Commit Graph

49033 Commits

Author SHA1 Message Date
Andreas Haas
8f07a87df0 [wasm][fuzzer] Do not execute code with potential non-determinism
The WebAssembly spec is not fully deterministic: the sign bit of NaN
can be arbitrary. This sign bit can be observed by several WebAssembly
opcodes. In the testcase the sign bit of NaN makes the difference
between terminating code and an infinite loop.

In the libfuzzer fuzzer we have to prevent infinite loops ourselves.
At the moment we do this by only executing generated code of WebAssembly
modules for which the interpretation of the code ends in a limited
number of steps. With the non-determinism described above we cannot
guarantee the absence of infinite loops with this method. Therefore
we now stop executing generated code of WebAssembly modules for which
we observe possible non-determinism in the interpreter.

R=clemensh@chromium.org

Bug: chromium:863829
Change-Id: I461d67df87d672bed25d6c915ba7ea5134cb5890
Reviewed-on: https://chromium-review.googlesource.com/1141945
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54541}
2018-07-19 08:55:55 +00:00
Georg Neis
23ab7c7559 Use JSGlobalProxy type for the global proxy field on Context.
R=mslekova@chromium.org

Change-Id: I1f60108effa15585a7cf5af150fc4c1d4dd9570f
Reviewed-on: https://chromium-review.googlesource.com/1142160
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54540}
2018-07-19 08:42:05 +00:00
Simon Zünd
4a6a631b5d [array] Use Array.p.fill baseline version if object is non-extensible
This CL fixes a bug where a fast-path was used on non-extensible
objects.

R=jgruber@chromium.org

Bug: chromium:865264,chromium:865285
Change-Id: Ie14c95b383a65576799c71576a5c0f9f8e1c29ca
Reviewed-on: https://chromium-review.googlesource.com/1142766
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#54539}
2018-07-19 06:53:11 +00:00
Jaroslav Sevcik
ab20f8cfa7 Reland "[turbofan] More brokerization in JSCreateLowering."
This is a reland of 7f67cbd4d1

Original change's description:
> [turbofan] More brokerization in JSCreateLowering.
> 
> Brokerized ReduceJSCreateEmptyLiteralObject and added the scope
> for ReduceJSCreateLiteralArrayOrObject.
> 
> Bug: v8:7790
> Change-Id: Ife34a6b610678a3fe24152151cf343400ee515bd
> Reviewed-on: https://chromium-review.googlesource.com/1140306
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54507}

Bug: v8:7790
Change-Id: Ia79ff9ef49c727155a9c476268234e56d2cc9fcb
Reviewed-on: https://chromium-review.googlesource.com/1142984
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54538}
2018-07-19 05:39:21 +00:00
v8-ci-autoroll-builder
2d35e6eaff Update V8 DEPS.
Rolling v8/build: e4fb293..abdb548

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/f5342c4..26d6aff

Rolling v8/third_party/depot_tools: 302bb84..f9afc77

Rolling v8/third_party/fuchsia-sdk: 976ce5e..6215064

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: Ib6d7529ad818b0737ce780a70e5e38e6226a457c
Reviewed-on: https://chromium-review.googlesource.com/1142901
Commit-Queue: V8 Autoroller <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Reviewed-by: V8 Autoroller <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#54537}
2018-07-19 03:50:00 +00:00
Ben Smith
6525dd1859 [Atomics] Workaround for d8 worker limit
The previous change to futex.js will spawn too many workers in d8 in
some test configurations, which will throw an error.

This CL works around that by spawning fewer workers for the
Atomics.notify tests.

TBR=adamk@chromium.org

Bug: v8:7338
Change-Id: I0f3583781e5352b4d6672d43a087dc56d920122d
Reviewed-on: https://chromium-review.googlesource.com/1142895
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54536}
2018-07-19 02:53:49 +00:00
Jakob Kummerow
8043f283f6 [test] Add test for Turbofan module namespace access
Turbofan support for property loads from module namespace objects
has been tested by the test/js-perf-tests/Modules/basic-namespace
benchmark, but so far not by the mjsunit suite. This CL adds such
a test.
This is a follow-up to 8d7379c066.

Change-Id: I3c4183d761693199e6bc8740b812279efcd791a0
Reviewed-on: https://chromium-review.googlesource.com/1142594
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54535}
2018-07-19 02:28:29 +00:00
Ben Smith
c79206b363 Add Atomics.notify as alias for Atomics.wake
At the May 2018 TC39 meeting, they decided to rename Atomics.wake to
Atomics.notify. This change adds Atomics.notify as an alias, but does
not remove Atomics.wake, which will be removed later.

This allows embedders to use either name to prevent
breaking tests. When the tests are switched over, we can remove
Atomics.wake.

Bug: v8:7883
Change-Id: If057ebff162bde975c6e1b60d83a4662f144e81f
Reviewed-on: https://chromium-review.googlesource.com/1142290
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54534}
2018-07-19 00:14:29 +00:00
Bill Budge
e06c2c8564 [wasm] Fix wasm linkage to take advantage of all float registers on ARM
- Modifies LinkageAllocator to understand aliasing on ARM.
- Adds ability to allocate SIMD registers too. Before, these would
  default to stack allocated.
- Modifies WasmCompiler to be platform-independent.

Bug: v8:7754
Change-Id: I0c4355a44a4f409053b51ff675521a465e38aeb8
Reviewed-on: https://chromium-review.googlesource.com/1141114
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54533}
2018-07-18 22:50:45 +00:00
Yang Guo
0dd33901a1 Reland "[builtins] Add %IsTraceCategoryEnabled and %Trace builtins"
This is a reland of 8d4572a22b

Original change's description:
> [builtins] Add %IsTraceCategoryEnabled and %Trace builtins
>
> Adds the builtin Trace and IsTraceCategoryEnabled functions
> exposed via extra bindings. These are intended to be used by
> embedders to allow basic trace event support from JavaScript.
>
> ```js
> isTraceCategoryEnabled('v8.some-category')
>
> trace('e'.charCodeAt(0), 'v8.some-category',
>       'Foo', 0, { abc: 'xyz'})
> ```
>
> Bug: v8:7851
> Change-Id: I7bfb9bb059efdf87d92a56a0aae326650730c250
> Reviewed-on: https://chromium-review.googlesource.com/1103294
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Fadi Meawad <fmeawad@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54121}

TBR=cbruni@chromium.org

Bug: v8:7851
Change-Id: Id063754b2834b3b6a2b2654e76e8637bcd6aa5f8
Reviewed-on: https://chromium-review.googlesource.com/1137071
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54532}
2018-07-18 22:49:40 +00:00
Clemens Hammacher
a3a2f83978 [wasm] Switch thread-in-wasm flag directly
Avoid the C-call to switch the flag, just store to the address
directly. Since js-to-wasm wrappers are still isolate dependent,
we just store the address of the thread-local flag in the isolate
(in ThreadLocalTop) and update it if threads are switched.

R=ahaas@chromium.org, mstarzinger@chromium.org

Bug: chromium:862123, v8:5277
Change-Id: I9e8a40094f11a8b3ba6701dfa7fa026a2d052cb1
Reviewed-on: https://chromium-review.googlesource.com/1136299
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54531}
2018-07-18 19:55:20 +00:00
Brian Stell
ef284f7b22 Add Intl::CanonicalizeLocale as a pre-step to supportedLocalesOf
Bug: v8:5751

Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I5e149a5d7aff486a31415ae9935461e275c867bd
Reviewed-on: https://chromium-review.googlesource.com/1112202
Commit-Queue: Brian Stell <bstell@chromium.org>
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54530}
2018-07-18 19:44:59 +00:00
Frank Tang
f6aad5d5c3 [Intl] Use bit field accessors for style and numeric values
Bug: v8:7869
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I91bb1948a46249157e143733862c0eeefd15cb0d
Reviewed-on: https://chromium-review.googlesource.com/1137365
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54529}
2018-07-18 19:32:39 +00:00
Clemens Hammacher
47fdf419f3 [mips][be] Skip test which fails with segfault
TBR=sigurds@chromium.org

No-Try: true
Bug: v8:7953
Change-Id: I188c5b0501c2f0cbf8dacdec21f3e86ebec88cd7
Reviewed-on: https://chromium-review.googlesource.com/1142404
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54528}
2018-07-18 19:17:49 +00:00
Dan Elphick
ed9ea21661 Fix uses of V8_DEPRECATE_SOON in v8.h
Move brackets enclosing declarator in a couple of V8_DEPRECATE_SOON
cases so that the attribute is correctly placed.

I.e. it should come after the class keyword, and after a function
signature but before the body.

Also adds suppressions for a case where a replacement method calls
the deprecated method it replaces.

Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I490ff07a13552cf335186d64ca061f21ac4e8afc
Reviewed-on: https://chromium-review.googlesource.com/1140593
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54527}
2018-07-18 18:32:09 +00:00
Leszek Swirski
6de8560209 [cleanup] Remove unused Isolate parameters
ReadOnlyRoots means that some added Isolate parameters are no longer
needed. So, we can remove them.

This patch was generated mostly automatically with a bespoke tool.

Bug: v8:7786
Bug: v8:7754
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ia44fd2a66652253f780e3674bf7fb431caef0493
Reviewed-on: https://chromium-review.googlesource.com/1136305
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54526}
2018-07-18 16:47:22 +00:00
Leszek Swirski
e8c5a51c3b [liveedit] Fix patching functions with start position zero
For a script '()=>42', the anonymous arrow function has both start and
end position the same as the script function itself. This causes issues
when sorting the SourcePositionEvents of the function, in two ways:

  * If the start positions are the same, we should order by *furthest*
    end position to ensure the stack is in the right order
  * If both start and end are the same, we need to order by function
    literal id to make sure that start order and end order are inverted.

Also, MapLiterals assumes that start+end position uniquely identifies a
function, which is false in this case, so we process the top-level
script function separately in MapLiterals.

Change-Id: I2b2185dc2825018b7ea44c7d0918238e9b1dd972
Reviewed-on: https://chromium-review.googlesource.com/1141741
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54525}
2018-07-18 16:20:22 +00:00
Sigurd Schneider
0c54033591 Revert "[turbofan] More brokerization in JSCreateLowering."
This reverts commit 7f67cbd4d1.

Reason for revert: Speculative revert because of https://ci.chromium.org/p/v8/builders/luci.v8.ci/Mac%20V8%20FYI%20Release%20(Intel)/1842

Original change's description:
> [turbofan] More brokerization in JSCreateLowering.
> 
> Brokerized ReduceJSCreateEmptyLiteralObject and added the scope
> for ReduceJSCreateLiteralArrayOrObject.
> 
> Bug: v8:7790
> Change-Id: Ife34a6b610678a3fe24152151cf343400ee515bd
> Reviewed-on: https://chromium-review.googlesource.com/1140306
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54507}

TBR=jarin@chromium.org,neis@chromium.org,mslekova@chromium.org

Change-Id: Ic4a89cd872b13e4b5f28636e0d91b3b013d6649a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7790
Reviewed-on: https://chromium-review.googlesource.com/1141964
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54524}
2018-07-18 14:26:03 +00:00
Simon Zünd
97b4a27b66 [cleanup] Replace 'let' with 'const' in typed-array.tq where applicable
R=jgruber@chromium.org

Change-Id: If88adfb7cb9a30a50448a39c71bd899484d29510
Reviewed-on: https://chromium-review.googlesource.com/1139060
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54523}
2018-07-18 14:07:34 +00:00
Simon Zünd
eeb583d8b8 [array] Move Array.p.fill to C++
This CL moves Array.p.fill from JavaScript to a C++ builtin. It has
a generic slow-path and fast-paths implemented via ElementsAccessor in
elements.cc.

R=cbruni@chromium.org

Bug: v8:7624
Change-Id: I8820e1195d2cd9b41c254058923ad9875aab067c
Reviewed-on: https://chromium-review.googlesource.com/1131130
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54522}
2018-07-18 14:06:24 +00:00
Yang Guo
a4e0aee306 [snapshot] no longer disable code caching when debugging
This is no longer necessary since we removed the debug context.

R=jgruber@chromium.org

Bug: v8:5530
Change-Id: Ibb9df3a1f139ee076296faedb80204e7fcc23197
Reviewed-on: https://chromium-review.googlesource.com/1134746
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54521}
2018-07-18 13:59:22 +00:00
Frank Tang
b819afeb4f [Intl] Implement Intl.RelativeTimeFormat.prototype.{format, formatToParts}
Spec: http://tc39.github.io/proposal-intl-relative-time/

Design Doc: go/add-intl.relativetimeformat-to-v8

Test: test262/intl402/RelativeTimeFormat/*, intl/relative-time-format/*

R=cira@chromium.org, gsathya@chromium.org

Bug: v8:7869
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ied95d601cf707db5d555f9d963b9b1f206e37331
Reviewed-on: https://chromium-review.googlesource.com/1124728
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54520}
2018-07-18 12:49:22 +00:00
Frank Tang
26c7aa8c86 [Intl] prototype Intl.Locale.prototype.maximize/minimize
Bug: v8:7684
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I8ee5aa4a2f481bbe4e47ab3889a9a6084b6b2943
Reviewed-on: https://chromium-review.googlesource.com/1137927
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54519}
2018-07-18 12:48:12 +00:00
Andreas Haas
cf9563ea71 [wasm] Trace traps in the interpreter
R=clemensh@chromium.org

Change-Id: I4f1bda6f0ad420776eb181563d5efbc0d06a911e
Reviewed-on: https://chromium-review.googlesource.com/1141582
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54518}
2018-07-18 11:50:42 +00:00
Sergiy Byelozyorov
60acf3e8af Revert "[tools] Keep raw data in the generated JSON for debugging purposes"
This reverts commit 1e1cca61da.

Reason for revert: breaks builders

Original change's description:
> [tools] Keep raw data in the generated JSON for debugging purposes
> 
> R=machenbach@chromium.org
> 
> Bug: chromium:861668
> Change-Id: Ic3225ed5919c21a7f6a9f21cba4aa491e1d6606d
> Reviewed-on: https://chromium-review.googlesource.com/1140331
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54508}

TBR=machenbach@chromium.org,sergiyb@chromium.org

Change-Id: I10dff94c9cfe08c4a6b6d4d225b429fe16b95d19
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:861668
Reviewed-on: https://chromium-review.googlesource.com/1141784
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54517}
2018-07-18 10:51:30 +00:00
Maya Lekova
f94863326b [turbofan] Brokerize ReduceJSCreateArray
Bug: v8:7790
Change-Id: I12c159ade57a0974c6adc5b277a0b5fd74fd4dfb
Reviewed-on: https://chromium-review.googlesource.com/1140313
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54516}
2018-07-18 10:26:22 +00:00
Clemens Hammacher
48e5ef5563 [wasm] Print protected instruction for each wasm code object
This helps debugging unexpected traps, as you can figure out which
instruction triggered the trap.

R=mstarzinger@chromium.org

Change-Id: I61735f14e2838ace195f6b84b555b9ddfc06aa0f
Reviewed-on: https://chromium-review.googlesource.com/1140296
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54515}
2018-07-18 08:47:52 +00:00
Dan Elphick
bb9b41bb03 [explicit isolates] Remove HeapObject::GetHeap/GetIsolate
Convert all remaining uses (in api.cc) to use private local
implementations. These local uses all appear inside deprecated
functions.

Bug: v8:7786
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I86bcafd4c8a737da32fcb8ab275ec708632f9e39
Reviewed-on: https://chromium-review.googlesource.com/1140319
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54514}
2018-07-18 08:22:54 +00:00
Dan Elphick
4f19dac984 [explicit isolates] Remove final GetIsolate/GetHeaps
Strictly speaking there are some left in api.cc, but they are in
deprecated functions with non-deprecated alternatives.

Apart from changes made using tooling, this also modifies
FieldType::AsClass to return Map* rather than Handle<Map> and converts
its call sites to create the Handle when they need it - currently
several sites immediately dereference the Handle.

Also marks WasmDebugInfo as NeverReadOnlySpaceObject so GetIsolate and
GetHeap remain usable.

Bug: v8:7786
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I7ea5048f97f140c757f651712b8c33a5c7e0ebc1
Reviewed-on: https://chromium-review.googlesource.com/1140302
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54513}
2018-07-18 08:16:54 +00:00
Michael Starzinger
98e955a781 [wasm] Make {WasmMemoryTracker} independent of the Isolate.
This removes two pointers to Histograms from the memory tracker. These
histograms are stored as part of the Isolate and their lifetime is also
coupled to the Isolate. We cannot bind the pointers but need to pass
them (or the Isolate) as a parameter instead.

R=clemensh@chromium.org
BUG=v8:7424

Change-Id: I6b141b924bd858234641d6603a25fcb08cdf40e3
Reviewed-on: https://chromium-review.googlesource.com/1140312
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54512}
2018-07-18 08:02:44 +00:00
Marja Hölttä
9991fbd21f [in-place weak refs] Make NormalizedMapCache use in-place weak references.
Now we can finally get rid of Map::weak_cell_cache!

BUG=v8:7308

Change-Id: I87a06509bf638bf6833ea2ba1eca525fb4b15df1
Reviewed-on: https://chromium-review.googlesource.com/1128882
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54511}
2018-07-18 07:35:52 +00:00
Leszek Swirski
6cda092e46 [sfi] Use aligned size for SFI
The BodyDescriptor of an object should use its aligned size.

Change-Id: If743ca130b3cb97c4f25054db6dc887d88fc5e32
Reviewed-on: https://chromium-review.googlesource.com/1140309
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54510}
2018-07-18 07:04:02 +00:00
Marja Hölttä
4b39fe3d60 [objects.h splitting] Move JSProxy.
BUG=v8:7754,v8:5402

Change-Id: Ib3f3a879e68d96cd5d82b1ee461b57dc7367ebe2
Reviewed-on: https://chromium-review.googlesource.com/1139059
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54509}
2018-07-18 06:56:02 +00:00
Sergiy Byelozyorov
1e1cca61da [tools] Keep raw data in the generated JSON for debugging purposes
R=machenbach@chromium.org

Bug: chromium:861668
Change-Id: Ic3225ed5919c21a7f6a9f21cba4aa491e1d6606d
Reviewed-on: https://chromium-review.googlesource.com/1140331
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54508}
2018-07-18 06:35:03 +00:00
Jaroslav Sevcik
7f67cbd4d1 [turbofan] More brokerization in JSCreateLowering.
Brokerized ReduceJSCreateEmptyLiteralObject and added the scope
for ReduceJSCreateLiteralArrayOrObject.

Bug: v8:7790
Change-Id: Ife34a6b610678a3fe24152151cf343400ee515bd
Reviewed-on: https://chromium-review.googlesource.com/1140306
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54507}
2018-07-18 06:21:43 +00:00
v8-ci-autoroll-builder
f19406d800 Update V8 DEPS.
Rolling v8/build: 7315579..e4fb293

Rolling v8/third_party/depot_tools: fb73403..302bb84

Rolling v8/third_party/fuchsia-sdk: 8227701..976ce5e

Rolling v8/tools/clang: c0b1d89..5d1ce93

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: I202ee90eb4c3ea68e2677227dd0ad05cac352be2
Reviewed-on: https://chromium-review.googlesource.com/1141428
Reviewed-by: V8 Autoroller <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: V8 Autoroller <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#54506}
2018-07-18 03:49:03 +00:00
Alexey Kozyatinskiy
a796715eb5 [inspector] warmup dom bindings before calling anything on them
We try to prevent side effects by forbidding running any JavaScript
when we get a property from a node object.
In the case of an object node it is possible that by calling a property
we force internal object initialization which may force creation of a
new context; this initialization cannot be made with forbidden
JavaScript and at the same time is side effect free.
As a workaround we can warm up DOM objects first and then generate the
description.

R=dgozman@chromium.org

Bug: chromium:827585
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ifd2c6317ffd5cb3822d2a2eedf3d0b0f36a201f1
Reviewed-on: https://chromium-review.googlesource.com/1041078
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54505}
2018-07-17 20:50:16 +00:00
Frank Tang
b7e108d601 [Intl] Use correct fallback values for options in Locale constructor
Fixes intl402/Locale/constructor-options-{casefirst,hourcycle,numeric}-invalid

Bug: v8:7684
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I43317f4bb1bb8422940faab1e5afa4162ed9ea11
Reviewed-on: https://chromium-review.googlesource.com/1137476
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54504}
2018-07-17 20:22:06 +00:00
Johannes Henkel
b102970c46 Roll inspector_protocol to 0d4255502019144a5dec5669d7992165ae8924e7.

Change-Id: I3711883a4cff11f71cca10054e4aac11293f5293
Reviewed-on: https://chromium-review.googlesource.com/1139095
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Johannes Henkel <johannes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54503}
2018-07-17 19:32:31 +00:00
Mathias Bynens
a8cb6a7218 [d8] Treat .mjs files as modules
This patch makes `d8` recognize files with the `.mjs` extension as
modules instead of classic scripts. This change can be tested by saving
the following JavaScript program as both `module.mjs` and as
`script.js`:

    console.log(this === undefined ? 'strict' : 'sloppy');

Then, run these files in `d8` without passing the `--module` flag:

    $ d8 module.mjs
    strict

    $ d8 script.js
    sloppy

The use of `.mjs` matches not just Google’s recommendation [1] but also
the current modules implementation in Node.js [2].

[1] https://developers.google.com/web/fundamentals/primers/modules
[2] https://nodejs.org/api/esm.html

Bug: v8:7950
Change-Id: I8f39420dc24a5eedd7e88d3b1aa48207ebfeff6e
Reviewed-on: https://chromium-review.googlesource.com/1140314
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54502}
2018-07-17 19:04:28 +00:00
Daniel Clifford
1062ffb958 [torque]: Implement structs
Structs are bundles of value types. They are essentially just shorthand
for passing around a group of individually defined values.

Struct types are declared like this:

  struct A {
    x: Smi;
    y: int32;
  }

and can be constructed explicitly like this:

  A{0, 0}

Structs can be used wherever other types are used (e.g. variables,
parameters, return values) except for parameter/return types of
builtins and runtime functions.

Structs use field access notation to set/get their values like this:

  let a: A = A{0, 0};
  let b: Smi = a.x;
  a.y = 0;

Change-Id: I9fd36a6514c37882831256a49a50809c5db75b56
Reviewed-on: https://chromium-review.googlesource.com/1122133
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54501}
2018-07-17 17:04:55 +00:00
Clemens Hammacher
16af1baac4 [Liftoff] Zero-extend i32 stack parameters
i32 stack parameters can be loaded by Turbofan as a 64-bit value, hence
they would not be zero extended. If this loaded value is then passed to
Liftoff (which assumes zero-extended i32 values), we could use it for
memory accesses, which would be out of bounds.

R=mstarzinger@chromium.org

Bug: chromium:864509, v8:6600
Change-Id: I0f45a269b1fb1c2befc2e6bc660c559a88323767
Reviewed-on: https://chromium-review.googlesource.com/1140168
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54500}
2018-07-17 16:59:14 +00:00
Brian Stell
e3a5b1e402 Add IsStructurallyValidLanguageTag() routine.
Bug: v8:5751


Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: If71ab553f7f70dd148fb90a18ccd9b1c69791323
Reviewed-on: https://chromium-review.googlesource.com/1119103
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Brian Stell <bstell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54499}
2018-07-17 16:47:34 +00:00
Sigurd Schneider
46a78fbedf Revert "[embedded-builtins] Enable on all arches except x86 for benchmarks"
This reverts commit f5a8352b0f.

Reason for revert: Performance issues

Original change's description:
> [embedded-builtins] Enable on all arches except x86 for benchmarks
> 
> This CL enables embedded builtins to get benchmark feedback. We need
> this feedback to identify and address remaining performance problems.
> 
> Bug: v8:6666
> Change-Id: I8f77f218e656b55ddabe1236eb2a1d14a5ac6233
> Reviewed-on: https://chromium-review.googlesource.com/1105834
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53836}

TBR=sigurds@chromium.org,jgruber@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:6666
Change-Id: I0e0897eefa069b0b9ad2dd56b2ffc3e3617f9258
Reviewed-on: https://chromium-review.googlesource.com/1139974
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54498}
2018-07-17 15:33:20 +00:00
Georg Neis
73b3bb5898 [turbofan] Brokerize CompilationDependencies.
Bug: v8:7790
Change-Id: I747dccb8dcae74c5c0837c0cd7f3dd285a4bd9c0
Reviewed-on: https://chromium-review.googlesource.com/1140304
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54497}
2018-07-17 15:02:50 +00:00
Michael Starzinger
64517a2395 [wasm][arm64] Fix {WasmGrowMemory} builtin to avoid Aborts.
This changes the ARM64-specific {TurboAssembler::AssertSpAligned} helper
to not generate calls to the {Abort} builtin. It is needed to ensure all
WebAssembly runtime stubs (e.g. {WasmGrowMemory}) are independent of the
Isolate. In general calling the {Abort} builtin without a valid frame
being present will produce bogus debug messages anyways. Hence we just
unconditionally use traps for the debug code in question.

R=sigurds@chromium.org

Change-Id: I93eb87e8b87209da8506c9b28e2c800950d1118a
Reviewed-on: https://chromium-review.googlesource.com/1140170
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54496}
2018-07-17 14:49:29 +00:00
Maya Lekova
2f2ce7b7db [turbofan] Remove optimization for NumberToString
We used to have an optimized version for ToString on number nodes
which was allocating an object on the heap, therefore
preventing this code from being executed on the compiler thread.
Octane benchmark results show an insignificant increase in performance
(< 0.5%) without this optimization - see
https://docs.google.com/spreadsheets/d/1MC5NrMoMSsqxZqw0ojoZvomBb7q2EOt1S0sFoJ8ld2c/edit#gid=1732639373
which leads to the conclusion that we can safely remove the optimization for now.

Bug: v8:7790
Change-Id: Ia1d53608f8d10ba20e0ff57cccb34583655382c6
Reviewed-on: https://chromium-review.googlesource.com/1139063
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54495}
2018-07-17 14:32:47 +00:00
Max Moroz
3b0fd6bd24 [fuzzer] Fix OOM in v8_json_parser_fuzzer due to unnecessary long input.
Bug: Chromium:798921
Change-Id: I6cd3dbe49f586cdedfc70c6c6ad83391240a65d9
Reviewed-on: https://chromium-review.googlesource.com/1138550
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54494}
2018-07-17 14:25:27 +00:00
Dan Elphick
52df1966ea [explicit isolates] Pass Isolate* into Verify*Pointer methods
Also moves ObjectVerify to GlobalHandles::CopyGlobal from
V8::CopyPersistent (which was the only caller) so it can get hold of an
Isolate*.

Bug: v8:7786
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I0758bf6e431bf6e617244741ab2e1583a3566b20
Reviewed-on: https://chromium-review.googlesource.com/1140295
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54493}
2018-07-17 14:23:37 +00:00
Timothy Gu
9eb96bb431 [api] Avoid needlessly calling descriptor interceptors
Reland part of https://chromium-review.googlesource.com/c/v8/v8/+/816515.

Change-Id: I72ad85ffd162fc0563fc25cdf35189e894f9dc82
Reviewed-on: https://chromium-review.googlesource.com/1138808
Commit-Queue: Timothy Gu <timothygu@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54492}
2018-07-17 14:12:07 +00:00