Without this shortcut we generate one BooleanNot per JSUnaryNot with
number input, which is quite common in asm.js. These dead nodes then
survive until the late control reducer runs, and may prevent
optimizations in the mean time.
R=dcarney@chromium.org
Review URL: https://codereview.chromium.org/963713002
Cr-Commit-Position: refs/heads/master@{#26911}
port 6af7ca6be4 (r26886)
original commit message:
Skip the mapcheck on the global object since the global proxy and cell are already
checked (or the global object map for contextual global loads).
BUG=
Review URL: https://codereview.chromium.org/965693002
Cr-Commit-Position: refs/heads/master@{#26908}
port e9cdcb7174 (r26875)
original commit message:
Only dynamically perform access checks on the receiver if it's a JSGlobalProxy.
Proxies up the chain are guaranteed to provide access if we had access to the receiver,
since otherwise we wouldn't have been able to compile the stub in the first place.
If the security check would change, the window navigates, changing the map of the JSGlobalProxy.
BUG=
R=weiliang.lin@intel.com
Review URL: https://codereview.chromium.org/964813002
Cr-Commit-Position: refs/heads/master@{#26905}
For now we just use the RawMachineAssembler, this will be changed
later to use the whole TurboFan pipeline.
Review URL: https://codereview.chromium.org/925373002
Cr-Commit-Position: refs/heads/master@{#26902}
Reason for revert:
Need to revert the ported CL.
Original issue's description:
> MIPS: Also skip when the target is the global object.
>
> Port cc918d30b9
>
> BUG=
>
> Committed: https://crrev.com/b24a0efa447235e11b9ff9d1eeaada06131b2e04
> Cr-Commit-Position: refs/heads/master@{#26897}
TBR=danno@chromium.org,verwaest@chromium.org,paul.lind@imgtec.com,gergely.kis@imgtec.com,akos.palfi@imgtec.com,dusan.milosavljevic@imgtec.com,balazs.kilvady@imgtec.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review URL: https://codereview.chromium.org/963603002
Cr-Commit-Position: refs/heads/master@{#26898}
This also adds a new VariableMode, IMPORT, which will be
used to do appropriate binding for Import-declared Variables.
Only named imports are handled for now. "import *" and default
import syntaxes have had their TODOs adjusted to match the new
code structure.
BUG=v8:1569
LOG=n
Review URL: https://codereview.chromium.org/948303004
Cr-Commit-Position: refs/heads/master@{#26895}
Port e9cdcb7174
Original commit message:
Proxies up the chain are guaranteed to provide access if we had access to the receiver, since otherwise we wouldn't have been able to compile the stub in the first place. If the security check would change, the window navigates, changing the map of the JSGlobalProxy.
BUG=
Review URL: https://codereview.chromium.org/958923002
Cr-Commit-Position: refs/heads/master@{#26894}
This reverts commit b57be748b1 and
disables the test/mjsunit/debug-clearbreakpointgroup.js because
BreakLocationIterator::ClearBreakPoint is already broken for unrelated reasons (see v8:3924).
BUG=v8:3877
LOG=N
TEST=cctest/test-heap/Regress3877
Review URL: https://codereview.chromium.org/957373002
Cr-Commit-Position: refs/heads/master@{#26893}
Reason for revert:
Breaks "Simple Leaks Check"
Original issue's description:
> Default-enable external startup data for Linux for stand-alone builds.
>
> Notes:
> - Other platforms to follow later.
> - This follows Chromium practice, that mostly uses this feature these days.
> - The statically linked-in startup data will stay. So whoever prefers
> the old way just needs to set the flag differently.
>
> BUG=
>
> Committed: https://crrev.com/6d0dcaabe55ca3556bebfd771fbc7fd560fdd4e0
> Cr-Commit-Position: refs/heads/master@{#26884}
TBR=machenbach@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review URL: https://codereview.chromium.org/962593003
Cr-Commit-Position: refs/heads/master@{#26885}
Notes:
- Other platforms to follow later.
- This follows Chromium practice, that mostly uses this feature these days.
- The statically linked-in startup data will stay. So whoever prefers
the old way just needs to set the flag differently.
BUG=
Review URL: https://codereview.chromium.org/959693002
Cr-Commit-Position: refs/heads/master@{#26884}
Reason for revert:
Breaks test/mjsunit/debug-clearbreakpointgroup.js on arm64.debug.
Original issue's description:
> Fix memory leak caused by field type in descriptor array.
>
> When a field type is a map, it is wrapped in a weak cell upon storing to the descriptor array.
>
> Map::GetFieldType(i) does the unwrapping.
>
> BUG=v8:3877
> LOG=N
> TEST=cctest/test-heap/Regress3877
>
> Committed: https://crrev.com/77d3ae0e119893ac8d34ea6ca090cddd5bbf987e
> Cr-Commit-Position: refs/heads/master@{#26879}
TBR=verwaest@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3877
Review URL: https://codereview.chromium.org/960103003
Cr-Commit-Position: refs/heads/master@{#26883}
We cannot yet detect use-before-declaration in general, because for that we'd
need to analyze the context when compiling. But we can detect an error case
where we first see a use, then a declaration.
For this, I also added end position tracking (needed for error messages) to
VariableProxy.
Note: the position naming is completely inconsistent: start_position &
end_position, position & end_position, pos & end_pos, beg_pos & end_pos, to name
a few. This doesn't fix all of it, but tries to unify towards start_position &
end_position whenever possible w/ minimal changes.
BUG=
Review URL: https://codereview.chromium.org/943543002
Cr-Commit-Position: refs/heads/master@{#26880}
When a field type is a map, it is wrapped in a weak cell upon storing to the descriptor array.
Map::GetFieldType(i) does the unwrapping.
BUG=v8:3877
LOG=N
TEST=cctest/test-heap/Regress3877
Review URL: https://codereview.chromium.org/955063002
Cr-Commit-Position: refs/heads/master@{#26879}
Side note: tools/v8-info.sh seems to have been broken ever
since the move to git. At least it's not more broken now.
BUG=v8:3075
LOG=y
TEST=./script_test.py
Review URL: https://codereview.chromium.org/959713003
Cr-Commit-Position: refs/heads/master@{#26873}
Bad scenario:
- Enter a binop IC miss handler from optimized code object C from call
site S,
- From the binop IC, invoke arbitrary javascript that lazy deopts C,
so all relocation info is nuked and replaced with lazy deopt entries'
reloc info. In particular, there is no reloc info for S.
- Still from the arbitrary JavaScript, make IC target's code object move.
Note that the call site S is not updated.
- Return to the miss handler and inspect the IC's target. This will try
to get the target from S, but that is a potentially invalid pointer.
It is quite possible that we will have to do a similar fix for other ICs,
but we will have to find a reliable repro first. I am not submitting a
repro here because it is quite long running and brittle (it
relies on code compaction happening while in the binop IC).
BUG=v8:3910
LOG=n
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/958473004
Cr-Commit-Position: refs/heads/master@{#26872}
The new logic ensures that the error messages are the same in the
"import { <reserved word> }" and "import { foo as <reserved ord> }"
cases.
Also prepares ParseImportNames for returning both the import and local
names to ParseImportClause.
BUG=v8:1569
LOG=n
Review URL: https://codereview.chromium.org/952863006
Cr-Commit-Position: refs/heads/master@{#26863}