Commit Graph

8140 Commits

Author SHA1 Message Date
peterwmwong
bd1f8050b0 [builtins] Add Object#toLocaleString stack check
Fixes a regression causing a seg fault instead of the
expected stack overflow.

Bug: chromium:796427, v8:6005
Change-Id: Ifc752a4009a25f447f5e87745dcc1bb83722c34e
Reviewed-on: https://chromium-review.googlesource.com/838854
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50265}
2017-12-21 14:24:02 +00:00
Daniel Clifford
14cd4b5455 Implement Array.prototype.reduce inlining in TF
Bug: v8:1956,v8:4869
Change-Id: Id5822319c14142be2dd984c922b2b65717b96dee
Reviewed-on: https://chromium-review.googlesource.com/803974
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50261}
2017-12-21 12:31:54 +00:00
Georgia Kouveli
5d10735e18 [arm64] Pad function arguments.
This patch updates the instruction selector and code generator to pad arguments
for arm64 and drop an even number of slots when dropping the arguments. It also
updates the builtins that handle arguments. These changes need to be made at
the same time.

It also adds some tests for forwarding varargs, as this was affected by the
builtin changes and the existing tests did not catch all issues.

Bug: v8:6644
Change-Id: I81318d1d1c9ab2568f84f2bb868d2a2d4cb56053
Reviewed-on: https://chromium-review.googlesource.com/829933
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50259}
2017-12-21 11:05:58 +00:00
Deepti Gandluri
f7601238f1 [wasm] Allocate SAB when memory is shared
When shared memory is defined in the module bytes, and not imported/exported
underlying memory should be a SharedArrayBuffer. This was missing in the
allocate flow during instantiation. Fixed to use a SharedArrayBuffer.

BUG=v8:6532

Change-Id: Ic62ed3fd578a0e03124ee40b273e6a4ea474bba4
Reviewed-on: https://chromium-review.googlesource.com/835348
Reviewed-by: Eric Holk <eholk@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50255}
2017-12-21 01:01:32 +00:00
Mircea Trofin
c8fe2635ea [wasm] Freeze mutability of tables
Bug: v8:7232
Change-Id: I1eed337749686ec749b970b4af56413c5614b980
Reviewed-on: https://chromium-review.googlesource.com/837646
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50253}
2017-12-21 00:37:01 +00:00
Mircea Trofin
f9c9616e62 [wasm] Ensure free-standing tables are rooted.
Bug: chromium:796584
Change-Id: Ib6a62d616d36344f35cad0b0a177f8f07c7fd2ac
Reviewed-on: https://chromium-review.googlesource.com/836849
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50244}
2017-12-20 19:17:12 +00:00
Georg Neis
26e21fa67a [bigint] Increase maximum length.
In a benchmark that I'm looking at, the numbers quickly overflow our
current limit.

This patch increases kMaxLength to the greatest value that's possible
without requiring further code changes.

Bug: v8:6791
Change-Id: I7a0d126dcd566d536375a294fa4dcf10b8823ed7
Reviewed-on: https://chromium-review.googlesource.com/833876
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50240}
2017-12-20 14:49:48 +00:00
Hannes Payer
3b914b2bf5 [heap] Remove --heap-stats.
Bug: 
Change-Id: I53b68e8a4200a87d9f14b9540b52cab316678b2d
Reviewed-on: https://chromium-review.googlesource.com/836593
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50233}
2017-12-20 12:49:06 +00:00
Caitlin Potter
18dc491c7a [builtins] abort FrameFunctionIterator::next if frame summary empty
Previously, FrameFunctionIterator::next() assumed that the frame summary
was non-empty. It's now possible for the list not to be empty, if the
JS microtask pump invokes a builtin function which uses
FrameFunctionIterator directly. While this is unlikely to show up in
real world code, it is necessary to handle it to prevent crashes.

BUG=chromium:794744
R=mstarzinger@chromium.org, cbruni@chromium.org, verwaest@chromium.org

Change-Id: Ie95c2228544f57730d1c6c1ff955b2c94ff1c06b
Reviewed-on: https://chromium-review.googlesource.com/833266
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#50221}
2017-12-20 00:08:35 +00:00
Leszek Swirski
9128e8bf1b [ignition] Move object/array literal init to bytecode gen
Move the object and array literal flag and depth initialization to when
they are visited by the bytecode generator. This avoids issues with
doing this initialization before we know whether the (syntactic) literal
is actually a literal value or a destructuring assignment.

Bug: chromium:795922
Bug: v8:7178
Change-Id: I022178ab4bc9e71f80560f3b78a759d95d4d0584
Reviewed-on: https://chromium-review.googlesource.com/833882
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50204}
2017-12-19 14:50:19 +00:00
Michael Achenbach
4faed83040 Revert "Enable --harmony-function-tostring by default"
This reverts commit c3dda0bbac.

Reason for revert: Breaks gc stress bots:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/14266

Original change's description:
> Enable --harmony-function-tostring by default
>
> Update tests to work with new behavior.
>
> This feature is shipping in Firefox 54, so compatibility risk is low.
>
> R=​littledan@chromium.org, adamk@chromium.org, caitp@igalia.com
> CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
>
> Bug: v8:4958
> Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
> Change-Id: Ib16d19468cf935f961d7bcd856ebbeb5692d3e61
> Reviewed-on: https://chromium-review.googlesource.com/546941
> Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50178}

TBR=adamk@chromium.org,hablich@chromium.org,kozyatinskiy@chromium.org,littledan@chromium.org,caitp@igalia.com,jwolfe@igalia.com

Change-Id: Ie5dd0bd2b97ae6d0126edec6373e48abe0eeb3f0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:4958
Reviewed-on: https://chromium-review.googlesource.com/832649
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50182}
2017-12-19 07:47:35 +00:00
Josh Wolfe
c3dda0bbac Enable --harmony-function-tostring by default
Update tests to work with new behavior.

This feature is shipping in Firefox 54, so compatibility risk is low.

R=littledan@chromium.org, adamk@chromium.org, caitp@igalia.com
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel

Bug: v8:4958
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Ib16d19468cf935f961d7bcd856ebbeb5692d3e61
Reviewed-on: https://chromium-review.googlesource.com/546941
Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50178}
2017-12-18 23:17:17 +00:00
Sigurd Schneider
1103d4cfef [turbofan] Allow deopt in Array.push to disallow speculation
This CL passes feedback from the element kind deopt points
in Array.push to the deoptimizer. If the deopt points are
triggered, further speculation on Array.push is disallowed.

Bug: v8:7127, v8:7204
Change-Id: Ie91dee598bd8b8797110c8f468406327226893a4
Reviewed-on: https://chromium-review.googlesource.com/831523
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50171}
2017-12-18 16:41:37 +00:00
Clemens Hammacher
9a241228cf [asm.js] Fix continue target in for loops
Make sure that a continue still executed the increment part of a for
loop by adding another nested block for the body, which is the break
target for a continue in the body. The increment code lives outside
this block, in the original loop.

R=bradnelson@chromium.org
CC=mstarzinger@chromium.org

Bug: chromium:788916
Change-Id: I178b874ffac16d9237a0f4da097d2742bd93335a
Reviewed-on: https://chromium-review.googlesource.com/832447
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50169}
2017-12-18 16:29:27 +00:00
Michal Majewski
03165cb93b [test] Store expected outcomes in the testcase.
Bug: v8:6917
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I69d15801b79bf7aa846582367e9f3037b6612431
Reviewed-on: https://chromium-review.googlesource.com/829033
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50163}
2017-12-18 14:51:20 +00:00
jgruber
d2f95e189c [regexp] Add 'groups' property to JSRegExpResult objects
See https://github.com/tc39/proposal-regexp-named-groups/pull/40.

The spec is being changed to always create a 'groups' property on
regexp result objects. Its value is undefined if no named captures
exist, and the object containing named captures otherwise.

Bug: v8:7192, v8:5437
Change-Id: I1fb00ffc186c7effd84b5692dcbed420581855c3
Reviewed-on: https://chromium-review.googlesource.com/829137
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50154}
2017-12-18 10:31:28 +00:00
Mythri
f2d85ff163 [Turbofan] Fix instruction selector to handle switch with no case
Instruction selector computes the range of case statement labels
to choose between a table or lookup based switch. We need to special
case this when there are no case statements.

Bug: chromium:794825
Change-Id: I46ef57d17f5e2b99a3570f7f3c4ff06e75d78fab
Reviewed-on: https://chromium-review.googlesource.com/830013
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50153}
2017-12-18 10:17:08 +00:00
jgruber
41e8619069 [regexp] Mark regress-793588 as failing on no_i18n builds
ICU is needed to parse unicode property names.

NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

TBR=mths@chromium.org

Bug: chromium:793588
Change-Id: I7a4cd2885713c490fbc53867079fba69a26cba75
Reviewed-on: https://chromium-review.googlesource.com/831515
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50147}
2017-12-18 09:19:20 +00:00
jgruber
52b4fb00b3 [regexp] Preserve invariant of non-empty character class
The irregexp compiler expects RegExpCharacterClass instances to
contain at least one range. This preserves that invariant when parsing
the negated \P{Any} unicode property.

Bug: chromium:793588
Change-Id: If71fdce014a7e64d8af559084ee88108303d694b
Reviewed-on: https://chromium-review.googlesource.com/827010
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Erik Corry <erikcorry@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50146}
2017-12-18 08:50:39 +00:00
Sigurd Schneider
ffe7919f12 [turbofan] Allow array grow to disable speculation
Add feedback to GrowFastElements operator and thread it
through to the deoptimize node it the lowering. The CL
uses the feedback to allow Array.push to disable speculation
if the grow operation deopts.

Bug: v8:7127, v8:7204
Change-Id: Ib5850a93759b9194c0fc2f191f6adf5d49cb7f55
Reviewed-on: https://chromium-review.googlesource.com/827128
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50145}
2017-12-16 22:49:57 +00:00
Mircea Trofin
1e7bd2e251 [wasm] Fix WasmCompiledFrame::Print
The function wasn't off-the-heap aware.

Bug: chromium:795020
Change-Id: I133dce54e570ff74b1475192882761d2bc377d6f
Reviewed-on: https://chromium-review.googlesource.com/830819
Reviewed-by: Eric Holk <eholk@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50142}
2017-12-15 22:01:16 +00:00
Mircea Trofin
958b78a795 [wasm] Ensure indirect calls happen in the context of the owning instance
Bug: chromium:793714
Change-Id: I8c1ea8a2e27b5a7fe9cd1f8260873057a3bf9fd9
Reviewed-on: https://chromium-review.googlesource.com/826030
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50136}
2017-12-15 17:00:16 +00:00
peterwmwong
61e2f270d8 [turbofan] Array.prototype.findIndex inlining.
Support inlining Array.prototype.findIndex in Turbofan.
Depending on array size, quick benchmarks show a >2x
improvement: https://github.com/peterwmwong/v8-perf/blob/master/array-find-findIndex-tf/README.md

Bug: chromium:791045, v8:1956, v8:7165
Change-Id: I250554885f924c97b0072e09ee289713df5cbe63
Reviewed-on: https://chromium-review.googlesource.com/824382
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50133}
2017-12-15 16:32:26 +00:00
jgruber
0da56e74cf [regexp] Restrict unicode property value expressions
The unicode property escape syntax restricts unicode property names and
unicode property values to consist only of characters taken from the
[a-zA-Z0-9_] character class. See the spec at:

https://tc39.github.io/proposal-regexp-unicode-property-escapes/

In most cases, we do not actually need to validate that this is the
case, since subsequent property lookup in ICU will fail (and throw a
SyntaxError) if the given property does not exist.

However, there one special case. The ICU lookup takes the property name
as a null-terminated string, so it will accept carefully malformed
property names (e.g. '\p{Number\0[}'). This can end up confusing the
regexp parser.

With this CL, we explicitly restrict potential property names / values
to the character set as specified.

Bug: v8:4743, chromium:793793
Change-Id: Ic97deea8602571ec6793b79c4bb858e1c7597405
Reviewed-on: https://chromium-review.googlesource.com/824272
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50130}
2017-12-15 14:17:34 +00:00
Georg Neis
649ab060c0 [compiler] Don't assume a HeapConstant context input is a Context.
In a generator containing loops, there are always certain control flow
paths that are impossible, due to the way we represent generators at the
bytecode level.  Unfortunately, the graph builder can't tell that these
paths are impossible.  In combination with dead code, it can then happen
that we build a subgraph (for unreachable code) whose incoming context
is the undefined oddball.  JSContextSpecialization did not expect that.

Bug: chromium:794822
Change-Id: I259be5ae6c5f5adc8fca19c64bf71285ee922b7a
Reviewed-on: https://chromium-review.googlesource.com/828954
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50129}
2017-12-15 13:47:14 +00:00
Michael Starzinger
4a7eec590c [turbofan] Fix prototype mutation in Object.create lowering.
This makes sure the builtin lowering of Object.create doesn't invalidate
any previously taken dependencies. Aborting compilation after such cases
would lead to repeating optimization attempts without learning, hence we
disallow such situations.

R=verwaest@chromium.org
BUG=chromium:794394,chromium:786723

Change-Id: I6b6928cab19692bbbe3cd241ade862a2306eb0c7
Reviewed-on: https://chromium-review.googlesource.com/827066
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50128}
2017-12-15 12:36:34 +00:00
Jaroslav Sevcik
d6e68f4334 Reland "[deoptimizer] Use empty fixed array when materializing empty arguments elements."
This reverts commit 917b9cb9fc.

In this CL, we canonicalize the fixed array when allocating storage for
empty fixed array. During initialization, we also make sure that we do
not write to the empty fixed array. This is quite hacky, but it
seems to be the least intrusive change.

Bug: chromium:793863
Change-Id: I1449ebac7c1e390467566a759bf70e7e2fabda31
Reviewed-on: https://chromium-review.googlesource.com/827013
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50119}
2017-12-15 05:55:39 +00:00
Igor Sheludko
4a596cf518 [ic] Unify handling of Load/StoreHandler objects in load/store IC dispatchers.
This CL also adds support for "lookup on dictionary receivers" to store ICs.

Bug: v8:7206, v8:5561
Change-Id: Icebbc2d52c71f5d25b43f2f2a8adf674e4ec2cbc
Reviewed-on: https://chromium-review.googlesource.com/819232
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50113}
2017-12-14 15:14:16 +00:00
Sathya Gunasekaran
e3790896c7 [promise] Remove IsPromise brand check in PromiseFinally
The IsPromise brand check is now replaced with an IsObject check.

The spec was changed here:
a1628886f8

Bug: v8:7095
Change-Id: I5668083c888f9efcdfc1491c919c810c75d73ac7
Reviewed-on: https://chromium-review.googlesource.com/826606
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50108}
2017-12-14 13:00:04 +00:00
Sigurd Schneider
674402fff0 [turbofan] Disable speculation on Array.push if map check fails
Bug: v8:7204, v8:7127
Change-Id: Id99b0e83385275508a9e7f46e17bb8263f7b256a
Reviewed-on: https://chromium-review.googlesource.com/826626
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50103}
2017-12-14 10:26:00 +00:00
Michael Hablich
917b9cb9fc Revert "[deoptimizer] Use empty fixed array when materializing empty arguments elements."
This reverts commit bee8c16895.

Reason for revert: blocks roll https://chromium-review.googlesource.com/c/chromium/src/+/822232

Original change's description:
> [deoptimizer] Use empty fixed array when materializing empty arguments elements.
>
> Bug: chromium:793863
> Change-Id: I68860924c3252184f63dbea8561e5c4fe6bfa4ca
> Reviewed-on: https://chromium-review.googlesource.com/822071
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50028}

TBR=jarin@chromium.org,tebbi@chromium.org

NOTRY=true

Bug: chromium:793863
Change-Id: Iee622cd96333671277029fdd766f4ea137c9efc2
Reviewed-on: https://chromium-review.googlesource.com/826962
Commit-Queue: Michael Hablich <hablich@chromium.org>
Reviewed-by: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50098}
2017-12-14 08:33:20 +00:00
Sigurd Schneider
9d3e0774c9 [turbofan] Add support for updating feedback via CheckBounds
Add support for disallowing speculation upon deoptimize from
a CheckBound node, and use this in the case of array builtins
in js-call-reducer to prevent deoptimization loops.

Bug: v8:7127
Change-Id: I04cf655b10178d2938d2f0ee6b336601fab6463b
Reviewed-on: https://chromium-review.googlesource.com/822195
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50097}
2017-12-14 08:13:10 +00:00
Junliang Yan
cae7667c19 PPC/s390: Reland [turbofan] Implement on-stack returns (Intel)
Port bd732f7ddd

Original Commit Message:

    The original CL introduced a test which uses a random number generator.
    I disable the test for now, which is okay because this CL adds to a
    work-in-progress feature anyways, and I will fix the problem in another
    CL.

    Original description:
    Add the ability to return (multiple) return values on the stack:

    - Extend stack frames with a new buffer region for return slots.
      This region is located at the end of a caller's frame such that
      its slots can be indexed as caller frame slots in a callee
      (located beyond its parameters) and assigned return values.
    - Adjust stack frame constructon and deconstruction accordingly.
    - Extend linkage computation to support register plus stack returns.
    - Reserve return slots in caller frame when respective calls occur.
    - Introduce and generate architecture instructions ('peek') for
      reading back results from return slots in the caller.
    - Aggressive tests.
    - Some minor clean-up.

    So far, only ia32 and x64 are implemented.

R=ahaas@chromium.org, joransiu@ca.ibm.com, jbarboza@ca.ibm.com
BUG=
LOG=N

Change-Id: I8d63286aa5af5f52cc2eeaf2adeee13d0ff19e7d
Reviewed-on: https://chromium-review.googlesource.com/823084
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50091}
2017-12-13 20:06:06 +00:00
Ulan Degenbaev
3ecb047aba [runtime] Decrease the maximum number of descriptors.
This ensures that MigrateFastToFast does not overflow the length of the
property array.

Bug: chromium:789393
Change-Id: I77adc319c1c8c469ea482bad35ead8661d535192
Reviewed-on: https://chromium-review.googlesource.com/824167
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50086}
2017-12-13 18:59:26 +00:00
Michal Majewski
c8102945af [test] Code cleanup in testcfg.py
- All testcase/testsuite/variant generator subclasses renamed to
  just TestCase/TestSuite/VariantGenerator since they're private
  implementation.
- All `testcase` variables renamed to `test` to not conflict with
  a module name.
- No more two statements in the same line.
- Removed some unused testsuite methods.

Bug: v8:6917
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I7710f3419f738a5f9ddca73765dd2cad2e35b952
Reviewed-on: https://chromium-review.googlesource.com/823964
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michał Majewski <majeski@google.com>
Cr-Commit-Position: refs/heads/master@{#50076}
2017-12-13 13:36:20 +00:00
Sigurd Schneider
6630a1f111 [turbofan] Disallow speculation after deopt from array builtin
This disallows speculation after deoptimization from any of
Array.{forEach,map,filter,find} due to CheckMap fails. Such
CheckMap fails happen if the builtins' function argument
causes the map of the array to change. The js-call-lowering
refrains from optimizing builtins for which speculation was
disallowed.

Bug: v8:6898, v8:7127
Change-Id: Ied6696f8fb023ee404fb82e9d37bfb061f293854
Reviewed-on: https://chromium-review.googlesource.com/819354
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50069}
2017-12-13 10:33:16 +00:00
Michal Majewski
08a05c2bff [test] Move data access from suite to test.
- create testcase subclass for each test
- move get_command, get_source from suite to test
- promises-aplus tests are broken
- moving expected outcomes etc. is still in progress

Bug: v8:6917
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I006e64ecf51dda95c41dff88c68b24f17a638566
Reviewed-on: https://chromium-review.googlesource.com/798331
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50065}
2017-12-13 09:14:47 +00:00
peterwmwong
e2ce2e0aff [turbofan] Fix Array.p.find handling of holes in double elements
Bug: chromium:791045, v8:1956
Change-Id: I1400fc95b78e0f4771867d136377b14aed5bd4f4
Reviewed-on: https://chromium-review.googlesource.com/819510
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50061}
2017-12-13 05:38:17 +00:00
Marja Hölttä
10d9c31488 [parser] Fix NaryOperation positions.
If an initializer is a NaryOperation, its position ends up as a start position
of a Scope, and a DCHECK used to fire.

Interestingly, this was not caught by our existing tests.

BUG=chromium:791256

Change-Id: Id47f850c7ad17ca580352f9bd56c9567b485c3b8
Reviewed-on: https://chromium-review.googlesource.com/822093
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50051}
2017-12-12 18:54:03 +00:00
Georg Neis
585b39f53a Reland "Fix "this" value in lazily-parsed module functions."
This is a reland of c3bd741efd
Original change's description:
> Fix "this" value in lazily-parsed module functions.
>
> When preparsing top-level functions in a module, we didn't track
> unresolved variables. Consequently, "this" ended up referencing
> the global "this", which has the wrong value (in a module "this"
> is supposed to be the undefined value).
>
> This patch fixes that. This also lets us stop forcing context
> allocation of all variables in module scopes, which the patch
> takes care of as well.
>
> Bug: chromium:791334
> Change-Id: Ifac1f1adc033f3facfb3d29dd4bca32ee27bffcf
> Reviewed-on: https://chromium-review.googlesource.com/808938
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50025}

TBR=adamk@chromium.org
TBR=kozyatinskiy@chromium.org

Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel

Bug: chromium:791334
Change-Id: I57acc7b84a345565b36cbb55924fa2ff9b449eec
Reviewed-on: https://chromium-review.googlesource.com/822341
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50045}
2017-12-12 17:23:35 +00:00
Michael Achenbach
62f09de9ab Revert "Fix "this" value in lazily-parsed module functions."
This reverts commit c3bd741efd.

Reason for revert: Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/20384

Original change's description:
> Fix "this" value in lazily-parsed module functions.
> 
> When preparsing top-level functions in a module, we didn't track
> unresolved variables. Consequently, "this" ended up referencing
> the global "this", which has the wrong value (in a module "this"
> is supposed to be the undefined value).
> 
> This patch fixes that. This also lets us stop forcing context
> allocation of all variables in module scopes, which the patch
> takes care of as well.
> 
> Bug: chromium:791334
> Change-Id: Ifac1f1adc033f3facfb3d29dd4bca32ee27bffcf
> Reviewed-on: https://chromium-review.googlesource.com/808938
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50025}

TBR=adamk@chromium.org,marja@chromium.org,neis@chromium.org,kozyatinskiy@chromium.org

Change-Id: I81f69334ed2ce104c00e6205d50001e4bdf07d15
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:791334
Reviewed-on: https://chromium-review.googlesource.com/822258
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50036}
2017-12-12 14:08:25 +00:00
Michal Majewski
4f4654a013 [test] Deduplicate parsing source file flags.
Bug: v8:6917
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I12d62e28b8e22820d4358d0166fa5db5e09b8bc3
Reviewed-on: https://chromium-review.googlesource.com/819630
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50033}
2017-12-12 13:12:18 +00:00
Andreas Haas
bd732f7ddd Reland [turbofan] Implement on-stack returns (Intel)
The original CL introduced a test which uses a random number generator.
I disable the test for now, which is okay because this CL adds to a
work-in-progress feature anyways, and I will fix the problem in another
CL.

Original description:
Add the ability to return (multiple) return values on the stack:

- Extend stack frames with a new buffer region for return slots.
  This region is located at the end of a caller's frame such that
  its slots can be indexed as caller frame slots in a callee
  (located beyond its parameters) and assigned return values.
- Adjust stack frame constructon and deconstruction accordingly.
- Extend linkage computation to support register plus stack returns.
- Reserve return slots in caller frame when respective calls occur.
- Introduce and generate architecture instructions ('peek') for
  reading back results from return slots in the caller.
- Aggressive tests.
- Some minor clean-up.

So far, only ia32 and x64 are implemented.

Change-Id: I8b03fc4e53946daaa0e14a34603f4824a04fad7e
Reviewed-on: https://chromium-review.googlesource.com/819557
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50031}
2017-12-12 13:09:05 +00:00
Benjamin
f5a12d8661 [coverage] include 'else' in coverage range
'else' was missing in coverage range, resulting in odd looking reports

R=jgruber@chromium.org

Bug: v8:7179
Change-Id: I377cc557d51075256da27febdc8ab5442ea04d27
Reviewed-on: https://chromium-review.googlesource.com/816736
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50030}
2017-12-12 13:04:43 +00:00
Jaroslav Sevcik
bee8c16895 [deoptimizer] Use empty fixed array when materializing empty arguments elements.
Bug: chromium:793863
Change-Id: I68860924c3252184f63dbea8561e5c4fe6bfa4ca
Reviewed-on: https://chromium-review.googlesource.com/822071
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50028}
2017-12-12 12:56:13 +00:00
Michael Achenbach
256bb274d1 [test] Skip memory-hungry test for gc fuzzer with tsan
TBR=majeski@google.com
NOTRY=true

Bug: v8:6972
Change-Id: I80f392c97e4120dc81745346b36f9c505da13461
Reviewed-on: https://chromium-review.googlesource.com/822410
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50027}
2017-12-12 12:45:13 +00:00
Georg Neis
c3bd741efd Fix "this" value in lazily-parsed module functions.
When preparsing top-level functions in a module, we didn't track
unresolved variables. Consequently, "this" ended up referencing
the global "this", which has the wrong value (in a module "this"
is supposed to be the undefined value).

This patch fixes that. This also lets us stop forcing context
allocation of all variables in module scopes, which the patch
takes care of as well.

Bug: chromium:791334
Change-Id: Ifac1f1adc033f3facfb3d29dd4bca32ee27bffcf
Reviewed-on: https://chromium-review.googlesource.com/808938
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50025}
2017-12-12 12:09:49 +00:00
Michal Majewski
22eac2e987 [test] Code cleanup in test suites.
Some refactor moved from
https://chromium-review.googlesource.com/c/v8/v8/+/798331.

Bug: v8:6917
Change-Id: I8cae6cfca7a0d7d8e234052c0ab0bfe252355e60
Reviewed-on: https://chromium-review.googlesource.com/819550
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50020}
2017-12-12 08:54:52 +00:00
Andreas Haas
943ccb9895 Revert "[turbofan] Implement on-stack returns (Intel)"
This reverts commit 1e49864fa7.

Reason for revert: Crashing test on the waterfall https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Linux_gcc_4.8%2F16871%2F%2B%2Frecipes%2Fsteps%2FCheck%2F0%2Flogs%2FReturnMultipleRandom%2F0

Original change's description:
> [turbofan] Implement on-stack returns (Intel)
> 
> Add the ability to return (multiple) return values on the stack:
> 
> - Extend stack frames with a new buffer region for return slots.
>   This region is located at the end of a caller's frame such that
>   its slots can be indexed as caller frame slots in a callee
>   (located beyond its parameters) and assigned return values.
> - Adjust stack frame constructon and deconstruction accordingly.
> - Extend linkage computation to support register plus stack returns.
> - Reserve return slots in caller frame when respective calls occur.
> - Introduce and generate architecture instructions ('peek') for
>   reading back results from return slots in the caller.
> - Aggressive tests.
> - Some minor clean-up.
> 
> So far, only ia32 and x64 are implemented.
> 
> Change-Id: I9532ad13aa307c1dec40548c5b84600fe2f762ce
> Reviewed-on: https://chromium-review.googlesource.com/766371
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49994}

TBR=titzer@chromium.org,rossberg@chromium.org,ahaas@chromium.org

Change-Id: Ib257e92448942f8ef07d5ef246f9381f4784f014
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/819637
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50000}
2017-12-11 16:54:57 +00:00
Andreas Haas
1e49864fa7 [turbofan] Implement on-stack returns (Intel)
Add the ability to return (multiple) return values on the stack:

- Extend stack frames with a new buffer region for return slots.
  This region is located at the end of a caller's frame such that
  its slots can be indexed as caller frame slots in a callee
  (located beyond its parameters) and assigned return values.
- Adjust stack frame constructon and deconstruction accordingly.
- Extend linkage computation to support register plus stack returns.
- Reserve return slots in caller frame when respective calls occur.
- Introduce and generate architecture instructions ('peek') for
  reading back results from return slots in the caller.
- Aggressive tests.
- Some minor clean-up.

So far, only ia32 and x64 are implemented.

Change-Id: I9532ad13aa307c1dec40548c5b84600fe2f762ce
Reviewed-on: https://chromium-review.googlesource.com/766371
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49994}
2017-12-11 14:26:09 +00:00