Many mjsunit tests (as well as the promises-aplus adapter scripts) were
using Object.observe simply for microtask-enqueueing purposes. Replaced
such uses with %EnqueueMicrotask.
Review URL: https://codereview.chromium.org/1246933002
Cr-Commit-Position: refs/heads/master@{#29779}
Prior to this patch, we enter a global debug mode whenever a break point
is set. By entering this mode, all code is deoptimized and activated
frames are recompiled and redirected to newly compiled debug code.
After this patch, we only deoptimize/redirect for functions we want to
debug. Trigger for this is Debug::EnsureDebugInfo, and having DebugInfo
object attached to the SFI prevents optimization/inlining.
The result is that we can have optimized code for functions without break
points alongside functions that do have break points, which are not
optimized.
R=mstarzinger@chromium.org, ulan@chromium.org
BUG=v8:4132
LOG=Y
Review URL: https://codereview.chromium.org/1233073005
Cr-Commit-Position: refs/heads/master@{#29758}
- Test that TypedArray properties cannot be set in strict mode
Properties like %TypedArray%.prototype.length have a getter and no
setter. This test verifies that property, which was apparently not
true in the past or had no test ensuring throwing in this case.
- Test that TypedArray integer indexed properties (array elements)
are not configurable
Both of these have passed for some time, but there are open bugs against
them and apparently no tests verifying that they are fixed.
BUG=v8:3048, v8:3799
LOG=N
R=adamk
Review URL: https://codereview.chromium.org/1232843005
Cr-Commit-Position: refs/heads/master@{#29717}
This is a change from ES5 to ES6: When reversing an array, first it is checked
whether the element exists, before the element is looked up. The order in ES6
is
[[HasElement]] lower
[[Get]] lower (if present)
[[HasElement]] upper
[[Get]] upper (if present)
In ES5, on the other hand, the order was
[[Get]] lower
[[Get]] upper
[[HasElement]] lower
[[HasElement]] upper
To mitigate the performance impact, this patch implements a new, third copy
of reversing arrays if %_HasPackedElements. This allows us to skip all
membership tests, and a quick and dirty benchmark shows that the new version
is faster:
Over 4 runs, the slowest for the new version:
d8> var start = Date.now(); for (var i = 0; i < 100000000; i++) [1, 2, 3, 4, 5].reverse(); Date.now() - start
4658
Over 3 runs, the fastest for the old version:
d8> var start = Date.now(); for (var i = 0; i < 100000000; i++) [1, 2, 3, 4, 5].reverse(); Date.now() - start
5176
BUG=v8:4223
R=adamk
LOG=Y
Review URL: https://codereview.chromium.org/1238593003
Cr-Commit-Position: refs/heads/master@{#29716}
This CL exposes the constructor function, defines type related
information, and implements value type semantics.
It also refactors test/mjsunit/samevalue.js to test SameValue and SameValueZero.
TEST=test/mjsunit/harmony/simd.js, test/cctest/test-simd.cc
LOG=Y
BUG=v8:4124
Committed: https://crrev.com/e5ed3bee99807c502fa7d7a367ec401e16d3f773
Cr-Commit-Position: refs/heads/master@{#29689}
Review URL: https://codereview.chromium.org/1219943002
Cr-Commit-Position: refs/heads/master@{#29712}
This makes the implicit initializing assignment to 'this' performed
after a super constructor call explicit in the AST. It removes the
need to handle the special case where a CallExpression behaves like a
AssignmentExpression from various AstVisitor implementations.
R=rossberg@chromium.org
Review URL: https://codereview.chromium.org/1226123010
Cr-Commit-Position: refs/heads/master@{#29705}
This CL exposes the constructor function, defines type related
information, and implements value type semantics.
It also refactors test/mjsunit/samevalue.js to test SameValue and SameValueZero.
TEST=test/mjsunit/harmony/simd.js, test/cctest/test-simd.cc
LOG=Y
BUG=v8:4124
Review URL: https://codereview.chromium.org/1219943002
Cr-Commit-Position: refs/heads/master@{#29689}
During parsing, we now keep track of the first spread seen in an array
literal (if any), and make use of that information when creating the
FixedArray backing store representing the constant elements for array
literal materialization.
The old code tried to do this by setting the generated JSArray's length
in ArrayLiteral::BuildConstantElements(), but that Array length is never
read by the rest of the literal materialization code (it always uses
the length of the FixedArray backing store).
BUG=v8:4298
LOG=n
Review URL: https://codereview.chromium.org/1225223004
Cr-Commit-Position: refs/heads/master@{#29684}
By not having to patch the return sequence (we patch the debug
break slot right before it), we don't overwrite it and therefore
don't have to keep the original copy of the code around.
R=ulan@chromium.org
BUG=v8:4269
LOG=N
Review URL: https://codereview.chromium.org/1234833003
Cr-Commit-Position: refs/heads/master@{#29672}
A sloppy mode eval call that establishes strict mode will leak that strictness
into the sloppy surrounding scope on recompile. This changes the structure
of the type feedback vector for the function and crashes follow.
The fix is straightforward.
BUG=491536, 503565
LOG=N
Review URL: https://codereview.chromium.org/1231343003
Cr-Commit-Position: refs/heads/master@{#29671}
Note: the previous try was reverted for occasional flaky tests. This continued
after the revert, and should be fixed by
https://codereview.chromium.org/1226143003.
Previously, the serialization code would call Externalize for every transferred
ArrayBuffer or SharedArrayBuffer, but that function can only be called once. If
the buffer is already externalized, we should call GetContents instead.
Also fix use-after-free bug when transferring ArrayBuffers. The transferred
ArrayBuffer must be internalized in the new isolate, or be managed by the
Shell. The current code gives it to the isolate externalized and frees it
immediately afterward when the SerializationData object is destroyed.
BUG=chromium:497295
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1223813008
Cr-Commit-Position: refs/heads/master@{#29658}
--debug-code causes full-codegen on arm64 to emit different number
of calls, which confuses the debugger when on-stack replacing code
with recompiled debug version on-stack.
BUG=chromium:507070
TBR=mstarzinger@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/1228353004
Cr-Commit-Position: refs/heads/master@{#29638}
The new implemtation counts the number of calls (or continuations)
before the PC to find the corresponding PC in the new code.
R=mstarzinger@chromium.org
BUG=chromium:507070
LOG=N
Review URL: https://codereview.chromium.org/1235603002
Cr-Commit-Position: refs/heads/master@{#29636}
Until now, TF-generated code stubs piggy-backed off of the builtin
context. Since generation of code stubs is lazy, stubs generated at
different times in different native contexts would contain embedded
pointers different builtin contexts, leading to cross-context references
and memory leaks.
After this CL, all TF-generated code stubs are generated inside a
internal thinned-out, native context that lives solely for the
purpose of hosting generated code stubs.
Review URL: https://codereview.chromium.org/1213203007
Cr-Commit-Position: refs/heads/master@{#29593}
For now it uses a pretty slow path for accessing strings by wrapping it into a new temporary wrapper.
BUG=v8:4042, v8:3088
LOG=y
Review URL: https://codereview.chromium.org/1221303019
Cr-Commit-Position: refs/heads/master@{#29576}
Break point at calls are currently set via IC. To change this, we
need to set debug break slots instead. We also need to distinguish
those debug break slots as calls to support step-in.
To implement this, we add a data field to debug break reloc info to
indicate non-call debug breaks or in case of call debug breaks, the
number of arguments. We can later use this to find the callee on the
evaluation stack in Debug::PrepareStep.
BUG=v8:4269
R=ulan@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/1222093007
Cr-Commit-Position: refs/heads/master@{#29561}
Instead of updating the SharedFuntionInfo set the name property on
the function directly.
BUG=v8:4278
LOG=N
R=verwaest@chromium.org, littledan@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1227523003
Cr-Commit-Position: refs/heads/master@{#29558}
When quit() is called, d8 shell exits without cleanup. If a worker is running,
it might be holding the context_mutex_, which if destroyed will DCHECK.
BUG=4279
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1231473002
Cr-Commit-Position: refs/heads/master@{#29557}
The function returned from Function.prototype.bind should have the same
[[Prototype]] as the receiver.
BUG=v8:3889
LOG=N
R=adamk@chromium.org, verwaest@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1217603005
Cr-Commit-Position: refs/heads/master@{#29556}
The breakage to Chrome seems to be based on @@isConcatSpreadable
and turning that part off with this patch fixes the Maps Tips & Tricks
test case.
BUG=chromium:507553
LOG=Y
R=adamk
Review URL: https://codereview.chromium.org/1226063002
Cr-Commit-Position: refs/heads/master@{#29545}
Optimize string "length" property access based on static type
information if possible, but also optimistically optimize the access
based on type feedback from the LoadIC.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1216593003
Cr-Commit-Position: refs/heads/master@{#29543}
This one occurred when serializing an object. When the property getter threw an
exception, that value was skipped, but the property count wasn't updated. The
deserializer then tried to deserialize the wrong value.
BUG=chromium:506549
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1220193004
Cr-Commit-Position: refs/heads/master@{#29541}
- Add a TurboFanIC class, derived from TurboFanCodeStub, that
automatically distinguishes between versions of the IC called from
optimized and unoptimized code.
- Add appropriate InterfaceDescriptors for both the versions of the
stub called from unoptimized and optimized code
- Change the MathFloor TF stub generator to output either the
for-optimized or for-unoptimized version based on the minor_key
parameter.
Committed: https://crrev.com/8f13b655b8a10dae2116dd18b32f09337bb2d410
Cr-Commit-Position: refs/heads/master@{#29534}
Review URL: https://codereview.chromium.org/1225943002
Cr-Commit-Position: refs/heads/master@{#29539}
Reason for revert:
Failure on compiling runtime.js on windows
Original issue's description:
> Add unoptimized/optimized variants of MathFloor TF code stub
>
> - Add a TurboFanIC class, derived from TurboFanCodeStub, that
> automatically distinguishes between versions of the IC called from
> optimized and unoptimized code.
> - Add appropriate InterfaceDescriptors for both the versions of the
> stub called from unoptimized and optimized code
> - Change the MathFloor TF stub generator to output either the
> for-optimized or for-unoptimized version based on the minor_key
> parameter.
>
> Committed: https://crrev.com/8f13b655b8a10dae2116dd18b32f09337bb2d410
> Cr-Commit-Position: refs/heads/master@{#29534}
TBR=mvstanton@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1220783006
Cr-Commit-Position: refs/heads/master@{#29535}
- Add a TurboFanIC class, derived from TurboFanCodeStub, that
automatically distinguishes between versions of the IC called from
optimized and unoptimized code.
- Add appropriate InterfaceDescriptors for both the versions of the
stub called from unoptimized and optimized code
- Change the MathFloor TF stub generator to output either the
for-optimized or for-unoptimized version based on the minor_key
parameter.
Review URL: https://codereview.chromium.org/1225943002
Cr-Commit-Position: refs/heads/master@{#29534}
Smi immediates are not supported, so instructions with Smi representations need their constants in a register. LAddI has already been doing this. The manifestation of the bug was that an operation would compute 0 instead of the correct result.
BUG=chromium:478612
LOG=y
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/1224623017
Cr-Commit-Position: refs/heads/master@{#29529}
If we compile handlers to call accessors, Debug::HandleStepIn won't get
called. Therefore we need to clear ICs each time. This has not been
necessary before because we used to patch ICs for breaking, and restored
them with cleared ICs. This is no longer the case. We do not use ICs
for breaking anymore, so they are not implicitly cleared any longer.
R=mvstanton@chromium.org
BUG=v8:4269
LOG=N
Review URL: https://codereview.chromium.org/1212253009
Cr-Commit-Position: refs/heads/master@{#29518}
Reason for revert:
[Sheriff] Test hangs sometimes and times out flakily. E.g.: http://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosse3/builds/4551/steps/Check%20%28flakes%29/logs/d8-worker-sharedarray..
Original issue's description:
> Fix bug when transferring SharedArrayBuffer to multiple Workers.
>
> Previously, the serialization code would call Externalize for every transferred
> ArrayBuffer or SharedArrayBuffer, but that function can only be called once. If
> the buffer is already externalized, we should call GetContents instead.
>
> Also fix use-after-free bug when transferring ArrayBuffers. The transferred
> ArrayBuffer must be internalized in the new isolate, or be managed by the
> Shell. The current code gives it to the isolate externalized and frees it
> immediately afterward when the SerializationData object is destroyed.
>
> BUG=chromium:497295
> R=jarin@chromium.org
> LOG=n
>
> Committed: https://crrev.com/dd7962bf7838f8379ba776ee6b7b0e4d3bec2140
> Cr-Commit-Position: refs/heads/master@{#29499}
TBR=jarin@chromium.org,jochen@chromium.org,binji@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:497295
Review URL: https://codereview.chromium.org/1224843008
Cr-Commit-Position: refs/heads/master@{#29506}
Previously, the serialization code would call Externalize for every transferred
ArrayBuffer or SharedArrayBuffer, but that function can only be called once. If
the buffer is already externalized, we should call GetContents instead.
Also fix use-after-free bug when transferring ArrayBuffers. The transferred
ArrayBuffer must be internalized in the new isolate, or be managed by the
Shell. The current code gives it to the isolate externalized and frees it
immediately afterward when the SerializationData object is destroyed.
BUG=chromium:497295
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1215233004
Cr-Commit-Position: refs/heads/master@{#29499}
The context constant cannot be materialized from the frame when we are
compiling for OSR, because the context spill slot contains the current
instead of the outermost context in full-codegen.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1220013003
Cr-Commit-Position: refs/heads/master@{#29472}
Currently we lower shifts directly to machine operators, and add an
appropriate Word32And to implement the & 0x1F operation on the right
hand side required by the specification. However for Word32And we assume
Int32 in simplified lowering, which is basically changes the right hand
side bit interpretation for the shifts from Uint32 to Int32, which is
obviously wrong. So now we represent that explicitly by proper
simplified operators for the shifts, which are lowered to machine in
simplified lowering.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1213803008
Cr-Commit-Position: refs/heads/master@{#29465}
Keeping this CL separate in case there are more GC-stress problems.
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1217543006
Cr-Commit-Position: refs/heads/master@{#29449}
The only right way to enable access checks is to install access check callbacks on an object template via v8::ObjectTemplate::SetAccessCheckCallbacks(). It does not make sense to enable access checks on an arbitrary object.
Review URL: https://codereview.chromium.org/1217893012
Cr-Commit-Position: refs/heads/master@{#29439}
This involves:
- Enabling the tail call optimization reducer in all cases.
- Adding an addition flag to CallFunctionParameters to mark call sites
that can be tail-called enabled.
- Only set the tail-call flag for %_CallFunction.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1216933011
Cr-Commit-Position: refs/heads/master@{#29436}
Conditionally including Array and TypedArray methods seems to cause
a slowdown in V8 context creation, possibly due to the new code added.
BUG=chromium:504629
R=adamk@chromium.org
LOG=Y
Review URL: https://codereview.chromium.org/1215863003
Cr-Commit-Position: refs/heads/master@{#29430}
This is more consistent with the DOM API, and is clearer w.r.t. which values
are available in the lexical environment of the Worker.
BUG=chromium:497295
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1218553004
Cr-Commit-Position: refs/heads/master@{#29426}
The enumerable expression in a for-in/of loop is supposed to have a TDZ for any
lexically bound names in that loop (there can be more than one with destructuring).
This patch accomplishes this with an almost-correct desugaring. The only thing missing
is proper debugger support (the let declarations added by the desugaring, while invisible
to code due to shadowing, are visible to the debugger).
BUG=v8:4210
LOG=n
Review URL: https://codereview.chromium.org/1218543003
Cr-Commit-Position: refs/heads/master@{#29396}
v8::Internal::List will DCHECK when indexing out of the array, even if just to
get the address, and the value is never used. So this construct will fail:
memcpy(p, &data[0], length);
When data is empty and length is 0.
BUG=chromium:505778
R=mstarzinger@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1216853003
Cr-Commit-Position: refs/heads/master@{#29388}
Revert "Revert relanded strong property access CL"
Regression issues should be solved. Initial patchset is the original, subsequent patchsets are the fixing modifications.
This reverts commit 4ac7be5656.
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1199983002
Cr-Commit-Position: refs/heads/master@{#29384}
Also fixes a crankshaft bug with strong implicit conversions.
It turns out that the implicit conversion of oddball values
is smushed into so many places in crankshaft that it would
have been pretty invasive surgery to make everything fall
out naturally.
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1216463003
Cr-Commit-Position: refs/heads/master@{#29381}
