Commit Graph

9517 Commits

Author SHA1 Message Date
Mike Stanton
2222a9d67e [Builtins] Array.prototype.reduce missing length check
In the recent port of reduce() and reduceRight(), a check for a length
change during the loop (standard for iterating builtins) was omitted.

We did get array bounds check protection; however, it didn't expose
the issue in our tests because the bounds check is against the
backing store length, not against the length in the referring JSArray.

Also added a test for reduceRight().

R=jgruber@chromium.org

Bug: chromium:937676
Change-Id: I76e22e0d71965bff84a0822b1df5dc818a00b50e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1503732
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60033}
2019-03-05 14:58:59 +00:00
Ben L. Titzer
15925e5cc6 [wasm] Fix import of reexported API function
When a function is exported from a WebAssembly module, it is implicitly
wrapped in a WasmExportedFunction. For functions that were imports into
this module, the exported function appears like other Wasm functions,
e.g. can be used in tables. When that exported function was re-imported
to another module, the logic to compute the import kind mistakenly
assumed the exported function was indeed originally a Wasm function
and tried to call it directly, instead of treating it like an imported
JS function.

R=ahaas@chromium.org
BUG=v8:8947

Change-Id: Ib8fac81fbe0f49c50cfbfb2e69d9bb60aef91fcc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1503632
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60031}
2019-03-05 14:34:57 +00:00
Tobias Tebbi
676a020322 [turbofan] representation selection: do not convert from Boolean to Number without truncation
Bug: chromium:937649
Change-Id: I13c64a7cab7a6f1668c546114610006d0d6b91ee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1501052
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60027}
2019-03-05 11:18:00 +00:00
Ben Smith
a3ac513b5e [wasm] Implement passive element binary format
Passive elements have a different binary format, where the contents are
instructions instead of function indexes:

    0xd0 0x0b       -> (ref.null)
    0xd2 var:x 0x0b -> (ref.func x)

Bug: v8:8891
Change-Id: Ie7e8efe7b5acdf99622880dd97d28d3c13744dff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1497516
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60020}
2019-03-04 20:05:13 +00:00
Irina Yatsenko
37ff95adc0 Move empty elements canonicalization from call sites of
AllocateUninitializedJSArrayWithElements into the method.

Prior to the change, if the caller forgets to handle the empty case on
their side, AllocateUninitializedJSArrayWithElements would allocate a
new empty FixedArray rather than return the canonical one. This refactor
shifts the burden of canonicalization from the callers to
AllocateUninitializedJSArrayWithElements.


Bug: v8:6777
Change-Id: I1246cb288861b65b51938414a454f21af78f8399
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1480330
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Irina Yatsenko <irinayat@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#60015}
2019-03-04 18:07:52 +00:00
Benedikt Meurer
683cf6f43b [cleanup] Remove obsolete "one byte data hint" for strings.
In the early days of Chrome when we used WebKit there was no support for
ASCII strings on the C++ side, so we put a hint onto these two-byte
strings that said "string only contains one byte data", such that
internally in V8 when these were involved in string operations, we could
instead create the *cheaper* one byte strings.

Nowadays Blink properly supports one-byte string representations and
this additional hint only comes with overhead, since we check it in
quite a few places (i.e. on the hot path for string concatenation), plus
we end up consuming more memory due to the additional string maps.
Removing the hint also frees one bit in the InstanceType zoo for
strings.

This alone improves performance on the `bench-dom-serialize.js` test case
by around **3%**.

Tbr: mstarzinger@chromium.org
Bug: v8:6622, v8:8834, v8:8939
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Change-Id: I0753f2859cee7b5a37b6f0da64d8ec39fcb044ff
Doc: https://bit.ly/fast-string-concatenation-in-javascript
Reviewed-on: https://chromium-review.googlesource.com/c/1498478
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60006}
2019-03-04 14:04:02 +00:00
Ross McIlroy
31a3cfbc10 [Test] Add PrepareForOptimization to mjsunit/compiler
BUG=v8:8801

Change-Id: I9d9d9824c6c9ad0176bbfd3723da1b578b17c256
Reviewed-on: https://chromium-review.googlesource.com/c/1495555
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60001}
2019-03-04 12:25:41 +00:00
Sven Sauleau
5bdb6b8345 Replace assertErrorMessage in mjsunit test
Replaces assertErrorMessage by assertThrows. Previously
assertErrorMessage didn't assert the error message that was
provided.

Change-Id: I30410b43ff16db448776d9f3cae817b1c0966b3d
Reviewed-on: https://chromium-review.googlesource.com/c/1496973
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sven Sauleau <ssauleau@igalia.com>
Cr-Commit-Position: refs/heads/master@{#59982}
2019-03-01 18:15:13 +00:00
Sigurd Schneider
c924896fba [mjsunit] Skip test on ARM
TBR=ulan@chromium.org

Change-Id: Ic886973633b3631a336b5e549bb4c910d82fe57e
Notry: true
Reviewed-on: https://chromium-review.googlesource.com/c/1495988
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59972}
2019-03-01 13:55:46 +00:00
Matt Gardner
803ad32414 Reland "Optimize in operator"
The original was reverted for breaking webkit layout tests:
https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8-Blink%20Linux%2064/30270

It also caused the following clusterfuzz failures:

chromium:935832
This was a correctness bug due to not properly handling the case of arrays with prototypes other
than Array.prototype. Accesses that were TheHole were not being handled properly, both in bounds
holes in holey arrays and out of bounds on either holey or packed arrays. Handling was incorrect
both in access-assembler and in Turbofan.

chromium:935932
This bug was that there was no handling for Has checks on the global object. Turbofan was emitting
code for a store (the 'else' condition on 'access_mode == AccessMode::kLoad'). It hit a DCHECK in
debug builds but in release could show up in different places. This is the bug that caused the
webkit layout test failure that led to the revert.

Both bugs are fixed in this CL, and tests are added for those cases.

Bug: v8:8733, chromium:935932, chromium:935832
Change-Id: Iba0dfcfce6e15d2c0815a7670ece67bc13ba1925
Reviewed-on: https://chromium-review.googlesource.com/c/1493132
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Matt Gardner <magardn@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#59958}
2019-03-01 09:01:18 +00:00
Leszek Swirski
c7ebc5814f Reland "[ignition] Skip binding dead labels"
This is a reland of 35269f77f8

Switches on an expression that unconditionally throws would have all their
case statements dead, causing a DCHECK error in the SwitchBuilder. This
fixes up the DCHECK to allow dead labels.

Original change's description:
> [ignition] Skip binding dead labels
>
> BytecodeLabels for forward jumps may create a dead basic block if their
> corresponding jump was elided (due to dead code elimination). We can
> avoid generating such dead basic blocks by skipping the label bind when
> no corresponding jump has been observed. This works because all jumps
> except JumpLoop are forward jumps, so we only have to special case one
> Bind for loop headers to bind unconditionally.
>
> Since Binds are now conditional on a jump existing, we can no longer rely
> on using Bind to get the current offset (e.g. at the beginning of a try
> block). Instead, we now expose the current offset in the bytecode array
> writer. Conveniently, this means that we can be a bit smarter about basic
> blocks around these statements.
>
> As a drive-by, remove the unused Bind(target,label) function.
>
> Bug: chromium:934166
> Change-Id: I532aa452fb083560d07b90da99caca0b1d082aa3
> Reviewed-on: https://chromium-review.googlesource.com/c/1488763
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59942}

TBR=rmcilroy@chromium.org

Bug: chromium:934166
Change-Id: If6eab4162106717ce64a2dc477000c6a76354cb4
Reviewed-on: https://chromium-review.googlesource.com/c/1494535
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59948}
2019-02-28 14:06:15 +00:00
Sigurd Schneider
8ee20f5e61 Revert "[ignition] Skip binding dead labels"
This reverts commit 35269f77f8.

Reason for revert: Fuzzer unhappy: https://ci.chromium.org/p/v8/builders/ci/V8%20Fuzzer/29792

Original change's description:
> [ignition] Skip binding dead labels
> 
> BytecodeLabels for forward jumps may create a dead basic block if their
> corresponding jump was elided (due to dead code elimination). We can
> avoid generating such dead basic blocks by skipping the label bind when
> no corresponding jump has been observed. This works because all jumps
> except JumpLoop are forward jumps, so we only have to special case one
> Bind for loop headers to bind unconditionally.
> 
> Since Binds are now conditional on a jump existing, we can no longer rely
> on using Bind to get the current offset (e.g. at the beginning of a try
> block). Instead, we now expose the current offset in the bytecode array
> writer. Conveniently, this means that we can be a bit smarter about basic
> blocks around these statements.
> 
> As a drive-by, remove the unused Bind(target,label) function.
> 
> Bug: chromium:934166
> Change-Id: I532aa452fb083560d07b90da99caca0b1d082aa3
> Reviewed-on: https://chromium-review.googlesource.com/c/1488763
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59942}

TBR=rmcilroy@chromium.org,leszeks@chromium.org

Change-Id: I8118e54e0afa5e08b0a0a874c952f8a01f1c3242
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:934166
Reviewed-on: https://chromium-review.googlesource.com/c/1494534
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59947}
2019-02-28 13:16:28 +00:00
Leszek Swirski
35269f77f8 [ignition] Skip binding dead labels
BytecodeLabels for forward jumps may create a dead basic block if their
corresponding jump was elided (due to dead code elimination). We can
avoid generating such dead basic blocks by skipping the label bind when
no corresponding jump has been observed. This works because all jumps
except JumpLoop are forward jumps, so we only have to special case one
Bind for loop headers to bind unconditionally.

Since Binds are now conditional on a jump existing, we can no longer rely
on using Bind to get the current offset (e.g. at the beginning of a try
block). Instead, we now expose the current offset in the bytecode array
writer. Conveniently, this means that we can be a bit smarter about basic
blocks around these statements.

As a drive-by, remove the unused Bind(target,label) function.

Bug: chromium:934166
Change-Id: I532aa452fb083560d07b90da99caca0b1d082aa3
Reviewed-on: https://chromium-review.googlesource.com/c/1488763
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59942}
2019-02-28 12:17:34 +00:00
Benjamin
2d08967d4a [coverage] Extend SourceRangeAstVisitor for throw statements
The SourceRangeAstVisitor has custom logic for blocks ending with a
statement that has a continuation range. In these cases, the trailing
continuation is removed which makes the reported coverage ranges a bit
nicer.

throw Error('foo') consists of an ExpressionStatement, with a
Throw expression stored within the statement. The source range itself
is stored with the Throw, not the statement.

We now properly extract the correct AST node for trailing throw
statements.

R=jgruber@chromium.org, neis@chromium.org, yangguo@chromium.org

Bug: v8:8691
Change-Id: Ibcbab79fbe54719a8993045040349c863b139011
Reviewed-on: https://chromium-review.googlesource.com/c/1480632
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59936}
2019-02-28 10:45:29 +00:00
Jakob Kummerow
62bdde9242 [bigint] Fix cornercase in BigInt.asUintN
One of the early (no-op) returns forgot to check whether the
number of existing digits equals the number of required digits.

Bug: chromium:936506
Change-Id: Ic9a5b927306de3cd6b26662785ac11d866e12026
Reviewed-on: https://chromium-review.googlesource.com/c/1493133
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59929}
2019-02-28 01:42:16 +00:00
Frank Tang
985301d8a4 Fix Android Arm64 N5X trybot breakage after ee3f62f
ee3f62fb0d

1. On Android, skip mjsunit tests depending on setting the LC_ALL env var.
2. With the cherrypick from ICU, locale "C" will no longer be
   canonicalized into "en-US-POSIX" since that is not part of a
   registered canonicalization. So on OSes where there are no LANG,
   LC_CTYPE or LC_MESSAGE env vars, we need to also map that
   fallback locale "C" to "en-US".

Bug: v8:8242, v8:8260, v8:8903
Change-Id: I63e5db10e0a7453394787421f4d55418f286f67d
Reviewed-on: https://chromium-review.googlesource.com/c/1479030
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59927}
2019-02-28 01:14:46 +00:00
Francis McCabe
4c9c6c5804 [wasm] ReturnCall Implementation (interpreter)
Implement the ReturnCall functionality for the interpreter.

Note that some tests have had to be deferred to the implementation
of ReturnCall for TurboFan.

This is a reland of https://chromium-review.googlesource.com/c/v8/v8/+/1467343

Bug: v8:7431
Change-Id: Iac9392a6a81995e30009dac74035e4d728ac3dbb
Cq-Include-Trybots: luci.v8.try:v8_linux64_ubsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/1484905
Commit-Queue: Francis McCabe <fgm@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59925}
2019-02-27 19:34:50 +00:00
Georg Neis
9c5cd06611 [turbofan] Don't assume we have receiver maps in preprocessed feedback
This was an oversight in my previous CL.

Bug: chromium:936077, v8:7790
Change-Id: Ic1034c1754d10c72df8f61d1e2c34333e1565e3e
Reviewed-on: https://chromium-review.googlesource.com/c/1491222
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59923}
2019-02-27 18:46:20 +00:00
Ross McIlroy
2cb8a6e349 [Compile] Avoid flushing code that's marked for optimization in tests.
Bytecode flushing can make tests using assertOptimized flaky if the bytecode is
flushed between marking and optimization. It can also be flaky if the feedback vector
is collected before optimization. To prevent this, a new %PrepareForOptimization
runtime-test function is added that holds onto the bytecode strongly until it is
optimized after being explicitly marked for optimization by %OptimizeFunctionOnNextCall.

BUG=v8:8801,v8:8395

Change-Id: Idbd962a3a2044b915903f9c5e92d1789942b5b41
Reviewed-on: https://chromium-review.googlesource.com/c/1463525
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59914}
2019-02-27 16:44:24 +00:00
Michael Starzinger
4c60e6b6ac [wasm] Support runtime functions in (de)serializer.
R=ahaas@chromium.org
TEST=mjsunit/regress/wasm/regress-8896
BUG=v8:8896

Change-Id: Id942b95ac05226206a08f0a5e516b9072a1a7f6f
Reviewed-on: https://chromium-review.googlesource.com/c/1491220
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59892}
2019-02-27 11:32:42 +00:00
Benedikt Meurer
834c4b3568 [turbofan] Always pass the right arity to calls.
We didn't update the arguments count properly when changing the JSCall
node to a direct Call node.

Bug: chromium:936302, v8:8895
Change-Id: I59a39a07e41151d8eaa2e1a1ea7b1835e00fb501
Reviewed-on: https://chromium-review.googlesource.com/c/1491191
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59885}
2019-02-27 08:40:58 +00:00
Michael Achenbach
2e6ab9fc30 [test] Don't test jitless without embedded-builtins
NOTRY=true

Bug: v8:8889
Change-Id: I1faf4bcb8f573485915a8b79d551fbb4985a02a0
Reviewed-on: https://chromium-review.googlesource.com/c/1489075
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59872}
2019-02-26 14:33:01 +00:00
Benedikt Meurer
066e2a2d79 [turbofan] Properly thread through the feedback for HeapObject checks.
We somehow forgot to thread through the VectorSlotPair for the CALL_IC
based speculation feedback to CheckedTaggedToTaggedPointer. This was
showing for example with `String#concat()` where we ended up with an
endless deoptimization loop if the parameter was a Smi.

Bug: v8:8913
Change-Id: I84d90403f6fada9b435d4eb71c689edc3c34dc86
Reviewed-on: https://chromium-review.googlesource.com/c/1488770
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59871}
2019-02-26 14:19:49 +00:00
Sigurd Schneider
d2729be4ae Revert "Optimize in operator"
This reverts commit 32fc0acfef.

Reason for revert:

https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8-Blink%20Linux%2064/30270

layout test breakage:

https://test-results.appspot.com/data/layout_results/V8-Blink_Linux_64/30270/webkit_layout_tests%20%28with%20patch%29/layout-test-results/results.html

There is a dead node arriving in representation selection, which might indicate that the problem is not in this CL, but that this CL stirs up the node soup in such a way that dead code elimination gets confused.

Original change's description:
> Optimize `in` operator
> 
> This change implements optimizations for the `in` operator for packed array
> elements and object properties. It adds a new feedback slot kind and an IC
> path similar to KeyedLoadIC for handling the lookups. TurboFan uses the
> feedback to optimize based on the maps and keys.
> 
> For more details see:
> https://docs.google.com/document/d/1tIfzywY8AeNVcy_sen-5Xev21MeZwjcU8QhSdzHvXig
> 
> This can provide 10x performance improvements on loops of the form:
> 
>     for (let i = 0; i < ary.length; ++i) {
>       if (i in ary) {
>         ...
>       }
>     }
> 
> 
> Bug: v8:8733
> Change-Id: I766bf865a547a059e5bce5399bb6112e5d9a85c8
> Reviewed-on: https://chromium-review.googlesource.com/c/1432598
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Matt Gardner <magardn@microsoft.com>
> Cr-Commit-Position: refs/heads/master@{#59843}

TBR=ulan@chromium.org,rmcilroy@chromium.org,jkummerow@chromium.org,jarin@chromium.org,ishell@chromium.org,bmeurer@chromium.org,verwaest@chromium.org,magardn@microsoft.com

Change-Id: Ib2db974e5bed4c4a2b6b450f796bdc4b0b8fd562
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8733
Reviewed-on: https://chromium-review.googlesource.com/c/1488761
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59857}
2019-02-26 10:40:26 +00:00
Michael Starzinger
f94cd449e4 [wasm] Flip section code for exception and data-count.
This flips the section codes for the exception section (part of the
exception handling proposal) and the data-count section (part of the
bulk memory proposal).

Also see the following discussions for the underlying motivation:
https://github.com/WebAssembly/bulk-memory-operations/pull/42
https://github.com/WebAssembly/exception-handling/issues/70

R=binji@chromium.org
BUG=v8:8868

Change-Id: I9f5f524e7aec067720346a5bb8d45c7c80a4c7a2
Reviewed-on: https://chromium-review.googlesource.com/c/1478207
Reviewed-by: Ben Smith <binji@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59856}
2019-02-26 10:38:42 +00:00
Michael Starzinger
85b4ec5090 [wasm] Fix {StreamingDecoder} to reject multiple code sections.
R=ahaas@chromium.org
TEST=mjsunit/regress/wasm/regress-935138
BUG=chromium:935138

Change-Id: I73465e0edcdfcd33b96764ffaf5f33519e424bb8
Reviewed-on: https://chromium-review.googlesource.com/c/1486471
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59852}
2019-02-26 09:59:44 +00:00
Z Duong Nguyen-Huu
4726e82bfd Add more test for non extensible packed object
Bug: v8:6831
Change-Id: I6e9f6fc718928f2f86d3b3c2dd144a6636b05790
Reviewed-on: https://chromium-review.googlesource.com/c/1481895
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59844}
2019-02-25 18:31:44 +00:00
Matt Gardner
32fc0acfef Optimize in operator
This change implements optimizations for the `in` operator for packed array
elements and object properties. It adds a new feedback slot kind and an IC
path similar to KeyedLoadIC for handling the lookups. TurboFan uses the
feedback to optimize based on the maps and keys.

For more details see:
https://docs.google.com/document/d/1tIfzywY8AeNVcy_sen-5Xev21MeZwjcU8QhSdzHvXig

This can provide 10x performance improvements on loops of the form:

    for (let i = 0; i < ary.length; ++i) {
      if (i in ary) {
        ...
      }
    }


Bug: v8:8733
Change-Id: I766bf865a547a059e5bce5399bb6112e5d9a85c8
Reviewed-on: https://chromium-review.googlesource.com/c/1432598
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Matt Gardner <magardn@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#59843}
2019-02-25 18:11:14 +00:00
Mike Stanton
45ed388d3b Reland "[Torque] Port Array.prototype.reduce and reduceRight to Torque"
A custom deoptimization continuation point erroneously cast a parameter
to a number. Tests added.

BUG: v8:7672
Change-Id: I59848aacdedc1de9fd7d83d55045618f37d39fb0
Reviewed-on: https://chromium-review.googlesource.com/c/1485974
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59841}
2019-02-25 17:05:23 +00:00
Benedikt Meurer
75629d5f9a [turbofan] Skip arguments adaptor when target cannot observe arguments.
When calling a known function from optimized code, where the number of
actual arguments does not match the number of expected arguments,
TurboFan has to call indirectly via the arguments adaptor trampoline,
which creates an argument adaptor frame underneath the activation record
for the callee. This is done so that the callee can still get to the
actual arguments, using either

1. the arguments object, or
2. rest parameters (to get to superfluous arguments), or
3. the non-standard Function.arguments accessor (for sloppy mode
   functions), or
4. direct eval(), where we don't know whether there's a use of the
   arguments object hiding somewhere in the string.

However, going through the arguments adaptor trampoline is usually quite
expensive; it seems to be responsible for over 60% of the
call overhead in those cases.

So this adds a fast path for the case of calling strict mode functions
where we have an arguments mismatch, but where we are sure that the
callee cannot observe the actual arguments. We use a bit on the
SharedFunctionInfo to indicate that this is safe, which is controlled
by hints from the Parser which knows whether the callee uses either the
arguments object or rest parameters.

In those cases we use a direct call from optimized code, passing the
expected arguments instead of the actual arguments. This improves the
benchmark on the document below by around 60-65%, which is exactly
the overhead of the arguments adaptor trampoline that we save in this
case.

This also adds a runtime flag --fast_calls_with_arguments_mismatches,
which can be used to turn off the new behavior. This might be handy
for checking the performance impact via Finch.

Bug: v8:8895
Change-Id: Idea51dba7ee6cb989e86e0742eaf3516e5afe3c4
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Doc: http://bit.ly/v8-faster-calls-with-arguments-mismatch
Reviewed-on: https://chromium-review.googlesource.com/c/1482735
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59825}
2019-02-25 12:47:36 +00:00
Ross McIlroy
ec9aef3d1e [Runtime] Ensure template objects are retained if bytecode is flushed.
Template objects should be cached after they are first created and reused on
subsequent calls to tag functions. Currently these cached objects are stored
on the feedback vector, which has appropriate lifetime, however with bytecode
flushing the feedback vector could be cleared when the bytecode is flushed,
causing the template object to be dropped.

In order to retain the cached template objects in the face of bytecode flushing,
this CL adds a weakmap for each native context that is (weakly) keyed by
shared function info, and holds a linked list of cached template objects
associated with that shared function info, indexed by feedback vector slot id.
Misses will check this weakmap, and if no entry is found, a new template object
is created and added into this weakmap alongside the feedback vector.

BUG=v8:8799,v8:8799,v8:8395

Change-Id: Ia95d5cfc394ce58dc9fe6a1e49780f05299acc17
Reviewed-on: https://chromium-review.googlesource.com/c/1477746
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59818}
2019-02-25 11:20:06 +00:00
Toon Verwaest
4b0c2b32af [parser] Fix stackoverflow on function expressions
This merges all the possible targets for 'member expressions' previously
parsed in ParseMemberExpression into ParsePrimaryExpression; since that's
not independently used anyway. This will make it faster since we don't
need to go through unnecessary branches before ParsePrimaryExpression on
the fast path, *and* it will make the binary smaller since
ParseMemberExpression is inlined but ParsePrimaryExpression is not. It
saves 4kb. Yay :)

Bug: chromium:913222
Change-Id: Ib92e1c2a128fffff1db85b625bb5f311ec8c24ef
Reviewed-on: https://chromium-review.googlesource.com/c/1480379
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59814}
2019-02-25 10:44:26 +00:00
Toon Verwaest
e14a24d32e [parser] Always return a valid var from DeclareVariableName
That way we can continue running in failure mode.

Bug: chromium:933214
Change-Id: I975901a72f615e2b7ed9955b75ce86bbcad0bbbb
Reviewed-on: https://chromium-review.googlesource.com/c/1481219
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59813}
2019-02-25 10:31:26 +00:00
Deepti Gandluri
5d0f5bd739 Revert "[wasm] ReturnCall Implementation (interpreter)"
This reverts commit 6a88f0b1e4.

Reason for revert: Fails UBSAN bots - https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux64%20UBSan/4866

Original change's description:
> [wasm] ReturnCall Implementation (interpreter)
> 
> Implement the ReturnCall functionality for the interpreter.
> 
> Note that some tests have had to be deferred to the implementation
> of ReturnCall for TurboFan.
> 
> Bug: v8:7431
> Change-Id: I091528e72f9113ddf1929bd1a5650b490bc8cc0c
> Reviewed-on: https://chromium-review.googlesource.com/c/1467343
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Commit-Queue: Francis McCabe <fgm@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59803}

TBR=adamk@chromium.org,ahaas@chromium.org,clemensh@chromium.org,fgm@chromium.org

Change-Id: Ib2a85e586549e9c36f94d70f04f6e103a8272367
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7431
Reviewed-on: https://chromium-review.googlesource.com/c/1484574
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59804}
2019-02-22 23:31:54 +00:00
Francis McCabe
6a88f0b1e4 [wasm] ReturnCall Implementation (interpreter)
Implement the ReturnCall functionality for the interpreter.

Note that some tests have had to be deferred to the implementation
of ReturnCall for TurboFan.

Bug: v8:7431
Change-Id: I091528e72f9113ddf1929bd1a5650b490bc8cc0c
Reviewed-on: https://chromium-review.googlesource.com/c/1467343
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Francis McCabe <fgm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59803}
2019-02-22 19:27:10 +00:00
Jaroslav Sevcik
6660639e7e [turbofan] Re-type JSAdd("", prim) reduction to ToString.
Bug: chromium:934175
Change-Id: I00b4d6931d196037f0ead168cc9cbb19cb83a12d
Reviewed-on: https://chromium-review.googlesource.com/c/1481632
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59787}
2019-02-22 09:24:53 +00:00
Igor Sheludko
69e7ded547 [ptr-compr] Fix string externalization
With 32-bit kTaggedSize small strings may not be externalizable.

Bug: v8:7703
Change-Id: I34002568214742dadb2358fca97dfb4b92a5342a
Reviewed-on: https://chromium-review.googlesource.com/c/1480373
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59770}
2019-02-21 15:03:33 +00:00
Michael Starzinger
cc787e174e [asm.js] Fix handling of bogus code after export statement.
This makes the asm.js validator reject source with trailing expressions
after the module exporting return statement. Most of the time trailing
statements would not affect semantics, since they are unreachable. In
some cases we might hide an expected ReferenceError though.

R=leszeks@chromium.org
TEST=mjsunit/regress/regress-crbug-934138
BUG=chromium:934138

Change-Id: I790366204f5e9c943715a065b5229f2442e2c86e
Reviewed-on: https://chromium-review.googlesource.com/c/1481216
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59766}
2019-02-21 14:37:37 +00:00
Sven Sauleau
6f8bd2eb2f [wasm] change test name
Change-Id: Ib45690bb03b9c76502afed89a71e1dc9a545893b
Reviewed-on: https://chromium-review.googlesource.com/c/1481213
Commit-Queue: Sven Sauleau <ssauleau@igalia.com>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59756}
2019-02-21 12:02:47 +00:00
Jakob Gruber
c54bbd2c23 Remove invalid DCHECK in ReplacementStringBuilder
The DCHECK verified capacity just before the call to EnsureCapacity()
(which extends capacity if needed). This DCHECK can just be removed
since FixedArray::set() already checks the given index is in-bounds.

Drive-by: Remove similar duplicate DCHECKs in FixedArrayBuilder.

Bug: chromium:933776
Change-Id: I9f058548063a170ea6dce112a3877792887efcca
Reviewed-on: https://chromium-review.googlesource.com/c/1479955
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59753}
2019-02-21 09:41:06 +00:00
Jaroslav Sevcik
9371781f60 [turbofan] Support f64 truncation in f64->tagged representation change.
Bug: chromium:933331
Change-Id: I598a32b1efe2d4b7e8278ddf84140c72f787afa8
Reviewed-on: https://chromium-review.googlesource.com/c/1475496
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59749}
2019-02-21 05:04:26 +00:00
Ulan Degenbaev
624ab5cc1f [test] Adjust test expectations for regress-779407 on android.
The test started passing on android arm64 after
https://chromium-review.googlesource.com/c/1477736

Change-Id: I52e8372678e37b68d2af4d53b06025ed3660f159
Reviewed-on: https://chromium-review.googlesource.com/c/1478206
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59741}
2019-02-20 16:07:00 +00:00
Jaroslav Sevcik
64bad451f4 [turbofan] Handle -0 truncation in word32->tagged rep change.
Bug: chromium:932392
Change-Id: Icf5690585303a7f61421bdfe7729823c98950d13
Reviewed-on: https://chromium-review.googlesource.com/c/1478192
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59731}
2019-02-20 12:48:25 +00:00
peterwmwong
02b9847f4e Reland "[builtins]: Optimize CreateTypedArray to use element size log 2 for calculations."
This is a reland of c9ef0405c7

Original change's description:
> [builtins]: Optimize CreateTypedArray to use element size log 2 for calculations.
>
> TypedArrayElementsInfo now represents an element's size as a log 2 and typed as
> uintptr.  This simplifies and speeds up (avoids possible HeapNumber allocations) a
> number of calculations:
>
>   - Number of Elements (length) -> Byte Length - is now a WordShl
>   - Byte Length -> Number of Elements (length) - is now a WordShr
>   - Testing alignment (byte offset or length)  - is now a WordAnd
>
> These element/byte length related calculations are encapsulated in
> TypedArrayElementsInfo as struct methods.
>
> This reduces the size of CreateTypedArray by 2.125 KB (24%) on Mac x64.release:
>   - Before: 9,088
>   - After:  6,896
>
> This improves the performance of the following microbenchmarks
>   - TypedArrays-ConstructWithBuffer: ~87%
>   - TypedArrays-SubarrayNoSpecies:   ~28%
>
> Bug: v8:7161
> Change-Id: I2239fd0e0af9d3ad55cd52318088d3c7c913ae44
> Reviewed-on: https://chromium-review.googlesource.com/c/1456299
> Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59531}

Bug: v8:7161, chromium:932034
Change-Id: I5c3dc34c549234417f95b404e7d49b2fd496fa69
Reviewed-on: https://chromium-review.googlesource.com/c/1476306
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59728}
2019-02-20 12:06:53 +00:00
Sergiy Belozorov
6956c02c8e Revert "Preparing v8 to use with python3 /test"
This reverts commit f8962ae1a2.

Reason for revert: breaks Arm bots, e.g. https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Arm/9655, task: https://chromium-swarm.appspot.com/task?d=true&id=431dfa503db16d10

Original change's description:
> Preparing v8 to use with python3 /test
> 
> There are now less than 400 days until the end of life
> of Python 2(aka _legacy_ Python) https://pythonclock.org/ .
> The code compatibility check for python2 and python3
> used the following tools: futurize, flake8
> You can see the reports here: https://travis-ci.com/bmsdave/v8/builds
> 
> This CL was uploaded by git cl split.
> 
> Bug: v8:8594
> Change-Id: Idbf467daf629a4e808345a6a88036c2a3f259138
> Reviewed-on: https://chromium-review.googlesource.com/c/1470121
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Sergiy Belozorov <sergiyb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59679}

TBR=machenbach@chromium.org,sergiyb@chromium.org,herhut@chromium.org,bmsdave@gmail.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:8594
Change-Id: I17a0a7b203fa2c0ab0f965240ee1415b7513e1cf
Reviewed-on: https://chromium-review.googlesource.com/c/1478692
Reviewed-by: Sergiy Belozorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Sergiy Belozorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59725}
2019-02-20 10:20:59 +00:00
Jaroslav Sevcik
0a069d94df Reland "Fix accessor update of non-extensible maps."
This is a reland of 1a3a2bc335,
fixed an infinite loop in Map::TryUpdateSlow and added
a relevant test.

Original change's description:
> Fix accessor update of non-extensible maps.
>
> When installing getter/setter of non-extensible map with existing
> setter/getter of the same name, we introduce a new transition
> (so we have two transitions with the same name!). This triggers
> an assertion in map updater.
>
> This fix carefully checks that on the back-pointer path from
> non-extensible map to the extensible map there are only
> integrity level transitions. Otherwise, we just bail out.
>
> Bug: chromium:932953
> Change-Id: I02e91c3b652428a84a9f5c58b6691ea9b1fc44d6
> Reviewed-on: https://chromium-review.googlesource.com/c/1477067
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59667}

Bug: chromium:932953
Change-Id: I015ee3795f816c8eabb5b5c5cb0ee30f365cc972
Reviewed-on: https://chromium-review.googlesource.com/c/1477675
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59715}
2019-02-20 04:51:27 +00:00
Aseem Garg
f5c0361abc [wasm] fix alignment issue for WasmI64AtomicWait
WasmI64AtomicWait checked alignment at 32 bit instead of 64 bit.

Bug: v8:8075

Change-Id: Ibd668ad8440e928d14a1fcae1577c4aae345151b
Reviewed-on: https://chromium-review.googlesource.com/c/1475918
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Aseem Garg <aseemgarg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59713}
2019-02-20 03:19:27 +00:00
Georg Neis
110a07ff07 [test] Explicitly add --turbo-inlining to tests that require it
This lets me run tests with --no-turbo-inlining without having to
worry about false positives.

Change-Id: Icf906e631ef5821136f397af141ba8b18334da7e
Reviewed-on: https://chromium-review.googlesource.com/c/1477730
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59707}
2019-02-19 19:30:30 +00:00
Jaroslav Sevcik
f23712f99a Remove incorrect dcheck from map updater.
Bug: chromium:933179
Change-Id: I511dfa7c060fd3f4e4b59c199a27a69d4cf81f97
Reviewed-on: https://chromium-review.googlesource.com/c/1477275
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59705}
2019-02-19 19:04:55 +00:00
Michael Starzinger
d7a5e5ba3e [wasm] Fix section order checking in {StreamingDecoder}.
This removes an outdated section order check from {CreateNewBuffer} and
relies solely on the checks done in {ProcessSection}. Those checks are
more comprehensive and will remain coherent with synchronous decoding.

R=ahaas@chromium.org
TEST=mjsunit/regress/wasm/regress-8846
BUG=v8:8846

Change-Id: Id0cdc3bf3ad78f7970c9fceff66a17ab20f4666b
Reviewed-on: https://chromium-review.googlesource.com/c/1477211
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59702}
2019-02-19 16:57:23 +00:00
Dan Elphick
5d7cc775a6 [Lite] Enable lazy source positions on V8 Lite mode
Also disables tests in Lite mode that currently fail with lazy source
positions.

Bug: v8:8510
Change-Id: Id27b7cb31682559173b137ef51eaf06d517ee9ec
Reviewed-on: https://chromium-review.googlesource.com/c/1477129
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59700}
2019-02-19 16:20:53 +00:00
Mythri
a508efa61d [ic] Update Clone/StoreInArrayLiteral builtins to handle no feedback case
Updates CloneIC builtin to take the CloneIC_slow path when there is no
feedback vector. Also fixes the CloneIC_Slow to handle proxies correctly.

StoreInArrayLiteralIC doesn't change the behaviour but just makes it
consistent with other ICs.

Bug: v8:8293
Change-Id: Ib824b3ef06db1595ce06f04669857bb957cbe072
Reviewed-on: https://chromium-review.googlesource.com/c/1475750
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59682}
2019-02-19 11:27:47 +00:00
Leszek Swirski
4cbdf97daf Revert "Fix accessor update of non-extensible maps."
This reverts commit 1a3a2bc335.

Reason for revert: Only CL in a reverted roll (https://chromium-review.googlesource.com/c/chromium/src/+/1477147)

Original change's description:
> Fix accessor update of non-extensible maps.
> 
> When installing getter/setter of non-extensible map with existing
> setter/getter of the same name, we introduce a new transition
> (so we have two transitions with the same name!). This triggers
> an assertion in map updater.
> 
> This fix carefully checks that on the back-pointer path from
> non-extensible map to the extensible map there are only
> integrity level transitions. Otherwise, we just bail out.
> 
> Bug: chromium:932953
> Change-Id: I02e91c3b652428a84a9f5c58b6691ea9b1fc44d6
> Reviewed-on: https://chromium-review.googlesource.com/c/1477067
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59667}

TBR=jarin@chromium.org,ishell@chromium.org

Change-Id: I9264423c605cebef87beb6c0f066e90b59faae48
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:932953
Reviewed-on: https://chromium-review.googlesource.com/c/1477219
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59680}
2019-02-19 09:40:28 +00:00
Vadim Gorbachev (bmsdave)
f8962ae1a2 Preparing v8 to use with python3 /test
There are now less than 400 days until the end of life
of Python 2(aka _legacy_ Python) https://pythonclock.org/ .
The code compatibility check for python2 and python3
used the following tools: futurize, flake8
You can see the reports here: https://travis-ci.com/bmsdave/v8/builds

This CL was uploaded by git cl split.

Bug: v8:8594
Change-Id: Idbf467daf629a4e808345a6a88036c2a3f259138
Reviewed-on: https://chromium-review.googlesource.com/c/1470121
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Sergiy Belozorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59679}
2019-02-19 09:24:16 +00:00
Ulan Degenbaev
ab2180cd0b [test] Disable deopt-array-push for GC stress
The test is sensitive to bytecode flushing.

Bug: v8:8801
Change-Id: I2e290246681c014838be7411cc0ff68fd44c3590
Reviewed-on: https://chromium-review.googlesource.com/c/1477217
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59674}
2019-02-19 09:03:07 +00:00
Jaroslav Sevcik
1a3a2bc335 Fix accessor update of non-extensible maps.
When installing getter/setter of non-extensible map with existing
setter/getter of the same name, we introduce a new transition
(so we have two transitions with the same name!). This triggers
an assertion in map updater.

This fix carefully checks that on the back-pointer path from
non-extensible map to the extensible map there are only
integrity level transitions. Otherwise, we just bail out.

Bug: chromium:932953
Change-Id: I02e91c3b652428a84a9f5c58b6691ea9b1fc44d6
Reviewed-on: https://chromium-review.googlesource.com/c/1477067
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59667}
2019-02-19 04:59:36 +00:00
Mythri
441c020229 [test] Enable spread-large-array/spread-large-string on lite mode
These tests were timing out because we used to miss to runtime when
storing keyed properties in lite mode. Now, the store ICs are updated to
use the fast path when possible even in lite mode. So, these should no longer
time out.

Bug: v8:8293
Change-Id: I63481768cc7d12c25c7f1a20ed1fa097979f2c50
Reviewed-on: https://chromium-review.googlesource.com/c/1475754
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59652}
2019-02-18 10:58:07 +00:00
Maya Lekova
68ed2f17c5 [turbofan] Handle all oddballs in OddballToNumber
Bug: chromium:931664

R=neis@chromium.org

Change-Id: I4ad8e79b9b64898034d72264e968fc0cd01909b9
Reviewed-on: https://chromium-review.googlesource.com/c/1477050
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59650}
2019-02-18 10:46:37 +00:00
Leszek Swirski
54e515220d [parser] Force func decl allocation for non-block code coverage
In addition to the previous change enabling forced FunctionDeclaration
allocation when block code coverage is enabled, enable it now for all
(non-best-effort) code coverage by reading off the coverage mode from
the isolate (rather than relying on the presence of a source range map).

Bug: chromium:927464
Change-Id: I26f86c9fbebc0df52d5cdeff3ca1095215a6d912
Reviewed-on: https://chromium-review.googlesource.com/c/1456041
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59626}
2019-02-15 11:49:26 +00:00
Jaroslav Sevcik
0f6f064c9e Relax too-strict DCHECKs.
This allows updates to the SLOW_STRING_WRAPPER_ELEMENTS elements kind
for non-extensible maps (so far only dictionary elements and typed-array
elements were allowed).

Bug: chromium:932101
Change-Id: Id532684aa94f908eb14f3451aa823f282342668b
Reviewed-on: https://chromium-review.googlesource.com/c/1475390
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59621}
2019-02-15 07:44:11 +00:00
Clemens Hammacher
15a621a2f9 [wasm][test] Check streaming decoder error messages
In the wasm streaming decoder error position test, do also check the
error messages generated. This revealed messages that were not quite
fitting and some that were formatted differently than the majority.

R=ahaas@chromium.org

Bug: v8:8814
Change-Id: If157f1083a104413bf14797ac56e756baac98c17
Reviewed-on: https://chromium-review.googlesource.com/c/1463780
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59604}
2019-02-14 16:06:43 +00:00
Mathias Bynens
3b4cadedee Remove always-true --harmony-symbol-description runtime flag
It shipped in Chrome 70.

Bug: v8:7807, v8:8562
Change-Id: I5c5a9fc23656018ee6e9115af7a0c779230e681b
Reviewed-on: https://chromium-review.googlesource.com/c/1450787
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59589}
2019-02-14 10:36:05 +00:00
Ulan Degenbaev
77c94fae3a [test] Make deopt-array-push test robust against page size changes
Bug: chromium:852420
Change-Id: Ic34b996460b9ad2124f4bdb18afdcc83f2453e6a
Reviewed-on: https://chromium-review.googlesource.com/c/1470109
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59573}
2019-02-13 16:30:25 +00:00
Jakob Gruber
10f0d8c143 Reland "[nojit] Don't expose wasm in jitless mode"
This is a reland of c79a63e634

Original change's description:
> [nojit] Don't expose wasm in jitless mode
>
> Wasm currently still creates executable memory even in
> interpreter-only mode, and is thus unsupported in jitless mode. This
> hides wasm completely, which will help e.g. fuzzers that attempt to
> run wasm code (and currently crash on the CHECK in AddOwnedCode).
>
> Bug: v8:7777,chromium:931068
> Change-Id: Iee692cb947d482ba16fb0f4da32490d42d5daef8
> Reviewed-on: https://chromium-review.googlesource.com/c/1470124
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59561}

Tbr: mstarzinger@chromium.org
Bug: v8:7777, chromium:931068
Change-Id: I535c3f598c90cd5c4072a73544cc33c5bf5460c1
Reviewed-on: https://chromium-review.googlesource.com/c/1470132
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59571}
2019-02-13 16:24:04 +00:00
Jakob Gruber
8a173c6ff4 Revert "[nojit] Don't expose wasm in jitless mode"
This reverts commit c79a63e634.

Reason for revert: Needs addtl test skips: https://chromium-review.googlesource.com/c/1470124

Original change's description:
> [nojit] Don't expose wasm in jitless mode
> 
> Wasm currently still creates executable memory even in
> interpreter-only mode, and is thus unsupported in jitless mode. This
> hides wasm completely, which will help e.g. fuzzers that attempt to
> run wasm code (and currently crash on the CHECK in AddOwnedCode).
> 
> Bug: v8:7777,chromium:931068
> Change-Id: Iee692cb947d482ba16fb0f4da32490d42d5daef8
> Reviewed-on: https://chromium-review.googlesource.com/c/1470124
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59561}

TBR=mstarzinger@chromium.org,jgruber@chromium.org

Change-Id: Ic242db3efe73ef362e0f0c3efde90682db6de4a8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7777, chromium:931068
Reviewed-on: https://chromium-review.googlesource.com/c/1470131
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59570}
2019-02-13 15:39:12 +00:00
Toon Verwaest
9439a1d2bb [ast] Always visit all AST nodes, even dead nodes
We'll let the bytecode compiler and optimizing compilers deal with dead code,
rather than the ast visitors. The problem is that the visitors previously
disagreed upon what was dead. That's bad if necessary visitors omit parts of
the code that the bytecode generator will actually visit.

I did consider removing the AST nodes immediately in the parser, but that
adds overhead and actually broke code coverage. Since dead code shouldn't be
shipped to the browser anyway (and we can still omit it later in the bytecode
generator), I opted for keeping the nodes instead.

Change-Id: Ib02fa9031b17556d2e1d46af6648356486f8433d
Reviewed-on: https://chromium-review.googlesource.com/c/1470108
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59569}
2019-02-13 15:24:28 +00:00
Jakob Gruber
c79a63e634 [nojit] Don't expose wasm in jitless mode
Wasm currently still creates executable memory even in
interpreter-only mode, and is thus unsupported in jitless mode. This
hides wasm completely, which will help e.g. fuzzers that attempt to
run wasm code (and currently crash on the CHECK in AddOwnedCode).

Bug: v8:7777,chromium:931068
Change-Id: Iee692cb947d482ba16fb0f4da32490d42d5daef8
Reviewed-on: https://chromium-review.googlesource.com/c/1470124
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59561}
2019-02-13 14:26:54 +00:00
Sigurd Schneider
82faa6d315 [array] Fix Array#map storing signaling NaNs
Bug: chromium:930948
Change-Id: I7567fec06ec4bad11e8b8336ac13fdfc225b632c
Reviewed-on: https://chromium-review.googlesource.com/c/1466503
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59547}
2019-02-13 10:23:19 +00:00
Andreas Haas
01dc5707e4 [wasm] Generate code for the table.get and table.set instructions
This CL contains the following changes:
(1) Allocate memory for WasmTables in the WasmInstance.
    - We extend the WasmInstance by a FixedArray which stores
      references to the WasmTables.
(2) Rename the name of the backing store of WasmTables from `functions`
    to `elements`.
    - The name `functions` just does not fit anyref tables.
(3) Generate code with TurboFan for table.get and table.set.
(4) Extend wasm-module-builder.js to be able to generate modules with
    multiple tables.
(5) Add mjsunit tests to test table.get and table.set.

R=mstarzinger@chromium.org

Bug: v8:7581
Change-Id: I44af4838ee7a37b394841a2f673ecae5734a4d1c
Reviewed-on: https://chromium-review.googlesource.com/c/1463519
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59529}
2019-02-12 13:10:53 +00:00
Caitlin Potter
1483561328 [parser] don't accept PRIVATE_NAME for object literal property names
Currently, PRIVATE_NAME / PrivateIdentifier is not valid in
ObjectLiterals or other places expecting the PropertyName production.
A SyntaxError here prevents an access violation later on when attempting
to dereference a null property key.

BUG=v8:8808
R=gsathya@chromium.org, littledan@chromium.org

Change-Id: Idde9c669cb48c1595b83115351a8fe0caed40eef
Reviewed-on: https://chromium-review.googlesource.com/c/1461161
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#59515}
2019-02-11 18:17:32 +00:00
Jaroslav Sevcik
a953f8d4ee Fix map equivalence check.
Given a map, its HasNonInstancePrototype bit in bit_field can differ
from the same bit in that map's root map. If that is the case just
return false from the equivalence check. (Currently, we just assert
that bit_field is the same for a map and its root map.)

Bug: chromium:930486
Change-Id: Ic0eb83f80725fb1224e0f97927127e1cb8ad92e6
Reviewed-on: https://chromium-review.googlesource.com/c/1462004
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59508}
2019-02-11 16:31:35 +00:00
Ulan Degenbaev
214992e255 Remove obsolete array constructor test
The test says that it is testing dictionary mode, but it is only
creating fast mode arrays.

Bug: chromium:852420
Change-Id: I99ccc997aaa87ecf49bddf02e46b7e543f535374
Reviewed-on: https://chromium-review.googlesource.com/c/1462918
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59504}
2019-02-11 15:05:30 +00:00
Toon Verwaest
486ec80a7d [parser] Reset expression_scope_ stack to nullptr when parsing a function body
That way we can properly walk the active ambiguous stack of expressions and
stop where it's non-ambiguous. In the bug we would have forced context
allocation of "this" in an outer function because an inner function was parsed
as part of an arrow function head and "this" was referenced. That caused the
ambiguous arrow head scope to be marked, even though the reference came from a
non-ambiguous function.

Bug: chromium:930580
Change-Id: I0bf0fa569e2d2ca1dc26b0514fe5bdb48ab7ae6f
Reviewed-on: https://chromium-review.googlesource.com/c/1462005
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59488}
2019-02-11 09:22:57 +00:00
Jaroslav Sevcik
154bb50c22 Fix map updater for non-extensible maps with private symbols.
Bailout from map update if there are private symbol transitions on
non-extensible maps.

Bug: chromium:930045
Change-Id: I02fbea0ec0afde07cded688c06122d8f2bb25921
Reviewed-on: https://chromium-review.googlesource.com/c/1460949
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59480}
2019-02-09 09:09:02 +00:00
Matt Gardner
c22bb466d8 Inline indexOf/includes at polymorphic sites
This commit allows inlining of Array#indexOf and Array#includes when the array type is polymorphic for types that are compatible for array iteration.

Bug: v8:8388
Change-Id: Ib826bad857c7dfe0ee7af99bb456b50b7a8b6ef9
Reviewed-on: https://chromium-review.googlesource.com/c/1450137
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59473}
2019-02-08 19:45:10 +00:00
Gus Caplan
98453126c1 Reland^2 "[builtins] [turbofan] Refactor Float64Pow to use single implementation"
This is a reland of d7def9003d

Original change's description:
> Reland "[builtins] [turbofan] Refactor Float64Pow to use single implementation"
>
> This is a reland of I968a08cef6a6d49350aa79185b2c6fb856d15f23
>
> Original change's description:
> > [builtins] [turbofan] Refactor Float64Pow to use single implementation
> >
> > Remove platform-specific Float64Pow implementations and utils Pow in
> > favor of a base::ieee754::pow implementation.
> >
> > This unifies the implementation of pow for the compiler, wasm, and
> > runtime.
> >
> > Bug: v8:5848, v8:5086
> > Change-Id: I968a08cef6a6d49350aa79185b2c6fb856d15f23
> > Reviewed-on: https://chromium-review.googlesource.com/c/1403018
> > Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> > Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> > Reviewed-by: Georg Neis <neis@chromium.org>
> > Reviewed-by: Yang Guo <yangguo@chromium.org>
> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#59229}
>
> Bug: v8:5848, v8:5086
> Change-Id: I92f22ae03adafd9ad042e8d4bb406cbd5b5fb51e
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_ubsan_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/1447854
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59411}

Tbr: neis@chromium.org, bmeurer@chromium.org, jkummerow@chromium.org
Bug: v8:5848, v8:5086
Change-Id: I42972b29b8830ed47a00b2b1d408d3005a810c0e
Cq-Include-Trybots: luci.chromium.try:linux_chromium_ubsan_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_ubsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/1456302
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59454}
2019-02-08 12:25:27 +00:00
Clemens Hammacher
7a8cd55146 [wasm] Check that sync and async errors match
This makes the existing error message tests also test the error
produced by asynchronous compilation and instantiation.
It also slightly tweaks the error message to contain the name of the
API function invoked instead of "WebAssembly Instantiation".

R=titzer@chromium.org

Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Bug: chromium:926311
Change-Id: If4ab963cee8267d43b289169d21b31637c471d6d
Reviewed-on: https://chromium-review.googlesource.com/c/1456085
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59442}
2019-02-07 16:41:47 +00:00
Ujjwal Sharma
155ccadda6 [string] port String.p.endsWith to torque
Port String.prototype.endsWith from a CPP builtin to a Torque builtin.

Spec: https://tc39.github.io/ecma262/#sec-string.prototype.endswith
Bug: v8:8400
Change-Id: I4ac8cb92acb68389db844deaecc9ae1c6e7d6bd5
Reviewed-on: https://chromium-review.googlesource.com/c/1454677
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59441}
2019-02-07 15:39:18 +00:00
Jaroslav Sevcik
daf67d6de3 Reland "Ship constant field tracking"
This is a reland of 78ed0e3fdb

The breakage was unrelated to constant field tracking (see
the linked bugs).

Original change's description:
> Ship constant field tracking
>
> Bug: v8:8361
> Change-Id: I25c52c708517cf27add89e0c5c97e6d21abb2a9a
> Reviewed-on: https://chromium-review.googlesource.com/c/1456089
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59415}

Bug: v8:8361, v8:8799, v8:8801
Change-Id: I318768b925f3efd285cb27aa93e6de35fdcced42
Reviewed-on: https://chromium-review.googlesource.com/c/1458238
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59440}
2019-02-07 15:22:29 +00:00
Sigurd Schneider
d691fde360 Revert "Reland "[builtins] [turbofan] Refactor Float64Pow to use single implementation""
This reverts commit d7def9003d.

Reason for revert: Breaks UBSan:
https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux64%20UBSan/4542

Besides undefined behavior, things were looking good!
Original change's description:
> Reland "[builtins] [turbofan] Refactor Float64Pow to use single implementation"
> 
> This is a reland of I968a08cef6a6d49350aa79185b2c6fb856d15f23
> 
> Original change's description:
> > [builtins] [turbofan] Refactor Float64Pow to use single implementation
> >
> > Remove platform-specific Float64Pow implementations and utils Pow in
> > favor of a base::ieee754::pow implementation.
> >
> > This unifies the implementation of pow for the compiler, wasm, and
> > runtime.
> >
> > Bug: v8:5848, v8:5086
> > Change-Id: I968a08cef6a6d49350aa79185b2c6fb856d15f23
> > Reviewed-on: https://chromium-review.googlesource.com/c/1403018
> > Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> > Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> > Reviewed-by: Georg Neis <neis@chromium.org>
> > Reviewed-by: Yang Guo <yangguo@chromium.org>
> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#59229}
> 
> Bug: v8:5848, v8:5086
> Change-Id: I92f22ae03adafd9ad042e8d4bb406cbd5b5fb51e
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_ubsan_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/1447854
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59411}

TBR=jkummerow@chromium.org,jarin@chromium.org,neis@chromium.org,jgruber@chromium.org,clemensh@chromium.org,bmeurer@chromium.org,me@gus.host

Change-Id: I65c4bbd3ab7aaa1c396d182467c5a1fe6a639df5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:5848, v8:5086
Cq-Include-Trybots: luci.chromium.try:linux_chromium_ubsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/1456107
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59419}
2019-02-06 15:49:46 +00:00
Clemens Hammacher
82d240c736 [test] Introduce assertThrowsAsync
We often use raw assertPromiseResult with {success ==
assertUnreachable} for that. Having a separate helper increases
readability and allows us to generate consistent (and better) error
messages.

R=titzer@chromium.org

Bug: chromium:926311
Change-Id: I507941eacaafe6c576098d7829a76b27384a4fb6
Reviewed-on: https://chromium-review.googlesource.com/c/1456039
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59417}
2019-02-06 15:35:04 +00:00
Gus Caplan
d7def9003d Reland "[builtins] [turbofan] Refactor Float64Pow to use single implementation"
This is a reland of I968a08cef6a6d49350aa79185b2c6fb856d15f23

Original change's description:
> [builtins] [turbofan] Refactor Float64Pow to use single implementation
>
> Remove platform-specific Float64Pow implementations and utils Pow in
> favor of a base::ieee754::pow implementation.
>
> This unifies the implementation of pow for the compiler, wasm, and
> runtime.
>
> Bug: v8:5848, v8:5086
> Change-Id: I968a08cef6a6d49350aa79185b2c6fb856d15f23
> Reviewed-on: https://chromium-review.googlesource.com/c/1403018
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59229}

Bug: v8:5848, v8:5086
Change-Id: I92f22ae03adafd9ad042e8d4bb406cbd5b5fb51e
Cq-Include-Trybots: luci.chromium.try:linux_chromium_ubsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/1447854
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59411}
2019-02-06 15:04:43 +00:00
Jaroslav Sevcik
ea86509424 Constant field tracking for arrays.
This adds constant field tracking for arrays. To prevent changing the
field in some other elements-kind-branch of transition tree, we only
use the const information in the optimizing compiler if the map is not
an array map or if the map is stable (since stable maps cannot
transition to a different elements-kind-branch without deopt).

Some more details:
https://docs.google.com/document/d/1r2GAvdi_wudDS6iRUfdPw0gxWMfV-IX1PqKgwW47FyE

Bug: chromium:912162, v8:8361
Change-Id: Iea1b2f03ddee16205c2141ac5e813a973dd23cf4
Reviewed-on: https://chromium-review.googlesource.com/c/1454606
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59409}
2019-02-06 14:44:43 +00:00
Tamer Tas
df630e67fd Reland "Reland "[test] refactor testsuite configuration""
This is a reland of 81eec150f6

Original change's description:
> Reland "[test] refactor testsuite configuration"
>
> This is a reland of 7f92ad0ab6
>
> Original change's description:
> > [test] refactor testsuite configuration
> >
> > Every testsuite configuration consists of at least 30% code duplication.
> >
> > The code age ranges from 10 years old to 5 years old. Implementing anything that
> > touches the testsuite code becomes a technical fight to the death.
> >
> > This CL removes all the duplication by refactoring the common functionality.
> >
> > This CL contains structural changes without any logical changes % small bug
> > fixes.
> >
> > R=machenbach@chromium.org
> > CC=yangguo@chromium.org,sergiyb@chromium.org
> >
> > Bug: v8:8174, v8:8769
> > Change-Id: Iee299569caa7abdc0307ecf606136669034a28a2
> > Reviewed-on: https://chromium-review.googlesource.com/c/1445881
> > Commit-Queue: Sergiy Belozorov <sergiyb@chromium.org>
> > Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#59361}
>
> Bug: v8:8174, v8:8769
> Change-Id: I8e7078cfb875ceb3777e57084e6f8dfac09693e7
> Reviewed-on: https://chromium-review.googlesource.com/c/1454485
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Tamer Tas <tmrts@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59369}

Bug: v8:8174, v8:8790
Change-Id: I38ab9d37bca76057441a970f26e2102e4387a857
Reviewed-on: https://chromium-review.googlesource.com/c/1454724
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59387}
2019-02-06 09:02:09 +00:00
Leszek Swirski
76f6495c5f [parser] Force func decl allocation for code coverage
Preserve coverage for unused functions by force marking them used when
code coverage is enabled.

Bug: chromium:927464
Change-Id: Ia973467d06f7268f4e98cc76d0bb98cc591e979c
Reviewed-on: https://chromium-review.googlesource.com/c/1454717
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59373}
2019-02-05 16:19:38 +00:00
Tamer Tas
ea4412ad33 Revert "Reland "[test] refactor testsuite configuration""
This reverts commit 81eec150f6.

Reason for revert: windows mozilla test failures

Original change's description:
> Reland "[test] refactor testsuite configuration"
> 
> This is a reland of 7f92ad0ab6
> 
> Original change's description:
> > [test] refactor testsuite configuration
> > 
> > Every testsuite configuration consists of at least 30% code duplication.
> > 
> > The code age ranges from 10 years old to 5 years old. Implementing anything that
> > touches the testsuite code becomes a technical fight to the death.
> > 
> > This CL removes all the duplication by refactoring the common functionality.
> > 
> > This CL contains structural changes without any logical changes % small bug
> > fixes.
> > 
> > R=machenbach@chromium.org
> > CC=yangguo@chromium.org,sergiyb@chromium.org
> > 
> > Bug: v8:8174, v8:8769
> > Change-Id: Iee299569caa7abdc0307ecf606136669034a28a2
> > Reviewed-on: https://chromium-review.googlesource.com/c/1445881
> > Commit-Queue: Sergiy Belozorov <sergiyb@chromium.org>
> > Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#59361}
> 
> Bug: v8:8174, v8:8769
> Change-Id: I8e7078cfb875ceb3777e57084e6f8dfac09693e7
> Reviewed-on: https://chromium-review.googlesource.com/c/1454485
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Tamer Tas <tmrts@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59369}

TBR=machenbach@chromium.org,sergiyb@chromium.org,tmrts@chromium.org

Change-Id: I8f5650b5f46be299c004e2fa8b708fa2c17a4dc2
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8174, v8:8769
Reviewed-on: https://chromium-review.googlesource.com/c/1454607
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59370}
2019-02-05 15:20:46 +00:00
Tamer Tas
81eec150f6 Reland "[test] refactor testsuite configuration"
This is a reland of 7f92ad0ab6

Original change's description:
> [test] refactor testsuite configuration
> 
> Every testsuite configuration consists of at least 30% code duplication.
> 
> The code age ranges from 10 years old to 5 years old. Implementing anything that
> touches the testsuite code becomes a technical fight to the death.
> 
> This CL removes all the duplication by refactoring the common functionality.
> 
> This CL contains structural changes without any logical changes % small bug
> fixes.
> 
> R=machenbach@chromium.org
> CC=yangguo@chromium.org,sergiyb@chromium.org
> 
> Bug: v8:8174, v8:8769
> Change-Id: Iee299569caa7abdc0307ecf606136669034a28a2
> Reviewed-on: https://chromium-review.googlesource.com/c/1445881
> Commit-Queue: Sergiy Belozorov <sergiyb@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59361}

Bug: v8:8174, v8:8769
Change-Id: I8e7078cfb875ceb3777e57084e6f8dfac09693e7
Reviewed-on: https://chromium-review.googlesource.com/c/1454485
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59369}
2019-02-05 14:53:05 +00:00
Tamer Tas
97068800fe Revert "[test] refactor testsuite configuration"
This reverts commit 7f92ad0ab6.

Reason for revert: https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Win32/19148

Original change's description:
> [test] refactor testsuite configuration
>
> Every testsuite configuration consists of at least 30% code duplication.
>
> The code age ranges from 10 years old to 5 years old. Implementing anything that
> touches the testsuite code becomes a technical fight to the death.
>
> This CL removes all the duplication by refactoring the common functionality.
>
> This CL contains structural changes without any logical changes % small bug
> fixes.
>
> R=machenbach@chromium.org
> CC=yangguo@chromium.org,sergiyb@chromium.org
>
> Bug: v8:8174, v8:8769
> Change-Id: Iee299569caa7abdc0307ecf606136669034a28a2
> Reviewed-on: https://chromium-review.googlesource.com/c/1445881
> Commit-Queue: Sergiy Belozorov <sergiyb@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59361}

TBR=machenbach@chromium.org,sergiyb@chromium.org,tmrts@chromium.org,v8-reviews@chromium.org

Change-Id: I473f0d4c6b9c0239923b8c03699dbc38b7f85030
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8174, v8:8769
Reviewed-on: https://chromium-review.googlesource.com/c/1454599
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59362}
2019-02-05 12:06:18 +00:00
Tamer Tas
7f92ad0ab6 [test] refactor testsuite configuration
Every testsuite configuration consists of at least 30% code duplication.

The code age ranges from 10 years old to 5 years old. Implementing anything that
touches the testsuite code becomes a technical fight to the death.

This CL removes all the duplication by refactoring the common functionality.

This CL contains structural changes without any logical changes % small bug
fixes.

R=machenbach@chromium.org
CC=yangguo@chromium.org,sergiyb@chromium.org

Bug: v8:8174, v8:8769
Change-Id: Iee299569caa7abdc0307ecf606136669034a28a2
Reviewed-on: https://chromium-review.googlesource.com/c/1445881
Commit-Queue: Sergiy Belozorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59361}
2019-02-05 11:37:51 +00:00
Sven Sauleau
764815811d [wasm] remove [[HasProperty]] in memory/constructor when threads
Remove the call to [[HasProperty]] for the shared property when threads
feature is enabled.

Bug: v8:8782
Change-Id: I492ed3726ea846a1a52dc3a0e0a183d9ee506e96
Reviewed-on: https://chromium-review.googlesource.com/c/1451826
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Sven Sauleau <ssauleau@igalia.com>
Cr-Commit-Position: refs/heads/master@{#59352}
2019-02-04 19:48:27 +00:00
Michael Achenbach
b7b43b7dc0 [test] Run jitless on all bots
Bug: v8:8778
Change-Id: I384ad4387743d534a79ebad03130e8a688cc4631
Reviewed-on: https://chromium-review.googlesource.com/c/1449691
Reviewed-by: Sergiy Belozorov <sergiyb@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59332}
2019-02-04 12:04:08 +00:00
Clemens Hammacher
ac73e1d52b Reland "[test] Check for illegal uses of mjsunit methods"
This is a reland of a9e93572d4

Original change's description:
> [test] Check for illegal uses of mjsunit methods
> 
> The assertThrows and assertDoesNotThrow methods expect either a
> function to execute, or a string to eval. In several tests however we
> accidentally passed the *result* of the statement to be tested instead
> of the code.
> This CL adds a check to catch such errors early, and removes wrong uses.
> In most places, we do not need to use assertDoesNotThrow anyway,
> because exceptions are handled as test failures.
> 
> Drive-by: Unify catch syntax in mjsunit.js and make sure to propagate
> MjsUnitAssertionErrors correctly.
> 
> R=mathias@chromium.org
> 
> Bug: v8:8562
> Change-Id: I88894a667cbe0570774f748a9a23e8a527887a49
> Reviewed-on: https://chromium-review.googlesource.com/c/1439238
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59277}

Bug: v8:8562
Change-Id: I3b26935f7b35302d499266155273ea271bf8151d
Reviewed-on: https://chromium-review.googlesource.com/c/1449792
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59328}
2019-02-04 10:45:18 +00:00
Clemens Hammacher
5fc71d7b40 [test] Skip flaky test
R=mstarzinger@chromium.org

Bug: v8:8781
Change-Id: I6982170a3e4c31a6d39e6368b7a3163dbb08cee7
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/1451917
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59327}
2019-02-04 10:26:28 +00:00
Jakob Gruber
8de3a2ca44 Reland "[nojit] Check that --jitless is disabled when creating wasm code"
This is a reland of 0befa6d4c3

Original change's description:
> [nojit] Check that --jitless is disabled when creating wasm code
>
> Drive-by: Amend wasm test skips for lite mode.
>
> Bug: v8:7777
> Change-Id: I23e13b65e548c19d6b24a26e0b962a9978f54ed7
> Reviewed-on: https://chromium-review.googlesource.com/c/1449616
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59314}

Tbr: mstarzinger@chromium.org
Bug: v8:7777
Change-Id: I0a076b36bb2e69b612df89b0f35067f299f27a7e
Reviewed-on: https://chromium-review.googlesource.com/c/1451819
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59325}
2019-02-04 10:20:08 +00:00
Simon Zünd
b79e661957 [typedarray] Improve test for TA#sort stableness
This CL makes the TypedArray#sort unit test that checks for the stable
property more robust.

R=jgruber@chromium.org

Bug: v8:8567
Change-Id: I8e6a729d0a8b54901535d49eb578b8b34bd6f2eb
Reviewed-on: https://chromium-review.googlesource.com/c/1449695
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59316}
2019-02-04 09:01:48 +00:00
Mathias Bynens
b62a7f18cb Remove always-true --harmony-array-flat runtime flag
It shipped in Chrome 69.

Bug: v8:7220, v8:8562
Change-Id: I09d5ee9e98fc32ae3163c8983d552b99ac4f08e6
Reviewed-on: https://chromium-review.googlesource.com/c/1450781
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59309}
2019-02-02 17:54:27 +00:00
Jakob Kummerow
f738c6c4c3 [ubsan][bigint] Fix int overflow in BigIntToStringImpl
The result of Object::ToInteger is a number rounded to an
integer value, but not necessarily in the range of what a
C++ "int" can represent. Doing the 2 <= radix <= 36 range
check first makes the subsequent cast safe.

Bug: chromium:927212
Change-Id: I49f115140f6dc1f951cbc08a3025b3ac92ec8628
Reviewed-on: https://chromium-review.googlesource.com/c/1449040
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59303}
2019-02-01 19:10:17 +00:00
Clemens Hammacher
327fd140fd [wasm] Revise compile error messages
This CL revises some of our error messages, and removes unneeded parts
(like "AsyncCompilation: " or "(null): "). It also extends existing
tests to check for the precise error message more thoroughly to detect
changes or nondeterminism earlier.

R=titzer@chromium.org, ahaas@chromium.org

Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Bug: chromium:926311
Change-Id: I1ccfb307d4a61291f4582330152a53fbadd0848f
Reviewed-on: https://chromium-review.googlesource.com/c/1445897
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59296}
2019-02-01 14:36:12 +00:00
Jaroslav Sevcik
06ba822ead Map update for integrity level transitions.
This adds support for integrity level transitions (preventExtensions,
seal and freeze) to MapUpdater and Map::TryUpdate.

In both cases, we first try to detect whether there were integrity
level transitions in the transition tree to the old map and make note
of the most restrictive integrity transition and the map just before
the transition (integrity-source-map). Then we find an appropriate root
(based on integrity-source-map's elements kind) and replay the
transitions based on the integrity-source-map's descriptor
array. Finally, if we saw an integrity level transition in
the beginning, we will find-or-create that transition (on the
updated version of integrity-source-map).

For the following micro-benchmark, we get about 10x speedup.

```
function C() {
  this.x = 1;
  Object.seal(this);
  this.x = 0.1;
}

const start = Date.now();
for (let i = 0; i < 1e7; i++) {
  new C();
}
console.log("Reconfigure sealed: " + (Date.now() - start));
```

Before:
> Reconfigure sealed: 5202

After:
> Reconfigure sealed: 479

Bug: v8:8538
Change-Id: If695be7469d8b6ccd44ac4528be8aa34b65b3e4d
Reviewed-on: https://chromium-review.googlesource.com/c/1442640
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59295}
2019-02-01 14:28:57 +00:00
Mike Stanton
183b857958 [Builtins]: Array.prototype.map out of memory error
If we need to allocate a DOUBLE_ELEMENTS backing store, it's important
to allow large object space allocation.

BUG: chromium:926856

Change-Id: I9dd94f7176891a6f8f11d5f579b67df8151a40b5
Reviewed-on: https://chromium-review.googlesource.com/c/1449531
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59285}
2019-02-01 12:33:19 +00:00
Michael Achenbach
14c06a34db Revert "[test] Check for illegal uses of mjsunit methods"
This reverts commit a9e93572d4.

Reason for revert:
https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/23956
Happened already 2 builds earlier, but the output is corrupted due to
an outage.

Original change's description:
> [test] Check for illegal uses of mjsunit methods
> 
> The assertThrows and assertDoesNotThrow methods expect either a
> function to execute, or a string to eval. In several tests however we
> accidentally passed the *result* of the statement to be tested instead
> of the code.
> This CL adds a check to catch such errors early, and removes wrong uses.
> In most places, we do not need to use assertDoesNotThrow anyway,
> because exceptions are handled as test failures.
> 
> Drive-by: Unify catch syntax in mjsunit.js and make sure to propagate
> MjsUnitAssertionErrors correctly.
> 
> R=mathias@chromium.org
> 
> Bug: v8:8562
> Change-Id: I88894a667cbe0570774f748a9a23e8a527887a49
> Reviewed-on: https://chromium-review.googlesource.com/c/1439238
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59277}

TBR=ahaas@chromium.org,clemensh@chromium.org,mathias@chromium.org

Change-Id: Iec06c95dd3223f27297e5c6e02835d26b5e753e7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8562
Reviewed-on: https://chromium-review.googlesource.com/c/1449634
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59284}
2019-02-01 12:12:41 +00:00
Clemens Hammacher
a9e93572d4 [test] Check for illegal uses of mjsunit methods
The assertThrows and assertDoesNotThrow methods expect either a
function to execute, or a string to eval. In several tests however we
accidentally passed the *result* of the statement to be tested instead
of the code.
This CL adds a check to catch such errors early, and removes wrong uses.
In most places, we do not need to use assertDoesNotThrow anyway,
because exceptions are handled as test failures.

Drive-by: Unify catch syntax in mjsunit.js and make sure to propagate
MjsUnitAssertionErrors correctly.

R=mathias@chromium.org

Bug: v8:8562
Change-Id: I88894a667cbe0570774f748a9a23e8a527887a49
Reviewed-on: https://chromium-review.googlesource.com/c/1439238
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59277}
2019-02-01 10:13:30 +00:00
Simon Zünd
4863a5505f [typedarray] Replace quicksort with mergesort to make TA#sort stable
This CL replaces the current TypedArray#sort with a simpler mergesort.
The fastpath when the user does not provide a comparison function
is still used.

In addition, TypedArray#sort now converts all elements in the
TypedArray to tagged values upfront, sorts them and writes them
back into the TypedArray as the final step.

R=jgruber@chromium.org, tebbi@chromium.org

Bug: v8:8567
Change-Id: Ib672c5cf510f7c0a2e722d1baa2704305a9ff235
Reviewed-on: https://chromium-review.googlesource.com/c/1445987
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59271}
2019-02-01 09:08:53 +00:00
Ben Smith
70c94dfab0 [wasm] Rename memory.drop and table.drop
The new names for memory.drop and table.drop are data.drop and elem.drop
respectively. See
https://github.com/WebAssembly/bulk-memory-operations/issues/23 and
https://github.com/WebAssembly/bulk-memory-operations/pull/46.

Change-Id: I07aab8448fabe24eb9734dc7dac6f91c570cb553
Reviewed-on: https://chromium-review.googlesource.com/c/1446148
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59261}
2019-01-31 19:27:57 +00:00
Ben Smith
787d83c57c [wasm] Update bulk-memory instruction immediates
* There are now two indexes for table.copy and memory.copy, one for the
source and one for the destination table/memory. (see
https://github.com/WebAssembly/bulk-memory-operations/pull/43)

* Reverse the order of the table.init and memory.init indexes, so the
segment index is first and the table/memory index is second. (see
https://github.com/WebAssembly/bulk-memory-operations/pull/45)

Change-Id: I1781edd4200a7b693e3d0814999e6292aafa58d3
Reviewed-on: https://chromium-review.googlesource.com/c/1446149
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59259}
2019-01-31 18:24:17 +00:00
Clemens Hammacher
659347f9aa [wasm] Slightly modify some error messages
This CL revises some of our error messages to be more precise or more
aesthetically appealing.

R=titzer@chromium.org, ahaas@chromium.org

Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Bug: chromium:926311
Change-Id: I38eaee09fd37f9b67fdb08bc7b0df64a6eaf96f9
Reviewed-on: https://chromium-review.googlesource.com/c/1445980
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59249}
2019-01-31 15:52:42 +00:00
Georg Neis
e1bc9dead7 Revert "[builtins] [turbofan] Refactor Float64Pow to use single implementation"
This reverts commit 595aafeb21.

Reason for revert:
https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket.appspot.com/8922824501209195616/+/steps/Mozilla/0/logs/15.8.2.13/0

Original change's description:
> [builtins] [turbofan] Refactor Float64Pow to use single implementation
> 
> Remove platform-specific Float64Pow implementations and utils Pow in
> favor of a base::ieee754::pow implementation.
> 
> This unifies the implementation of pow for the compiler, wasm, and
> runtime.
> 
> Bug: v8:5848, v8:5086
> Change-Id: I968a08cef6a6d49350aa79185b2c6fb856d15f23
> Reviewed-on: https://chromium-review.googlesource.com/c/1403018
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#59229}

TBR=yangguo@chromium.org,jarin@chromium.org,neis@chromium.org,clemensh@chromium.org,me@gus.host

Change-Id: I266df4b8350cfcebcea8f6063ad75ad962381105
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:5848, v8:5086
Reviewed-on: https://chromium-review.googlesource.com/c/1447715
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59232}
2019-01-31 10:13:53 +00:00
Clemens Hammacher
595aafeb21 [builtins] [turbofan] Refactor Float64Pow to use single implementation
Remove platform-specific Float64Pow implementations and utils Pow in
favor of a base::ieee754::pow implementation.

This unifies the implementation of pow for the compiler, wasm, and
runtime.

Bug: v8:5848, v8:5086
Change-Id: I968a08cef6a6d49350aa79185b2c6fb856d15f23
Reviewed-on: https://chromium-review.googlesource.com/c/1403018
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59229}
2019-01-31 09:42:25 +00:00
Sven Sauleau
5bdb13297f [wasm] merge js constants file in module-builder
We noticed that almost every call site was loading both files; the
split isn't necessary anymore.

In some message tests, removed the absolute line number to allow future
changes.

Bug: v8:8726
Change-Id: I8527f0a1ecfa685aa01a5e2f5f47ddf1cb13a545
Reviewed-on: https://chromium-review.googlesource.com/c/1446452
Commit-Queue: Sven Sauleau <ssauleau@igalia.com>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59220}
2019-01-30 22:10:34 +00:00
Sven Sauleau
3c3233e6f8 [wasm] js module-builder and constants improvements
Changes made to the Wasm module builder:
- Create emit_u64v for emitting a LEB128 that conceptually represents
a 64-bit integer.
- Differentiate toBuffer and toUint8Array for returning an ArrayBuffer
and a Uint8Array respectively.
- Moved wasmF32Const and wasmF64Const functions because we can take
advantage of the existing cached conversion buffers. Also, declaring
them in the constants file will collide with the module-builder since
they are loaded in the same scope.
- The byte_view buffer (used by some conversions to bytes) switched from
Int8Array to Uint8Array.

Changes made to the Wasm constants:
- Add a new kSharedHasMaximumFlag flag for shared memory with a maximum
value.

Bug: v8:8726
Change-Id: If16c59896cfa1d42008da413e2e144b73a0fa5ce
Reviewed-on: https://chromium-review.googlesource.com/c/1443062
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Sven Sauleau <ssauleau@igalia.com>
Cr-Commit-Position: refs/heads/master@{#59213}
2019-01-30 15:18:44 +00:00
Mathias Bynens
b645a259bd [parser] Allow try {} catch (e) { for (var e of x) {} }
This patch changes the parser to allow for-of initializer
var-redeclaration of non-destructured catch parameters.

Previously, the spec allowed var-redeclaration of a
non-destructured catch parameter…

    try {} catch (e) { var e; }

…except in the particular case where the var declaration is
a for-of initializer:

    try {} catch (e) { for (var e of whatever) {} }

https://github.com/tc39/ecma262/pull/1393 removes this strange
exceptional case. This patch implements that change.

BUG=v8:8759

Change-Id: Ia4e33ac1eab89085f8a5fdb547f479cfa38bbee5
Reviewed-on: https://chromium-review.googlesource.com/c/1444954
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59209}
2019-01-30 14:20:58 +00:00
Marja Hölttä
ea526196f4 [js weak refs] Update to new API
This replaces WeakFactory with FinalizationGroup.

New API is here: https://weakrefs.netlify.com/

BUG=v8:8179

Change-Id: I8c1c4a70deb42581d17117423dd29d93bdd35cb0
Reviewed-on: https://chromium-review.googlesource.com/c/1435938
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59204}
2019-01-30 13:47:18 +00:00
Toon Verwaest
3ef9af8409 [parser] Don't hoist sloppy block functions on error
Bug: chromium:926819
Change-Id: I44832f8707c413d40e5632ed39b97624059f1fba
Reviewed-on: https://chromium-review.googlesource.com/c/1445891
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59198}
2019-01-30 11:54:28 +00:00
Z Duong Nguyen-Huu
0cabc54666 Throw TypeError if a proxy's [[OwnPropertyKeys]] returns dupes
Adding implementation for step 9 which is missing for spec:
https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-ownpropertykeys
Update bytecode_expectations as well.

Bug: v8:6776

Change-Id: Id191f9604e2dc08e71cbcff8ebd5707c233af193
Reviewed-on: https://chromium-review.googlesource.com/c/1419779
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#59180}
2019-01-29 17:55:06 +00:00
Clemens Hammacher
3af3c9d100 [Liftoff] Correctly unuse Labels
On Liftoff bailout, instead of binding all unbound labels (to avoid
triggering DCHECKS in their destructor), just Unuse them.

R=mstarzinger@chromium.org

Bug: chromium:924843
Change-Id: Icf581bca06eaa7369ab2bbd5d805112289d6a801
Reviewed-on: https://chromium-review.googlesource.com/c/1442645
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59172}
2019-01-29 15:18:48 +00:00
Clemens Hammacher
185922de91 [wasm] Distinguish requested tier and executed tier
During execution, the tier can be switched from Liftoff to TurboFan. We
already handle this in some locations by getting the tier before
execution, so that we later know which was the requested tier for that
unit.
In the case of the --wasm-tier-mask-for-testing flag, this accounting
was not right because the tier was already switched in the constructor.
This CL changes the compilation units to store both the requested and
the executed tier explicitly, so we know which counter to decrement
when the unit finishes.

R=ahaas@chromium.org

Bug: chromium:925671
Change-Id: I673463135e9b3ab17e40cfdfd5d3a526ad5a9b79
Reviewed-on: https://chromium-review.googlesource.com/c/1442639
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59168}
2019-01-29 12:36:48 +00:00
Leszek Swirski
b0e1c2bfe5 [parser] Make pattern DCHECK dependent on !has_error
Bug: chromium:926036
Change-Id: Ibc8d3ffc3f9411fa33c0ed6326cb6b19a7d8dd05
Reviewed-on: https://chromium-review.googlesource.com/c/1442635
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59162}
2019-01-29 11:03:09 +00:00
Simon Zünd
eb18edb4f5 [json] Extend JSON#stringify error message for circular structures
This CL extends the kCircularStructure error message to include the
constructors and keys involved in the circle:

const a = {};
a.arr = [];
a.arr[0] = a;
JSON.stringify(a);

TypeError: Converting circular structure to JSON
    --> starting at object with constructor 'Object'
    |     property 'arr' -> object with constructor 'Array'
    --- index 0 closes the circle

R=gsathya@chromium.org, yangguo@chromium.org

Bug: v8:6513, v8:8696
Change-Id: I393aa3ce47d8bfd03734fccac63445006940ef7a
Reviewed-on: https://chromium-review.googlesource.com/c/1433776
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59152}
2019-01-29 08:00:10 +00:00
Jakob Kummerow
a8aa4b4ef2 [ubsan] Fix Clusterfuzz-found bugs
Smi::LexicographicCompare: signed integer overflow on negation.
Drive-by improvement: reduce number of branches.

RegExpQuantifier: signed integer overflow on multiplication.

DateCache::DaylightSavingsOffsetInMs: signed integer overflow
on addition.

Bug: v8:3770,chromium:923466,chromium:923642,chromium:923626
Change-Id: If7d995a13893d1315449ee0bab8b5f2553e170f5
Reviewed-on: https://chromium-review.googlesource.com/c/1436229
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59143}
2019-01-28 21:23:24 +00:00
Ben L. Titzer
3a638a57cf [wasm] 0-count is out-of-bounds for table.*
The spec wasn't clear (or I misunderstood). As per
(https://github.com/WebAssembly/bulk-memory-operations/issues/11),
zero-count table operations are also out of bounds.

R=mstarzinger@chromium.org
CC=binji@chromium.org
BUG=v8:7747

Change-Id: Iac689b93a040eb6eb06975bc2ba0facb85d24756
Reviewed-on: https://chromium-review.googlesource.com/c/1436022
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59121}
2019-01-28 13:13:34 +00:00
Andreas Haas
258371bd44 [wasm][anyref] Support anyref stack parameters
Anyref parameters can exist across GC runs. Therefore the GC has to
know where anyref parameters are on the stack so that it can mark them
in its marking phase, and update them in the compaction phase.

Already in a previous CL we grouped all anyref parameters so that they
can be found more easily in a stack frame, see
https://crrev.com/c/1371827. In this CL we implement the stack scanning
itself.

Note that anyref parameters are not scanned while iterating over the
caller's frame (to which they actually belong), but while iterating
over the callee's frame. The reason is that with tail-calls, only the
callee knows how many tagged stack parameters (aka anyref parameters)
there are.

R=mstarzinger@chromium.org
also-by=mstarzinger@chromium.org

Bug: v8:7581
Change-Id: I7a41ce11d06c0d420146fdb0bb8d5606f28824d7
Reviewed-on: https://chromium-review.googlesource.com/c/1424955
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59099}
2019-01-25 18:00:46 +00:00
Michael Starzinger
8a3c4d9eec [wasm][arm] Fix {Word32Shr} instruction selection.
This fixes a corner case with the matching for a {UBFX} instruction.
According to the ISA reference "UBFX Rd, Rn, #lsb, #width" is only valid
for "#width" in the [1;32-#lsb] range. Specifically a "#width" of 0 is
invalid but was not checked against by the instruction selector.

R=ahaas@chromium.org
TEST=mjsunit/regress/wasm/regress-924905
BUG=chromium:924905

Change-Id: I470671282b215be62dfd147a619a0d317f7cc746
Reviewed-on: https://chromium-review.googlesource.com/c/1435939
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59096}
2019-01-25 13:08:10 +00:00
Toon Verwaest
5a72c6b69b [parser] Use Token::INIT for hoisted sloppy block functions when possible
Change-Id: I83dc3bed644361be1b94063daefd890b10ba50cd
Reviewed-on: https://chromium-review.googlesource.com/c/1433772
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59095}
2019-01-25 12:24:46 +00:00
Mythri
c082b74c96 Cleanup after removing language mode parameter from SetProperty
SetProperty now infers the language mode from the closure and the context,
so we no longer have to pass around the language mode. Cleanup by
removing the parameter where it is no longer needed.

Bug: v8:8580
Change-Id: I89452b5a762eb48a911f158d22c7bfa9e3bb1be4
Reviewed-on: https://chromium-review.googlesource.com/c/1421840
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59089}
2019-01-25 10:51:10 +00:00
Jaroslav Sevcik
ec4d45a866 [turbofan] Handle exceptional edges when inserting unreachable node.
... more precisely, do not mess up the exceptional edges.

Bug: chromium:924151
Change-Id: I3541a1c339c07f509519d4ece6d677dd499f181e
Reviewed-on: https://chromium-review.googlesource.com/c/1429860
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59063}
2019-01-24 12:43:46 +00:00
Andreas Haas
5d587693a6 [wasm][anyref] Implement sub-typing of anyref, anyfunc, and nullref
For the reference types anyref, anyfunc, and nullref, there exist
sub-typing rules. The spec says

A reference type reftype1 matches a reference type reftype2 if and only
if:

* Either both reftype1 and reftype2 are the same.
* Or reftype1 is nullref.
* Or reftype2 is anyref.

This CL introduces the type nullref for ref-null, and implements the
sub-typing rules in the function-body-decoder.

Note that because of the sub-typing check validation performance may
regress. In that case we can optimize the sub-typing check.

R=titzer@chromium.org, clemensh@chromium.org

Bug: v8:7581
Change-Id: I55bab72a109f3374da3770d141b0fc8067aad8b2
Reviewed-on: https://chromium-review.googlesource.com/c/1430061
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59043}
2019-01-23 16:11:15 +00:00
Andreas Haas
ed3738975b [wasm][anyref] Add test for the default value of anyfunc locals
The implementation already exists, but the test doesn't.

R=titzer@chromium.org

Bug: v8:7581
Change-Id: I42e1b0a1c930ec4cc1f1701d5613828acab4fc30
Reviewed-on: https://chromium-review.googlesource.com/c/1426123
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59038}
2019-01-23 15:53:45 +00:00
Ben L. Titzer
61ea7c48ad [wasm] Implement table.init bytecode
The table.init bytecode copies a range of elements from an element
segment into a table, trapping if the segment is not passive, is
dropped, or would cause out-of-bounds accesses.

R=mstarzinger@chromium.org
CC=binji@chromium.org
BUG=v8:7747

Change-Id: Ib27af9cca45a464fd1f876ddd092e99941481896
Reviewed-on: https://chromium-review.googlesource.com/c/1430063
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59037}
2019-01-23 15:45:27 +00:00
Andreas Haas
e7e61ce620 [wasm][anyref] Introduce anyfunc locals
R=titzer@chromium.org

Bug: v8:7581
Change-Id: I153b09ac1676c75590f37c4b7d1f8659c37bbe96
Reviewed-on: https://chromium-review.googlesource.com/c/1421837
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59029}
2019-01-23 13:45:07 +00:00
Sven Sauleau
d4831b31b8 [wasm] fix js-api memory/grow
Fix WebAssembly's memory/grow js-api. The argument is an unsigned long,
this change refactors most of arithmetic and bounds checks type from int64 to
uint32_t, according to the spec.

Bug: v8:8319
Change-Id: I662c704d1d50288ad68be70c72a3db7052a80014
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Reviewed-on: https://chromium-review.googlesource.com/c/1351028
Commit-Queue: Sven Sauleau <ssauleau@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59008}
2019-01-22 19:03:05 +00:00
Matt Gardner
1e5b2358a7 Check for "SuperNotCalled" on "delete this" in a constructor
V8 implements "delete this" as "LdaTrue", but an error needs to be thrown
if done in a constructor before calling super. ThrowIfHole checks the
accumulator, so we need to load 'this' into the accumulator. The check is
inserted by the load since it has HoleCheckMode::kRequired.

Bug: https://bugs.chromium.org/p/v8/issues/detail?id=6711

Change-Id: I9f2ce4439505cec4327d88d1195898782edea721
Reviewed-on: https://chromium-review.googlesource.com/c/1419084
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Matt Gardner <magardn@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#59007}
2019-01-22 18:58:42 +00:00
Maya Lekova
a61f5ccdcb [test] Fix flaky OOM regression test
The test was originally testing the max string length limit, but due to
refactoring of Array.join started consuming too much memory, resulting in
OOMs on TSAN builds. The new implementation still checks for the limit,
while reducing the memory consumption drastically.

R=jarin@chromium.org

Bug: v8:8504, chromium:336820
Change-Id: I4db9001541103d5908149e623ce4a4beee551e6c
Reviewed-on: https://chromium-review.googlesource.com/c/1426839
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59000}
2019-01-22 16:42:40 +00:00
Simon Zünd
b959ece470 [array] Enable copying from the prototype chain when sorting JSArrays
This CL enables the pre-processing step of copying from the
prototype chain for JSArrays. Previously, this was done for everything
BUT JSArrays. This brings Array#sort more in line with other engines
in the case of undefined behavior.

R=jgruber@chromium.org

Bug: v8:8666
Change-Id: I832d470dc02111b64dc4919e84e7e3e47c8fdd47
Reviewed-on: https://chromium-review.googlesource.com/c/1426119
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58999}
2019-01-22 16:34:38 +00:00
Camillo Bruni
c3722aa5e8 [parser] Fix storing has_data bit for inner function preparse data
Drive-by-fix:
- improve PreparseData::Print

Bug: chromium:923705
Change-Id: I0b0b9baf1c2cc68dccd987007081e0d5c0969c4a
Reviewed-on: https://chromium-review.googlesource.com/c/1425201
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58973}
2019-01-21 18:04:34 +00:00
Clemens Hammacher
ce2bfb8e2f [Liftoff][arm] Avoid use of temp registers
The temp registers might be needed by the assembler, so avoid using them
in LiftoffAssembler. Use Liftoff cache registers instead. This might
introduce additional spills if all registers are in use, but this is
unlikely.

This also simplifies the logic to ensure non-aliasing of certain
registers.

R=ahaas@chromium.org

Bug: chromium:922933, v8:6600
Change-Id: Ie929d9de0b6f4f41c6117d820b6a367dd0a342f7
Reviewed-on: https://chromium-review.googlesource.com/c/1424862
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58961}
2019-01-21 13:09:13 +00:00
Toon Verwaest
0d37b80d05 [parser] Track names in VariableDeclarationParsingScope
This allows us to stop tracking variables_ in the preparser.

This currently makes us track slightly more variables than necessary in the
case `for (var ...` since `var ... of` needs to check conflicts with out simple
catch variables. We should probably track the names through a ScopedPtrList
instead of a ZonePtrList anyway. Then it won't matter anymore.

Change-Id: I64e3f9ab13af8269456439cf15b0bc4d5b9e5380
Reviewed-on: https://chromium-review.googlesource.com/c/1421360
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58960}
2019-01-21 13:05:22 +00:00
Clemens Hammacher
f77299e1f5 [Liftoff] Fix DCHECK error
This fixes a minor DCHECK error, which fired because usually only
LiftoffRegisters of the same type should be compared against each
other. In the RegisterReuseMap we store both register pairs and single
registers, hence check for pair vs non-pair comparisons explicitly.

R=ahaas@chromium.org

Bug: v8:6600, chromium:922670
Change-Id: I18beb61b6b1906cc42bcf6e7dfdd5eb803e874d7
Reviewed-on: https://chromium-review.googlesource.com/c/1421921
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58956}
2019-01-21 11:52:17 +00:00
Camillo Bruni
c45a2eff0b [heap] Allow PreparseData in large object space
Since the PreparseData now directly contains the byte data inline it can
grow very large as well.

Bug: chromium:923264
Change-Id: I456d5bcbfb40587b283584f726d9e084061fd30f
Reviewed-on: https://chromium-review.googlesource.com/c/1421321
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58953}
2019-01-21 11:18:02 +00:00
Simon Zünd
bf17cd2150 [array] Add stack overflow check for Array#flat
This CL adds a stack check to the TFS builtin "FlattenIntoArray" as it
is called recursively and can cause a SEGV with a large enough
"depth" argument.

R=jgruber@chromium.org

Bug: v8:8708
Change-Id: I833506531bcff1c4703b9a21678028cf0e63638d
Reviewed-on: https://chromium-review.googlesource.com/c/1424858
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58952}
2019-01-21 10:39:45 +00:00
Toon Verwaest
b4e7d11178 [parser] Reparsing arrow function head upon failure can overflow the stack
Bug: chromium:923723
Change-Id: Ic397642c2e803b2ada95fa87ece31032eb104782
Reviewed-on: https://chromium-review.googlesource.com/c/1424857
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58949}
2019-01-21 10:12:10 +00:00
Sven Sauleau
0e9e8164c2 [wasm] fix js-api table/get-set
Fix WebAssembly's table/get-set js-api. The argument is an unsigned long,
this change refactors most of arithmetic and bounds checks type from
int64 to uint32_t, according to the spec.

Bug: v8:8319
Change-Id: I088f631c6805b0e5ba29089b08ea15e78fe5852d
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Reviewed-on: https://chromium-review.googlesource.com/c/1414914
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Sven Sauleau <ssauleau@igalia.com>
Cr-Commit-Position: refs/heads/master@{#58941}
2019-01-19 09:15:37 +00:00
Sven Sauleau
fc27711780 [wasm] fix js-api table/grow
Fix WebAssembly's table/grow js-api. The argument is an unsigned long,
this change refactors most of arithmetic and bounds checks type from
int64 to uint32_t, according to the spec.

Bug: v8:8319
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Change-Id: Ia29121c930d7fb930668e54a5a769dae25234f2c
Reviewed-on: https://chromium-review.googlesource.com/c/1351006
Commit-Queue: Sven Sauleau <ssauleau@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58936}
2019-01-18 20:19:51 +00:00
Simon Zünd
e38faab1c7 [array] Remove CHECK_LE from RemoveArrayHolesGeneric
This CL removes a CHECK_LE that does not hold in all cases. After
moving all elements to the front, current_pos will point to the next
free spot. In the case where an object is 'packed', i.e. each index
has a non-undefined value, and the length is smaller than the max
index, current_pos will be greater than the length (limit in the code).

Sidenote: The block after taking the minimum (where the counted
undefineds get set) will not be affected. In the case where
num_undefined > 0, current_pos should be guaranteed to be smaller
than limit, as long as there are no accessors with side-effects.

R=jgruber@chromium.org

Bug: chromium:923265
Change-Id: Id533cdc4db6c6c6f266cf7c6a8ab6ecbbeee7016
Reviewed-on: https://chromium-review.googlesource.com/c/1420679
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58912}
2019-01-18 10:01:37 +00:00
Ben L. Titzer
cb4e772921 [wasm] table.copy: handle overlap and zero count cases
This CL fixes the zero-count and overlapping cases for the table.copy
bytecode.

R=mstarzinger@chromium.org
CC=binji@chromium.org
BUG=v8:7747

Change-Id: I6211e4c899621069ebf8bc088b3ab4e80c7bbd0a
Reviewed-on: https://chromium-review.googlesource.com/c/1417172
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58887}
2019-01-17 13:55:20 +00:00
Andreas Haas
b565cda493 [wasm] Implement anyfunc parameters
Implementation of anyfunc parameters. Different to anyref parameters we
have to do a validation in the js-to-wasm wrapper: Only exported wasm
functions are allowed. I implemented this check in a runtime function.

R=titzer@chromium.org

Bug: v8:7581
Change-Id: I6145782fb8578124ddc21b50133c82235d666f19
Reviewed-on: https://chromium-review.googlesource.com/c/1417470
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58885}
2019-01-17 13:43:59 +00:00
Simon Zünd
4bf28a33ee [array] Fix prototype chain interaction in sort pre-processing
This CL fixes two bugs. First, when looking for a free spot while
moving elements to the front, the prototype chain was also considered,
even though an object at a specific index might have a hole (free
spot).

Second, when moving an element to the front, we are not allowed to
delete it immediately (to preserve semantics when interacting with
non-extensible objects). Such an element is then a free spot, but
won't be recognised as such. This CL sets that element to undefined
after it was moved, to mark it as a free spot.

R=jgruber@chromium.org

Bug: chromium:897512,v8:8369
Change-Id: I79207215b8b0a3c714f064450d8fe5ca0ea4a096
Reviewed-on: https://chromium-review.googlesource.com/c/1417171
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58878}
2019-01-17 11:53:52 +00:00
kingwl
65bb02593f [objects] Correctly Object.isSeal for TypedArray
Add a special handle of TypedArray elements in TestElementsIntegrityLevel

Bug: v8:8082
Change-Id: I60be644801618b576b0b8b1883ac67bf0040c849
Reviewed-on: https://chromium-review.googlesource.com/c/1412133
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58874}
2019-01-17 10:46:29 +00:00
Sven Sauleau
e65736241b [wasm] fix js-api global/value-get-set
Fix WebAssembly's global/value-get-set. The argument must not be
undefined.

mjsunit tests were updated.

Bug: v8:8319
Change-Id: Id3d3c9b18cbc8854e589481dfc7c52f35cfb7bf7
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Reviewed-on: https://chromium-review.googlesource.com/c/1411886
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Sven Sauleau <ssauleau@igalia.com>
Cr-Commit-Position: refs/heads/master@{#58863}
2019-01-16 18:56:51 +00:00
Toon Verwaest
d5f321cb5a [parser] Check conflicting var declarations from eval at compile-time
Change-Id: I9195c7ffdc4b841f14701662527c97c9698bd472
Reviewed-on: https://chromium-review.googlesource.com/c/1411888
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58859}
2019-01-16 17:01:31 +00:00
Ben L. Titzer
8a40e88db3 [wasm] Implement table.copy bytecode
The table.copy bytecode copies a range of table entries in a similar
way to memcopy. This CL implements the behavior in a runtime call
that calls into the wasm engine.

R=mstarzinger@chromium.org,binji@chromium.org
BUG=v8:7747

Change-Id: I420451202b1b78ea92cbd10387a644ed57e111c8
Reviewed-on: https://chromium-review.googlesource.com/c/1414919
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58858}
2019-01-16 16:55:31 +00:00