Commit Graph

3446 Commits

Author SHA1 Message Date
Michael Starzinger
47f3a53f70 [wasm] Fix bogus uses of {WasmGraphBuilder::Buffer}.
With exception handling enabled new call paths open up, which will
perform environment merging while a "call" or "call_indirect" is
currently being emitted. This will lead to double-use of the buffer
returned by calls to {Buffer} or {Realloc}. In general we should
transition away from this optimization to safer constructs such as
{base::SmallVector} to avoid such bugs.

R=clemensb@chromium.org
TEST=mjsunit/regress/regress-9832
BUG=v8:9832

Change-Id: I4c862ac1bc7dc34ad62279c82f6414153e8cbddb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1856006
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64271}
2019-10-14 09:32:37 +00:00
Ng Zhi An
727668298e [wasm-simd] Implement memory tracing for kSimd128 data types
Increase the embedded vector size to 91 as that is the max size needed to print
a s128 as a 32x4.

- max value of uint32_t has 10 digits in decimal, 1 for a potential sign,
  3 spaces in between 4 of them -> 3 + 4 * 11 = 47
- max value of uint32_t has 8 digits in hex, 3 spaces in between -> 3 + 4 * 8 = 35
- the prefix "v128:" -> 5
- " / " to separate the decimal and hex representation -> 3
- null byte

47 + 35 + 5 + 3 + 1 = 91

Bug: v8:9754
Change-Id: I153c30738fa8862b44fb5103cbe62ea0bcea9718
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1814885
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64256}
2019-10-11 20:45:21 +00:00
Leszek Swirski
947a124e47 [runtime] Fix CloneObject for all in-place repr changes
Bug: chromium:1012301
Change-Id: I805affc8b18130d9d4de995eed8a905d7fcd4d75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1856005
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64249}
2019-10-11 16:09:45 +00:00
Joshua Litt
f796f861e6 [async] Fix bug with await in for 'next' position.
While removing dead code, v8 currently removes jump targets, but leaves
suspend points, resulting in bytecode analysis issues. This cl simply
removes the suspend point if the remainder of the block is dead.

Bug: v8:9825
Change-Id: Ib147ca01cf64c695c0316017852d61f52fd10cf4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1849197
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64223}
2019-10-10 18:06:07 +00:00
Santiago Aboy Solanes
fabfa417b4 [ptr-compr] Remove ChangeTaggedSignedToCompressedSigned optimization
CheckedInt32ToTaggedSigned -> ChangeTaggedSignedToCompressedSigned was
being simplified to CheckedInt32ToCompressedSigned. However, sometimes
the effect chain is not propagated correctly. Since we have plans to
remove the Compressed MachineRepresentation, we can remove this
optimization now.

Bug: v8:7703, chromium:1011980
Change-Id: I9198c73666848f89db96928259af68400d442229
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847363
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64178}
2019-10-09 09:58:01 +00:00
Jakob Kummerow
ac94b07ade Fix broken test after 421fd392
Tbr: clemensb@chromium.org
No-Tree-Checks: true
No-Try: true
Change-Id: Id4ca5f618d035de13174e54ff4d617b03d839033
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847364
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64164}
2019-10-08 16:02:02 +00:00
Clemens Backes
1876767992 [wasm] Rename {Get,Set}Global to Global{Get,Set}
This brings our constants back in line with the changed spec text. We
already use kExprTableGet and kExprTableSet, but for locals and globals
we still use the old wording.

This renaming is mostly mechanical.

PS1 was created using:
ag -l 'kExpr(Get|Set)Global' src test | \
  xargs -L1 sed -E 's/kExpr(Get|Set)Global\b/kExprGlobal\1/g' -i

PS2 contains manual fixes.

R=mstarzinger@chromium.org

Bug: v8:9810
Change-Id: I064a6448cd95bc24d31a5931b5b4ef2464ea88b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847355
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64163}
2019-10-08 14:27:50 +00:00
Clemens Backes
421fd3929d [wasm] Rename {Get,Set,Tee}Local to Local{Get,Set,Tee}
This brings our constants back in line with the changed spec text. We
already use kExprTableGet and kExprTableSet, but for locals and globals
we still use the old wording.

This renaming is mostly mechanical.

PS1 was created using:
ag -l 'kExpr(Get|Set|Tee)Local' src test | \
  xargs -L1 sed -E 's/kExpr(Get|Set|Tee)Local\b/kExprLocal\1/g' -i

PS2 contains manual fixes.

R=mstarzinger@chromium.org

Bug: v8:9810
Change-Id: I1617f1b2a100685a3bf56218e76845a9481959c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847354
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64161}
2019-10-08 14:14:40 +00:00
Jakob Kummerow
f1e5488a7f [wasm] Fix stack args in CWasmEntry stub
The particular combination of (1) having callee-saved registers in
the stub per the C++ calling convention, (2) passing arguments to
the callee on the stack, and (3) that callee throwing an exception,
caused the saved registers to be restored to bogus values.
To fix this, the stack unwinder needs to compute the stub's frame
size correctly (i.e. without stack parameters).

Bug: chromium:1007608
Change-Id: Iadd99f10764f49f9e3c620c05723e09172c73cf7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847352
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64160}
2019-10-08 13:57:46 +00:00
Mythri A
90d161ff79 [runtime] Don't set sticky bit on empty_slow_element_dictionary
Empty slow element dictionary had the sticky bit set. This bit was
used to indicate that the dictionary cannot go to the fast mode either
because the dictionary had elements with attributed or elements at large
indices. There is no reason for the empty dictionary to have this bit set.
This causes bugs in some corner cases.

Bug: chromium:1003732
Change-Id: Ib29e1cda784869b9deb9361d8e6b5539f7154a38
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1833686
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64158}
2019-10-08 11:49:25 +00:00
Dan Elphick
427a2fd5a9 [parser] Fix preparsing of modules containing labels
Fixes spurious DCHECK triggering due to bug introduced in
https://chromium-review.googlesource.com/c/v8/v8/+/1836258.

Bug: chromium:1011596
Change-Id: Ia3b1eb25d326e465b3239f191aad11d90a2e56a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1844777
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64125}
2019-10-07 10:18:14 +00:00
Dan Elphick
58761221af [parser] Delete unresolved variables created for labels
This deletes unresolved VariableProxy objects created for labels in the
preparser which prevents shadowed variables in enclosing scopes from
being context-allocated.

Previously this was only done in the full parser, which leads to
bytecode mismatches with lazy source positions.

Bug: chromium:1009728, v8:8510
Change-Id: If2d0c345346116a7f5aacbcd0cf3638e9f7e04cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1836258
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64104}
2019-10-04 10:41:31 +00:00
Michael Lippautz
38c901614e GCExtension: Properly support exceptions
Fix corner case where we would try to read a property when having a
pending or scheduled exception.

Re-add tests.

Bug: chromium:1006640
Change-Id: I2fc84ee0f6145db2d200a8b9abf57fdc4b12a5a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1835531
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64083}
2019-10-02 12:14:02 +00:00
Michael Lippautz
a12bfa9e04 GCExtension: Bail out on proxy parameter
Bug: chromium:1006640
Change-Id: I0f38ed9c44b6a2a6cfd52fdd9e177768f57beb11
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1833692
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64077}
2019-10-02 07:41:38 +00:00
Suraj Sharma
1e3c3876f8 Modify the DCHECK in when computing KeyedAccessStoreMode.
Since slow handler was previously not a Smi. The DCHECK assumed any
Smi Handler on this path should be a proxy handler. Now it Checks for
both, and should continue if the current handler is a slow handler.

Bug: chromium:1008632
Change-Id: I079960894d7320d8d658d0990e8c32db51703206
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1828480
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Suraj Sharma <surshar@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#64052}
2019-09-30 18:59:48 +00:00
Z Nguyen-Huu
c721203615 Add missing null condition in Proxy GetPrototypeof
Bug: v8:9781
Change-Id: I1f82a828f103cc2aa3f9553214f6b4867ffc3b17
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1829897
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64049}
2019-09-30 17:56:34 +00:00
Dan Elphick
8de672cbe8 [parser] Prevent feedback slot merging for dynamic globals
This is a short-term fix to prevent any merging of feedback slots for
dynamic globals, while we work on a longer term solution to make it
consistent between eager and lazy compilation.

Bug: chromium:1008414, v8:8510
Change-Id: I4a5977046f53454d6f8a6ea2f41046abdf73418f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1829270
Commit-Queue: Dan Elphick <delphick@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64041}
2019-09-30 11:57:09 +00:00
Dan Elphick
f674045458 [parser] Fix destructured parameters in arrowheads
Always unmark arrowhead parameters as assigned directly after their
initialization as the parser doesn't know when it first sees the
"assignment" that it may be in an arrowhead.

Bug: chromium:1003403, v8:8510
Change-Id: Iad5a4136d5ec06331fc43b81a809fd72cee2dd65
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815131
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63947}
2019-09-24 14:11:52 +00:00
Jakob Gruber
256a81671b [regexp] Adhere to the stack limit in the interpreter
This introduces a limit for the interpreter's BacktrackStack to match
the limit used by generated code (RegExpStack::kMaximumStackSize).

Bug: chromium:1006670
Change-Id: I0b7613698e61257aecca89535ad9109c7e454692
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1821458
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63945}
2019-09-24 13:33:09 +00:00
Michael Starzinger
cf3421008a [wasm] Limit number of labels for {br_table} instruction.
This reduces the number of label indices accepted by {br_table} from the
full function body size to specifically 65520 labels. Note that TurboFan
already had a similar limitation on switches, but caused a crash during
compilation up until now. This change just makes the limit explicit and
avoids the crash during compilation.

R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-9759
BUG=v8:9759

Change-Id: I3a9a4406b19a7f98fc36707b3b946be846170a15
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1821457
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Backes [né Hammacher] <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63944}
2019-09-24 12:54:49 +00:00
Ulan Degenbaev
39ecc997eb Fix construction of empty backing stores for SharedArrayBuffers
Bug: chromium:1006629,v8:9380
Change-Id: I8e45759fe3ad1b0ef8f1ebdb33919c84e1e8a044
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815244
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63928}
2019-09-23 13:42:29 +00:00
Michael Starzinger
d1e9b884ae [asm.js] Fix parsing of float coercion arguments.
This fixes how arguments of a call to {fround} are being parsed. It now
accepts a single "AssignmentExpression" only instead of an "Expression"
which could potentially be a whole comma-separated list of expressions.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-1006592
BUG=chromium:1006592

Change-Id: Ifaf0c2b048e4ec18429cc6039c0e7dcdecc1d0bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815255
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63926}
2019-09-23 12:26:26 +00:00
Michael Starzinger
ca02d58b34 [wasm] Load call builtin in JS-to-JS wrappers.
This loads the call builtin from the Isolate root instead of embedding
it into the instruction stream. This can be more efficient, but more
importantly it fixes an issue with tracing and eventually allows for
background compilation of these wrappers.

R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-crbug-1006631
BUG=chromium:1006631

Change-Id: Ife1bc513340d233a3c01789c7b56126fe3b87f6f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815245
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63924}
2019-09-23 10:43:51 +00:00
Dan Elphick
4921821b2f [parser] Prevent lazy parsing of arrow functions
Change Parser::AllowsLazyParsingWithoutUnresolvedVariables to return
false if it may be parsing an arrow function.

Bug: v8:9758, v8:8510
Change-Id: Ic5d213d4358ff954a169c03e449197c3f050880c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1816510
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63920}
2019-09-23 08:59:18 +00:00
Suraj Sharma
99188fc477 [ic] Add support for StoreSlow() in Global Dispatcher
Global Objects now use the Smi handler StoreSlow() to perform
StoreGlobalIC_Slow.

Bug: chromium:1004037
Change-Id: I365ab918383525278590ca4369a4b1b0d9636d29
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1812657
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Suraj Sharma <surshar@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#63912}
2019-09-20 17:05:09 +00:00
Igor Sheludko
ecafe04b37 [ic] Fix accessor to data reconfiguration case
... in object literals.

Bug: chromium:997056
Change-Id: Ifc210ff53b751c6ef26f16b73c9ac52426a845fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1813021
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63894}
2019-09-19 14:35:46 +00:00
Ross McIlroy
513c75116d [CSA] Ensure we only call ToName once in KeyedLoadICGeneric.
BUG=v8:6949,v8:9396,chromium:1005400

Change-Id: I18f50fc385dd83c8f1c551d1a3dc32714122eb00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1813022
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63888}
2019-09-19 12:39:46 +00:00
Ross McIlroy
b946521f18 [CSA][cleanup] Use Name instead of String type for var_name in KeyedLoadICGeneric.
BUG=v8:6949,v8:9396,chromium:1004912

Change-Id: Ifa8207283aadad258281bffda6d49da574402a24
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1809370
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63865}
2019-09-18 11:22:28 +00:00
Dan Elphick
bec49d81df [csa] Fix parameter casting on empty arrays
Changes the Array(Includes|IndexOf)(Holey|Packed)Doubles builtins to
first check the input array is not empty before attempting to cast it to
a FixedDoubleArray as an empty array of doubles can be backed by a
FixedArray.

Bug: chromium:1004061
Change-Id: I12f302afa9596fb8a5581849662cd67fcc06f92b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1806676
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63794}
2019-09-16 13:49:21 +00:00
Maya Lekova
2f9d2fc1ce [turbofan] Add a missing object to the broker
Bug: chromium:1003730
Change-Id: Id8ca302b0b17ce08821507bb686bf241416eee67
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1806913
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63789}
2019-09-16 12:39:26 +00:00
Ross McIlroy
61085f2cb3 [CSA] Update TryLookupProperty to JSReceiver type.
The current JSObject type is too specific as it can also be passed proxy
objects.

BUG=chromium:1003919,v8:6949

Change-Id: I2766868543827fc5ee6f99f3b120c7ffe9cfed39
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803651
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63787}
2019-09-16 12:20:31 +00:00
Jakob Kummerow
b823bf1ba6 [test][cleanup] Revive --time, speed up some tests
This reimplements the "--time" option of run-tests.py to print the
20 slowest tests, on top of json_test_results infrastructure just
like the bots do it.
Additionally this CL speeds up a bunch of slow tests.

Bug: v8:9396
Change-Id: I40797d2c8c3bfdd310b72f15cd1a035844b7c6f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1803635
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63786}
2019-09-16 11:24:11 +00:00
Michael Starzinger
7da8f2c959 [wasm] Fix WebAssembly.Table#get for constructed functions.
This fixes the case where a table entry contains a function constructed
via {WebAssembly.Function} and is then read out via a runtime function
from the table.

R=ahaas@chromium.org
TEST=mjsunit/regress/wasm/regress-crbug-1002388
BUG=chromium:1002388

Change-Id: Ic0a9a544baaf37e68cd22eb91f2ef0bdf5fa5842
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1795352
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63709}
2019-09-12 09:40:55 +00:00
Michael Lippautz
3569a4febe [heap] Fix parameter parsing on GC builtin
Do not assume that the MaybeHandle that is returned when fetching for a property
is valid and instead check for its contents. Treat an empty handle as not
finding the right property.

Bug: chromium:1002827
Change-Id: Iac158086ec5f66cd9602f4a73ae78de367dd3e77
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1796556
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63672}
2019-09-11 10:13:16 +00:00
Mythri A
ecf178a159 Fix EmitGenericPropertyStore to bailout on stores to TypedArrays
We don't handle all cases for stores to typed arrays in the builtins
related to storing a property. Bailout to runtime when storing into
a typed array if the property is not found on the object.

Bug: chromium:996161
Change-Id: I684c7c4f526b15cdfb5bfe3fd23218910486a59e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1789396
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63639}
2019-09-10 10:13:38 +00:00
Dan Elphick
6f17f5d1ae [parser] Fix arrowhead parsing in the script scope
When analyzing functions scopes with the script_scope as parent, don't
skip migrating unresolved variables upwards if we could still be inside
an arrow head, which means accesses to those variables will be
correctly context allocated.

Bug: v8:8510, chromium:1000094
Change-Id: I684f2f8bc692de420203990f93e5c943b5b769c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1789705
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63635}
2019-09-10 09:11:07 +00:00
Clemens Hammacher
fba03abcfa Correctly handlify two frame {Summarize} methods
{JavaScriptFrame::GetParameters} allocates a new {FixedArray}, hence
all object references need to be handified to survive that allocation.

R=mstarzinger@chromium.org

Bug: chromium:1000635
Change-Id: I76df5ac109bdb6999fe897bdafaf2175344ecca4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1787429
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63583}
2019-09-05 15:42:59 +00:00
Leszek Swirski
470e68570e Reland^2 "[ic] In-place Double -> Tagged transitions""
This is a reland of 981aafaf97

It adds double checks to LoadFieldByIndex in the optimizing compiler, which
are likely the source of the crashes.

Original change's description:
> Reland "[ic] In-place Double -> Tagged transitions"
>
> This is a reland of 0736599a69.
> This is a reland of 7e1fbe8f34.
>
> Original change description:
> > [ic] In-place Double -> Tagged transitions
> >
> > With no more MutableHeapNumber, we can make Double -> Tagged transitions
> > in-place, at the cost of an extra map check when accessing double fields
> > to make sure they are still doubles.
> >
> > Bug: v8:9606
> > Change-Id: I74ff39ed6fba62ee223cd37dfe761f7d73020e1c
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743973
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#63374}
>
> TBR=verwaest@chromium.org, tebbi@chromium.org
>
> Bug: v8:9606
> Change-Id: I2d1b7416064d743582f4983fb868316b7e8a4cf2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1777661
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63499}

TBR=verwaest@chromium.org

Bug: v8:9606
Bug: chromium:997989
Change-Id: Iccfff8e5c6306c9ee4f6c62767dce883b1c6f743
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1784288
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63582}
2019-09-05 15:20:19 +00:00
Dan Elphick
a35a705983 [parser] Don't mark const variables as assigned
Since const variables are  immutable, ignore SetMaybeAssigned for them.

Bug: chromium:999450, chromium:1000170, v8:8510
Change-Id: Idc1b71677b3d03bb63cc025017c119710b8f392d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1782170
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63579}
2019-09-05 14:44:29 +00:00
Leszek Swirski
b293533ed8 Revert "Reland "[ic] In-place Double -> Tagged transitions""
This reverts commit 981aafaf97.

Reason for revert: Still crashing on Canary.

Original change's description:
> Reland "[ic] In-place Double -> Tagged transitions"
>
> This is a reland of 0736599a69.
> This is a reland of 7e1fbe8f34.
>
> Original change description:
> > [ic] In-place Double -> Tagged transitions
> >
> > With no more MutableHeapNumber, we can make Double -> Tagged transitions
> > in-place, at the cost of an extra map check when accessing double fields
> > to make sure they are still doubles.
> >
> > Bug: v8:9606
> > Change-Id: I74ff39ed6fba62ee223cd37dfe761f7d73020e1c
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743973
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#63374}
>
> TBR=verwaest@chromium.org, tebbi@chromium.org
>
> Bug: v8:9606
> Change-Id: I2d1b7416064d743582f4983fb868316b7e8a4cf2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1777661
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63499}

TBR=leszeks@chromium.org, verwaest@chromium.org, tebbi@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:9606
Bug: chromium:997989
Change-Id: Ic95166e67df68e84a524dffd8155121c3ff6aa13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1784283
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63550}
2019-09-04 11:39:43 +00:00
Dan Elphick
afca89f848 [parser] Improve hole check elision in async arrow funcs
Use the position of commas in async arrow expressions to mark the
initializer position of any parameters that might have been set in the
preceding parameter.

This extends https://chromium-review.googlesource.com/c/v8/v8/+/1710671
to async arrow heads.

Bug: v8:8510, chromium:997320
Change-Id: I98e0ac817c7f53fbf1dced98fb6891a386ee7803
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781057
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63542}
2019-09-04 09:13:03 +00:00
Michael Starzinger
369e0d587a [wasm] Enable optimization of Math.pow intrinsic.
R=clemensh@chromium.org
TEST=mjsunit/wasm/asm-wasm-math-intrinsic
BUG=v8:8505

Change-Id: I883c9ad174f7fda5ec5dd24e71ca674de51239b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1782160
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63521}
2019-09-03 11:57:20 +00:00
Leszek Swirski
981aafaf97 Reland "[ic] In-place Double -> Tagged transitions"
This is a reland of 0736599a69.
This is a reland of 7e1fbe8f34.

Original change description:
> [ic] In-place Double -> Tagged transitions
>
> With no more MutableHeapNumber, we can make Double -> Tagged transitions
> in-place, at the cost of an extra map check when accessing double fields
> to make sure they are still doubles.
>
> Bug: v8:9606
> Change-Id: I74ff39ed6fba62ee223cd37dfe761f7d73020e1c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743973
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63374}

TBR=verwaest@chromium.org, tebbi@chromium.org

Bug: v8:9606
Change-Id: I2d1b7416064d743582f4983fb868316b7e8a4cf2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1777661
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63499}
2019-09-02 10:18:34 +00:00
Dan Elphick
3e545f38cb [coverage] Collect source positions when toggling mode
When changing the code coverage or type profiler modes, first ensure
there are source positions for all BytecodeArrays as regenerating the
source positions after toggling the mode will result in a bytecode
mismatch.

Bug: v8:9656, v8:8510
Change-Id: Ic6cf3afec1588f11e5ce5fcbea2fd13e4452e15f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1774721
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63484}
2019-08-30 17:58:30 +00:00
Leszek Swirski
f6057ff1e3 [scopes] Push sloppy eval check through eval scopes
Sloppy eval extends the outer declaration scope's context. This is also
true for sloppy eval inside of other sloppy evals -- the outer declaration
scope's context is extended rather than the outer sloppy eval's
declaration scope. However, we consider eval scopes to also be declaration
scopes, for the purposes of strict eval and caching lookup variables. So,
we need to make sure that we skip through sloppy eval scopes when marking
a scope as calls_sloppy_eval.

In fact, we implement this rather as never marking sloppy eval scopes as
calls_sloppy_eval, under the assumption that the parent scope will already
have been marked calls_sloppy_eval by the outer eval.

As a drive-by, fix a TODO to move this logic from calls_sloppy_eval() to
RecordEvalCall(), rename the variable to something more meaningful, and
make Snapshotting to use a new calls_eval bit on Scope.

Bug: chromium:996751
Change-Id: I27ccc7ef429a7ce60b3bb02bf64a3820ae4a2c36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773247
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63455}
2019-08-29 14:49:28 +00:00
Leszek Swirski
e39c701963 Revert "[ic] In-place Double -> Tagged transitions"
This reverts commit 0736599a69.
This reverts commit 7e1fbe8f34.

Reason for revert: Still some crashes, reverting to unblock dev.

TBR=ishell@chromium.org,tebbi@chromium.org

Bug: v8:9606
Bug: chromium:997485
Bug: chromium:997989
Change-Id: I9a0cb5440bf4fce06c9e6134dacf5c03d512f049
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773271
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63441}
2019-08-29 09:50:08 +00:00
Z Nguyen-Huu
1f4bec2775 Add new nonextensible element kinds
Currently the backing store and elements kind might not aligned aka
backing store can be dictionary where elements kind is frozen/sealed
element kinds or the other way around. The reason is that
Object.preventExtensions change elements kind to DICTIONARY while
Object.seal/freeze change elements kind to SEALED/FROZEN element kind.
Apply both these operations can lead to that problem as in
chromium:992914

To solve this issue, we avoid Object.preventExtensions to change backing
store to dictionary by introducing new nonextensible elements kind.
These new nonextensible elements kind are handled similar to frozen,
sealed element kinds. This change not only fixes the problem but also
optimize the performance of nonextensible objects.

Change-Id: Iffc7f14eb48223c11abf3c577f305d2d072eb65b
Bug: chromium:992914, v8:6831
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760976
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63432}
2019-08-28 17:24:49 +00:00
Sigurd Schneider
4477097489 [runtime] Throw range error on too many properties
This change allows the KeyAccumulator to throw a range error if there
are too many properties to be enumerated.

This CL introduces extensive checks during key enumeration in the run-time,
and might introduce regressions. If so, feel free to revert.

Bug: chromium:918301
Change-Id: I6166c0b15f1a05eac7116a979f12ba4833d1d1b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545902
Auto-Submit: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63430}
2019-08-28 15:58:04 +00:00
Jakob Gruber
1990b1e14e [regexp] Dont attempt to match '^' before the start of the string
This fixes an invalid assumption when emitting code for matching '^'
(start of line) in multiline regexps and '\b', '\B' in general.

What we used to do: if the current trace's cp_offset (the offset from
the current position) was non-zero, we assumed that we were looking at
subject string index 1 or greater (i.e.: not at the start of the string
or before).

This is no longer valid since cp_offsets can now be negative.

This CL changes the logic to omit start- and bounds-checks only for
strictly positive cp_offsets, where the above assumption still holds.

Bug: chromium:996391
Change-Id: I79be4fc295c6f0b63e41c13d1e91fdd00f2f2b42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771794
Commit-Queue: Erik Corry <erikcorry@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Erik Corry <erikcorry@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63424}
2019-08-28 14:23:39 +00:00
Toon Verwaest
864cacd65a [json] Don't consume sibling feedback from objects with detached maps
By marking maps detached from the transition tree as prototypes, we'll
automatically stop tracking transitions from those detached fast maps. That
allows us to quickly check whether a map is detached (or the initial map
anyway); and saves memory. We can use this information to ignore sibling type
feedback when parsing a JSON array with many distinctly shaped json objects.

Bug: chromium:993980
Change-Id: I86d493ac2cabec2c31c6e322ad5c5a7ace059dfc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771778
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63403}
2019-08-26 15:57:52 +00:00
Leszek Swirski
7e1fbe8f34 [ic] Check Double representation on store
For stores with Double feedback, StoreIC needs to check that the
representation is still Double before doing the store, in case it
accidentally tries to write to an object or worse, mutate a non-mutable
HeapNumber.

Bug: v8:9606
Bug: chromium:997485
Change-Id: I51e0953b40f752648c5e86b8644c23baf636367e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768373
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63402}
2019-08-26 15:40:12 +00:00
Georg Schmid
7fd1922823 [turbofan] Relax double const store invariant in load elim. for literals
Even when a field is marked const, we may emit multiple consecutive in-literal stores to that field. That is, in 'JSNativeContextSpecialization::BuildPropertyStore', when the access mode is 'kStoreInLiteral' and we are accessing a const field, we may produce a StoreField node, even though another StoreField (that stores something other than 'Uninitialized') to the same const field dominates it. This appears to be sound, since earlier stores to literals cannot be observed anyways.

Unfortunately this behavior conflicts with the double const store invariant in load elimination: Roughly speaking, we assume that load elimination may never observe two consecutive const stores to the same field on the same object.

The apparent solution would be to treat 'kStoreInLiteral' accesses like regular 'kStore' accesses: For consecutive stores to const properties we don't emit StoreField, but instead emit code that checks whether the value about to be written is equivalent to the previously written one, and otherwise deopt ('DeoptimizeReason::kWrongValue'). Unfortunately this turns out impractical, since for 'kStoreInLiteral' accesses we can't easily decide whether we're dealing with the first such store or one of the consecutive ones. Also see this abandoned CL: https://chromium-review.googlesource.com/c/v8/v8/+/1762020.

This CL instead adds an exception to the invariant in load elimination. We track whether a store arose from a 'kStoreInLiteral' access, and use this information when visiting StoreField nodes in load elimination.

R=neis@chromium.org, tebbi@chromium.org

Bug: chromium:987205
Change-Id: I8829752aa0637e9599677d20aad2d706d40d7fe6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763535
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Schmid <gsps@google.com>
Cr-Commit-Position: refs/heads/master@{#63385}
2019-08-23 17:10:48 +00:00
Joshua Litt
48c9ca4462 [names] Fix some test262 name tests to conform with spec changes
In order to reflect web reality, TC39 has made some slight changes to
name descriptors, see https://github.com/tc39/ecma262/pull/1490 for
details. V8 was mostly already in compliance with these changes, but
ThrowTypeError and anonymous classes needed some slight changes.

Bug: v8:9646
Change-Id: I163238954938f0c005e3adbc61b90498e01436da
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1764622
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63373}
2019-08-23 15:04:31 +00:00
Maya Lekova
f16a3a7436 [turbofan] Fix memory corruption
Bug: chromium:997057
Change-Id: I821b91ff51f82e6325dae5719e1669142c82b05e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768579
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63369}
2019-08-23 14:03:01 +00:00
Ana Peško
c317f606bd [regexp] Print correct kind of regexp code (native/bytecode) when tier-up
is enabled.

Change-Id: Iab87b9c7a0d0600782b02537844338ff065622ab
Bug: chromium:996234
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1765531
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Ana Pesko <anapesko@google.com>
Cr-Commit-Position: refs/heads/master@{#63360}
2019-08-23 09:24:22 +00:00
Leszek Swirski
489e7deb7e [object] Remove MutableHeapNumber
Since the mutability of HeapNumbers is determined by their owning
object's descriptor array, we can remove the MutableHeapNumber type
entirely, at the cost of a few fewer DCHECKs and a couple of TODOs
to use the descriptor array information.

This is a necessary step towards a follow-up which allows in-place
Double -> Tagged transitions

Design doc: https://docs.google.com/document/d/1VeKIskAakxQFnUBNkhBmVswgR7Vk6T1kAyKRLhqerb4/

Bug: v8:9606
Change-Id: I13209f9c86f1f204088f6fd80089e17d956b4a50
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743972
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63294}
2019-08-20 19:04:04 +00:00
Dan Elphick
dd54736795 [parser] Fix bytecode mismatch for this
Fixes bytecode mismatch between lazy and non-lazy where "this" was
marked as maybe assigned in constructors that called the super
constructor. Since this will return the hole in cases where it was not
yet initialized by super (and the hole is explicitly handled by
JSContextSpecialization::ReduceJSLoadContext), it's safe to treat it as
a constant in all cases. In the case of lazy compilation case, "this"
is never added to the ScopeInfo so is never seen as mutable.

Bug: chromium:994719
Change-Id: I43478fbc626b19eb1533aa9dec61b7f276ae140b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762025
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63283}
2019-08-20 15:21:24 +00:00
Z Nguyen-Huu
bc1c36ee56 Reland "[builtins] Port RegExpTest to Torque"
This is a reland of f54f92dda1.

Fix IsFastRegExpPermissive to call BranchIfFastRegExp_Permissive.

Original change's description:
> [builtins] Port RegExpTest to Torque
>
> Bug: v8:8976
> Change-Id: Ia4dc120a31eb363599b47b22b749a3146a9c7c73
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1746083
> Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63211}

Bug: v8:8976, chromium:994041
Change-Id: I86c9c66b060f47164515e29f914b95456c233d30
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1756390
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63255}
2019-08-19 16:44:55 +00:00
Georg Schmid
f85826eaf2 [turbofan] Track field owner maps during load elimination
This CL adds additional information in PropertyAccessInfos and FieldAccesses about the map that introduced the accessed field. We use this information to prevent load elimination from incorrectly optimizing certain accesses marked const.

Prior to this CL, load elimination simply stored information about eliminatable field accesses based on objects (identified by nodes in the graph) and offsets (i.e., statically known ones). In the presence of const stores and loads this is insufficient, since a single object (in the above sense) may contain distinct *const* properties at the same offset throughout its lifetime. As an example, consider the following piece of code:

    let obj = {};
    obj.a = 0;
    obj[1024] = 1;  // An offset of >=1024 forces an elements-kind transition
    delete obj.a;
    obj.b = 2;
    assertEquals(obj.b, 2);

In this scenario, *both* the first ('obj.a = 0') and the second ('obj.b = 2') store to a field will be marked const by the runtime. The reason that storing to 'a' above ends up being marked const, is that 'a' before and after the elements-kind transition is encoded in separate transition trees. Removing 'a' ('delete obj.a') only invalidates const-ness in the dictionary-elements transition tree; not the holey-elements one used at the time of 'obj.a = 0'.

The above situation on its own violates an invariant in load elimination. Namely, we assume that for the same object and offset, we will never encounter two const stores. One can extend the above snippet to coax load-elimination into producing incorrect results. For instance, by "hiding" 'obj.b = 2' in an unoptimized function call, the consecutive load from 'b' will incorrectly produce 0, violating the assert.

R=neis@chromium.org, tebbi@chromium.org

Bug: chromium:980183, chromium:983764
Change-Id: I576a9c7efd416fa9db6daff1f42d483e4bd369b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751346
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63226}
2019-08-16 16:08:45 +00:00
Dan Elphick
cfe6ceae3f Fix crash Code::DropStackFrameCacheCommon
Fixes DCHECK failure in DropStackFrameCacheCommon by returning early if
the source_position_table is Exception.

Bug: chromium:990582, v8:8510
Change-Id: I671f3e0cdc9f880dedf8ecd2fffb1083229dc6dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752856
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63209}
2019-08-14 15:03:27 +00:00
Ross McIlroy
8c4609fdee [Parser] Don't mark receiver as MaybeAssigned since it can't be assigned.
Otherwise there is a mismatch between eager parsing (where the reciever
is marked as MaybeAssigned) and lazy parsing (where the receiver is
deserialized and not marked MaybeAssigned) for arrow functions that
have an inner scope that calls eval.

BUG=chromium:989914

Change-Id: I8b8b78140858985a75a971b0e0a95bd61463457b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752851
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63206}
2019-08-14 11:15:11 +00:00
Patrick Thier
52c7565de8 [regexp] Fix dirty read in regexp interpreter.
When GC triggered while an exception is pending, a read to
memory that was no longer valid could happen while backtracking in the
regexp interpreter (introduced with commit fb0df2c).
This CL prevents this dirty read, that could have been a security issue.

Bug: chromium:992389, v8:9575
Change-Id: Ie1acd6faa16665e211666c6a8dcf2a9d74e0c886
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751342
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63195}
2019-08-13 16:08:18 +00:00
Ross McIlroy
69b1f07229 [Parsing] Fix a bug in UpdateBufferPointers where it incorrectly updated the buffer range.
When a RelocatingCharacterStream is Seeked, it's buffer_pos_ could be set a non-zero value.
However, UpdateBufferPointers was assuming the position was zero to relocate the buffer_start_
and buffer_end_, which would lead to the stream becoming misaligned. Fix this and add a
unittest and the clusterfuzz script which highlighted the issue.

BUG=chromium:991133

Change-Id: I20dd510b3dcc5df6df058b7e06d2c8a838aef855
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751782
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63190}
2019-08-13 14:20:17 +00:00
Peter Marshall
5577c69d27 [debug] Report line numbers for Function constructor functions correctly
The spec says we have to insert some wrapper code with extra line breaks
in it, but this confuses users when they see stack traces as the line
numbers come from the code with the wrapper, instead of the original.

This CL sets line_offset on the script to indicate that line numbers
should be offset by the 2 extra line breaks when reading them out e.g.
for the purpose of stack traces.

Bug: chromium:109362
Change-Id: Ib608e1043c38b595b1466766f7592e993ee3b996
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741660
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63127}
2019-08-08 13:49:17 +00:00
Joshua Litt
b6731abef0 [turbofan] Revert algorithm simplification in Math.hypot
When a fast path was added for Math.hypot, the algorithm was also
simplified. This simplification turns out to be incorrect in some rare
edge cases. This cl reverts back to the original algorithm and converts it to torque.

Original cl: https://chromium-review.googlesource.com/c/v8/v8/+/1684178

Bug: v8:9546
Change-Id: If4e21504732f46081a8de823f50f499917f1a20c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1725200
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63070}
2019-08-05 11:12:58 +00:00
Leszek Swirski
9cf089e968 [scopes] Skip dynamic vars in eval scopes during lookup
For variable proxies in a function inside an eval scope that point to
a dynamic variable in the eval scope, the current scope resolution will
find this variable only when the function is eagerly compiled, as the
eval scope only exists during top-level eval compilation. This causes
a mismatch between lazy- and eager- compiled functions.

With this patch, we skip these dynamic variables during lookup, so that
the lookup for the variable proxy always finds a kDynamicLocal or
kDynamicGlobal, both when compiled lazily and eagerly. This is a minor
pessimisation of performance (as we know that the lookup has to be
dynamic), but unblocks other improvements which require idempotent
bytecode generation (such as lazy source positions).

Note that the alternative, of simply not tracking dynamic variables on
the eval scope at all, is not viable due to needing this information
during conflict detection.

Bug: v8:8510
Bug: v8:9511
Change-Id: Ifa72ec05e9a97b7be418912340081b9656765fd4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1733077
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63051}
2019-08-02 14:55:13 +00:00
Maya Lekova
5a624dc465 [turbofan] Fix crash with --trace-turbo-inlining
When the flag is on and some of the functions don't have bytecode,
we should gracefully print "no bytecode" instead of crashing.

Bug: chromium:983267
Change-Id: Id4e3385cd871a2dd5bead38c29a41b38319cc8d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731003
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63031}
2019-08-01 12:56:05 +00:00
Seth Brenith
bea0ffd0dd Reland "[regexp] Better quick checks on loop entry nodes"
This is a reland of 4b15b984ad

Updates since original: fix an arithmetic overflow bug, remove an invalid
DCHECK, add a unit test that would trigger that DCHECK.

Original change's description:
> [regexp] Better quick checks on loop entry nodes
>
> Like the predecessor change https://crrev.com/c/v8/v8/+/1702125 , this
> change is inspired by attempting to exit earlier from generated RegExp
> code, when no further matches are possible because any match would be
> too long. The motivating example this time is the following expression,
> which tests whether a string of Unicode playing cards has five of the
> same suit in a row:
>
> /([🂡-🂮]{5})|([🂱-🂾]{5})|([🃁-🃎]{5})|([🃑-🃞]{5})/u
>
> A human reading this expression can readily see that any match requires
> at least 10 characters (5 surrogate pairs), but the LoopChoiceNode for
> each repeated option reports its minimum distance to the end of a match
> as zero. This is correct, because the LoopChoiceNode's behavior depends
> on additional state (the loop counter). However, the preceding node, a
> SET_REGISTER action that initializes the loop counter, could confidently
> state that it consumes at least 10 characters. Furthermore, when we try
> to emit a quick check for that action, we could follow only paths from
> the LoopChoiceNode that are possible based on the minimum iteration
> count. This change implements both of those "could"s.
>
> I expect this improvement to apply pretty broadly to expressions that
> use minimum repetition counts and that don't meet the criteria for
> unrolling. In this particular case, I get about 12% improvement on the
> overall UniPoker test, due to reducing the execution time of this
> expression by 85% and the execution time of another similar expression
> that checks for n-of-a-kind by 20%.
>
> Bug: v8:9305
>
> Change-Id: I319e381743967bdf83324be75bae943fbb5dd496
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1704941
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62963}

Bug: v8:9305
Change-Id: I992070d383009013881bf778242254c27134b650
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1726674
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#63009}
2019-07-31 14:34:20 +00:00
Toon Verwaest
19810c489c [ic] Remove broken DCHECK and clean up naming
The DCHECK related to a time when dictionary mode prototypes were the payload
of complex data driven handlers. Now the additional data is used to hold
entirely different kinds of objects. The DCHECK made no sense anymore. Cleaning
up the names makes this clearer.

Bug: chromium:986187
Change-Id: I7173d7d2824396c04c01acb4ceb74693ee9ce6b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1724215
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62993}
2019-07-30 16:22:08 +00:00
Toon Verwaest
a4dd93bf29 [parser] Validate the target of property access assignment as expression
This drops possible remaining pattern errors from the access target. This is
necessary since sub patterns with default values (assignment expression) aren't
otherwise identifiable as being property accesses.

Bug: v8:9560
Change-Id: Ie6781c0d161e00790268f7d9db81377d045f93b6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1725624
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62982}
2019-07-30 11:41:59 +00:00
Maya Lekova
d978b5c00c [turbofan] Fix wrong serialization for Function.bind
Bug: v8:7790
Change-Id: I31502a8023564e88e0a28a421e3c7fb3404847dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722566
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62973}
2019-07-30 07:55:12 +00:00
Dan Elphick
4189da7b0e [parsing] Fix bytecode mismatch for arrow funcs
Fixes a bytecode mismatch for arrow functions with default arguments
between eager and lazy compilation. In the former case, parameters with
default values are marked as assigned even if the value never changes
within the function because the parser does not know it's an
arrow-function at the point it sees the assignment.

So this changes ArrowHeadParsingScope::ValidateAndCreateScope to clear
the is_assigned flag on its parameter VariableProxies before it binds
them.

Bug: chromium:988304, v8:8510
Change-Id: I68bf205c73471386181e5fdcec6c8c3b2e527c8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1724384
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62962}
2019-07-29 16:30:10 +00:00
Dan Elphick
f47cbb28ab [parsing] Improve elision of hole checks for default parameters
Use the position of commas in arrow expressions to mark the initializer
position of any parameters that might have been set in the preceding
parameter.

To enable this, this makes variable_list_ in ExpressionParsingScope a
ScopedList<pair<VariableProxy*, int>> and changes ScopedList::at to
return references so its elements can be modified in place.

This fixes a source of bytecode mismatches when collecting source
positions lazily and is a second attempt at fixing this after
https://chromium-review.googlesource.com/c/v8/v8/+/1683267 introduced
problems due to destructuring.

Bug: chromium:980422, chromium:981701, v8:8510
Change-Id: I948f89f34fb75d7463a13183e363f7f96ad09d13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710671
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62936}
2019-07-26 12:15:31 +00:00
Mythri A
b62a7166c7 Fix flaky failure in mjsunit/regress/regress-unlink-closures-on-deopt
This is short-term fix for flaky failures on GC fuzzer. The closures
g1 and g2 have the same SFI and pending optimzed table treats them as
a single entry. This cl, adds %PrepareFunctionForOptimize after one of
them is optimized.

Bug: v8:9556
Change-Id: I1fd72da1baa5de2f7650e080f9b6d04b69dd6a16
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719188
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62934}
2019-07-26 12:00:11 +00:00
Mythri A
21f796df44 [ic] Pass the converted value to the runtime when storing to a typed array
Preparing the value for storing into a typed array is user visible
operation in some cases (for ex: calling ToNumber). To avoid doing this
conversion twice pass the converted to the runtime when bailing out
from the handlers.

Bug: chromium:981236
Change-Id: I3de23d317d22cd6c201fe8a4db30014f4cf76251
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1692932
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62879}
2019-07-23 15:53:56 +00:00
Maya Lekova
b9d3651e3c [turbofan] Fix wrong expectation when serializing API calls
Bug: v8:7790, chromium:985660
Change-Id: I4e931a4a23421982f05e16c8ffa2ccc68fb34b63
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709423
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62862}
2019-07-23 08:54:54 +00:00
Adam Klein
40624b5b41 [runtime] Always throw when asked to make an array's length configurable
Previously, if the new length was less than the current length, we ignored
the "configurable" value and set the length as requested. We already threw
if the new length was greater than or equal to the current length.

New behavior matches the spec and other implementations.

Bug: v8:9460
Change-Id: Idb92fd121bdaa707f6abd2d2082628bbf3541b83
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709336
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62855}
2019-07-22 17:16:10 +00:00
Toon Verwaest
9c766330e0 Reland "[runtime] Fix protector invalidation"
This is a reland of e55e0aa5bd

Original change's description:
> [runtime] Fix protector invalidation
>
> Protectors trigger when special properties are modified or masked. Previously
> we would check whether the property stored on the holder would invalidate the
> protector. Stores to to the receiver rather than the holder, however, so this
> CL changes holder for receiver, and adds additional checks that were missing.
>
> Bug: v8:9466
> Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62805}

Tbr: leszeks@chromium.org
Bug: v8:9466
Change-Id: I693c73577ca9a35a271f509770cc1c87e5cc4b73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709420
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62829}
2019-07-19 13:32:25 +00:00
Michael Starzinger
224ca74ae4 [asm.js] Propagate language mode to exported functions.
This makes sure the language mode of the module is correctly propagated
through the WebAssembly module, so that exported functions are allocated
with the correct language mode. It extends the existing {ModuleOrigin}
enum to consist of three values now.

R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-985154
BUG=chromium:985154

Change-Id: Id7b566738b1e710cc5001b894022bcd0f2c01bc3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708484
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62826}
2019-07-19 11:47:48 +00:00
Sathya Gunasekaran
050ad1d840 Revert "[runtime] Fix protector invalidation"
This reverts commit e55e0aa5bd.

Reason for revert: speculative revert for tsan breakage
https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket.appspot.com/8907588363297935904/+/steps/Check__flakes_/0/logs/regress-437713/0

Original change's description:
> [runtime] Fix protector invalidation
> 
> Protectors trigger when special properties are modified or masked. Previously
> we would check whether the property stored on the holder would invalidate the
> protector. Stores to to the receiver rather than the holder, however, so this
> CL changes holder for receiver, and adds additional checks that were missing.
> 
> Bug: v8:9466
> Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62805}

TBR=leszeks@chromium.org,verwaest@chromium.org

Change-Id: Id8fc36525b7c5631589a67073ad1fd5815ea2775
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9466
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708482
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62807}
2019-07-18 14:51:03 +00:00
Toon Verwaest
e55e0aa5bd [runtime] Fix protector invalidation
Protectors trigger when special properties are modified or masked. Previously
we would check whether the property stored on the holder would invalidate the
protector. Stores to to the receiver rather than the holder, however, so this
CL changes holder for receiver, and adds additional checks that were missing.

Bug: v8:9466
Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62805}
2019-07-18 13:48:52 +00:00
Ross McIlroy
b06a134c24 [Compile] Ensure we don't reuse a feedback vector with a different layout than expected.
If we flush the bytecode from a SFI we might recompile a JSFunction while the function
still has its old feedback vector. This should usually be fine since the new and old
feedback vectors have the same layout, however some bugs in the parser mean that it's
possible for eagerly and lazily compiled eval functions to have different bytecode and
so potentially different feedback vector layouts.

For now reset the feedback vector if it doesn't have the same size when we compile the
JSFunction, and recreate a new one of the correct layout. This will be replaced with a
CHECK once the parser bugs are fixed.

BUG=chromium:984344,v8:9511

Change-Id: Ib8976f2541516f7a07e4d4ab7dc3c750dfe9b5d4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708474
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62800}
2019-07-18 12:33:52 +00:00
Igor Sheludko
00ed3a2df5 [classes] Properly handle properties count slack
Bug: chromium:979401
Change-Id: I99ab2fd04bd2e23b4d7a494cecc056ec74cb9d04
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1687422
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62674}
2019-07-12 11:57:17 +00:00
Sathya Gunasekaran
0461a2ac29 [ic] Fix private field lookup in generic case
Previously, we didn't have access checks for the megamorphic case cause
we'd never get to this IC state for a receiver that doesn't hold the
right private field. But now with lazy feedback allocation we share
the megamorphic case code paths for the uninitialized loads as well,
which exposes our bug.

Bug: chromium:982702
Change-Id: I419406bcfc52575260a85d05520c1662735e15f8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1697256
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62668}
2019-07-12 09:42:11 +00:00
Ben Smith
cc71e231f7 [wasm][threads] Fix alignment of i64.atomic.wait
The alignment should be 3 (i.e. 8 bytes), but was specified as 2 (i.e. 4
bytes).

Bug: v8:9425
Change-Id: I0beb09df25fe0281ed604909e894afd804f5411e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1693836
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62657}
2019-07-11 18:18:36 +00:00
Mythri A
b086cb7b9a Check that function was prepared before optimizing using manually
With lazy feedback allocation and bytecode flushing we need to call
%PrepareFunctionForOptimize before we call %OptimizeFunctionOnNextCall/
%OptimizeOsr. This cl:
1. Adds an additional state in pending optimized table to check if the
optimization was triggered manually.
2. Changes the compilation pipeline to delete the entry from pending
optimized table only if the optimization was triggered through
%OptimizeFunctionOnNextCall / %OptimizeOsr.
3. Adds a check to enforce %PrepareFunctionForOptimize was called.
4. Adds a new run-time flag to only check in the d8 test runner. We
don't want this check enabled in other cases like clusterfuzz that doesn't
ensure %PrepareFunctionForOptimize is called.

Bug: v8:8394, v8:8801, v8:9183
Change-Id: I9ae2b2da812e313c746b6df0b2da864c2ed5de51
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1664810
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62653}
2019-07-11 14:57:49 +00:00
Mythri A
b048429ec3 [runtime] Remove try_fast path from GetOwnPropertyNames builtin
GetOwnPropertyNameTryFast uses ENUMERABLE_STRINGS filter to trigger fast
path in KeyAccumulator::GetKeys conditionally when all properties on the
receiver are enumerable. It is not easy to verify if all properties are
enumerable and the current check is incorrect in some cases.
For ex: when we have non-enumerable properties when we have elements on
the receiver. This cl removes this try_fast path from the builtin. This
could impact performance. The long term fix for this would be to fix
KeyAccumulator::GetKeys to use fast path for more cases.


Bug: chromium:977870
Change-Id: Iecde730739c2c452ffa0d893d0d1b3612a45d1b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1679499
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62649}
2019-07-11 14:06:09 +00:00
Michael Starzinger
f71ccd7a2b [wasm] Fix importing of re-exported JavaScript callable.
This fixes a corner-case where a {WasmExportedFunction} that represents
a re-export of a JavaScript callable from another module was identified
correctly, but not all corner-cases were correctly covered. Concretely
we failed to check for function signatures incompatible with JavaScript.

R=ahaas@chromium.org
TEST=mjsunit/regress/wasm/regress-9447
BUG=v8:9447

Change-Id: Ia6c73c82f4c1b9c357c08cde039be6af100727d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1690941
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62632}
2019-07-11 09:12:54 +00:00
Dan Elphick
a61ce8a0d0 Revert "[parsing] Improve elision of hole checks for default parameters"
This reverts commit e8d865973f.

Reason for revert: crbug.com/981701

Original change's description:
> [parsing] Improve elision of hole checks for default parameters
> 
> Use the position of the next parameter to be declared as the end of the
> initializer for default parameters, so that hole checks can be elided
> for initializers using previous parameters in arrow functions.
> 
> This fixes a source of bytecode mismatches when collecting source
> positions lazily.
> 
> Bug: chromium:980422, v8:8510
> Change-Id: I5ab074231248b661156e7d8e47c01685448b56d5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1683267
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62525}

TBR=verwaest@chromium.org,delphick@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:980422, v8:8510
Change-Id: I3abd70a1fb00967e58b46177655a0078e24db720
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1697242
Reviewed-by: Dan Elphick <delphick@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62630}
2019-07-11 09:07:29 +00:00
Z Nguyen-Huu
bebca70960 TryPrototypeChainLookup: Bailout for Smi receiver
a77323416a missed a case when receiver is
Smi in TryPrototypeChainLookup.

Bug: chromium:980292, chromium:980226
Change-Id: Ife6be4541d6b280253a7e87cf6f57c96efe8300f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1687283
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62608}
2019-07-09 20:12:24 +00:00
Z Nguyen-Huu
bf1ab278e1 Remove unnecessary DCHECK
This DCHECK is unnecessary because the object can be sealed or frozen
before it is set as a prototype map.

The repro is
Object.seal(Object);// Object is HOLEY_FROZEN_ELEMENTS
const v3 = Object();
v3.__proto__ = Object; // Set prototype map bit and dictionary map bit
const v6 = Object.seal(Object); // Turn Object to DICTIONARY_ELEMENTS

Bug: chromium:980168
Change-Id: Iec50249d0ff0c5ed959201707b837871fcb88a02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1687280
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62606}
2019-07-09 15:41:13 +00:00
Jakob Gruber
1b06c23b14 [regexp] Handle large named capture groups object
The name dictionary allocated to store named captures on the regexp
result object could be too large for regular heap spaces and
ConstructNewResultFromMatchInfo must thus also handle the large object
case.

Bug: chromium:980891
Change-Id: Ia1dbecd0a9d9d6b39f80e77680386c385d95c97c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691907
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62591}
2019-07-09 09:28:46 +00:00
Ross Kirsling
7fc00d8aa6 Reland "Reland "Let all early errors be SyntaxErrors.""
This is a reland of 89d93e3851

Original change's description:
> Reland "Let all early errors be SyntaxErrors."
> 
> This is a reland of 99fd5b9b9d which includes a missed update to
> test/test262/test262.status.
> 
> Implement the spec change from the following TC39 PR:
> https://github.com/tc39/ecma262/pull/1527
> 
> Bug: v8:9326
> Change-Id: Ie3aac60db550e90fb648fc30886a05419fa41afe
> TBR: adamk@chromium.org
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1682989
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62500}

Bug: v8:9326
Change-Id: Ic30280400dfa5b83a4a397888e563eee479446c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1688271
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62553}
2019-07-08 10:15:46 +00:00
Simon Zünd
7e0f961e4d [deoptimizer] Handle continuation frames that are not preceded by adapter frames
This CL teaches the deoptimizer about JavaScriptBuiltinContinuation
frames that are not preceded by argument adapter frames. This pattern
is used when calling C++ API functions from TurboFan.

This CL fixes a crash when the deoptimizer encounters the pattern
described above. The crash was caused when the deoptimizer tried to
read the arguments of the continuation frame. As no adapter frame
was present, the argument count was read from the SharedFunctionInfo
which had the kDontAdaptArgumentsSentinel value. This translated to
an argument count of ~65000 later down the line, which caused a
FATAL error when the deoptimizer tried to re-construct ~65000
non-existent values.

Bug: chromium:980529
Change-Id: Id2de3bf7607102ab5a16de344c649015e968b185
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1687417
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62547}
2019-07-08 08:39:04 +00:00
Dan Elphick
e8d865973f [parsing] Improve elision of hole checks for default parameters
Use the position of the next parameter to be declared as the end of the
initializer for default parameters, so that hole checks can be elided
for initializers using previous parameters in arrow functions.

This fixes a source of bytecode mismatches when collecting source
positions lazily.

Bug: chromium:980422, v8:8510
Change-Id: I5ab074231248b661156e7d8e47c01685448b56d5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1683267
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62525}
2019-07-04 13:10:29 +00:00
Clemens Hammacher
356b4602da Revert "Reland "Let all early errors be SyntaxErrors.""
This reverts commit 89d93e3851.

Reason for revert: Breaks layout tests: https://ci.chromium.org/p/v8/builders/ci/V8-Blink%20Linux%2064/32929

Original change's description:
> Reland "Let all early errors be SyntaxErrors."
> 
> This is a reland of 99fd5b9b9d which includes a missed update to
> test/test262/test262.status.
> 
> Implement the spec change from the following TC39 PR:
> https://github.com/tc39/ecma262/pull/1527
> 
> Bug: v8:9326
> Change-Id: Ie3aac60db550e90fb648fc30886a05419fa41afe
> TBR: adamk@chromium.org
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1682989
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62500}

TBR=adamk@chromium.org,gsathya@chromium.org,verwaest@chromium.org,rkirsling@gmail.com

Change-Id: Ia56dcda6780a2b1249749e1e7978b35b5e33fbcf
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9326
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1687678
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62509}
2019-07-03 12:47:41 +00:00
Leszek Swirski
f690334b7f [ic] Fix accessor set after map update transitioning to dict
Bug: chromium:979023
Change-Id: Ief42ed100478c0b741051a5ca123dc807e2a6dca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1687671
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62501}
2019-07-03 10:00:17 +00:00
Ross Kirsling
89d93e3851 Reland "Let all early errors be SyntaxErrors."
This is a reland of 99fd5b9b9d which includes a missed update to
test/test262/test262.status.

Implement the spec change from the following TC39 PR:
https://github.com/tc39/ecma262/pull/1527

Bug: v8:9326
Change-Id: Ie3aac60db550e90fb648fc30886a05419fa41afe
TBR: adamk@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1682989
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62500}
2019-07-03 09:54:07 +00:00
Clemens Hammacher
a420d20c07 [ubsan] Fix integer overflow in compiler
Negating the maximum int32 failed in ubsan. Use
{base::NegateWithWraparound} to avoid UB.

R=jkummerow@chromium.org

Bug: chromium:980007
Change-Id: If52a3bb3158eb5b465e7bd29deaffc0b18660360
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1683993
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62470}
2019-07-01 14:34:45 +00:00
Michael Starzinger
f03430fe4c [asm.js] Fix undefined cast from double to float.
This fixes undefined behavior in the implicit cast from double to float
when a double literal is passed through {fround} while declaring a local
variable.

R=jkummerow@chromium.org
TEST=mjsunit/regress/regress-crbug-976934
BUG=chromium:976934

Change-Id: I0efa2bf3f89d32c445f0b9bf719880d17fe9743c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1683999
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62469}
2019-07-01 14:27:05 +00:00
Jakob Kummerow
afdda80099 [test] Speed up regress-crbug-319860.js
This reduces the time it takes to run this test in --jitless mode
from 32s to 0.7s.

Bug: v8:9416
Change-Id: Ie9a7465b604b28ff8ccaa50f0918c62e3128ac08
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1682575
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62464}
2019-07-01 09:37:37 +00:00
Jakob Gruber
bc4cbe927a [regexp] Fix BoyerMooreLookahead behavior at submatches
Since https://codereview.chromium.org/2777583003, the Boyer-Moore
lookahead (used by the irregexp engine) also looks inside submatches
to narrow down its range of accepted characters at specific offsets.

But the end of a submatch, designated by a PositiveSubmatchSuccess
action node, was not handled correctly. When a submatch terminates,
we have no knowledge of what may follow, and thus must accept any
character at following positions. This is done by the SetRest call
added in this CL.

An example, since this is fairly obscure:

/^.*?Y(((?=B?).)*)Y$/s

The initial non-greedy loop, together with the s flag,
will trigger an attempted Boyer-Moore lookahead. After this follows
an unconditional Y, a *-quantified loop matching any char and
containing a lookahead that matches either 1 B or 0 B's, and an
unconditional trailing Y.

When the BM lookahead scans the subject string for the beginning of
this pattern after the non-greedy loop, it should look for: a Y at
offset 0, and either a B, a Y, or '.' (-> any character) at offset 1.

Prior to this CL this was not the case:

- The lookaround is internally generated as a submatch.
- The optional 'B?' is unrolled into 'either B followed by submatch
  end' or 'submatch end'.
- Filling in BM infos terminates when encountering a submatch end.
  Thus in the former case we added B to the set of accepted characters
  and terminated, while in the latter case we simply terminated.o

This CL ensures that BM will accept any character at any offset at or
exceeding the first encountered submatch end.

Bug: v8:8770
Change-Id: Iff998ba307cd9669203846a9182798b8cf6a85dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1679506
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Erik Corry <erikcorry@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62460}
2019-07-01 07:14:17 +00:00
Leszek Swirski
fc4bcce132 [parser] Mark maybe_assigned recursively for shadowing vars
The previous fix for this bug (crrev.com/c/1678365) pessimistically
would mark all shadowed variables as maybe_assigned. Unfortunately,
this doesn't work across a parse/preparse boundary, where the shadowing
variable is found via Scope::AnalyzePartially while the shadowed
variable is outside of the preparser entry point. In those cases, the
referencing proxy is copied to the outer scope, in which case the
dynamicness of the original lookup is lost and the maybe_assigned
pessimisation no longer applies.

This means that maybe_assigned status of a variable is dependent on
which function is being parsed. In particular, it can cause bytecode
to change on recompilation, causing issues for lazy source positions.

This patch allows SetMaybeAssigned to walk its shadowed variables,
and recursively set them to maybe_assigned too. Checking for
maybe_assigned changing prevents this recursion from having a
quadratic performance failure mode.

Bug: v8:8510
Bug: v8:9394
Change-Id: Id19fe1fad5ec8f0f9aa03b00eb24497f88f71216
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1677265
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62458}
2019-07-01 06:53:37 +00:00
Francis McCabe
06f8463004 Revert "Let all early errors be SyntaxErrors."
This reverts commit 99fd5b9b9d.

Reason for revert: fails presubmit test:
https://ci.chromium.org/p/v8/builders/ci/V8%20Presubmit/5238
and a nosnap test
https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20nosnap%20-%20shared/34143

Original change's description:
> Let all early errors be SyntaxErrors.
> 
> Implement the spec change from the following TC39 PR:
> https://github.com/tc39/ecma262/pull/1527
> 
> Bug: v8:9326
> Change-Id: I9639903b12e7621e323990e2335f00e0313a59c3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1643171
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Adam Klein <adamk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62451}

TBR=adamk@chromium.org,verwaest@chromium.org,rkirsling@gmail.com

Change-Id: If63b97725e9737ad5a98800e1194caf8e9c1c43d
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9326
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1682393
Reviewed-by: Francis McCabe <fgm@chromium.org>
Commit-Queue: Francis McCabe <fgm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62452}
2019-06-28 23:36:59 +00:00
Ross Kirsling
99fd5b9b9d Let all early errors be SyntaxErrors.
Implement the spec change from the following TC39 PR:
https://github.com/tc39/ecma262/pull/1527

Bug: v8:9326
Change-Id: I9639903b12e7621e323990e2335f00e0313a59c3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1643171
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62451}
2019-06-28 22:38:43 +00:00
Z Nguyen-Huu
a77323416a Add GetPropertyWithReceiver stub for proxy get trap
GetPropertyWithReceiver is similar to GetProperty, except that additional receiver parameter is used in TryPrototypeChainLookup to support GetPropertyWithReceiver stub.
We only use this stub in ProxyGetProperty builtin for now.

Bug: v8:8958
Change-Id: Ied60e4f6ee6e09bca2f161048b481a0bf37a78a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1676879
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62431}
2019-06-27 21:44:25 +00:00
Mathias Bynens
5c2c5ce133 [test] Remove module pragma in favor of .mjs
d8 treats files with the .mjs extension as modules instead of
classic scripts. Thus, the `// MODULE` pragma and its corresponding
logic in test runners can be removed in favor of explicitly adding
the extension.

Bug: v8:7950, v8:9395, v8:9406
Also-By: tmrts@chromium.org
Change-Id: Ic74328dc5c5f176bb4bdf6d74bdd4d3966279ba5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1675958
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Auto-Submit: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62421}
2019-06-27 13:25:48 +00:00
Leszek Swirski
e79751b3c1 [parser] Always mark shadowed vars maybe_assigned
If there was an assignment to a maybe-shadowing dynamic variable,
then the shadowing variable would be marked maybe_assigned, but the
maybe-shadowed variable would stay unchanged. This meant that in
non-shadowing cases, the not-actually-shadowed variable would have
the wrong maybe_assigned state, and e.g. would break context
specialization.

This patch pessimistically unconditionally sets maybe_assigned on
variables shadowed by a dynamic variable in a `with` scope. This
marking can cause false positives and sub-optimal optimization for
some functions with 'with' blocks, but it's also the simplest fix
for this issue which doesn't affect performance in the common case
of no 'with' blocks.

Bug: v8:9394
Change-Id: I6924bd7d48dda61232aa9d72c39df1c76c665c67
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1678365
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62407}
2019-06-27 08:26:02 +00:00
Georg Schmid
eaf2a23bc7 [objects] Migrate kHoleNanInt64 unboxed doubles to uninitialized values during boilerplate serialization
Boilerplate values may possess an unboxed double field filled with the kHoleNan64Int sentinel value, which indicates that the field is uninitialized. When a boilerplate value migrates away from the unboxed double representation to a tagged one, we should replace the sentinel value by the proper uninitialized oddball value.

This fixes an issue with JSCreateLowering::AllocateFastLiteral not detecting const stores of uninitialized values properly.

R=bmeurer@chromium.org, jarin@chromium.org

Bug: chromium:976598
Change-Id: I6bb216c0618a3105e6c8cfc04b1900d2f83a52ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1674034
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Schmid <gsps@google.com>
Cr-Commit-Position: refs/heads/master@{#62394}
2019-06-26 15:51:39 +00:00
Leszek Swirski
9c1363e5ad [map] Update map in PrepareForDataProperty
Deprecated maps might not be updated before being passed to
PrepareForDataProperty. If the target map is a dictionary map,
then adding the data property can fail.

As a drive-by, remove the dead ForTransitionHandler code, which
was another (potentially unsafe) caller of PrepareForDataProperty

Bug: chromium:977012
Change-Id: I894bbc9bca2001555474a3570eb03fe6b0f69ddd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1674029
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62377}
2019-06-26 10:17:41 +00:00
Jakob Gruber
4c156936e8 [regexp] Allow JSRegExpResult allocations in large object space
Large regexp results may exceed kMaxRegularHeapObjectSize and must
thus be allocated in large object space.

Drive-by: Rename '%InNewSpace' to '%InYoungGeneration'.

Bug: chromium:976627
Change-Id: I38b5aecb95a95cf2fdbb24d19550cec34361a09d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1674027
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62368}
2019-06-26 07:50:33 +00:00
Leszek Swirski
88d2349620 [map] Ignore migration target bit when normalizing
Bug: chromium:976939
Bug: chromium:977089
Change-Id: I93153dcf8c38e8b0b202597f5b27ce736c0552ec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1672936
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62329}
2019-06-24 10:44:11 +00:00
Dan Elphick
fc68d1e51a [interpreter] Fix order of bytecode generated for adding getters/setters
Makes the order of the generated calls to the Runtime function
DefineAccessorPropertyUnchecked fixed regardless of hashseed so that
recompilation for lazy source positions always generates the same
result.

Moves AccessorTable from src/ast/ast.h to bytecode-generator.cc since
that's the only place that uses it.

Bug: v8:9383, v8:8510
Change-Id: I89e0aad1683a793714bfb48eca1b00abe20cad0a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1669689
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62303}
2019-06-20 18:41:42 +00:00
Mythri A
15709b5a3e [cleanup] Add %PrepareFunctionForOptimization for few more tests
Bug: v8:8394, v8:8801, v8:9183
Change-Id: Ia5169541ada58bf2bea64e720cae5e5c04617cbd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1667001
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62278}
2019-06-19 10:17:52 +00:00
Mike Stanton
b3ce13f424 [Turbofan] Fix crash in MapInference::~MapInference
CL https://chromium-review.googlesource.com/c/v8/v8/+/1660623
("[Turbofan] Brokerize more promise reductions in JSCallReducer")
introduced a bug where we bail out of a call reduction but failed
to remove graph constructs added by the MapInference class.

R=jarin@chromium.org

Bug: chromium:976256, chromium:976524
Change-Id: I97f142fe6c1caba5e679f7df742893536c83b2d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1666990
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62267}
2019-06-19 06:53:38 +00:00
Dan Elphick
d8164d5906 Fix crash when reporting exceptions
Handlifies exception object as CollectSourcePositions can trigger GCs.

Bug: v8:8510
Change-Id: I29579b200af28bda30ccb5f2cf2e5a48f502c8f2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1664334
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62262}
2019-06-18 20:52:38 +00:00
Mythri A
ae1af6a568 [cleanup] Add %PrepareFunctionForOptimize for tests that use %OptimizeOsr
Bug: v8:8394, v8:8801, v8:9183
Change-Id: I29ff1a6dda97e89335b30fcc8c380bcb4055e1fb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1664690
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62254}
2019-06-18 16:47:29 +00:00
Sigurd Schneider
19eb7234ba [arm64] Ensure pools are emitted before emitting large branch tables
Change-Id: Iedb78a62886177f5c603b2f3ce9b586ac1320d31
Bug: chromium:968078
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1664067
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62244}
2019-06-18 13:42:22 +00:00
Mythri A
fd074f9a80 [ic] Don't handle stores with TypedArrays in the prototype chain in ICs
We don't want to handle even non-growing stores when there are TypedArrays
in the prototype chain. Typed arrays handle the out-of-bounds accesses by
ignoring the stores unlike the regular array writes. We just let runtime
handle these cases instead of making ICs more complex.

There was an earlier cl (https://chromium-review.googlesource.com/c/v8/v8/+/1609790)
that fixed it for growing stores. This cl extends it for non-growing stores
as well to handle more cases.

Bug: chromium:961709
Change-Id: I65e079b88c10d2ba343f69a67134893319cd8f8a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662305
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62243}
2019-06-18 13:34:11 +00:00
Benedikt Meurer
523be745d2 [turbofan] Properly handle -0 in Word32->Word64 conversion.
This adds missing support when converting a Word32 value (either in
Signed32 or Unsigned32 range) to Word64 representation, for which the
type also includes MinusZero. This conversion is fine as long as the
difference between 0 and -0 is not observable (in other words, as long
as the truncation identifies zeros).

Bug: chromium:971782, chromium:225811, v8:4153, v8:7881, v8:8171, v8:8383
Change-Id: I9d350a25f57b1342eb7fd1279d55a8610bdaf7cd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1664062
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62235}
2019-06-18 11:17:25 +00:00
Michael Starzinger
b8474e7022 [asm.js] Check that function table indices are intish.
R=titzer@chromium.org
TEST=mjsunit/regress/regress-crbug-969368
BUG=chromium:969368

Change-Id: If8cdd3a170c3c0e487daa2c2dd9e347fb8eabafd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662571
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62226}
2019-06-17 16:59:50 +00:00
Ross McIlroy
2425885552 [cleanup] Add missing %PrepareFunctionForOptimize in mjsunit tests
Bug: v8:8801,v8:8394,v8:9183
Change-Id: I5ceaf731a1b2720f086e6791fe08caaaa55de030
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662568
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62224}
2019-06-17 16:48:50 +00:00
Mythri A
d22884ef02 [cleanup] Add %PrepareFunctionForOptimize in mjsunit tests
Bug: v8:8801, v8:8394, v8:9183
Change-Id: Ie2858af4863511d5f67b662ac6f6f79512f55e7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662307
Commit-Queue: Mythri Alle <mythria@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62223}
2019-06-17 16:28:50 +00:00
Mythri A
9b77a149a6 [test] Add %PrepareFunctionForOptimize in mjsunit tests
Bug: v8:8801, v8:8394, v8:9183
Change-Id: Ic31f97a1b591317a004dc52c8eee777dd6353487
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662299
Commit-Queue: Mythri Alle <mythria@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62216}
2019-06-17 14:13:02 +00:00
Ross McIlroy
994db73210 [cleanup] Add missing %PrepareFunctionForOptimize in mjsunit tests
Bug: v8:8801,v8:8394,v8:9183
Change-Id: I55027b3ba0c78f40d82aaf2d160aaf957d02cab5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662292
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62214}
2019-06-17 13:14:51 +00:00
Jakob Gruber
c51e4f3c66 [regexp] Rewrite certain Assertion sequences
RegExp assertions (e.g.: '^', '$', '\b', ...) sequences have certain
properties that this rewriter exploits:

1. They are zero-width and order-independent, thus one can remove all
duplicate assertions.
2. If a subsequence is guaranteed to fail, the entire sequence fails.
Any sequence always known to fail (e.g. containing both '\b' and '\B')
can be rewritten to a single node that triggers failure.

This CL generalizes the previous optimization for repeated assertions
to be order-independent, i.e. assertions only have to be in the same
sequence but not next to each other.

Bug: v8:6515, v8:6126
Change-Id: I3f92f081ce8a55ad8c34c269a09a6686e3b008f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657925
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62201}
2019-06-17 09:21:58 +00:00
Ross McIlroy
d7a8170d2d [cleanup] Add missing %PrepareFunctionForOptimize in mjsunit tests
Bug: v8:8801,v8:8394,v8:9183
Change-Id: If482c6a14f389d54c6ca3891aa7b8475f7a1fce1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1660617
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62192}
2019-06-14 17:03:41 +00:00
Mythri A
8cbbc2e809 [cleanup] Add missing %PrepareFunctionForOptimize in mjsunit tests
Bug: v8:8801,v8:8394,v8:9183
Change-Id: I88c0268b30d4b927f9856db7a3b054b74baf1923
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1660608
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62189}
2019-06-14 15:54:35 +00:00
Ross McIlroy
ac7c82f905 [cleanup] Add %PrepareForOptimization to some more mjsunit tests.
Bug: v8:8801,v8:8394,v8:9183
Change-Id: If6a4f39991f222337f1c49bd0439e9669d89b030
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1660486
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62181}
2019-06-14 13:55:11 +00:00
Ross McIlroy
ab99a74ce8 [cleanup] Add %PrepareForOptimization to some more mjsunit tests.
Bug=v8:8801,v8:8394,v8:9183

Change-Id: I5bd3505938a49dab0299f1d1d022e8a31cc806c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1660479
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62178}
2019-06-14 12:37:18 +00:00
Andreas Haas
76d33a174e [cleanup] Add PrepareFunctionForOptimization to regression tests(2)
R=mythria@chromium.org

Bug: v8:9183
Change-Id: Ia534816b460eaf005a0017afeb2d55ccb3402a37
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1660473
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62169}
2019-06-14 10:56:48 +00:00
Andreas Haas
054af8477c [cleanup] Add PrepareFunctionForOptimization to regression tests
R=mythria@chromium.org

Bug: v8:9183
Change-Id: Id7c29452ef6d643b59eb3252df188bf288e2de23
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1660469
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62168}
2019-06-14 09:59:20 +00:00
Mythri A
ccb7ff7524 [ic] Turn megamorphic when storing into an array with readonly length
The store element handlers don't check if the array length is writable
before updating the length. Since this is not expected to be a common
case no need of handling this in the element handlers. Just moving to
megamorphic would be sufficient.

Bug: chromium:967104
Change-Id: I7a7f9ea768266b9ffd6289328d61d2297d455619
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658154
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62152}
2019-06-13 15:53:39 +00:00
Toon Verwaest
e79e81cdf5 [runtime] Throw RangeError if we try to get too many values or entries
Bug: chromium:973363
Change-Id: Id2e46702f73e901df5f26b764d98fb3d4f681a98
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657914
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62143}
2019-06-13 12:28:02 +00:00
Mathias Bynens
c6a16c10dd [test] Add %PrepareForOptimization to even more tests
With bytecode flushing and lazy feedback allocation, we need to call
%PrepareForOptimization before we call %OptimizeFunctionOnNextCall,
ideally after declaring the function.

Bug: v8:8801, v8:8394, v8:9183
Change-Id: I3fb257282a30f6526a376a3afdedb44786320d34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648255
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62119}
2019-06-12 14:40:14 +00:00
Jakob Gruber
d766d6d5a3 [error] Use prepareStackTrace from error's realm
An error object's 'stack' property is lazily formatted once the
property is first read. It is thus possible that lazy formatting
happens in a different realm than where the error object was
constructed.

In this case, we should use the origin-realm's prepareStackTrace
function to format the stack trace.

This CL implements that behavior by fetching prepareStackTrace from
the given error object's context's error function.

Bug: v8:7848
Change-Id: Ibc383cf24f2c0dab2fd8bb7bc740f1488d9954a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1113438
Commit-Queue: Simon Zünd <szuend@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62090}
2019-06-11 13:02:45 +00:00
Oliver Dunk
563290194f Add quotes around unexpected token SyntaxError
Quotes have been added around the token to make the message clearer.

Bug: chromium:943636
Change-Id: Ic38f3e6d307157af2c0146e69fb611a2cfb46564
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593307
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62074}
2019-06-11 06:11:58 +00:00
Z Nguyen-Huu
659010ec71 Handle IC store with sealed elements
The path for sealed elements is handled by using the same path for SmiOrObjectElementKind, just need to extend a DCHECK in CodeStubAssembler::IsFixedArrayWithKind.
The only special case is when we write to a hole in holey sealed elements. Since we can not write in that case, just bail out.

Bug: chromium:967101
Change-Id: Ibf837ae053fe609bca83da432f298ef056f3aced
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632830
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62071}
2019-06-10 19:54:17 +00:00
Jakob Kummerow
05e3b64132 [ubsan] Fix a few double-to-float casts
The DoubleToFloat32 helper takes care of everything, so use it
consistently.

Bug: chromium:969498
Change-Id: If71e5374684b89615006548cb0329f4d4cb7fd6d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648253
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62062}
2019-06-08 12:38:02 +00:00
Yang Guo
9bcacf60f8 Fix character ranges in case insensitive regexp
R=jgruber@chromium.org

Bug: chromium:971383
Change-Id: I39d26a63c0735f595a809959c06cb2ac1c141451
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648098
Commit-Queue: Frank Tang <ftang@chromium.org>
Auto-Submit: Yang Guo <yangguo@chromium.org>
Reviewed-by: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62044}
2019-06-07 00:09:17 +00:00
Mythri A
35253de786 Fix a failing mjsunit test with lazy feedback allocation
Bug: v8:8394
Change-Id: I02551ff3d51e914f5a24f221186f23a8e3d2cc77
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648096
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62026}
2019-06-06 14:57:38 +00:00
Mythri A
ea04708ee9 [mjsunit] Fix tests failing with lazy feedback allocation in gc stress
We need to hold onto the bytecode array so it doesn't get flushed.

Bug: v8:8394
Change-Id: Ia583a0a662740e369fcbc1c94041895e463be26e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1645329
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62011}
2019-06-06 06:16:37 +00:00
Georg Schmid
2911a16fa6 Fix Load Elimination crash involving transitioning const stores in loops
R=tebbi@chromium.org

Bug: chromium:964833 chromium:970120
Change-Id: I0fc179aa1e8fc5c13279342501f8639fce9ee7d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1645315
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Georg Schmid <gsps@google.com>
Cr-Commit-Position: refs/heads/master@{#61995}
2019-06-05 10:47:58 +00:00
Mathias Bynens
61ce45c9e2 [test] Add %PrepareForOptimization to more tests
With bytecode flushing and lazy feedback allocation, we need to call
%PrepareForOptimization before we call %OptimizeFunctionOnNextCall,
ideally after declaring the function.

Bug: v8:8801, v8:8394, v8:9183
Change-Id: I6bf119e726426df8527d97546b6ce806112c894d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1643167
Auto-Submit: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61988}
2019-06-04 19:58:19 +00:00
Michael Mclaughlin
348cc6f152 Improve toString(radix) for doubles near zero
Currently, Number.prototype.toString(radix) often fails to produce the
least significant bit for doubles near zero. For example, for the
minimum double, 5e-324, toString(2) produces "0". This means that a
user cannot reliably get the exact binary or hexdecimal value of a
double from JavaScript using toString.

This patch makes a slight amendment to the DoubleToRadixCString
function, so that doubles where the gap to the next double is 5e-324
(i.e. doubles less than 2**-1021), are represented exactly in binary and
other power-of-two bases, and close to exactly otherwise. It results
in Number.prototype.toString producing the correct binary value for all
doubles.

R=jkummerow@chromium.org, mathias@chromium.org, yangguo@chromium.org

Bug: v8:9294
Change-Id: I71506149b7c4c0eac8c38675a1ee15fb4f36f9ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631601
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61925}
2019-05-29 20:45:02 +00:00
Maya Lekova
731a370b1f Fix correctness issue in proxy set trap
According to the spec, in case where the property is non-configurable and
non-writable, the value passed to the set trap should be compared to the data.
Instead, the trap result was compared, because of the misleading name of the
CheckGetSetTrapResult parameter.

Regression was introduced in
https://chromium-review.googlesource.com/c/v8/v8/+/1604071

Bug: chromium:966450
Change-Id: I77501980475da3aeb4f6153321da39e6fc2e6bd9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632238
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61916}
2019-05-29 13:16:49 +00:00
Georg Schmid
6e89adc80b Weaken representation tracking assertion in load elimination
Feedback pollution can create situations in which we statically see stores to the same field with incompatible representations; dynamically this should be impossible for a single TurboFan compilation unit. Instead of failing an assertion we produce Unreachable nodes.

R=tebbi@chromium.org

Bug: chromium:967434 chromium:967506
Change-Id: Id549ec84f28b4fed2d2e5ef05b40b48bc5b30e97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632169
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61894}
2019-05-28 13:43:05 +00:00
Benedikt Meurer
70bd7cf0ef Reland "[typedarray] Move external/data pointer to JSTypedArray."
This is a reland of 4b86fea530 with
copy&paste typo in CodeStubAssembler::AllocateByteArray() fixed
(bug led to holes in new space, which was crashing reproducibly
on the ia32 bot).

Original change's description:
> [typedarray] Move external/data pointer to JSTypedArray.
>
> As the next step in supporting huge typed arrays in V8, this moves the
> external/data pointer from the FixedTypedArrayBase backing store to the
> JSTypedArray instance itself, and replaces the special backing stores
> with a plain ByteArray (removing all the code for the FixedTypedArrayBase
> class hierarchy). By doing so, we can drastically simplify the system
> around typed arrays.
>
> Note: Several places in the code base used to check the instance type
> of the elements backing store of a JSTypedArray instead of checking the
> elements kind on the JSTypedArray map directly. Those had to be fixed,
> since the backing store is now always a ByteArray.
>
> Drive-by-fix: Move all the typed elements access related code into the
> elements.cc file to properly encapsulate the accesses.
>
> Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
> Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
> Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
> Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61855}

Tbr: petermarshall@chromium.org
Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
Change-Id: I87fcdb28532c5f08cc227332a4d59546cb423810
Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
Cq-Include-Trybots: luci.v8.try:v8_linux_shared_compile_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631592
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61864}
2019-05-27 17:44:06 +00:00
Toon Verwaest
f58b7e1727 [json] Strings can lie to us about representation, so check what's underneath
Bug: chromium:967151
Change-Id: I54a856cfcc4b4b17bd282dd3eabe5a915e617ca5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630683
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61846}
2019-05-27 10:56:44 +00:00
Simon Zünd
82f6179c63 [array] Prevent negative work array capacity when sorting
When allocating large arrays on 32-bit systems, the length conversion
caused the work array capacity to become negative. As the sort range
is currently clamped at kSmiMaxValue anyway, the fix is to also
clamp the work capacity to that value.

R=jgruber@chromium.org

Bug: chromium:967065
Change-Id: I9ea60464c5b7f3796c5389cbaf668b990eddecf6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630672
Auto-Submit: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61845}
2019-05-27 10:41:44 +00:00