There were two separate bugs here. First, a signed/unsigned mismatch
where we took the result of PositiveNumberToUint32 and treated it as a
signed int. Second, AdvanceStringIndex did not handle large input
values correctly.
Both are fixed by using uint64_t consistently.
Bug: chromium:799813, v8:7258
Change-Id: If2819f87986d0ca732bc24df290f6dc7614083e8
Reviewed-on: https://chromium-review.googlesource.com/854272
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50432}
This adds support for direct calls in Liftoff.
Drive-by: Fix / extend two tests for calls which were helpful for
developing this CL.
R=ahaas@chromium.org
Bug: v8:6600
Change-Id: I20a98d9dd330da9a020c8c9b5c10b04e94af684d
Reviewed-on: https://chromium-review.googlesource.com/847579
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50427}
This is a reland of 9c79b37aa7
Original change's description:
> [wasm] use allocation tracker to track reserved address space
>
> This is a step towards falling back on bounds checks when there are too many
> guarded Wasm memories.
>
> Bug: v8:7143
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: I01916cbdd5ddb08fe1d946ab83b801f37a8fe1c6
> Reviewed-on: https://chromium-review.googlesource.com/832944
> Commit-Queue: Eric Holk <eholk@chromium.org>
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50390}
Bug: v8:7143
Change-Id: Iaf0d22d300a3f2da22649552a17162dcf7bc608b
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/853142
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50418}
This is just a rebased version of
https://chromium-review.googlesource.com/c/v8/v8/+/571453 with
no functional changes
Bug: v8:6889
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ia082cc09ca527505b288ac88e68e0b74eae94765
Reviewed-on: https://chromium-review.googlesource.com/849423
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50417}
The tests generated by --wasm-fuzzer-gen-test did not encode the locals
of functions yet. This CL fixes that.
A bit of care has to be taken to ensure that the locals are generated
in exactly the same order as in the module generated by the fuzzer.
This requires calling {addLocals} several times.
R=ahaas@chromium.org
Change-Id: I95237b0baef0731b6c164fddc8f12fa6f478e220
Reviewed-on: https://chromium-review.googlesource.com/848832
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50402}
This reverts commit 9c79b37aa7.
Reason for revert: breaks TSAN
https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Linux64_TSAN%2F18959%2F%2B%2Frecipes%2Fsteps%2FCheck%2F0%2Flogs%2Finstance-gc%2F0
Original change's description:
> [wasm] use allocation tracker to track reserved address space
>
> This is a step towards falling back on bounds checks when there are too many
> guarded Wasm memories.
>
> Bug: v8:7143
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: I01916cbdd5ddb08fe1d946ab83b801f37a8fe1c6
> Reviewed-on: https://chromium-review.googlesource.com/832944
> Commit-Queue: Eric Holk <eholk@chromium.org>
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50390}
TBR=bbudge@chromium.org,gdeepti@chromium.org,eholk@chromium.org,eholk@google.com
Change-Id: I207b9466377ba50be17794e71407b0ebc8eb88e2
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7143
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/853140
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50392}
This is a step towards falling back on bounds checks when there are too many
guarded Wasm memories.
Bug: v8:7143
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I01916cbdd5ddb08fe1d946ab83b801f37a8fe1c6
Reviewed-on: https://chromium-review.googlesource.com/832944
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50390}
Create a new function kind for initializer functions and ban arguments
if used in such a function.
Bug: v8:5367, v8:7183
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Id3089e587b3d6a25f27224045f250e032b831818
Reviewed-on: https://chromium-review.googlesource.com/850547
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50369}
The initial fast array may change, invalidating assumptions.
Bug: chromium:798026
Change-Id: Iddcc40867221a2a58aef33b64e7399e0f2784e89
Reviewed-on: https://chromium-review.googlesource.com/850356
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50363}
DeadValue was a constant node of type None. This is unsound in the
presence of re-scheduling. This CL adds a value input to DeadValue,
which preserves the dependency on the original node of type None.
This reland addresses the bug that the EffectControlLinearizer could destroy dependencies of DeadValue by attaching DeadValue nodes to the effect chain in the EffectControlLinearizer.
Bug: chromium:796041 chromium:798938
Change-Id: If47b54a7986d257eb63b437f855769b503679ff5
Reviewed-on: https://chromium-review.googlesource.com/850392
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50360}
Array.prototype.{forEach, filter, map, every} get this support
with the help of a new opcode NumberIsFloat64Hole.
Bug: v8:1956
Change-Id: Ic6a785590cec66bae4c1462c19d6843c0aa5473b
Reviewed-on: https://chromium-review.googlesource.com/847435
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50358}
Add an early exit if the control op is Dead to prevent failing the
DCHECK.
BUG=chromium:797596, v8:5940, v8:3018
R=bmeurer@chromium.org, jarin@chromium.org
Change-Id: I6090380ea69c3205740b6c7a41d7c066d18d6a9f
Reviewed-on: https://chromium-review.googlesource.com/844978
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50312}
This patch implements https://github.com/tc39/proposal-class-fields/pull/65
and https://github.com/tc39/proposal-static-class-features/ by
splitting out instance and static field declarations into separate
flags for the separate proposals. Instance class fields is currently
at Stage 3 whereas static class fields is currently at Stage 2.
Bug: v8:5367
Change-Id: I133c945fd0b22dc5718c7bb61b10f22348087acd
Reviewed-on: https://chromium-review.googlesource.com/839778
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50293}
Fixes a regression causing a seg fault instead of the
expected stack overflow.
Bug: chromium:796427, v8:6005
Change-Id: Ifc752a4009a25f447f5e87745dcc1bb83722c34e
Reviewed-on: https://chromium-review.googlesource.com/838854
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50265}
This patch updates the instruction selector and code generator to pad arguments
for arm64 and drop an even number of slots when dropping the arguments. It also
updates the builtins that handle arguments. These changes need to be made at
the same time.
It also adds some tests for forwarding varargs, as this was affected by the
builtin changes and the existing tests did not catch all issues.
Bug: v8:6644
Change-Id: I81318d1d1c9ab2568f84f2bb868d2a2d4cb56053
Reviewed-on: https://chromium-review.googlesource.com/829933
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50259}
When shared memory is defined in the module bytes, and not imported/exported
underlying memory should be a SharedArrayBuffer. This was missing in the
allocate flow during instantiation. Fixed to use a SharedArrayBuffer.
BUG=v8:6532
Change-Id: Ic62ed3fd578a0e03124ee40b273e6a4ea474bba4
Reviewed-on: https://chromium-review.googlesource.com/835348
Reviewed-by: Eric Holk <eholk@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50255}
In a benchmark that I'm looking at, the numbers quickly overflow our
current limit.
This patch increases kMaxLength to the greatest value that's possible
without requiring further code changes.
Bug: v8:6791
Change-Id: I7a0d126dcd566d536375a294fa4dcf10b8823ed7
Reviewed-on: https://chromium-review.googlesource.com/833876
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50240}
Previously, FrameFunctionIterator::next() assumed that the frame summary
was non-empty. It's now possible for the list not to be empty, if the
JS microtask pump invokes a builtin function which uses
FrameFunctionIterator directly. While this is unlikely to show up in
real world code, it is necessary to handle it to prevent crashes.
BUG=chromium:794744
R=mstarzinger@chromium.org, cbruni@chromium.org, verwaest@chromium.org
Change-Id: Ie95c2228544f57730d1c6c1ff955b2c94ff1c06b
Reviewed-on: https://chromium-review.googlesource.com/833266
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#50221}
Move the object and array literal flag and depth initialization to when
they are visited by the bytecode generator. This avoids issues with
doing this initialization before we know whether the (syntactic) literal
is actually a literal value or a destructuring assignment.
Bug: chromium:795922
Bug: v8:7178
Change-Id: I022178ab4bc9e71f80560f3b78a759d95d4d0584
Reviewed-on: https://chromium-review.googlesource.com/833882
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50204}
Update tests to work with new behavior.
This feature is shipping in Firefox 54, so compatibility risk is low.
R=littledan@chromium.org, adamk@chromium.org, caitp@igalia.com
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
Bug: v8:4958
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Ib16d19468cf935f961d7bcd856ebbeb5692d3e61
Reviewed-on: https://chromium-review.googlesource.com/546941
Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50178}
This CL passes feedback from the element kind deopt points
in Array.push to the deoptimizer. If the deopt points are
triggered, further speculation on Array.push is disallowed.
Bug: v8:7127, v8:7204
Change-Id: Ie91dee598bd8b8797110c8f468406327226893a4
Reviewed-on: https://chromium-review.googlesource.com/831523
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50171}
Make sure that a continue still executed the increment part of a for
loop by adding another nested block for the body, which is the break
target for a continue in the body. The increment code lives outside
this block, in the original loop.
R=bradnelson@chromium.orgCC=mstarzinger@chromium.org
Bug: chromium:788916
Change-Id: I178b874ffac16d9237a0f4da097d2742bd93335a
Reviewed-on: https://chromium-review.googlesource.com/832447
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50169}
See https://github.com/tc39/proposal-regexp-named-groups/pull/40.
The spec is being changed to always create a 'groups' property on
regexp result objects. Its value is undefined if no named captures
exist, and the object containing named captures otherwise.
Bug: v8:7192, v8:5437
Change-Id: I1fb00ffc186c7effd84b5692dcbed420581855c3
Reviewed-on: https://chromium-review.googlesource.com/829137
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50154}
Instruction selector computes the range of case statement labels
to choose between a table or lookup based switch. We need to special
case this when there are no case statements.
Bug: chromium:794825
Change-Id: I46ef57d17f5e2b99a3570f7f3c4ff06e75d78fab
Reviewed-on: https://chromium-review.googlesource.com/830013
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50153}
The irregexp compiler expects RegExpCharacterClass instances to
contain at least one range. This preserves that invariant when parsing
the negated \P{Any} unicode property.
Bug: chromium:793588
Change-Id: If71fdce014a7e64d8af559084ee88108303d694b
Reviewed-on: https://chromium-review.googlesource.com/827010
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Erik Corry <erikcorry@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50146}
Add feedback to GrowFastElements operator and thread it
through to the deoptimize node it the lowering. The CL
uses the feedback to allow Array.push to disable speculation
if the grow operation deopts.
Bug: v8:7127, v8:7204
Change-Id: Ib5850a93759b9194c0fc2f191f6adf5d49cb7f55
Reviewed-on: https://chromium-review.googlesource.com/827128
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50145}
Support inlining Array.prototype.findIndex in Turbofan.
Depending on array size, quick benchmarks show a >2x
improvement: https://github.com/peterwmwong/v8-perf/blob/master/array-find-findIndex-tf/README.md
Bug: chromium:791045, v8:1956, v8:7165
Change-Id: I250554885f924c97b0072e09ee289713df5cbe63
Reviewed-on: https://chromium-review.googlesource.com/824382
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50133}
The unicode property escape syntax restricts unicode property names and
unicode property values to consist only of characters taken from the
[a-zA-Z0-9_] character class. See the spec at:
https://tc39.github.io/proposal-regexp-unicode-property-escapes/
In most cases, we do not actually need to validate that this is the
case, since subsequent property lookup in ICU will fail (and throw a
SyntaxError) if the given property does not exist.
However, there one special case. The ICU lookup takes the property name
as a null-terminated string, so it will accept carefully malformed
property names (e.g. '\p{Number\0[}'). This can end up confusing the
regexp parser.
With this CL, we explicitly restrict potential property names / values
to the character set as specified.
Bug: v8:4743, chromium:793793
Change-Id: Ic97deea8602571ec6793b79c4bb858e1c7597405
Reviewed-on: https://chromium-review.googlesource.com/824272
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50130}
In a generator containing loops, there are always certain control flow
paths that are impossible, due to the way we represent generators at the
bytecode level. Unfortunately, the graph builder can't tell that these
paths are impossible. In combination with dead code, it can then happen
that we build a subgraph (for unreachable code) whose incoming context
is the undefined oddball. JSContextSpecialization did not expect that.
Bug: chromium:794822
Change-Id: I259be5ae6c5f5adc8fca19c64bf71285ee922b7a
Reviewed-on: https://chromium-review.googlesource.com/828954
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50129}
This makes sure the builtin lowering of Object.create doesn't invalidate
any previously taken dependencies. Aborting compilation after such cases
would lead to repeating optimization attempts without learning, hence we
disallow such situations.
R=verwaest@chromium.org
BUG=chromium:794394,chromium:786723
Change-Id: I6b6928cab19692bbbe3cd241ade862a2306eb0c7
Reviewed-on: https://chromium-review.googlesource.com/827066
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50128}
This reverts commit 917b9cb9fc.
In this CL, we canonicalize the fixed array when allocating storage for
empty fixed array. During initialization, we also make sure that we do
not write to the empty fixed array. This is quite hacky, but it
seems to be the least intrusive change.
Bug: chromium:793863
Change-Id: I1449ebac7c1e390467566a759bf70e7e2fabda31
Reviewed-on: https://chromium-review.googlesource.com/827013
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50119}
This CL also adds support for "lookup on dictionary receivers" to store ICs.
Bug: v8:7206, v8:5561
Change-Id: Icebbc2d52c71f5d25b43f2f2a8adf674e4ec2cbc
Reviewed-on: https://chromium-review.googlesource.com/819232
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50113}
The IsPromise brand check is now replaced with an IsObject check.
The spec was changed here:
a1628886f8
Bug: v8:7095
Change-Id: I5668083c888f9efcdfc1491c919c810c75d73ac7
Reviewed-on: https://chromium-review.googlesource.com/826606
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50108}
Add support for disallowing speculation upon deoptimize from
a CheckBound node, and use this in the case of array builtins
in js-call-reducer to prevent deoptimization loops.
Bug: v8:7127
Change-Id: I04cf655b10178d2938d2f0ee6b336601fab6463b
Reviewed-on: https://chromium-review.googlesource.com/822195
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50097}
Port bd732f7ddd
Original Commit Message:
The original CL introduced a test which uses a random number generator.
I disable the test for now, which is okay because this CL adds to a
work-in-progress feature anyways, and I will fix the problem in another
CL.
Original description:
Add the ability to return (multiple) return values on the stack:
- Extend stack frames with a new buffer region for return slots.
This region is located at the end of a caller's frame such that
its slots can be indexed as caller frame slots in a callee
(located beyond its parameters) and assigned return values.
- Adjust stack frame constructon and deconstruction accordingly.
- Extend linkage computation to support register plus stack returns.
- Reserve return slots in caller frame when respective calls occur.
- Introduce and generate architecture instructions ('peek') for
reading back results from return slots in the caller.
- Aggressive tests.
- Some minor clean-up.
So far, only ia32 and x64 are implemented.
R=ahaas@chromium.org, joransiu@ca.ibm.com, jbarboza@ca.ibm.com
BUG=
LOG=N
Change-Id: I8d63286aa5af5f52cc2eeaf2adeee13d0ff19e7d
Reviewed-on: https://chromium-review.googlesource.com/823084
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50091}
This ensures that MigrateFastToFast does not overflow the length of the
property array.
Bug: chromium:789393
Change-Id: I77adc319c1c8c469ea482bad35ead8661d535192
Reviewed-on: https://chromium-review.googlesource.com/824167
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50086}
- All testcase/testsuite/variant generator subclasses renamed to
just TestCase/TestSuite/VariantGenerator since they're private
implementation.
- All `testcase` variables renamed to `test` to not conflict with
a module name.
- No more two statements in the same line.
- Removed some unused testsuite methods.
Bug: v8:6917
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I7710f3419f738a5f9ddca73765dd2cad2e35b952
Reviewed-on: https://chromium-review.googlesource.com/823964
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michał Majewski <majeski@google.com>
Cr-Commit-Position: refs/heads/master@{#50076}
This disallows speculation after deoptimization from any of
Array.{forEach,map,filter,find} due to CheckMap fails. Such
CheckMap fails happen if the builtins' function argument
causes the map of the array to change. The js-call-lowering
refrains from optimizing builtins for which speculation was
disallowed.
Bug: v8:6898, v8:7127
Change-Id: Ied6696f8fb023ee404fb82e9d37bfb061f293854
Reviewed-on: https://chromium-review.googlesource.com/819354
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50069}
- create testcase subclass for each test
- move get_command, get_source from suite to test
- promises-aplus tests are broken
- moving expected outcomes etc. is still in progress
Bug: v8:6917
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I006e64ecf51dda95c41dff88c68b24f17a638566
Reviewed-on: https://chromium-review.googlesource.com/798331
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50065}
If an initializer is a NaryOperation, its position ends up as a start position
of a Scope, and a DCHECK used to fire.
Interestingly, this was not caught by our existing tests.
BUG=chromium:791256
Change-Id: Id47f850c7ad17ca580352f9bd56c9567b485c3b8
Reviewed-on: https://chromium-review.googlesource.com/822093
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50051}
This is a reland of c3bd741efd
Original change's description:
> Fix "this" value in lazily-parsed module functions.
>
> When preparsing top-level functions in a module, we didn't track
> unresolved variables. Consequently, "this" ended up referencing
> the global "this", which has the wrong value (in a module "this"
> is supposed to be the undefined value).
>
> This patch fixes that. This also lets us stop forcing context
> allocation of all variables in module scopes, which the patch
> takes care of as well.
>
> Bug: chromium:791334
> Change-Id: Ifac1f1adc033f3facfb3d29dd4bca32ee27bffcf
> Reviewed-on: https://chromium-review.googlesource.com/808938
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50025}
TBR=adamk@chromium.orgTBR=kozyatinskiy@chromium.org
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Bug: chromium:791334
Change-Id: I57acc7b84a345565b36cbb55924fa2ff9b449eec
Reviewed-on: https://chromium-review.googlesource.com/822341
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50045}
This reverts commit c3bd741efd.
Reason for revert: Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/20384
Original change's description:
> Fix "this" value in lazily-parsed module functions.
>
> When preparsing top-level functions in a module, we didn't track
> unresolved variables. Consequently, "this" ended up referencing
> the global "this", which has the wrong value (in a module "this"
> is supposed to be the undefined value).
>
> This patch fixes that. This also lets us stop forcing context
> allocation of all variables in module scopes, which the patch
> takes care of as well.
>
> Bug: chromium:791334
> Change-Id: Ifac1f1adc033f3facfb3d29dd4bca32ee27bffcf
> Reviewed-on: https://chromium-review.googlesource.com/808938
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50025}
TBR=adamk@chromium.org,marja@chromium.org,neis@chromium.org,kozyatinskiy@chromium.org
Change-Id: I81f69334ed2ce104c00e6205d50001e4bdf07d15
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:791334
Reviewed-on: https://chromium-review.googlesource.com/822258
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50036}
The original CL introduced a test which uses a random number generator.
I disable the test for now, which is okay because this CL adds to a
work-in-progress feature anyways, and I will fix the problem in another
CL.
Original description:
Add the ability to return (multiple) return values on the stack:
- Extend stack frames with a new buffer region for return slots.
This region is located at the end of a caller's frame such that
its slots can be indexed as caller frame slots in a callee
(located beyond its parameters) and assigned return values.
- Adjust stack frame constructon and deconstruction accordingly.
- Extend linkage computation to support register plus stack returns.
- Reserve return slots in caller frame when respective calls occur.
- Introduce and generate architecture instructions ('peek') for
reading back results from return slots in the caller.
- Aggressive tests.
- Some minor clean-up.
So far, only ia32 and x64 are implemented.
Change-Id: I8b03fc4e53946daaa0e14a34603f4824a04fad7e
Reviewed-on: https://chromium-review.googlesource.com/819557
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50031}
When preparsing top-level functions in a module, we didn't track
unresolved variables. Consequently, "this" ended up referencing
the global "this", which has the wrong value (in a module "this"
is supposed to be the undefined value).
This patch fixes that. This also lets us stop forcing context
allocation of all variables in module scopes, which the patch
takes care of as well.
Bug: chromium:791334
Change-Id: Ifac1f1adc033f3facfb3d29dd4bca32ee27bffcf
Reviewed-on: https://chromium-review.googlesource.com/808938
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50025}
Some refactor moved from
https://chromium-review.googlesource.com/c/v8/v8/+/798331.
Bug: v8:6917
Change-Id: I8cae6cfca7a0d7d8e234052c0ab0bfe252355e60
Reviewed-on: https://chromium-review.googlesource.com/819550
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50020}
This reverts commit 1e49864fa7.
Reason for revert: Crashing test on the waterfall https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Linux_gcc_4.8%2F16871%2F%2B%2Frecipes%2Fsteps%2FCheck%2F0%2Flogs%2FReturnMultipleRandom%2F0
Original change's description:
> [turbofan] Implement on-stack returns (Intel)
>
> Add the ability to return (multiple) return values on the stack:
>
> - Extend stack frames with a new buffer region for return slots.
> This region is located at the end of a caller's frame such that
> its slots can be indexed as caller frame slots in a callee
> (located beyond its parameters) and assigned return values.
> - Adjust stack frame constructon and deconstruction accordingly.
> - Extend linkage computation to support register plus stack returns.
> - Reserve return slots in caller frame when respective calls occur.
> - Introduce and generate architecture instructions ('peek') for
> reading back results from return slots in the caller.
> - Aggressive tests.
> - Some minor clean-up.
>
> So far, only ia32 and x64 are implemented.
>
> Change-Id: I9532ad13aa307c1dec40548c5b84600fe2f762ce
> Reviewed-on: https://chromium-review.googlesource.com/766371
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49994}
TBR=titzer@chromium.org,rossberg@chromium.org,ahaas@chromium.org
Change-Id: Ib257e92448942f8ef07d5ef246f9381f4784f014
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/819637
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50000}
Add the ability to return (multiple) return values on the stack:
- Extend stack frames with a new buffer region for return slots.
This region is located at the end of a caller's frame such that
its slots can be indexed as caller frame slots in a callee
(located beyond its parameters) and assigned return values.
- Adjust stack frame constructon and deconstruction accordingly.
- Extend linkage computation to support register plus stack returns.
- Reserve return slots in caller frame when respective calls occur.
- Introduce and generate architecture instructions ('peek') for
reading back results from return slots in the caller.
- Aggressive tests.
- Some minor clean-up.
So far, only ia32 and x64 are implemented.
Change-Id: I9532ad13aa307c1dec40548c5b84600fe2f762ce
Reviewed-on: https://chromium-review.googlesource.com/766371
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49994}
Moving a register to itself is not only unnecessary overhead, it also
breaks invariants in the StackTransferRecipe.
R=ahaas@chromium.org
Bug: v8:6600, chromium:793551
Change-Id: I659fd66b4f2d4564c437ed9fb048322af4299d97
Reviewed-on: https://chromium-review.googlesource.com/819231
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49992}
This relands commit e71b802279.
This can now back in as the fix for chromium:787301 had enough time to
be tested in Canary.
Original change's description:
> [deoptimizer] Staged materialization of objects.
>
> The existing object materialization in the deoptimizer has the following problems:
>
> - Objects do not necessarily verify during materialization (because during the
> depth first walk we might have inconsistent objects).
>
> - Stack can overflow (because we just materialize using recursive calls).
>
> - We generalize object fields.
>
>
> This CL re-implements the materialization algorithm to solve this problem. The
> new implementation creates the objects in two steps:
>
> 1. We allocate space for all the objects. In general, we allocate ByteArrays
> of the right size. For leaf objects that cannot participate in cycles,
> we build and initialize the materialized objects completely.
>
> For JS objects, we insert markers into the byte array at the positions
> where unboxed doubles are expected.
>
> 2. We initialize all the objects with the proper field values and change the
> map from the ByteArray map to the correct map. This requires some sync
> with the concurrent marker (Heap::NotifyObjectLayoutChange).
>
> When initializing the JS object fields, we make sure that we respect
> the unboxed double marker.
>
> Bug: chromium:770106, v8:3836
> Change-Id: I1ec466a9d19db9538df4ba915516d4c3ca825632
> Reviewed-on: https://chromium-review.googlesource.com/777559
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49821}
Bug: chromium:770106, v8:3836
Change-Id: Ied6c4e0fbae52713e55ae6dc13794a7521dbb8a5
Reviewed-on: https://chromium-review.googlesource.com/817745
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49982}
This moves the verify-predictable logic from the test runner into
a python wrapper script.
This revealed two more tests that don't print allocations, which are
now skipped.
Bug: v8:7166, v8:7177
Change-Id: Ie4a541cb2a20900414ffe1caf4b3fccc4a5edb52
Reviewed-on: https://chromium-review.googlesource.com/808971
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49964}
Bug: chromium:780819
Change-Id: I07c5ff3cf955edb087a175ea2d71a35e0f520ec3
Reviewed-on: https://chromium-review.googlesource.com/813839
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49953}
This reverts commit 59f221740c.
Reason for revert: android build issue (https://build.chromium.org/p/client.v8.fyi/builders/Android%20Release%20%28Nexus%205X%29/builds/3583)
Original change's description:
> [wasm] Fix wasm-to-wasm handling in 'native heap' lazy compile
>
> Wasm-to-wasm uses a tail call mechanism to reach the target
> function. This means there is no frame for it. This CL ports
> the fix for that for the WasmCodeManager case, akin the current
> fix for the GC case.
>
> Bug: v8:7140
> Change-Id: I04c8a8da1de9cb837a0423493216d2226c53e756
> Reviewed-on: https://chromium-review.googlesource.com/814498
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49942}
TBR=bradnelson@chromium.org,titzer@chromium.org,mtrofin@chromium.org,clemensh@chromium.org
Change-Id: Iae0e43b386f08d2d56aeef70e9fa0af141232023
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7140
Reviewed-on: https://chromium-review.googlesource.com/815180
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49943}
Wasm-to-wasm uses a tail call mechanism to reach the target
function. This means there is no frame for it. This CL ports
the fix for that for the WasmCodeManager case, akin the current
fix for the GC case.
Bug: v8:7140
Change-Id: I04c8a8da1de9cb837a0423493216d2226c53e756
Reviewed-on: https://chromium-review.googlesource.com/814498
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49942}
When enabling any coverage mode (other than best-effort), we trigger
deoptimization of all functions on the heap.
Prior to the recent removal of the weak list of optimized functions [0],
we'd unlink optimized code from all relevant JSFunctions during the call
to DeoptimizeAll.
After the weak-list-removal, this was no longer the case, hence this [1]
change which attempts to reset the code object from the
SharedFunctionInfo for all found JSFunction objects.
But this can create a situation in which JSFunctions are set up
incorrectly s.t. they have unoptimized code but no feedback vector.
This CL fixes that by leaving JSFunction objects untouched and relying
on self-healing mechanisms (CompileLazyDeoptimizedCode) to fix up
JSFunction::code.
[0] https://crrev.com/f0acede9bb05155c25ee87e81b4b587e8a76f690
[1] https://crrev.com/c/647596/5/src/debug/debug-coverage.cc
Bug: chromium:786784, chromium:791940, v8:6637
Change-Id: I13191f4c8800a0d72894b959105189dc09ca693e
Reviewed-on: https://chromium-review.googlesource.com/813615
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49932}
Ensure that the type is always stored correctly.
R=titzer@chromium.org
Bug: v8:6600, chromium:791810
Change-Id: Id3a3c20b14f8730b9550c548dec49ac47121e691
Reviewed-on: https://chromium-review.googlesource.com/811188
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49924}
Exposing the existing Context::AllowCodeGenerationFromStrings(false) API
to the command line.
Bug: v8:7134
Change-Id: I062ccff0b03c5bcf6878c41c455c0ded37a1d743
Reviewed-on: https://chromium-review.googlesource.com/809631
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49911}
- When a global object changes, invalidate its validity cell.
- The global object prototypes don't need to be gathered into an array in InitPrototypeChecks.
Bug: v8:7159
Change-Id: I3621c914d08b83e49e8a391800a92eb53ba19feb
Reviewed-on: https://chromium-review.googlesource.com/808588
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49901}
We cannot remove a speculative operation when it's type relies on it to deopt.
Fix this by only relying on the lowering to remove operations.
Bug: chromium:786521
Change-Id: I2cf45e8d45b76cfeb06e6329f323cade74719124
Reviewed-on: https://chromium-review.googlesource.com/793043
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49882}
For "top digit" (of the result) comparison to be applicable, we must
also check that there are no further digits in the source.
The included regression test flushes out another bug in "TruncateToNBits",
so that gets fixed here too (in contrast to the first landing attempt).
This reverts commit cb9e7af4e5.
Bug: v8:7150
Change-Id: Id631b1ae79e60b8e85ed4667e246a64c46765f2b
Reviewed-on: https://chromium-review.googlesource.com/807348
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49877}
The proper fix would be to make TruncatingUseInfoFromRepresentation
respect tagged signed use representation, but requires extra work
to refine typing for all values that are stored into Smi fields.
Bug: chromium:791245
Change-Id: I83965bcc18a836d2c758a6a8b1477a4aa2c6133d
Reviewed-on: https://chromium-review.googlesource.com/808866
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49870}
- When a dictionary mode prototype changes, invalidate the validity cell.
- The dictionary mode prototypes don't need to be gathered into an array in InitPrototypeChecks.
Bug: v8:7159
Change-Id: I1c7bbaf4b20556f44df18be1463d38fa4fbabe05
Reviewed-on: https://chromium-review.googlesource.com/793732
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49857}
This unblocks the checks in the SimplifiedLowering that whenever we
store something as TaggedSigned, the input type should at least be
Type::SignedSmall.
Bug: chromium:791245
Change-Id: Ice6e55c2c6584c0ff60c1e033ba755c8863af32a
Reviewed-on: https://chromium-review.googlesource.com/808104
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49856}
- Removes JS implementation and InnerArrayFind/InnerArrayFindIndex
- Adds TFJ, with TFS for slow continuation path
Some quick benchmarks show ~2x improvement for unoptimized code
and up to 16% improvement against optimized code (diminishes with
larger arrays as iterating dominates).
https://github.com/peterwmwong/v8-perf/blob/master/array-find-findIndex/README.md
Bug: chromium:791045, v8:1956, v8:5049, v8:7165
Change-Id: Ie16252ed495bbd91fe548b16d5ef6764de791a50
Reviewed-on: https://chromium-review.googlesource.com/804704
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49851}
Eventually, we want to fix this also for tagged pointers (tracking bug: https://crbug.com/v8/7162).
Bug: chromium:791245
Change-Id: I93d6deff36cedcc9a4665fab0abe6fffdae9b61b
Reviewed-on: https://chromium-review.googlesource.com/806457
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49850}
This reverts commit e110b59cc7.
Reason for revert: Breaks arm debug on chromebook hardware:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/5335
Original change's description:
> [bigint] Fix early-return in asIntN
>
> For "top digit" (of the result) comparison to be applicable, we must
> also check that there are no further digits in the source.
>
> Bug: v8:7150
> Change-Id: I6ad317f6f600e11fef59b9907da1055e5586a3a8
> Reviewed-on: https://chromium-review.googlesource.com/804639
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49846}
TBR=jkummerow@chromium.org,neis@chromium.org
Change-Id: I5dae82696d3ecb9602f73a2ff4760ed7bbcef1c5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7150
Reviewed-on: https://chromium-review.googlesource.com/806838
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49847}
For "top digit" (of the result) comparison to be applicable, we must
also check that there are no further digits in the source.
Bug: v8:7150
Change-Id: I6ad317f6f600e11fef59b9907da1055e5586a3a8
Reviewed-on: https://chromium-review.googlesource.com/804639
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49846}
- Implement RunMicrotasks in CSA to prevent a potentially large number
of jumps between C++ and JS code while consuming te queue. Appears to
provide a ~60% speedup in microtask-heavy code, which from limited
testing appears to scale linearly.
The code-stub microtask pump bails out to the old C++ microtask pump
if it encounters a CallHandlerInfo microtask, and remains in C++ for
the remainder of the queue (returning to the JS/stub implementation
after the bailed out queue is exhausted).
- Add a variation of JSEntryStub which enters the new RunMicrotasks code
stub.
- Add a new RunMicrotasks helper to Execution, which uses the
RunMicrotasks entry stub.
Bug:
Change-Id: I4667d4dd633d24455ea5d7cef239da0af1a7365e
Reviewed-on: https://chromium-review.googlesource.com/650486
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49842}
This reverts commit e71b802279.
Reason for revert: Need to have a back-mergeable fix.
Original change's description:
> [deoptimizer] Staged materialization of objects.
>
> The existing object materialization in the deoptimizer has the following problems:
>
> - Objects do not necessarily verify during materialization (because during the
> depth first walk we might have inconsistent objects).
>
> - Stack can overflow (because we just materialize using recursive calls).
>
> - We generalize object fields.
>
>
> This CL re-implements the materialization algorithm to solve this problem. The
> new implementation creates the objects in two steps:
>
> 1. We allocate space for all the objects. In general, we allocate ByteArrays
> of the right size. For leaf objects that cannot participate in cycles,
> we build and initialize the materialized objects completely.
>
> For JS objects, we insert markers into the byte array at the positions
> where unboxed doubles are expected.
>
> 2. We initialize all the objects with the proper field values and change the
> map from the ByteArray map to the correct map. This requires some sync
> with the concurrent marker (Heap::NotifyObjectLayoutChange).
>
> When initializing the JS object fields, we make sure that we respect
> the unboxed double marker.
>
> Bug: chromium:770106, v8:3836
> Change-Id: I1ec466a9d19db9538df4ba915516d4c3ca825632
> Reviewed-on: https://chromium-review.googlesource.com/777559
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49821}
TBR=ulan@chromium.org,mstarzinger@chromium.org,jarin@chromium.org
Change-Id: I0657fb75330700dd7883c600dacb25676ebb47f9
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:770106, v8:3836
Reviewed-on: https://chromium-review.googlesource.com/806160
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49834}
The existing object materialization in the deoptimizer has the following problems:
- Objects do not necessarily verify during materialization (because during the
depth first walk we might have inconsistent objects).
- Stack can overflow (because we just materialize using recursive calls).
- We generalize object fields.
This CL re-implements the materialization algorithm to solve this problem. The
new implementation creates the objects in two steps:
1. We allocate space for all the objects. In general, we allocate ByteArrays
of the right size. For leaf objects that cannot participate in cycles,
we build and initialize the materialized objects completely.
For JS objects, we insert markers into the byte array at the positions
where unboxed doubles are expected.
2. We initialize all the objects with the proper field values and change the
map from the ByteArray map to the correct map. This requires some sync
with the concurrent marker (Heap::NotifyObjectLayoutChange).
When initializing the JS object fields, we make sure that we respect
the unboxed double marker.
Bug: chromium:770106, v8:3836
Change-Id: I1ec466a9d19db9538df4ba915516d4c3ca825632
Reviewed-on: https://chromium-review.googlesource.com/777559
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49821}
Since we have this d8 directory now, we can also use it.
R=machenbach@chromium.org
Bug: v8:7109
Change-Id: I595ceb30e1c9350ad00d5cfaf998e40294602103
Reviewed-on: https://chromium-review.googlesource.com/803214
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49817}
Flush the icache after JIT-ing using the WasmCodeManager. Also, re-enable
tests that were previously failing on Linux ARM.
Bug: v8:7138
Change-Id: I8e18b80dba58df173a2360f8ac365ee5daaf3239
Reviewed-on: https://chromium-review.googlesource.com/802961
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49800}
Adds new API function to request code cache. Earlier code cache was
produced along with compile requests. This new API allows us to request
code cache after executing. Also adds support in the code serializer to
serialize after executing the script.
Bug: chromium:783124,chromium:789694
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Id4e6a967e176e3e979dc4ccb9a37a353c70c3890
Reviewed-on: https://chromium-review.googlesource.com/797036
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49793}
These now pass even when forcing optimization.
TBR=jkummerow@chromium.org
Bug: v8:6791
Change-Id: I4d7c7d37b48e6e970d33474fa7fd637e34b0bda0
Reviewed-on: https://chromium-review.googlesource.com/803374
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49781}
It reflects the semantics of ToBoolean, so it must be adapted for
bigints.
Bug: v8:6791
Change-Id: I18931df21528463dacf5ad50fa8264b1c968c6b5
Reviewed-on: https://chromium-review.googlesource.com/799831
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49776}
This reverts commit e42e7fc800.
Reason for revert: Speculative revert for:
https://crbug.com/v8/7149
Original change's description:
> [objects] No longer create short external strings.
>
> This fixes String::MakeExternal() to bail out if the subject string
> doesn't fit a regular ExternalString, instead of creating a short
> external string. The observation here is that for short external strings
> the overhead of having to have the StringResource plus going to the
> runtime/C++ for each and every character access from JavaScript land
> is probably bigger than the anticipated benefits.
>
> If this turns out to be wrong and there's a real benefit, we should make
> use of ThinStrings instead of having a separate way to represent
> external strings.
>
> Bug: v8:6621, v8:7109, v8:7145
> Change-Id: I4b75da08b82a72027c782a69de9c8eaf3cca1d4d
> Reviewed-on: https://chromium-review.googlesource.com/799750
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49735}
TBR=yangguo@chromium.org,bmeurer@chromium.org
Change-Id: I3f5cfa9ab5c99ddce1d61ede9ed9515cb3936cdd
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6621, v8:7109, v8:7145, v8:7149
Reviewed-on: https://chromium-review.googlesource.com/801675
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49770}
Finally address that long-standing TODO where ConsString allocation in
TurboFan would always go for the two byte map instead of choosing the
one byte map if the inputs are one byte strings.
Bug: v8:5269, v8:7109
Change-Id: Ibcfceaf499ceebef0ef928ebc5f204bcacf29bc0
Reviewed-on: https://chromium-review.googlesource.com/799700
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49744}
This CL fixes an issue with --enable-tracing which was introduced
recently where the tracing file was closed too early. In addition it
adds a test for --enable-tracing to avoid such an issue in the future.
R=machenbach@chromium.org, rmcilroy@chromium.org
Change-Id: I1b3699a4dfbe27230ac1d21d5f6bc7b2ee9ed435
Reviewed-on: https://chromium-review.googlesource.com/796214
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49742}
This test expects certain functions to be optimized, which does not
happen if we force array objects onto the slow path.
Bug: v8:7122
Change-Id: I716954fff564f1c4f0782b3452557ec89a3b4307
Reviewed-on: https://chromium-review.googlesource.com/796860
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49736}
This fixes String::MakeExternal() to bail out if the subject string
doesn't fit a regular ExternalString, instead of creating a short
external string. The observation here is that for short external strings
the overhead of having to have the StringResource plus going to the
runtime/C++ for each and every character access from JavaScript land
is probably bigger than the anticipated benefits.
If this turns out to be wrong and there's a real benefit, we should make
use of ThinStrings instead of having a separate way to represent
external strings.
Bug: v8:6621, v8:7109, v8:7145
Change-Id: I4b75da08b82a72027c782a69de9c8eaf3cca1d4d
Reviewed-on: https://chromium-review.googlesource.com/799750
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49735}
In order to test that we don't repeatedly go through the
WasmCompileLazy runtime function, add a flag to the
LazyCompilationOrchestrator to "freeze" it, i.e. disallow any further
lazy compilation.
In tests, use this flag to first call a method, then freeze lazy
compilation, then call the method again to assert that no further lazy
compilation is triggered.
This test currently fails with --wasm-jit-to-native, so disable it for
that variant.
R=titzer@chromium.orgCC=mtrofin@chromium.org
Bug: v8:7140, chromium:788441, v8:5991
Change-Id: I18a40d302c24041740d8a54351d06ed968f4beec
Reviewed-on: https://chromium-review.googlesource.com/796430
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49734}
In the presence of bigints, this optimization is no longer valid.
Bug: v8:6791
Change-Id: I996ac78f8ae4aef5494dd0089374d04c6db6e72f
Reviewed-on: https://chromium-review.googlesource.com/796070
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49725}
This reverts commit 5d4a090377.
Reason for revert: Speculative revert due to timeouts on testing with
--isolates:
https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/21889https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/18138
Original change's description:
> Add support to produce code cache after execute.
>
> Adds new API function to request code cache. Earlier code cache was
> produced along with compile requests. This new API allows us to request
> code cache after executing. Also adds support in the code serializer to
> serialize after executing the script.
>
> Bug: chromium:783124
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: Id7b972a2b4c8dcf7a6d9f5ea210890ae968320bd
> Reviewed-on: https://chromium-review.googlesource.com/781767
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Mythri Alle <mythria@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49717}
TBR=ulan@chromium.org,rmcilroy@chromium.org,yangguo@chromium.org,mythria@chromium.org
Change-Id: Id9e0285e73bbc3ea3908b4b7bbf6599e4f7cd76e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:783124
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/796870
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49722}
This reduces the overhead of calling the builtin.
Quick measurements show >5x improvement. As the
typed array's size grows, iterating dominates
and the performance gap closes.
https://github.com/peterwmwong/v8-perf/blob/master/typedarray-findIndex/README.md
Bug: v8:5929
Change-Id: I27d67776c83cbe28f4f9f5ef479a7eeabf594654
Reviewed-on: https://chromium-review.googlesource.com/792394
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49720}
Adds new API function to request code cache. Earlier code cache was
produced along with compile requests. This new API allows us to request
code cache after executing. Also adds support in the code serializer to
serialize after executing the script.
Bug: chromium:783124
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Id7b972a2b4c8dcf7a6d9f5ea210890ae968320bd
Reviewed-on: https://chromium-review.googlesource.com/781767
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49717}
When exporting an imported wasm function, we generate a js-to-wasm
wrapper which calls the wasm-to-wasm wrapper (which then tail-calls
the WasmCompileLazy stub).
This wasm-to-wasm wrapper also needs to be patched.
R=titzer@chromium.org
Bug: chromium:788441, v8:5991
Change-Id: Ibf27618a0511851cb55714b720fe7299a21c2959
Reviewed-on: https://chromium-review.googlesource.com/795990
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49715}
This addresses two TODOs in Ignition where the Construct and the
ConstructWithSpread bytecodes didn't collect JSBoundFunction
new.target feedback. This is fairly trivial to add now with the
existing machinery and the TurboFan side of this was already fixed
before, so we can leverage the new feedback.
Bug: v8:5267, v8:7109
Change-Id: Iae257836716c14f05f5d301326cbe8b2acaeb38b
Reviewed-on: https://chromium-review.googlesource.com/793048
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49712}
This reverts commit 0269965b37.
Reason for revert: Successfully got some stack traces:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/5274
Original change's description:
> V8: Temporary run wasm_traps on native arm debug
>
> This will break the bot. This is for getting a stack trace and then
> revert.
>
> TBR=mtrofin@chromium.org
>
> Bug: v8:7138
> Change-Id: I244492ca81f817d64ef7c12e291a6ed9b97e68de
> Reviewed-on: https://chromium-review.googlesource.com/795718
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49698}
TBR=machenbach@chromium.org,mtrofin@chromium.org
Change-Id: Id81736508fd7eb2b9220bf41188f7687c4046960
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7138
Reviewed-on: https://chromium-review.googlesource.com/796290
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49707}
This reduces the overhead of calling the builtin.
Quick measurements show >5x improvement. As the
typed array's size grows, iterating dominates
and the performance gap closes.
https://github.com/peterwmwong/v8-perf/blob/master/typedarray-find/README.md
Bug: v8:5929
Change-Id: Ia74546bb46d446c6161c8956e350d4b5cdc1b328
Reviewed-on: https://chromium-review.googlesource.com/792454
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49706}
In TurboFan we can easily recognize calls to String.prototype.slice
where the start parameter is -1 and the end parameter is either
undefined or not present. These calls either return an empty string if
the input string is empty, or the last character of the input string
as a single character string. So we can just make use of the existing
StringCharAt operator.
This reduces the overhead of the String.prototype.slice calls from
optimized code in the chai test of the web-tooling-benchmark
significantly. We observe a 2-3% improvement on the test.
Bug: v8:6936, v8:7137
Change-Id: Iebe02667446880f5760e3e8c80f8b7cc712df663
Reviewed-on: https://chromium-review.googlesource.com/795726
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49704}
This will break the bot. This is for getting a stack trace and then
revert.
TBR=mtrofin@chromium.org
Bug: v8:7138
Change-Id: I244492ca81f817d64ef7c12e291a6ed9b97e68de
Reviewed-on: https://chromium-review.googlesource.com/795718
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49698}
It was shipped in Chrome 62.
Bug: v8:5546, v8:4829
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I3ac318639f1f7483d4d4f4fe5606387a856be98a
Reviewed-on: https://chromium-review.googlesource.com/777940
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49687}
These tests are failing with OOM.
Bug: v8:6924
Change-Id: I988814350c6199ca5c1976e3f09d3b96e42ec0ff
Reviewed-on: https://chromium-review.googlesource.com/793044
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49686}
And also ensure that it doesn't allocate when that's avoidable.
Bug: v8:6791
Change-Id: Ied2d2c9c5718aed9839f17739d743353cbadee88
Reviewed-on: https://chromium-review.googlesource.com/786170
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49683}
We'd sometimes forget that the input was not originally a numeric.
Bug: v8:7135
Change-Id: I8bc690cc0c2dfac8a2a218ca56352b6a569825dc
Reviewed-on: https://chromium-review.googlesource.com/793039
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49667}
Properly handle known JSBoundFunction instances as targets to
JSConstruct by inlining the construction of the eventual target.
Also if the target is the result of a JSCreateBoundFunction call,
where we can also fold the construction and construct the bound
target function directly instead.
This addresses half of the TODO in the JSConstruct lowering in the
JSCallReducer where so far we didn't handle bound functions.
Bug: v8:5267, v8:7109
Change-Id: I022dc7d4fbbe2c9972472e78a6d64f51e3134c94
Reviewed-on: https://chromium-review.googlesource.com/792947
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49664}
Change the existing uses of the harmony-class-fields flag to
harmony-public-fields so that we can stage this separately
from the upcoming harmony-private-fields to get some
clusterfuzz coverage.
Bug: v8:5367
Change-Id: I76cdefa4faf34eae73d3a5f6d6089cf75677732a
Reviewed-on: https://chromium-review.googlesource.com/792940
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49661}
1) Make sure we don't enable prototype setup mode for parent class and its prototype
objects.
2) Make sure we create builtins and their prototypes with completed setup mode.
3) Drive-by-fix: setup typed array classes in bootstrapper.cc instead of typedarray.js,
and drop %FunctionSetPrototype().
Bug: v8:7115, v8:5902
Change-Id: I58ac091d85647abc3307bd47baf48e378e3695c5
Reviewed-on: https://chromium-review.googlesource.com/790992
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49655}
This extends the typing rule for NumberTrunc to deal with general number
inputs properly, thus addressing a long-standing TODO. We also add test
cases to ensure that the typing rule gets the corner cases for NaN and
-0 right.
Bug: v8:5267, v8:7109
Change-Id: Iedc541a0f4619f37da37ea36940f92472034cdf2
Reviewed-on: https://chromium-review.googlesource.com/792932
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49652}
This extends the typing rule for NumberRound to deal with general number
inputs properly, thus addressing a long-standing TODO. We also add test
cases to ensure that the typing rule gets the corner cases for NaN and
-0 right.
Bug: v8:5267, v8:7109
Change-Id: Ia865ec1d6f8d96f20641bee96891740a9fc6e627
Reviewed-on: https://chromium-review.googlesource.com/792931
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49651}
This extends the typing rule for NumberCeil to deal with general number
inputs properly, thus addressing a long-standing TODO. We also add test
cases to ensure that the typing rule gets the corner cases for NaN and
-0 right.
Bug: v8:5267, v8:7109
Change-Id: I9154e47e58ad106791613db0030051f2a802a981
Reviewed-on: https://chromium-review.googlesource.com/792930
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49650}
Pull most JSTypedArray source arguments onto the fast path.
Same source & target elements-kinds simply call memmove. Other
combinations call directly into C and reuse ElementsAccessor logic.
Only overlapping source & target args with differing elements-kinds
remain on the slow runtime path.
Bug: v8:7123, v8:3590
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I80284b61478b0e3266b8f16bde8a56bd90f080b0
Reviewed-on: https://chromium-review.googlesource.com/788857
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49643}
Implement the new spec behavior that says construction from a neutered
buffer should throw after the ToIndex call on the length argument.
Bug: v8:6216
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I219a107730b53fca639bc813f68f7ddc27e79017
Reviewed-on: https://chromium-review.googlesource.com/789847
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49639}
