Commit Graph

2490 Commits

Author SHA1 Message Date
Sathya Gunasekaran
f6e20fcbba [modules] Fix dynamic import in eval
In the case of a function constructor or eval, we create a new script
object which doesn't have a script name. In this case, we traverse
upwards on the list of SFI's through script->eval_from_shared() to get
the outermost script that was not an eval script and get the script
name from that script.

Bug: chromium:746909, v8:6683, v8:5785
Change-Id: I430459f632a0e3b18fc3111a5cf1c00cedb9f520
Reviewed-on: https://chromium-review.googlesource.com/606701
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47352}
2017-08-14 23:21:49 +00:00
Jakob Kummerow
89e5792d60 [tests] Make %NeverOptimizeFunction ClusterFuzz safe
It expected its argument to be a JSFunction, but fuzzer tests can
pass anything. Non-JSFunction arguments should just silently be
ignored, just like similar CF-whitelisted runtime functions do.

Bug: chromium:754177
Change-Id: I41b29528bbe72f24b3d84f021b22602160769d26
Reviewed-on: https://chromium-review.googlesource.com/610706
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47316}
2017-08-11 14:56:45 +00:00
Maya Lekova
0410e7e850 Reland ^4 "[builtins] Port getting property from Proxy to CSA"
This is a reland of edc4ae14c8

With fixes for crbug.com/752846, crbug.com/752712, crbug.com/752850

Previously landed as: 47a97aa53b / 47113
Previously landed as: 15ef03cbf3 / 47159
Previously landed as: e86c066b77 / 47235
Previously landed as: edc4ae14c8 / 47245

TBR=jkummerow@chromium.org, franzih@chromium.org, bmeurer@chromium.org,
jgruber@chromium.org, mstarzinger@chromium.org

Bug: v8:6559, v8:6557
Change-Id: I956486e90aab36ba95676bd4ec2febebed509fc1
Reviewed-on: https://chromium-review.googlesource.com/609781
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Commit-Queue: Maya Lekova <mslekova@google.com>
Cr-Commit-Position: refs/heads/master@{#47299}
2017-08-11 07:17:35 +00:00
Mircea Trofin
1ca0eea23c [wasm] Correctly reconstitute ModuleEnv from runtime data
When lazy-compiling, it is important we reconstitute the
ModuleEnv accurately. Besides addressing a bug, this change
also does away with the need to relocate memory and globals
parameters (in lazy compilation), by using "the right ones" upfront.

Bug: chromium:753496
Change-Id: I1412a499f05d02d49319fced1b3047698328f3b5
Reviewed-on: https://chromium-review.googlesource.com/609376
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47280}
2017-08-10 14:52:50 +00:00
Michael Starzinger
45b4522e40 [fullcodegen] Remove --stress-fullcodegen flag.
This is in preparation to the removal of the FullCodeGenerator, we no
longer need the ability to stress the underlying implementation.

R=rmcilroy@chromium.org
BUG=v8:6409

Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Iad3177d6de4a68b57c12a770b6e85ed7a9710254
Reviewed-on: https://chromium-review.googlesource.com/584747
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47276}
2017-08-10 09:52:49 +00:00
Sathya Gunasekaran
58bbc6bf77 [parser] Check if async function before throwing error
This changes the DCHECK (which could correctly fail) to be part of the
conditional that checks if we're in an async function.

Bug: chromium:751789
Change-Id: I3b8c1239ac93190055622c41fa1122e83b69d255
Reviewed-on: https://chromium-review.googlesource.com/607356
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47261}
2017-08-09 23:43:52 +00:00
Peter Marshall
06f5f84656 [runtime] Align Seq{One,Two}ByteString::kMaxSize.
Because SizeFor only returns aligned values, when we check values
returned there against kMaxSize, they can be larger if they were
rounded up.

It wasn't possible to write a test for the 2-byte version that didn't
regularly OOM.

Bug: chromium:752764
Change-Id: Id2f387449e0fafe633a2fde1ac728be31487f62d
Reviewed-on: https://chromium-review.googlesource.com/607935
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47252}
2017-08-09 14:48:54 +00:00
Ben L. Titzer
f6d5504f98 [wasm] Fix patching of table sizes.
BUG=chromium:752423
R=mtrofin@chromium.org,bradnelson@chromium.org

Change-Id: Ie6d80a82cd40b598e917a79842e6639e73be9194
Reviewed-on: https://chromium-review.googlesource.com/606587
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47251}
2017-08-09 14:44:33 +00:00
Michael Achenbach
57200ddb42 Revert "Reland ^3 "[builtins] Port getting property from Proxy to CSA"""
This reverts commit edc4ae14c8.

Reason for revert: There's still this problem:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug/builds/5835

Original change's description:
> Reland ^3 "[builtins] Port getting property from Proxy to CSA""
> 
> This is a reland of e86c066b77
>  
> With fixes for crbug.com/752846, crbug.com/752712, crbug.com/752850
> 
> Previously landed as: 47a97aa53b / 47113
> Previously landed as: 15ef03cbf3 / 47159
> 
> TBR=jkummerow@chromium.org, franzih@chromium.org, bmeurer@chromium.org,
> jgruber@chromium.org, mstarzinger@chromium.org
> 
> Bug: v8:6559, v8:6557
> Change-Id: I12ccae44331b05dd3f304ac538c0154133b43c35
> Reviewed-on: https://chromium-review.googlesource.com/608187
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47245}

TBR=jkummerow@chromium.org,mstarzinger@chromium.org,neis@chromium.org,franzih@chromium.org,jgruber@chromium.org,ishell@chromium.org,bmeurer@chromium.org,mslekova@google.com

Change-Id: Ib46b68f011c056675f2024f91c7f1024767b4dd0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6559, v8:6557
Reviewed-on: https://chromium-review.googlesource.com/608189
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47247}
2017-08-09 13:37:37 +00:00
Maya Lekova
edc4ae14c8 Reland ^3 "[builtins] Port getting property from Proxy to CSA""
This is a reland of e86c066b77
 
With fixes for crbug.com/752846, crbug.com/752712, crbug.com/752850

Previously landed as: 47a97aa53b / 47113
Previously landed as: 15ef03cbf3 / 47159

TBR=jkummerow@chromium.org, franzih@chromium.org, bmeurer@chromium.org,
jgruber@chromium.org, mstarzinger@chromium.org

Bug: v8:6559, v8:6557
Change-Id: I12ccae44331b05dd3f304ac538c0154133b43c35
Reviewed-on: https://chromium-review.googlesource.com/608187
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47245}
2017-08-09 12:52:51 +00:00
Georg Neis
b7227dc8d2 Make ValidateAndApplyPropertyDescriptor pass on its ShouldThrow mode.
This fixes a bug affecting module namespace objects, which are currently
implemented using native accessors.

Bug: v8:6681, v8:1569
Change-Id: I6a678652573a332c47315497d927c390d9da0926
Reviewed-on: https://chromium-review.googlesource.com/606027
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47238}
2017-08-09 09:01:39 +00:00
Georg Neis
703b5ff960 Revert "Reland^2 "[builtins] Port getting property from Proxy to CSA""
This reverts commit e86c066b77.

Reason for revert: <INSERT REASONING HERE>

Original change's description:
> Reland^2 "[builtins] Port getting property from Proxy to CSA"
> 
> With fixes for crbug.com/752846, crbug.com/752712, crbug.com/752850
> 
> Previously landed as: 47a97aa53b / 47113
> Previously landed as: 15ef03cbf3 / 47159
> 
> Bug: v8:6559, v8:6557
> This is a reland of 15ef03cbf3
> 
> Change-Id: Ia53ffb80ebe44581fdb923d9f572be92ee3ed080
> Reviewed-on: https://chromium-review.googlesource.com/603796
> Commit-Queue: Maya Lekova <mslekova@google.com>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47235}

TBR=jkummerow@chromium.org,mstarzinger@chromium.org,franzih@chromium.org,jgruber@chromium.org,ishell@chromium.org,bmeurer@chromium.org,mslekova@google.com

Change-Id: Ibf0b9f786f3df247acaf9e7ffe9f49ec1db905d8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6559, v8:6557
Reviewed-on: https://chromium-review.googlesource.com/607928
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47236}
2017-08-09 08:58:03 +00:00
Maya Lekova
e86c066b77 Reland^2 "[builtins] Port getting property from Proxy to CSA"
With fixes for crbug.com/752846, crbug.com/752712, crbug.com/752850

Previously landed as: 47a97aa53b / 47113
Previously landed as: 15ef03cbf3 / 47159

Bug: v8:6559, v8:6557
This is a reland of 15ef03cbf3

Change-Id: Ia53ffb80ebe44581fdb923d9f572be92ee3ed080
Reviewed-on: https://chromium-review.googlesource.com/603796
Commit-Queue: Maya Lekova <mslekova@google.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47235}
2017-08-09 07:59:48 +00:00
Michael Starzinger
d929cc755c [turbofan] Fix introduction of contradicting {TypeGuard}.
This avoid introduction of {TypeGuard} nodes during load elimination.
Such type guard could lead to contradicting type information where a
constant {NumberConstant} node was guarded to have {ExternalPointer}
type, which would lead to an impossible constraint on representation
selection.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-752826
BUG=chromium:752826

Change-Id: Ida3815af24ccc8a48474b8d66117b9718f61adda
Reviewed-on: https://chromium-review.googlesource.com/605547
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47218}
2017-08-08 11:54:51 +00:00
Adam Klein
a9846ad451 Throw errors when assigning to const variables inside with
This code appears to have been wrong forever, as it only
threw in strict mode (presumably predating ES2015 const).

In order to get exactly the right behavior, special
handling of sloppy named function expressions is required.
Rather than polluting PropertyAttributes with another
dummy value, this CL simply adds a bool output argument
to Context::Lookup to indicate that case.

Bug: v8:6677
Change-Id: I34daa5080d291808f10cbaefc91d716f0b22963b
Reviewed-on: https://chromium-review.googlesource.com/602690
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47207}
2017-08-08 02:00:22 +00:00
Benedikt Meurer
cb9402aa98 [turbofan] Properly check new.target parameter in inlined Reflect.construct.
The ConstructFunctionForwardVarargs and ConstructForwardVarargs
builtins, which are used when inlining the Reflect.construct
builtin into TurboFan optimized code, didn't properly check the
new.target parameter whether it's a constructor.

Bug: chromium:752481
Change-Id: I9b8f8c429d6eaed0ff8d27fc3f6b52eb906766a2
Reviewed-on: https://chromium-review.googlesource.com/604187
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47206}
2017-08-07 18:15:30 +00:00
Michael Starzinger
b329b24986 [builtins] Fix missing check in Array.prototype.filter.
This fixes a missing fast-path check in the code-stub implementation of
the {Array.prototype.filter} method. Appending to the target JSArray is
only correct if the underlying length did not change.

R=jgruber@chromium.org
TEST=mjsunit/regress/regress-6657
BUG=v8:6657

Change-Id: Ida8d3511485b649b70d9a4b161742d494ebe4dac
Reviewed-on: https://chromium-review.googlesource.com/600467
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47156}
2017-08-04 08:55:15 +00:00
Michael Starzinger
c8ee3fb405 [deoptimizer] Fix bogus DCHECK in OptimizedFrame::Summarize.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-751715
BUG=chromium:751715

Change-Id: Ibc5d2ce958b6f0c94b41926eb215e81d70833a9d
Reviewed-on: https://chromium-review.googlesource.com/598227
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47108}
2017-08-03 07:34:42 +00:00
Adam Klein
74edfccd45 Enable --harmony-strict-legacy-accessor-builtins by default
This behavior has been staged successfully without a bug report, and
has been shipped in the latest versions of Firefox and Safari.

Bug: v8:5070
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I084cae2cc303d6a213bd6789297b91656e162d6b
Reviewed-on: https://chromium-review.googlesource.com/595129
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47098}
2017-08-02 21:30:57 +00:00
Benedikt Meurer
71012480b7 [runtime] Properly forward the "interesting symbol" bit.
This fixes a corner case of rewriting the transition trees, where the
"interesting symbols" bit was not properly forwarded.

Drive-by-fix: Introduce additional checking in Map::ConnectTransition to
make it easier for clusterfuzz to detect cases we might have missed.

R=mstarzinger@chromium.org

Bug: chromium:751109
Change-Id: I3f1a1e6232db9b3694064b3d4e9f37255b018acc
Reviewed-on: https://chromium-review.googlesource.com/597669
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47075}
2017-08-02 11:08:38 +00:00
Julien Brianceau
b41f857b9e Fix common misspellings
Bug: chromium:750830
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng;master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Icab7b5a1c469d5e77d04df8bfca8319784e92af4
Reviewed-on: https://chromium-review.googlesource.com/595655
Commit-Queue: Julien Brianceau <jbriance@cisco.com>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47072}
2017-08-02 09:35:28 +00:00
Leszek Swirski
e47d175738 [sfi] Remove opt_count
Remove opt_count from SFI, which only had two real uses:

  1. Detecting OSR in tests -- replaced with a stack walk in
     %GetOptimizationStatus
  2. Naming optimization log files -- replaced with the
     optimization id

This allows us to remove a field from the SFI, moving the
bailout reason into the counters field.

As a drive-by, add optimization marker information (e.g.
marked for optimization) to the optimization status.

Change-Id: Id77deb5dd5439dfba058a7e1e1748de26b717d0d
Reviewed-on: https://chromium-review.googlesource.com/592028
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47009}
2017-07-31 13:18:49 +00:00
Adam Klein
48a903eb3f Properly fix-up ClassLiterals in ReparentExpressionScope()
Everything inside a class lives inside the class scope, so
reparenting the class scope is the only operation that
should be done to ClassLiterals during reparenting.

Bug: chromium:740591
Change-Id: Ia5b96b44ff1ca6cfa274effb5a04651809bab9bd
Reviewed-on: https://chromium-review.googlesource.com/588054
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46951}
2017-07-27 18:22:57 +00:00
Michael Starzinger
44f88dcd87 [turbofan] Fix missing callability check on Array callbacks
This fixes the second-order Array.prototype function {forEach} and {map}
to now perform a callability check of the given callback function. For
empty arrays it is observable whether such a check outside the loop has
been elided or not.

R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-747062
BUG=chromium:747062

Change-Id: I1bbe7f44b3b3d18e9b41ad0436975434adf84321
Reviewed-on: https://chromium-review.googlesource.com/588893
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46942}
2017-07-27 14:49:58 +00:00
Igor Sheludko
10e4fe3d32 [runtime] Don't create class field types for arrays' fields.
... when generalizing const fields to mutable fields.

Bug: chromium:748539, chromium:747979, chromium:738763
Change-Id: Iee772a5d0cddd23599f1f68bca00b8beecb76da0
Reviewed-on: https://chromium-review.googlesource.com/586709
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46921}
2017-07-27 07:11:05 +00:00
Peter Marshall
8315422762 [runtime] Check for overflow when serializing Strings for JSON.
Previously we would shift the length of the string by three, which
could overflow with the new larger string length limit. Now we check
that the length will fit without extra allocation before and after
the shift, because really large strings will never fit, and will
always go to the Checked case.

Bug: chromium:748069, v8:6148
Change-Id: I41cac14b0fde6c5e8ca92305a052cbb743111554
Reviewed-on: https://chromium-review.googlesource.com/584611
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46896}
2017-07-26 11:40:56 +00:00
Ben L. Titzer
cbd8d67f3e [wasm][test] Remove non-standard S128 from wasm-constants.js
This brings the wasm-constants.js file inline with that (forked copy) in
the WebAssembly spec repo, which should make it easier to export tests
from V8 to the spec in the future.

R=clemensh@chromium.org

Bug: 
Change-Id: I7db23efc2d671f65b614f9dbc97ae2f355f91b04
Reviewed-on: https://chromium-review.googlesource.com/586248
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46894}
2017-07-26 10:49:22 +00:00
Adam Klein
f1f2285715 Rewrite scopes of initializers in for-in/of destructured declarations
Bug: chromium:740591
Change-Id: I869be41d8630b23704b9470c4d3db8a21bbde873
Reviewed-on: https://chromium-review.googlesource.com/583531
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46881}
2017-07-25 18:26:16 +00:00
Camillo Bruni
0392eb20ac [literals] Introduce CreateEmptyArrayLiteral Bytecode
Empty Array literals are amongst the most commonly used literal types on our
top25 page list. Using a custom bytecode we can drop the boilerplate for empty
Array literals alltogether. However, we still need a proper AllocationSite to
track ElementsKind transitions.

Bug: v8:6211, chromium:746935
Change-Id: I891eaa778e4e81e138e483a65f04ae00ae30bd28
Reviewed-on: https://chromium-review.googlesource.com/580932
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46875}
2017-07-25 14:30:43 +00:00
Camillo Bruni
c7854ed957 [builtins] Array.prototype.sort bug
Bug: chromium:743154
Change-Id: Id5b2a91a9242326b1dafccc4aeb95e18fb0fc8d8
Reviewed-on: https://chromium-review.googlesource.com/580928
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46873}
2017-07-25 13:26:03 +00:00
Igor Sheludko
c558369af2 [runtime] Don't create "class" field types for arrays' fields.
... when reconfiguring const fields to mutable fields.

Bug: chromium:747979, chromium:738763, chromium:745844
Change-Id: Ibfac1b875a1da8234966ac10658260f1cc718fe5
Reviewed-on: https://chromium-review.googlesource.com/583647
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46854}
2017-07-25 06:54:46 +00:00
Mike Stanton
d9b98f3d05 [TurboFan] Array.prototype.map inlining error
A Phi is necessary to carry the ElementsKind forward in case transitions
are taken.

Bug: chromium:747075
Change-Id: I9d9d66b0219fe3f67d08536f4d478ee300c76acb
Reviewed-on: https://chromium-review.googlesource.com/583090
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46852}
2017-07-25 04:05:56 +00:00
Peter Marshall
e8c9649e25 [builtins] Increase the maximum string length on 64-bit platforms.
Increase from 2^28 - 16 to 2^30 - 25 for 64-bit platforms.

Bug: v8:6148
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I3529d7ed757a7ab49a001af8641cf888db171cdb
Reviewed-on: https://chromium-review.googlesource.com/570047
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46838}
2017-07-24 10:38:55 +00:00
jgruber
d8e147752c [regexp] Teach deoptimizer to materialize JSRegExp objects
Now that literal allocation is inlined, it is possible to optimize out regexp
literal allocation completely. If a lazy deopt is triggered in that situation,
the deoptimizer needs to know how to materialize regexp objects.

Bug: v8:6605,v8:6556,chromium:747825
Change-Id: Id491053f8e64fec16540efbfdc6c7c524da3e080
Reviewed-on: https://chromium-review.googlesource.com/582609
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46837}
2017-07-24 10:36:25 +00:00
Igor Sheludko
21e7f08385 [runtime] Don't track "class" field types for arrays with properties.
... in order to avoid the need to update field types through elements
kind transitions.

Bug: chromium:738763, chromium:745844
Change-Id: I9f0e7f321e7f44ab5b36c06dd4c5633611370807
Reviewed-on: https://chromium-review.googlesource.com/581647
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46830}
2017-07-24 06:34:12 +00:00
Igor Sheludko
5520cae3fd Revert "Reland "[runtime] Add shortcuts for elements kinds transitions.""
This reverts commit 6e27386d68.

Reason for revert: There will be another much simpler and
back-mergeable fix.

Original change's description:
> Reland "[runtime] Add shortcuts for elements kinds transitions."
> 
> This is a reland of b90e83f5da
> Original change's description:
> > [runtime] Add shortcuts for elements kinds transitions.
> >
> > The shortcuts ensure that field type generalization is properly
> > propagated in the transition graph.
> >
> > Bug: chromium:738763
> > Change-Id: Id701a6f95ed6ea093c707fbe0bac228f1f856e9f
> > Reviewed-on: https://chromium-review.googlesource.com/567992
> > Commit-Queue: Igor Sheludko <ishell@chromium.org>
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#46622}
> 
> Bug: chromium:738763, chromium:742346, chromium:742381, chromium:745844
> Change-Id: I93974e3906b2c7710bd525f15037a2dd97f263ad
> Reviewed-on: https://chromium-review.googlesource.com/575227
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46759}

TBR=ulan@chromium.org,jkummerow@chromium.org,ishell@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:738763, chromium:742346, chromium:742381, chromium:745844
Change-Id: I203dc748c47db554e0a86d61f0e2b7b8b96f2370
Reviewed-on: https://chromium-review.googlesource.com/581547
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46826}
2017-07-24 05:31:29 +00:00
Igor Sheludko
b30ea1646a [ic] Properly handle reconfiguring of a global property to 'readonly'.
Bug: chromium:722783
Change-Id: Id4612f3d45fb26daca8b4ef2efb0f7bc9ac39ed3
Reviewed-on: https://chromium-review.googlesource.com/579268
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46795}
2017-07-20 13:39:23 +00:00
Mythri
3e47cb87d6 [Turbofan] Use bytecode size for inlining heuristics.
Inlining heuristics in Turbofan used ast node count. Bytecode size
is a better approximation of the size of the graph than the
ast node count. This cl changes the heuristics to use the bytecode
size instead. Also removing the ast_node_count filed in the shared
function info. It was used only for the inlining heuristics.

Also removed the max_inlined_source_size flag which is no longer used.

Bug: 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I8a2d2509c8e8d2779b33b817bb217de203d54ec3
Reviewed-on: https://chromium-review.googlesource.com/570055
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46771}
2017-07-19 17:01:55 +00:00
Igor Sheludko
6e27386d68 Reland "[runtime] Add shortcuts for elements kinds transitions."
This is a reland of b90e83f5da
Original change's description:
> [runtime] Add shortcuts for elements kinds transitions.
>
> The shortcuts ensure that field type generalization is properly
> propagated in the transition graph.
>
> Bug: chromium:738763
> Change-Id: Id701a6f95ed6ea093c707fbe0bac228f1f856e9f
> Reviewed-on: https://chromium-review.googlesource.com/567992
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46622}

Bug: chromium:738763, chromium:742346, chromium:742381, chromium:745844
Change-Id: I93974e3906b2c7710bd525f15037a2dd97f263ad
Reviewed-on: https://chromium-review.googlesource.com/575227
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46759}
2017-07-19 11:31:21 +00:00
Benedikt Meurer
e1e35df329 [turbofan] Fix CanTreatHoleAsUndefined check.
The test for CanTreatHoleAsUndefined on keyed element access was
checking for stability of Object.prototype and Array.prototype and
even adding stability dependencies on both, which is too restrictive
and leads to unnecessary deoptimizations (and might disable further
optimization of the keyed access depending on the state of the
prototype objects during optimization). This was not intended and
is considered a (performance) bug.

Instead use the correct approach of checking whether the receiver's
prototype is one of the current Object.prototype or Array.prototype
objects (since the Array protector works isolate-wide), and then
check the Array protector and install an appropriate code dependency
on the protector only.

Bug: v8:6607
Change-Id: I0bcfe32813ca3693e7b22de31b03edb3509d0a27
Reviewed-on: https://chromium-review.googlesource.com/574849
Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46743}
2017-07-18 16:29:29 +00:00
Sathya Gunasekaran
c45b2291a7 [modules] Propogate scheduled exception on ToString failure
Also, add a couple of macros to handle error cases.

R=adamk@chromium.org

Bug: chromium:744292
Change-Id: I5dcb19ce67ec1aa4318d68d973d304cb07a65b80
Reviewed-on: https://chromium-review.googlesource.com/575394
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46722}
2017-07-17 22:07:41 +00:00
Ross McIlroy
259bf74df0 [Compiler] Fix setting shared function info flags from literal for asm_wasm.
BUG=chromium:743622

Change-Id: Ic29a39d5976425eda2358c7e5ace0efa1b78a718
Reviewed-on: https://chromium-review.googlesource.com/574604
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46714}
2017-07-17 16:08:17 +00:00
Daniel Clifford
9a0403a679 Don't add dependencies on prototype chain when inlining forEach
Bug=chromium:740784
LOG=N

Change-Id: I61fe1b07426d0b1e5131687c9ce99a8dbfa09781
Reviewed-on: https://chromium-review.googlesource.com/574175
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46706}
2017-07-17 12:54:32 +00:00
Clemens Hammacher
883db26e6f [wasm] Update signature map on indirect calls
The code was already there, but there was a bug in it: Because of the
missing reference, we were only updating a *copy* of the signature map,
hence the update had no effect.
This intentially is a minimal CL, in order to allow for easy
backmerging.
More mitigations and tests are coming in a separate CL.

R=titzer@chromium.org

Change-Id: Ifb462093f4b8f4d5380b6774636537c67c2b676c
Reviewed-on: https://chromium-review.googlesource.com/570278
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46664}
2017-07-14 08:42:40 +00:00
Michael Achenbach
682832a0f5 Revert "[runtime] Add shortcuts for elements kinds transitions."
This reverts commit b90e83f5da.

Reason for revert: Blocks roll:
https://chromium-review.googlesource.com/c/570002/

Confirmed by:
https://chromium-review.googlesource.com/c/571700/2

Original change's description:
> [runtime] Add shortcuts for elements kinds transitions.
> 
> The shortcuts ensure that field type generalization is properly
> propagated in the transition graph.
> 
> Bug: chromium:738763
> Change-Id: Id701a6f95ed6ea093c707fbe0bac228f1f856e9f
> Reviewed-on: https://chromium-review.googlesource.com/567992
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46622}

TBR=jkummerow@chromium.org,ishell@chromium.org

Change-Id: I5ede80db6bc209f16c6fd43f6bf3c8865c9577d8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:738763
Reviewed-on: https://chromium-review.googlesource.com/571741
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46660}
2017-07-14 08:04:05 +00:00
Adam Klein
1769f892ce [cleanup] Remove always-off support for tail calls
The tail call implementation is hidden behind the --harmony-tailcalls
flag, which is off-by-default (and has been unstaged since February).
It is known to be broken in a variety of cases, including clusterfuzz
security issues (see sample Chromium issues below). To avoid letting
the implementation bitrot further on trunk, this patch removes it.

Bug: v8:4698, chromium:636914, chromium:724746
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng;master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I9cb547101456a582374fdf7b1a3f044a9ef33e5c
Reviewed-on: https://chromium-review.googlesource.com/569069
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46651}
2017-07-13 19:29:05 +00:00
Michael Starzinger
05f3b27cdd Reland "[flags] Remove some dead Crankshaft flags."
This is a reland of ec6da23bfe
Original change's description:
> [flags] Remove some dead Crankshaft flags.
> 
> R=bmeurer@chromium.org
> BUG=v8:6408
> 
> Change-Id: I34abbcdc2fc47df44938bac0e59f9982c935c657
> Reviewed-on: https://chromium-review.googlesource.com/569963
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46631}

Bug: v8:6408
Change-Id: I8a856e25d56e27bccb79588b2e5ee4369d7c5fe5
Reviewed-on: https://chromium-review.googlesource.com/570050
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46637}
2017-07-13 13:15:34 +00:00
Ross McIlroy
05207b098a [Interpreter] Replace --ignition flag with a --stress-fullcodegen
Removes the --ignition flag which is now on by default. Adds a
--stress-fullcodegen flag which enables running all functions supported
by fullcodegen to be compiled by fullcodegen.

This will enable moving parser internalization later when we are not
stressing fullcodegen or compiling asm.js functions.

BUG=v8:5203, v8:6409, v8:6589

Change-Id: I7fa68016d4e734755434ec0b4e749ef65ffa7f4e
Reviewed-on: https://chromium-review.googlesource.com/565569
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46635}
2017-07-13 13:05:00 +00:00
Michael Starzinger
5d16e866e7 Revert "[flags] Remove some dead Crankshaft flags."
This reverts commit ec6da23bfe.

Reason for revert: Requires infrastructure changes first. Will reland after changes have happened.

Original change's description:
> [flags] Remove some dead Crankshaft flags.
> 
> R=​bmeurer@chromium.org
> BUG=v8:6408
> 
> Change-Id: I34abbcdc2fc47df44938bac0e59f9982c935c657
> Reviewed-on: https://chromium-review.googlesource.com/569963
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46631}

TBR=mstarzinger@chromium.org,bmeurer@chromium.org

Change-Id: Iee077911ae7d877c6a9d2edb548e3c04345b47ce
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6408
Reviewed-on: https://chromium-review.googlesource.com/570049
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46632}
2017-07-13 12:24:56 +00:00
Michael Starzinger
ec6da23bfe [flags] Remove some dead Crankshaft flags.
R=bmeurer@chromium.org
BUG=v8:6408

Change-Id: I34abbcdc2fc47df44938bac0e59f9982c935c657
Reviewed-on: https://chromium-review.googlesource.com/569963
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46631}
2017-07-13 11:56:14 +00:00