Reason for revert:
Correcting issue.
Original issue's description:
> Revert of Add errors for declarations which conflict with catch parameters. (patchset #6 id:100001 of https://codereview.chromium.org/2109733003/ )
>
> Reason for revert:
> Fuzzer claims `try { \"\" ; } catch(x) { let x1 = [1,,], x = x; }` causes a crash.
>
> Original issue's description:
> > Add errors for declarations which conflict with catch parameters.
> >
> > Catch parameters are largely treated as lexical declarations in the
> > block which contains their body for the purposes of early syntax errors,
> > with some exceptions outlined in B.3.5. This patch introduces most of
> > those errors, except those from `eval('for (var e of ...);')` inside of
> > a catch with a simple parameter named 'e'.
> >
> > Note that annex B.3.5 allows var declarations to conflict with simple
> > catch parameters, except when the variable declaration is the init of a
> > for-of statement.
> >
> > BUG=v8:5112,v8:4231
> >
> > Committed: https://crrev.com/2907c726b2bb5cf20b2bec639ca9e6a521585406
> > Cr-Commit-Position: refs/heads/master@{#37462}
>
> TBR=littledan@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:5112,v8:4231
>
> Committed: https://crrev.com/8834d5ecb559001c87c42322969471da60574a8c
> Cr-Commit-Position: refs/heads/master@{#37464}
R=littledan@chromium.org
BUG=v8:5112,v8:4231
Review-Url: https://codereview.chromium.org/2119933002
Cr-Commit-Position: refs/heads/master@{#37728}
* Rename Atomics.futexWait -> Atomics.wait
* Rename Atomics.futexWake -> Atomics.wake
* Remove Atomics.futexWakeOrRequeue
* Return value of Atomics.wait is now a string: "ok", "not-equal" or
"timed-out"
* Update comments that reference URL for ecmascript_sharedmem to
https://github.com/tc39/ecmascript_sharedmem
Review-Url: https://codereview.chromium.org/2143443002
Cr-Commit-Position: refs/heads/master@{#37727}
This runtime function in question can indirectly be fuzzed by the two
assertion methods "assertOptimized" and "assertUnoptimized" that our
test harness provides for the "mjsunit" test suite.
R=ishell@chromium.org
BUG=chromium:627841
Review-Url: https://codereview.chromium.org/2145993002
Cr-Commit-Position: refs/heads/master@{#37722}
This fixes the deoptimization information for the lazy bailout point
after a [[ToName]] operation inserted for object literals and class
literals. The result value was erroneously ignored.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-627828
BUG=chromium:627828
Review-Url: https://codereview.chromium.org/2149493003
Cr-Commit-Position: refs/heads/master@{#37719}
- Instead of tracing during marking we can now trace in a separate phase in MC.
(Heap is iterable.)
- Add more subtypes for fixed arrays, reducing the unknown bucket to around ~8%
(local run).
- Refactor collection calls to have a single bottleneck.
- Provide JSON-based output format that can be "easily" processed in JS.
BUG=
R=ulan@chromium.org,hpayer@chromium.org
Review-Url: https://codereview.chromium.org/2129173002
Cr-Commit-Position: refs/heads/master@{#37718}
This CL reduces the number of dependencies bytecodes.{h,cc} to facilitate
generating the bytecode peephole optimizer table during build. Specifically,
it avoids depending on v8_base.
BUG=v8:4280
LOG=N
Review-Url: https://codereview.chromium.org/2135273002
Cr-Commit-Position: refs/heads/master@{#37715}
- Adds move/swap handling for 4 and 16 bytes to ia32.
- Register allocator now only requests 4 bytes for floats on ia32 and arm.
- We probably need similar support in mips.
LOG=N
BUG=v8:4124
Review-Url: https://codereview.chromium.org/2027043002
Cr-Commit-Position: refs/heads/master@{#37714}
Extends the truncation and type checks for NumberOrUndefined in
representation selection and truncation analysis to deal with all
oddballs not just undefined. Also extend the type hints to always
report NumberOrOddball. This is necessary for the bitwise and shift
operators where NUMBER feedback actually means NUMBER or ODDBALL.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2149583002
Cr-Commit-Position: refs/heads/master@{#37711}
This CL also combines Runtime::GetGlobalInsideTypeof and Runtime::kGetGlobalNotInsideTypeof
to Runtime::GetGlobal with explicit typeof_mode parameter.
Drive-by-fix: tail call to correct Slow builtin from LoadCallback handlers when --runtime-call-stats is on.
BUG=chromium:576312
Review-Url: https://codereview.chromium.org/2144643004
Cr-Commit-Position: refs/heads/master@{#37710}
After this CL we can avoid using Code::flags in hash computations for megamorphic
stub caches and therefore the unused ICState field can be finally removed from flags.
BUG=chromium:618701
Review-Url: https://codereview.chromium.org/2123983004
Cr-Commit-Position: refs/heads/master@{#37708}
Original commit message:
Also, CodeGenerator::MakeCodeEpilogue now accepts an optional pointer
to a EhFrameWriter and will attach unwinding information to the code
object when passed one.
Reason for reverting:
The STATIC_CONST_MEMBER_DEFINITION in eh-frame-writer-unittest.cc
causes a compiler error on V8 Win64 - clang buildbot.
Removing that bit.
BUG=v8:4899
LOG=N
Review-Url: https://codereview.chromium.org/2023503002
Cr-Commit-Position: refs/heads/master@{#37707}
If operands are loaded as unsigned 32-bit integer, they need to be sign extended to 64 bits.
TEST=cctest/test-run-machops/RunWord32AndAndWord32ShrP, cctest/test-run-machops/RunWord32OrP,
cctest/test-run-machops/RunWord32ShrP, cctest/test-run-machops/RunWord32XorP
BUG=
Review-Url: https://codereview.chromium.org/2147883002
Cr-Commit-Position: refs/heads/master@{#37705}
This fully deprecates all uses of the RUNTIME_ASSERT macro and removes
the macro and underlying logging function in question. All uses have
been replaces with CHECK macros which crash safely even in production.
It makes sure we discover abuse of runtime functions in the wild early
and also abort the process safely. Breaking assumptions in any runtime
function can no longer accidentally be caught by JavaScript.
R=yangguo@chromium.org
BUG=v8:5066
Review-Url: https://codereview.chromium.org/2132493002
Cr-Commit-Position: refs/heads/master@{#37704}
Checked integer division and modulus can be done more efficiently
if we know that the inputs are in Unsigned32 range.
Drive-by-fix: Replace the TypeCheckKind on NodeInfo by a proper
restriction type, and thread the feedback type through binary
Number operations similar to what we do for their speculative
versions. Also deal with Unsigned32 inputs for integer multiplication.
R=jarin@chromium.org
BUG=v8:4583,v8:5141
Review-Url: https://codereview.chromium.org/2149493002
Cr-Commit-Position: refs/heads/master@{#37703}
This makes sure the {AstGraphBuilder} respects the catch-prediction that
is provided by the parser along with each {TryStatement}. This is needed
for try-blocks materialized by the parser not to influence predictions
users expect when using the debugger.
R=neis@chromium.org
TEST=mjsunit/debug-exceptions
BUG=v8:5183
Review-Url: https://codereview.chromium.org/2147573002
Cr-Commit-Position: refs/heads/master@{#37702}
Previously, the following schedule fragment:
1: Parameter[0](0)
2: Parameter[1](0)
7: Int32Constant[1]
8: Int32Sub(2, 7)
9: Load[kRepTagged|kTypeAny](1, 8)
would generate the following code (on ia32):
mov eax,[ebp+0x8]
mov ecx,[ebp+0xc]
sub eax,0x1
mov eax,[eax+ecx*1]
Now it generates:
mov eax,[ebp+0x8]
mov ecx,[ebp+0xc]
mov eax,[eax+ecx*1-1]
Similar pattern matching also now works on x64.
BUG=v8:5192
LOG=N
Review-Url: https://codereview.chromium.org/2137323003
Cr-Commit-Position: refs/heads/master@{#37701}
Collect type feedback in the call bytecode handler. The current
implementation only collects feedback for JS function objects. The other
objects and Array functions do not collect any feedback. They will be
marked Megamorphic.
BUG=v8:4280, v8:4780
LOG=N
Review-Url: https://codereview.chromium.org/2122183002
Cr-Commit-Position: refs/heads/master@{#37700}
For JSToBoolean with Number inputs we still called out to the
ToBooleanStub, even though we easily handle them inline nowadays.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2145923002
Cr-Commit-Position: refs/heads/master@{#37699}
To correctly support instantiating a compiled module multiple times, we clone the
compiled module each time we create an instance, since some of the data is specific
to the instance - e.g. export code, wasm functions, indirect table.
BUG=v8:5072
Review-Url: https://codereview.chromium.org/2134593002
Cr-Commit-Position: refs/heads/master@{#37692}
Reason for revert:
The STATIC_CONST_MEMBER_DEFINITION in eh-frame-writer-unittest.cc causes a compiler error on V8 Win64 - clang buildbot. Removing that bit should be sufficient.
Original issue's description:
> Implement .eh_frame writer and disassembler.
>
> Also, CodeGenerator::MakeCodeEpilogue now accepts an optional pointer
> to a EhFrameWriter and will attach unwinding information to the code
> object when passed one.
>
> BUG=v8:4899
> LOG=N
>
> Committed: https://crrev.com/27d810e63b744b5b3d9aa28ff21413247773e6c2
> Cr-Commit-Position: refs/heads/master@{#37683}
TBR=rmcilroy@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4899
Review-Url: https://codereview.chromium.org/2143033002
Cr-Commit-Position: refs/heads/master@{#37688}
When trying to clone a branch, the ControlFlowOptimizer gave up as soon as it found a Phi/EffectPhi node that could not be placed directly below the IfTrue or IfFalse control paths.
Moving the step in the EffectControlLinearizer phase, after the first schedule, works around the problem by looking at the successor blocks.
BUG=
Review-Url: https://codereview.chromium.org/2139593002
Cr-Commit-Position: refs/heads/master@{#37687}
This solves an issue with throws inside for-of always being marked as caught.
BUG=v8:5183
Review-Url: https://codereview.chromium.org/2146493002
Cr-Commit-Position: refs/heads/master@{#37686}
Also, CodeGenerator::MakeCodeEpilogue now accepts an optional pointer
to a EhFrameWriter and will attach unwinding information to the code
object when passed one.
BUG=v8:4899
LOG=N
Review-Url: https://codereview.chromium.org/2023503002
Cr-Commit-Position: refs/heads/master@{#37683}
The manual input trimming inside the EffectControlLinearizer is no
longer necessary, since we have to do explicit graph trimming before
running the MemoryOptimizer anyways these days.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2144603002
Cr-Commit-Position: refs/heads/master@{#37681}
- check that packed elements do not contain the_hole (with fix)
- verify argument objects with elements kind
- use JSObjectVerifiy in all JSObject "subclasses"
- change initialization order for ArrayLiteralBoilerplate to simplify verification
BUG=v8:5188
Review-Url: https://codereview.chromium.org/2126613002
Cr-Commit-Position: refs/heads/master@{#37680}
This widens the set of binary operator reductions that are applied by
TurboFan when graphs are built from bytecode. By now we only insert
number conversions to inputs of integer binary ops (i.e. bitwise and
shifts), others no longer require a "before" frame state input.
R=bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2135973003
Cr-Commit-Position: refs/heads/master@{#37674}
This is another point where we add inconsistent behavior between simple and
detailed stack traces. The functionality also does not seem to be used in
chrome anymore when uncaught exceptions are thrown. Remove it to reduce
maintenance burden.
BUG=624285
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2141523002
Cr-Commit-Position: refs/heads/master@{#37673}
Turn the retyping pass of SimplifiedLowering into a proper phase, and
make it possible to propagate feedback types through non-speculative
operators. This defers the output representation selection to the
retyping phase, and checks that we don't mess up.
As a first user, we consume input type feedback for NumberAbs as well.
Long-term we can add all other operators to the mix.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2139203002
Cr-Commit-Position: refs/heads/master@{#37672}
This removes the checking for use-def and def-use chain links from the
graph verification. Presence of such links can only be violated by a bug
in the actual {Node} implementation itself. That container class is also
covered by unit tests.
The verification in question was useful in the early days when the graph
implementation itself was prone to bugs. By now it has stabilized and
spending O(n^2) time during graph verification is too wasteful to still
be considered a reasonable trade-off.
R=jarin@chromium.org
TEST=unittests/NodeTest.*
Review-Url: https://codereview.chromium.org/2140973003
Cr-Commit-Position: refs/heads/master@{#37670}
The PlainPrimitiveToNumber operator performs a superset of the operations
previously performed by the BooleanToNumber and StringToNumber operators,
so we can just use the special lowering rules for PlainPrimitiveToNumber
based on the input type and get rid of the specialized operators.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2139183002
Cr-Commit-Position: refs/heads/master@{#37669}
This CL separates the check whether something is tail-callable from
the computation of the size of the stack parameters that a function
takes.
In order to track this precisely, the stack parameter size calculation
uses the recently landed MachineType information that's embedded
in return and parameter value LinkageLocations.
Review-Url: https://codereview.chromium.org/2121753002
Cr-Commit-Position: refs/heads/master@{#37668}
Remove obsolete definitions from macros.py, and drop the now obsolete
%_ToPrimitive, %_ToPrimitive_Number, %_ToPrimitive_String, %_ToName
and the %ToPrimitive_String intrinsics/runtime entries.
R=yangguo@chromium.org
BUG=v8:5049
Review-Url: https://codereview.chromium.org/2137203002
Cr-Commit-Position: refs/heads/master@{#37665}
Added trace printout for replacements in Turbofan reducers.
Renamed graph trimmer trace flag to avoid confusion.
Review-Url: https://codereview.chromium.org/2123283006
Cr-Commit-Position: refs/heads/master@{#37663}
AllocateSpillSlot can now handle requests for 16 byte slots.
LOG=N
BUG=v8:4124
Review-Url: https://codereview.chromium.org/2139663002
Cr-Commit-Position: refs/heads/master@{#37661}
Instead just return undefined
A side effect of this is that it's no longer possible to compile
functions in a detached context.
BUG=chromium:541703
R=verwaest@chromium.org,bmeurer@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng
Review-Url: https://codereview.chromium.org/2034083002
Cr-Commit-Position: refs/heads/master@{#37657}
When the scanner finds a '-->', it's either part of an HTMLCloseComment
or a '--' followed by a '>'. Previously, only a preceding newline would
make it an HTMLCloseComment. Now, a preceding multiline comment also
makes it an HTMLCloseComment. The effect is that now the following is
not a SyntaxError:
x/*
*/-->this is now a comment
BUG=v8:5142
LOG=y
Review-Url: https://codereview.chromium.org/2119763003
Cr-Commit-Position: refs/heads/master@{#37656}
This patch just checks for a stack overflow and returns failure
from the cases which Clusterfuzz found. However, there may be
more locations in the parser which need similar treatment.
R=caitpotter88@gmail.com,neis
BUG=v8:4483,chromium:624300
Review-Url: https://codereview.chromium.org/2135503002
Cr-Commit-Position: refs/heads/master@{#37655}
This removes the frame state input representing the before-state from
nodes having any comparison operator. Lowering that inserts number
conversions of the inputs has to be disabled when deoptimization is
enabled, because the frame state layout is no longer known.
R=jarin@chromium.org
BUG=v8:5021
Review-Url: https://codereview.chromium.org/2134173002
Cr-Commit-Position: refs/heads/master@{#37646}
This extends pretenuring decisions based on allocation sites to heap
numbers that are allocated as part of object literals. It ensures memory
locality of a bigger enclosure of the deep copy of an object literal.
R=bmeurer@chromium.org
TEST=cctest/test-heap/OptimizedPretenuringMixedInObjectProperties
Review-Url: https://codereview.chromium.org/2135933002
Cr-Commit-Position: refs/heads/master@{#37645}
If the first input to CheckBounds is already an Unsigned32, then
we can just truncate both inputs to word32 and lower the bounds
check.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2138753002
Cr-Commit-Position: refs/heads/master@{#37643}
This unifies phases in SimplifiedLowering, and will enable
more optimizations, i.e. we can do the output representation
during typing then, which in turn should allow us to use the
feedback type even in unchecked operators (i.e. NumberAbs).
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2137003002
Cr-Commit-Position: refs/heads/master@{#37639}
By adding MachineType to LinkageLocation, it is possible not only to reason
about the location of a LinkageLocation on the stack, but also about it's
size. This will be useful in follow-on CLs that attempt to merge some of the
parameter passing logic of tail calls and normal (non-tail) calls.
As a nice side-effect, it is no longer necessary to separately keep a
MachineSignature in a CallDescriptor, because the MachineTypes contianed in
LinkageLocation for all of the Descriptor's parameters and return types are
sufficient. This CL therefore removes the MachineSignature from the
CallDescriptor and adjusts all the calling code accordingly, simplifying and
de-duplicating code in a bunch of places.
R=titzer@chromium.org, bmeurer@chromium.org
LOG=N
Review-Url: https://codereview.chromium.org/2124023003
Cr-Commit-Position: refs/heads/master@{#37633}
Reason for revert:
crashes: crbug.com/626719
Original issue's description:
> Avoid Context::Enter and Context::Exit if we're reentering the active and last entered context
>
> A bit of browsing around indicates that the new fast-path is taken most of the time:
> 3496 Entering new
> 152295 Reentering same
>
> BUG=
>
> Committed: https://crrev.com/1829eb661ef1cf432fb551bcb193f521a219d490
> Cr-Commit-Position: refs/heads/master@{#37570}
TBR=jochen@chromium.org,verwaest@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=
Review-Url: https://codereview.chromium.org/2140563002
Cr-Commit-Position: refs/heads/master@{#37632}
CallSite::IsConstructor() was unable to recognize builtin construct stubs
(NumberConstructor_ConstructStub and StringConstructor_ConstructStub) as
constructors, and thus these frames were not formatted correctly in stack
traces.
Fix this by explicitly marking their Code objects as construct stubs and
passing along a special receiver value when we encounter such cases in
CaptureSimpleStackTrace.
R=mstarzinger@chromium.org, yangguo@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2125163004
Cr-Commit-Position: refs/heads/master@{#37631}
If a Smi field load is truncated to Word32, we can just load the upper
32 bits on 64-bit architectures (with 32-bit Smis), which avoids the
nasty shift right that we'd have to perform otherwise to untag it.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2140553002
Cr-Commit-Position: refs/heads/master@{#37630}
Usually loops run from 0 to some array length l, which means the
induction variable i will probably have type Unsigned32, just like
the length l. The CheckBounds operation lowers to an Uint32LessThan
comparison, so if we also lower the user level i < l comparison to
Uint32LessThan (whenever possible), we get some bounds check elimination
for free (via value numbering plus branch condition elimination).
This merges the branch condition elimination phase with the late
optimization phase to make this magic happen.
R=jarin@chromium.org
BUG=v8:4930,v8:5141
Review-Url: https://codereview.chromium.org/2135123002
Cr-Commit-Position: refs/heads/master@{#37629}
Enable the same checks for builtin exit frames as are used for all other
standard (i.e. non-wasm) types, and refactor them into a single helper
class.
R=yangguo@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2135593002
Cr-Commit-Position: refs/heads/master@{#37625}
Consume Smi/Signed32 feedback for division and modulus and introduce
appropriate checked operators. This is especially important for modulus
where the Float64Mod operator is significantly slower than Int32Mod on
most platforms. For division it's mostly important to propagate
integerness, i.e. to avoid follow-up conversions between float and
int32.
Drive-by-fix: Use Int32Mod for the ModulusStub (and the bytecode handler)
when the inputs are both Smi.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2138633002
Cr-Commit-Position: refs/heads/master@{#37621}
The Intl code previously called the initial value of String.prototype.split
for some internal operations. However, this did not have the intended effect
as Intl only needs to split strings by strings, but String.prototype.split
has integration with Symbol.split for RegExps.
This patch replaces the calls of StringSplit in the Intl implementation
with direct calls to the %StringSplit runtime function to avoid the issue.
R=yangguo@chromium.org
BUG=v8:5179
Review-Url: https://codereview.chromium.org/2126073002
Cr-Commit-Position: refs/heads/master@{#37615}
Isolate is not going to retain a CPU profiler.
The client will be creating an instance of profiler when needed.
Deprectate v8::Isolate::GetCpuProfiler()
BUG=v8:4789
Review-Url: https://codereview.chromium.org/2117343006
Cr-Commit-Position: refs/heads/master@{#37613}
Reason for revert:
This workaround is no longer needed, port of e60c4053c7 fixes the issue.
Original issue's description:
> MIPS: [turbofan] Fix addition for deoptimization.
>
> In turbofan, after an addition operation where the same register is the
> output and both inputs, if deoptimization is performed the input is
> overwritten with the output value and the final result is not correct.
> This is fixed by restoring the original value of the input before
> deoptimization.
>
> BUG=
> TEST=mjsunit/regress/regress-int32-truncation
>
> Committed: https://crrev.com/99385e8e4bcef1f333ede61c936528bfc0c8ecfa
> Cr-Commit-Position: refs/heads/master@{#37524}
TBR=akos.palfi@imgtec.com,balazs.kilvady@imgtec.com,ivica.bogosavljevic@imgtec.com
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=
Review-Url: https://codereview.chromium.org/2129083003
Cr-Commit-Position: refs/heads/master@{#37612}
