The bot is at its resource limits.
TBR=yangguo@chromium.org,jgruber@chromium.org
NOTRY=true
Change-Id: I40520aa7ec8a85a16cce2c9f17544d6fb68166bb
Reviewed-on: https://chromium-review.googlesource.com/490087
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44973}
When a FunctionTemplate-based function is used as a constructor
and returns a JSProxy, we incorrectly treated that result the same
as a non-object result. Now it is treated like any other object
result, i.e., it becomes the result of the constructor call.
R=verwaest@chromium.org
BUG=v8:6294
Review-Url: https://codereview.chromium.org/2845123002
Cr-Commit-Position: refs/heads/master@{#44970}
This reduces the amount of special paths for testing.
Setup the memory used for testing exactly the same way as in real world.
Also, always connect the interpreter to the instance being executed,
and to the existing WasmInstance struct. This keeps information
synchronized between interpreter and test runner.
These changes allow us to execute e.g. GrowMemory from cctests either
in the interpreter or in compiled code.
R=ahaas@chromium.org
Change-Id: Id4726d061f3cdba789275350f500d769d27d2d63
Reviewed-on: https://chromium-review.googlesource.com/488561
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44966}
The spec requires that a null @@split / @@replace symbol is treated exactly the
same as if it were undefined, i.e. execution should move on to the default
implementation instead of throwing a TypeError.
BUG=v8:6313
Review-Url: https://codereview.chromium.org/2845153002
Cr-Commit-Position: refs/heads/master@{#44959}
It now passes on both 32-bit and 64-bit nosnap bots.
TBR=ulan@chromium.org
NOTREECHECKS=true
Change-Id: Id797c88f1eb32868433e112883c2c64b8640eb2c
Reviewed-on: https://chromium-review.googlesource.com/489682
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44953}
These tests assume that a newly-created Isolate is pristine, but that's
not true for nosnap builds.
TBR=ulan@chromium.org
Change-Id: Ie5d0fb0450f285c8eeb8e088feef6729102c0f14
Reviewed-on: https://chromium-review.googlesource.com/489063
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44952}
With fix for architectures where x<<32 != x.
Original change's description:
> [base] Introduce RoundUpToPowerOfTwo64
>
> And fix RoundUpToPowerOfTwo32 to return 1 for the input 0.
> 0 is no power of two.
> Beside being the correct value, this also avoids a special case in the
> (new) fast path using the number of leading zeros.
>
> R=jochen@chromium.org, ahaas@chromium.org
>
> Change-Id: I87173495e13b334954bcebbb55724fb666dfa809
> Reviewed-on: https://chromium-review.googlesource.com/488143
> Reviewed-by: Jochen Eisinger <jochen@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44925}
TBR=ahaas@chromium.org,jochen@chromium.org,clemensh@chromium.org,v8-reviews@googlegroups.com
Change-Id: I7b4719d84a419bb7b38e3b5c9d6d183275087ace
Reviewed-on: https://chromium-review.googlesource.com/488981
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44951}
Most callers passed kFinalizeIncrementalMarkingMask, so use that as
a default argument (not using default argument syntax to avoid including
heap.h in cctest.h).
Change-Id: I904f1eb3a0f5fdbe63eab16f6a6f01d04618645d
Reviewed-on: https://chromium-review.googlesource.com/488104
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44950}
When branching to a loop header, we were trying to copy over {arity}
values from the value stack. This is correct for block labels, but not
for loops. When branching back to a loop header, no values need to be
transferred.
R=ahaas@chromium.org
BUG=chromium:715454
Change-Id: I90d806de63d039abf8dcac1abec057860c8f69ca
Reviewed-on: https://chromium-review.googlesource.com/488146
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44949}
With this CL we reduce the difference between directly using a null prototype
in a literal or using Object.create(null).
- The EmitFastCloneShallowObject builtin now supports cloning slow
object boilerplates.
- Unified behavior to find the matching Map and instantiating it for
Object.create(null) and literals with a null prototype.
- Cleanup of literal type parameter of CompileTimeValue, now in sync with
ObjectLiteral flags.
Review-Url: https://codereview.chromium.org/2445333002
Cr-Commit-Position: refs/heads/master@{#44941}
I moved the wasm update scripts from tools/ to tools/wasm. In addition
I cleaned up the scripts a bit.
R=machenbach@chromium.org
Change-Id: I545dd556712e272e6509b78e343e9063346abe56
Reviewed-on: https://chromium-review.googlesource.com/488601
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44940}
This makes sure that asm.js modules can only be instantiated with a
valid {ArrayBuffer} as the underlying heap buffer for all cases where
accepting anything else would be observably different from JavaScript
proper.
R=clemensh@chromium.org
TEST=mjsunit/asm/asm-memory
BUG=chromium:715505,chromium:715748
Change-Id: I355686200151c5667bf836824de922d657a8d943
Reviewed-on: https://chromium-review.googlesource.com/488521
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44938}
This reverts commit 9ceaf21272.
Reason for revert: Fails on arm: http://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/2950/steps/Check/logs/Bits.RoundUpToPowerOf..
Original change's description:
> [base] Introduce RoundUpToPowerOfTwo64
>
> And fix RoundUpToPowerOfTwo32 to return 1 for the input 0.
> 0 is no power of two.
> Beside being the correct value, this also avoids a special case in the
> (new) fast path using the number of leading zeros.
>
> R=jochen@chromium.org, ahaas@chromium.org
>
> Change-Id: I87173495e13b334954bcebbb55724fb666dfa809
> Reviewed-on: https://chromium-review.googlesource.com/488143
> Reviewed-by: Jochen Eisinger <jochen@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44925}
TBR=ahaas@chromium.org,jochen@chromium.org,clemensh@chromium.org,v8-reviews@googlegroups.com,wasm-v8@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Change-Id: Ib353ee0a944316da6f919bac3bb88d4f95d98ea0
Reviewed-on: https://chromium-review.googlesource.com/488365
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44935}
The spec tests are stored on a mirror and are downloaded with the DEPS
file. The test files on the mirror are updated with a script which has
to be executed manually.
This CL contains the following changes:
* A script which updates the spec tests and uploads the generated files
to the mirror.
* Changes to the DEPS file to download the files from the mirror.
* Changes so that tools/run-tests.py can run the spec tests.
R=machenbach@chromium.org, rossberg@chromium.org
Change-Id: Ia50d09bb1501c0c0f1d1506aa3657a3aa69c2864
Reviewed-on: https://chromium-review.googlesource.com/488083
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44933}
For int16 imm values Subu would emit addiu with -imm value, but doing
this with min_int16 would overflow and produce incorrect result. This is
fixed by checking if -imm is int16. A test for this case is created.
An optimization is also added for values imm where we cannot just emit
addiu and loading -imm to a register takes one instruction using ori.
Then instead of loading imm with lui;ori and subtracting with subu, we
can load -imm with ori and add with addu.
BUG=
TEST=cctest/test-assembler-mips/Subu
Review-Url: https://codereview.chromium.org/2845043002
Cr-Commit-Position: refs/heads/master@{#44932}
This also fixes incorrect type for fixed array accesses.
BUG=chromium:715651,v8:6309,chromium:715204
Review-Url: https://codereview.chromium.org/2848583002
Cr-Commit-Position: refs/heads/master@{#44926}
And fix RoundUpToPowerOfTwo32 to return 1 for the input 0.
0 is no power of two.
Beside being the correct value, this also avoids a special case in the
(new) fast path using the number of leading zeros.
R=jochen@chromium.org, ahaas@chromium.org
Change-Id: I87173495e13b334954bcebbb55724fb666dfa809
Reviewed-on: https://chromium-review.googlesource.com/488143
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44925}
This reverts commit d7cdea6fa2.
Reason for revert: Flakiness on bots
Original change's description:
> [wasm] Add guard pages before Wasm Memory
>
> Although Wasm memory indices are all unsigned, they sometimes get assembled
> as 32-bit signed immediates. Values in the top half of the Wasm memory space
> will then get sign extended, causing Wasm to access in front of its memory
> buffer.
>
> Usually this region is not mapped anyway, so faults still happen as they are
> supposed to. This change protects this region with guard pages so we are
> guaranteed to always fault when this happens.
>
> Bug: v8:5277
> Change-Id: Id791fbe2a5ac1b1d75460e65c72b5b9db2a47ee7
> Reviewed-on: https://chromium-review.googlesource.com/484747
> Commit-Queue: Eric Holk <eholk@chromium.org>
> Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44905}
TBR=bradnelson@chromium.org,gdeepti@chromium.org,mtrofin@chromium.org,eholk@chromium.org,mseaborn@chromium.org,adamk@chromium.org,v8-reviews@googlegroups.com,wasm-v8@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Change-Id: Ia1d3e5dbf4f518815a9fd4197047077bc8e42816
Reviewed-on: https://chromium-review.googlesource.com/487828
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44907}
Clearing out the constructor field is invalid in the case where the
function's map has transitioned since the last SetPrototype call.
Bug: chromium:714972
Change-Id: Ie918702a128219c4995b805f7c9a53b41cc4e4b6
Reviewed-on: https://chromium-review.googlesource.com/486130
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44906}
Although Wasm memory indices are all unsigned, they sometimes get assembled
as 32-bit signed immediates. Values in the top half of the Wasm memory space
will then get sign extended, causing Wasm to access in front of its memory
buffer.
Usually this region is not mapped anyway, so faults still happen as they are
supposed to. This change protects this region with guard pages so we are
guaranteed to always fault when this happens.
Bug: v8:5277
Change-Id: Id791fbe2a5ac1b1d75460e65c72b5b9db2a47ee7
Reviewed-on: https://chromium-review.googlesource.com/484747
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44905}
This still doesn't cover all the paths yet, since some paths are
impossible to trigger at this point due to the way the CanInlineCall
predicate works on the AllocationSite, which says multiple things:
- In case of Array(len), the len was always a Smi so far.
- In case of Array(...args), storing the args didn't change the
elements kind.
- In case of Array(len), the len was always less than the initial
maximum fast element array size.
These conditions are tailored towards Crankshaft and don't really
make a lot of sense in the TurboFan world. We'd need more fine
grained protections, which we will achieve by refactoring the Array
constructor.
BUG=chromium:715404,v8:6262
TBR=machenbach@chromium.org
Review-Url: https://codereview.chromium.org/2843033002
Cr-Commit-Position: refs/heads/master@{#44901}
For holey Smi and double source arrays, we would go to the general
case, which is much slower than before. We already check that there
are no prototype chain changes in IterableToListCanBeElided, and
there is no JS-code run between that check and the copying of the
elements, so we can safely check for the hole and convert it to
undefined, which is then converted to 0/NaN appropriately for the
given TypedArray.
Bug: chromium:713570,chromium:711275
Change-Id: I5b21c915907d71eebb73b7b1eea8eb58b4a5436d
Reviewed-on: https://chromium-review.googlesource.com/485520
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44899}
Reason for revert:
Field representation is not preserved
Original issue's description:
> [turbofan] Set proper representation for initial arguments length.
>
> The JSArgumentsObject::length representation is initially Smi, so we can
> record that on the initial map and use it to optimize the accesses in
> TurboFan based on that. Similar for JSSloppyArgumentsObject::caller.
>
> BUG=v8:6262
> R=yangguo@chromium.org
>
> Review-Url: https://codereview.chromium.org/2810333004
> Cr-Commit-Position: refs/heads/master@{#44644}
> Committed: 5eec7df9b3TBR=yangguo@chromium.org,bmeurer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:6262
Review-Url: https://codereview.chromium.org/2825323002
Cr-Commit-Position: refs/heads/master@{#44893}
This makes sure that the observable property order of the module export
maintains insertion order. Now that properties are configurable, we no
longer need to reverse the export processing.
R=clemensh@chromium.org
TEST=mjsunit/asm/asm-validation
BUG=chromium:715420
Change-Id: Ib2024254c07bdad7fee1cf2fa0bd3e847721f5b5
Reviewed-on: https://chromium-review.googlesource.com/488022
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44891}
This fixes the bounds checking of "unsigned" numeric literals (those
that do not contains dots) by the parser. In particular this fixes a
bogus truncation to 32-bit in the scanner. It also makes the scanner
more robust by limiting the range of those numeric literals, hence
completely avoiding rounding loss or truncation errors.
R=clemensh@chromium.org
TEST=unittests/AsmJsScannerTest.UnsignedNumbers
BUG=v8:6298
Change-Id: Id31ab3c652e99fa8d3d6663315768e1bfaf3b773
Reviewed-on: https://chromium-review.googlesource.com/486881
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44890}
Only create a singleton array for Array(len) if Type(len) cannot be
Number, otherwise we might need to throw an exception instead.
BUG=chromium:715404
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2838123004
Cr-Commit-Position: refs/heads/master@{#44886}
The only users of the LoadStoreOpcodeOf function were a number of
macros in wasm-macro-gen.h, and three test functions using it directly.
This CL refactors those functions to also use the macros.
In one case, this requires storing the value in a local variable first.
R=ahaas@chromium.org
Change-Id: Ia2fbf67a3831fafc9345e155eb240cf1bf6feb5d
Reviewed-on: https://chromium-review.googlesource.com/486842
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44885}
Update the json file in js-perf-test with compare bytecode handler tests.
This cl (https://chromium-review.googlesource.com/c/485522/) adds new
tests but not all of them are updated in the json file.
Bug:v8:4280
Change-Id: Ifd1f479b770a4277fbba1de51ca2f7cbc26003cb
Reviewed-on: https://chromium-review.googlesource.com/487961
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44879}
Although we currently only support up to 1GB memory, we want to raise
this issue in the future. This test illustrates several issues we need
to be sure to fix first.
Bug: v8:6306
Change-Id: I362b7a9e51e8eb33a50e3b172a6f01d41995c3cb
Reviewed-on: https://chromium-review.googlesource.com/487047
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44876}
