
TEST=mjsunit/regress/regress-500831
Review URL: https://codereview.chromium.org/1189123003
Cr-Commit-Position: refs/heads/master@{#29132}
RegExpExecStub pushes callee-saved registers without setting up a frame. This confuses the stack iterator.
Other architectures do not save these registers.
BUG=chromium:487981
LOG=NO
TEST=mjsunit/regress/regress-487981
Review URL: https://codereview.chromium.org/1183593005
Cr-Commit-Position: refs/heads/master@{#29120}
This fixes a bug where new-space GC could be triggered by non-folded allocations for some of the in-object properties, while the object was only partially initialized.
BUG=chromium:500497
LOG=y
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/1182113007
Cr-Commit-Position: refs/heads/master@{#29079}
According to the ES6 spec, the main methods and getters shouldn't
be properties of the individual TypedArray objects and prototypes
but instead on %TypedArray% and %TypedArray%.prototype. This
difference is observable through introspection. This patch moves
some methods and getters to the proper place, with the exception
of %TypedArray%.prototype.subarray and harmony methods. These will
be moved in follow-on patches.
BUG=v8:4085
LOG=Y
R=adamk
Review URL: https://codereview.chromium.org/1186733002
Cr-Commit-Position: refs/heads/master@{#29057}
This invariant will save us some head ache.
The changes to test-debug/DebugStub is due to the fact that it abuses
the ability to set break points in code that has no debug break slots.
This is now no longer possible.
R=ulan@chromium.org
BUG=v8:4132
LOG=N
Review URL: https://codereview.chromium.org/1181013007
Cr-Commit-Position: refs/heads/master@{#29038}
This change rewrites regexps like (ab|ac|z|ad|ae|af) into (a[b-f]|z). We can only reorder disjunctions like this for case-dependent regexps. For case-independent regexps, the disjunctions should be pre-sorted for best results.
R=yangguo@chromium.org
BUG=chromium:482998
LOG=n
Review URL: https://codereview.chromium.org/1180433003
Cr-Commit-Position: refs/heads/master@{#28902}
Don't DCHECK when neutering that the buffer is not a SharedArrayBuffer;
instead, just return early.
BUG=chromium:498142,chromium:497295
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1174753002
Cr-Commit-Position: refs/heads/master@{#28892}
For top-level code the closure passed into context allocation methods
needs to be replaced with a sentinel to canonicalize is to the empty
function object.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-4169
BUG=v8:4169
LOG=N
Review URL: https://codereview.chromium.org/1172013002
Cr-Commit-Position: refs/heads/master@{#28888}
These values were computed by the parser and hence out of sync with any
visitor over the AST. Our AST visitor aborts visitation of statement
lists as soon as a jump statement has been reached. Now handler tables
are guaranteed to be dense and fully populated.
R=ishell@chromium.org
TEST=mjsunit/regress/regress-crbug-493290
BUG=chromium:493290
LOG=N
Review URL: https://codereview.chromium.org/1157213004
Cr-Commit-Position: refs/heads/master@{#28846}
This also fixes issues with
- kMaxUint32 being a valid length but not index cornercases
- exotic integer objects masking "exotic indexes" even though its in the prototype chain
- concating of holey sloppy arguments
BUG=v8:4137
LOG=n
Review URL: https://codereview.chromium.org/1159433003
Cr-Commit-Position: refs/heads/master@{#28754}
The point of this change is so that when emitting code for a call in
FullCodegen::VisitCall, the statement position is not associated to
any code that loads the function, but to the actual CallIC.
R=mvstanton@chromium.org
BUG=chromium:481896
LOG=N
Review URL: https://codereview.chromium.org/1157543004
Cr-Commit-Position: refs/heads/master@{#28701}
If there had been no debug listener v8::Debug::GetDebugContext would have created new context and wouln't have kept reference to it. This way we may well end up with several debug contexts and disabled debugger.
As a side effect this change allows to efficiently distinguish debug context from blink contexts by simply comparing handles.
BUG=chromium:482290
LOG=Y
Review URL: https://codereview.chromium.org/1136733002
Cr-Commit-Position: refs/heads/master@{#28356}
This introduces a bailout point for class literals right after the
%DefineClass function has been called. Otherwise the FrameState after
class literal evaluation might contain the literal itself.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-480819
BUG=chromium:480819
LOG=N
Review URL: https://codereview.chromium.org/1104673004
Cr-Commit-Position: refs/heads/master@{#28043}
This is a workaround to make the debugger happy about TurboFan frames
when the debugger causes frame inspection. Note that this can happen
because the debugger can be activated while there still are optimized
TurboFan activations on the stack.
R=ishell@chromium.org
BUG=chromium:465298
TEST=mjsunit/regress/regress-crbug-465298
LOG=N
Review URL: https://codereview.chromium.org/1074793003
Cr-Commit-Position: refs/heads/master@{#27717}
The motivation is that we prefer to avoid creating internal properties, and we have a usable field on maps ("transitions", which is not used for prototype maps).
This CL also ensures the invariant that prototype maps are never shared, even if they are in dictionary mode.
Review URL: https://codereview.chromium.org/1033653002
Cr-Commit-Position: refs/heads/master@{#27617}
Optimistically pushing a lot of arguments can run into the stack limit of the process, at least on operating systems where this limit is close to the limit that V8 sets for itself.
BUG=chromium:469768
LOG=y
Review URL: https://codereview.chromium.org/1056913003
Cr-Commit-Position: refs/heads/master@{#27614}
A bug allows JSObject literals with elements to have the elements in the
boilerplate modified.
BUG=466993
LOG=N
Review URL: https://codereview.chromium.org/1037273002
Cr-Commit-Position: refs/heads/master@{#27511}
Also fix Debug.showBreakPoints for multiple break points at the same location.
BUG=v8:3960
LOG=N
Review URL: https://codereview.chromium.org/998253005
Cr-Commit-Position: refs/heads/master@{#27444}
This switches full-codegen to no longer push and pop StackHandler
markers onto the operand stack, but relies on a range-based handler
table instead. We only use StackHandlers in JSEntryStubs to mark the
transition from C to JS code.
Note that this makes deoptimization and OSR from within any try-block
work out of the box, makes the non-exception paths faster and should
overall be neutral on the memory footprint (pros).
On the other hand it makes the exception paths slower and actually
throwing and exception more expensive (cons).
R=yangguo@chromium.org
TEST=cctest/test-run-jsexceptions/DeoptTry
Review URL: https://codereview.chromium.org/1010883002
Cr-Commit-Position: refs/heads/master@{#27440}
The test demonstrates a bad interaction between arguments object
materialization, escape analysis and exception handling.
We can return a wrong arguments object if we materialize arguments
object (using f.arguments) and then throw around f's frame so that f
does not clean up the materialized frame information (see the
MaterializedObjectStore in deoptimizer.h/.cc). If we enter another
function that has the same frame pointer and request an arguments object
of (or lazily deoptimize) that function, we can get the materialized
object of the original function.
We should clean up the materialized object store when we unwind the
stack.
BUG=v8:3985
LOG=n
Review URL: https://codereview.chromium.org/1032623003
Cr-Commit-Position: refs/heads/master@{#27406}
The problem manifests itself when parsing manages to return something
meaningful in the presence of a stack overflow. This happens because
calling ParserBase::Next() will still return one valid token on stack
overflow, before starting to return invalid tokens.
Take the following input as example:
a.map(v => v + 1);
| |
already next token
parsed (which will be an invalid token
(identifier) because of a stack overflow)
The "v" may have been already parsed into a VariableProxy, then if a
stack overflow occurs, next token will be an invalid token (instead
of Token::ARROW), but the parser will return the VariableProxy.
This always happens when lazy-parsing arrow functions, so the position
in the input stream where the the arrow function code ends is known.
This fix adds a check that ensures that parsing ended at the end
position of the arrow function.
BUG=465671
LOG=N
Review URL: https://codereview.chromium.org/1023483003
Cr-Commit-Position: refs/heads/master@{#27325}
This ensures that there is only one stub that deals with unwinding the
stack. Having more than one place containing that logic is brittle and
error prone, especially when it is a corner case only for RangeErrors.
R=titzer@chromium.org
TEST=mjsunit/regress/regress-crbug-467047
BUG=chromium:467047
LOG=N
Review URL: https://codereview.chromium.org/1012103002
Cr-Commit-Position: refs/heads/master@{#27243}
The evaluation order of receiver versus arguments is not properly
defined by C++. This caused issues with Clang where the environment
changed after the receiveing environment was already loaded.
R=jarin@chromium.org
BUG=chromium:467531
TEST=mjsunit/regress/regress-crbug-467531
LOG=N
Review URL: https://codereview.chromium.org/1015683002
Cr-Commit-Position: refs/heads/master@{#27238}
ES6 specs the function length property (it was not part of ES5) and
it makes it configurable.
BUG=v8:3045
LOG=N
R=mstarzinger@chromium.org, adamk@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/993073002
Cr-Commit-Position: refs/heads/master@{#27190}
This involved renaming apart a few more intrinsics. In the long run,
we want to clean up redundant intrinsics which just delegate.
BUG=v8:3947
LOG=n
Review URL: https://codereview.chromium.org/984963002
Cr-Commit-Position: refs/heads/master@{#27043}
Function name property is now standardized in ES6. It was a Mozilla proprietary
extension before. With ES6, the property was made configurable, so that it can
be used instead of another proprietary property, displayName.
This is a revert of revert c791d84112.
Last time this broke a Chrome browser test which has since been updated:
5f75a3be4c
BUG=v8:3333
LOG=N
R=mstarzinger@chromium.org,verwaest@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/977003004
Cr-Commit-Position: refs/heads/master@{#26996}
This is partially based on r21609 but that CL was incomplete.
Function name is still non writable so one has to use defineProperty
to change the actual value.
BUG=v8:3333
LOG=N
R=adamk, mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/960343002
Cr-Commit-Position: refs/heads/master@{#26924}
It must always populate int32_value_, even if that's lossy, because other code (specifically, constant folding for truncating operations) relies on it.
BUG=v8:3865
LOG=y
Review URL: https://codereview.chromium.org/897263002
Cr-Commit-Position: refs/heads/master@{#26453}
Both SameValue and SameValueZero consider different NaNs equal, so we
better assign the same hash value to all NaNs.
BUG=v8:3859
LOG=y
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/897593002
Cr-Commit-Position: refs/heads/master@{#26391}
Arrow function parameter lists are parsed as expressions. When an identifier
is found a VariableProxy is created and added to the list of unresolved
variables for the scope. When parsing a function lazily, the scope has been
already resolved, so with this patch only the VariableProxy is created,
without adding it as an unresolved variable in the scope.
BUG=v8:3501
LOG=Y
Review URL: https://codereview.chromium.org/880253004
Cr-Commit-Position: refs/heads/master@{#26328}
The whole logic in DoMul makes me cry, so I made only the minimal
change to fix the issue...
BUG=v8:451322
LOG=y
Review URL: https://codereview.chromium.org/873703002
Cr-Commit-Position: refs/heads/master@{#26261}
Also fix mjsunit/regress/regress-undefined-nan to ensure that we are
testing transfer via xmm registers by forcing the transfer to be in an
optimized function.
BUG=v8:3839
LOG=n
R=jkummerow@chromium.org
Review URL: https://codereview.chromium.org/863153002
Cr-Commit-Position: refs/heads/master@{#26213}
This time we simply undo the change introduced by the PPC port for
this test. No idea why it should be necessary, and Windows XP
obviously doesn't give us that much stack, anyway.
TBR=machenbach@chromium.org
Review URL: https://codereview.chromium.org/826833003
Cr-Commit-Position: refs/heads/master@{#26093}
The test fails on XP only, so let's tentatively raise the stack limit more. We probably need to investigate what a tighter limit might be and (more importantly) what the underlying reason for the failure is.
Hopefully 1800kB is enough, we can't test this via try jobs, because we don't have XP try bots. :-/
R=machenbach@chromium.org
Review URL: https://codereview.chromium.org/791693005
Cr-Commit-Position: refs/heads/master@{#26092}
The bug would occur when we try to Reset() to a position already at the end.
This happens e.g., when the regexp ends with \u. What used to happen in that
case: 1) Advance past \ and u (to the end) (which wouldn't increase next_pos_
enough) 2) Try to parse 4 hex digits 3) When that failed, Reset() to the
position which should've been at the end but wasn't.
To be able to properly Reset() to a position at the end, we need to allow
next_pos_ to move beyond the end (since position() is next_pos_ - 1).
Minimal repro case:
var r = /foo\u/
r.test("foou") // should be true, was false.
(Note that \u not followed by 4 hex didits should be interpreted as an identity
escape. It already worked unless \u was at the end of the regexp.)
BUG=v8:3756
LOG=NO
Review URL: https://codereview.chromium.org/802313003
Cr-Commit-Position: refs/heads/master@{#25838}
The %OptimizeFunctionOnNextCall sledgehammer can cause a function to be
marked for optimization before it's ever been compiled by fullcode.
This can lead to the situation where a function doesn't have optimization
disabled until we try to compile it optimized.
Basically, the assert should just handle this case more gracefully.
R=yangguo@chromium.org
BUG=436893
LOG=Y
Review URL: https://codereview.chromium.org/760063002
Cr-Commit-Position: refs/heads/master@{#25528}
Per TC39 Nov 2014 decision.
This patch also changes behavior for "legacy const": assignments to sloppy const in strict mode is now also a type error. This fixes v8:2243 and also brings us in compliance with other engines re assignment to function names (see updated webkit test), but might have bigger implications.
That change can easily be reverted by changing Variable::IsSignallingAssignmentToConst.
BUG=v8:3713,v8:2243
LOG=N
Review URL: https://codereview.chromium.org/749633002
Cr-Commit-Position: refs/heads/master@{#25516}
Resets the scaled exponent to 0 when the scaling match fails.
BUG=
Review URL: https://codereview.chromium.org/756643002
Cr-Commit-Position: refs/heads/master@{#25491}
The bug was an error when copying arrays in crankshaft. If it's a holey smi
array, the copy must be done as FAST_HOLEY_ELEMENTS to prevent representation
changes from being inserted that deopt on encountering the hole.
Also, prevent inlining array pop() and shift() if the length is read-only.
BUG=435073
LOG=N
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/737383002
Cr-Commit-Position: refs/heads/master@{#25455}
if there is not enough type-feedback to detect that f is Function.prototype.apply.
BUG=v8:3709
LOG=N
TEST=mjsunit/regress/regress-3709
Review URL: https://codereview.chromium.org/736043002
Cr-Commit-Position: refs/heads/master@{#25447}
With Int32Add we lose the int/uint distinction, so later, in simplified lowering we can make a wrong decision. E.g., see the attached test case, where we lower NumberAdd -> Int32Add because inputs are Uint32, but during simplified lowering we change the inputs to Int32, so we get a wrong result.
Simplified lowering will lower the NumberAdd operations anyway, so we should lose performance.
BUG=
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/721723004
Cr-Commit-Position: refs/heads/master@{#25368}
Revert "Fix for an assertion failure in Map::FindTransitionToField(...). Appeared after r25136."
This revert is made in order to revert r25099 which potentially causes renderer hangs.
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/722873004
Cr-Commit-Position: refs/heads/master@{#25332}
