Commit Graph

7284 Commits

Author SHA1 Message Date
bmeurer
23bb8fa9c0 [test] Increase test coverage for Array constructor inlining.
This still doesn't cover all the paths yet, since some paths are
impossible to trigger at this point due to the way the CanInlineCall
predicate works on the AllocationSite, which says multiple things:

 - In case of Array(len), the len was always a Smi so far.
 - In case of Array(...args), storing the args didn't change the
   elements kind.
 - In case of Array(len), the len was always less than the initial
   maximum fast element array size.

These conditions are tailored towards Crankshaft and don't really
make a lot of sense in the TurboFan world. We'd need more fine
grained protections, which we will achieve by refactoring the Array
constructor.

BUG=chromium:715404,v8:6262
TBR=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2843033002
Cr-Commit-Position: refs/heads/master@{#44901}
2017-04-26 17:36:32 +00:00
Peter Marshall
e855e514d1 [builtins] Add a fast path to construct TypedArrays from holey arrays.
For holey Smi and double source arrays, we would go to the general
case, which is much slower than before. We already check that there
are no prototype chain changes in IterableToListCanBeElided, and
there is no JS-code run between that check and the copying of the
elements, so we can safely check for the hole and convert it to
undefined, which is then converted to 0/NaN appropriately for the
given TypedArray.

Bug: chromium:713570,chromium:711275
Change-Id: I5b21c915907d71eebb73b7b1eea8eb58b4a5436d
Reviewed-on: https://chromium-review.googlesource.com/485520
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44899}
2017-04-26 15:36:36 +00:00
jgruber
397ebb765c Revert of [turbofan] Fix impossible type handling for TypeGuard and BooleanNot. (patchset #1 id:1 of https://codereview.chromium.org/2836203004/ )
Reason for revert:
Tentative revert for https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/14886

Original issue's description:
> [turbofan] Fix impossible type handling for TypeGuard and BooleanNot.
>
> BUG=chromium:715204
>
> Review-Url: https://codereview.chromium.org/2836203004
> Cr-Commit-Position: refs/heads/master@{#44883}
> Committed: 9c47a061cf

TBR=bmeurer@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:715204

Review-Url: https://codereview.chromium.org/2842793004
Cr-Commit-Position: refs/heads/master@{#44898}
2017-04-26 15:24:52 +00:00
cbruni
6b4b062489 Revert of [turbofan] Set proper representation for initial arguments length. (patchset #1 id:1 of https://codereview.chromium.org/2810333004/ )
Reason for revert:
Field representation is not preserved

Original issue's description:
> [turbofan] Set proper representation for initial arguments length.
>
> The JSArgumentsObject::length representation is initially Smi, so we can
> record that on the initial map and use it to optimize the accesses in
> TurboFan based on that. Similar for JSSloppyArgumentsObject::caller.
>
> BUG=v8:6262
> R=yangguo@chromium.org
>
> Review-Url: https://codereview.chromium.org/2810333004
> Cr-Commit-Position: refs/heads/master@{#44644}
> Committed: 5eec7df9b3

TBR=yangguo@chromium.org,bmeurer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:6262

Review-Url: https://codereview.chromium.org/2825323002
Cr-Commit-Position: refs/heads/master@{#44893}
2017-04-26 14:53:21 +00:00
Michael Starzinger
8952aef167 [asm.js] Fix numeric literal negation in multiplication.
R=clemensh@chromium.org
TEST=mjsunit/asm/int32-mul
BUG=chromium:715482

Change-Id: I525e901fd6ade101999694a53d5147b6e4ccc2e5
Reviewed-on: https://chromium-review.googlesource.com/488024
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44892}
2017-04-26 14:53:09 +00:00
Michael Starzinger
c5bfc27df2 [asm.js] Maintain insertion order of exports.
This makes sure that the observable property order of the module export
maintains insertion order. Now that properties are configurable, we no
longer need to reverse the export processing.

R=clemensh@chromium.org
TEST=mjsunit/asm/asm-validation
BUG=chromium:715420

Change-Id: Ib2024254c07bdad7fee1cf2fa0bd3e847721f5b5
Reviewed-on: https://chromium-review.googlesource.com/488022
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44891}
2017-04-26 14:15:54 +00:00
Michael Starzinger
e2accb425c [asm.js] Fix numeric literal bounds checking.
This fixes the bounds checking of "unsigned" numeric literals (those
that do not contains dots) by the parser. In particular this fixes a
bogus truncation to 32-bit in the scanner. It also makes the scanner
more robust by limiting the range of those numeric literals, hence
completely avoiding rounding loss or truncation errors.

R=clemensh@chromium.org
TEST=unittests/AsmJsScannerTest.UnsignedNumbers
BUG=v8:6298

Change-Id: Id31ab3c652e99fa8d3d6663315768e1bfaf3b773
Reviewed-on: https://chromium-review.googlesource.com/486881
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44890}
2017-04-26 13:45:45 +00:00
bmeurer
d06d4ce2c4 [turbofan] Fix lowering of Array constructor with one argument.
Only create a singleton array for Array(len) if Type(len) cannot be
Number, otherwise we might need to throw an exception instead.

BUG=chromium:715404
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2838123004
Cr-Commit-Position: refs/heads/master@{#44886}
2017-04-26 12:02:12 +00:00
jarin
9c47a061cf [turbofan] Fix impossible type handling for TypeGuard and BooleanNot.
BUG=chromium:715204

Review-Url: https://codereview.chromium.org/2836203004
Cr-Commit-Position: refs/heads/master@{#44883}
2017-04-26 10:27:12 +00:00
bmeurer
e913f9e384 [turbofan] Fix buggy implicit coercion in GetMapWitness.
BUG=chromium:715151
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2839873004
Cr-Commit-Position: refs/heads/master@{#44881}
2017-04-26 09:57:36 +00:00
yangguo
a6b27a725f [d8] console methods must not throw.
R=jarin@chromium.org
BUG=chromium:714696

Review-Url: https://codereview.chromium.org/2838143002
Cr-Original-Commit-Position: refs/heads/master@{#44854}
Committed: 87b5b53f6f
Review-Url: https://codereview.chromium.org/2838143002
Cr-Commit-Position: refs/heads/master@{#44880}
2017-04-26 09:48:29 +00:00
cwhan.tunz
9bf2962c14 Reland [typedarrays] Check detached buffer at start of typed array methods
- Throw TypeError in ValidateTypedArray, matching JSC, SpiderMonkey
  and ChakraCore.
- Validate typed arrays at start of each typed array prototype
  methods in src/js/typedarrays.js
- Add tests to check detached buffers
- Remove an unnecessary parameter of TypedArraySpeciesCreate
  in src/js/typedarrays.js
- Standardize TypedArray.prototype.subarray
- Update test262.status to pass detached buffer tests

Reland of https://codereview.chromium.org/2778623003

BUG=v8:4648, v8:4665, v8:4953
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel

Review-Url: https://codereview.chromium.org/2827443002
Cr-Commit-Position: refs/heads/master@{#44878}
2017-04-26 06:10:17 +00:00
Eric Holk
c1c93e8246 [wasm] add a test case for 3GB memory
Although we currently only support up to 1GB memory, we want to raise
this issue in the future. This test illustrates several issues we need
to be sure to fix first.

Bug: v8:6306
Change-Id: I362b7a9e51e8eb33a50e3b172a6f01d41995c3cb
Reviewed-on: https://chromium-review.googlesource.com/487047
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44876}
2017-04-26 05:09:03 +00:00
jyan
3be834e876 [deoptimizer] float32 stack on s390 and ppc is on lower 32 bit
Also add more local variables to regress-v8-6077 to force
register spill on platform with 32 float registers.

BUG=

Review-Url: https://codereview.chromium.org/2822073003
Cr-Commit-Position: refs/heads/master@{#44865}
2017-04-25 16:49:33 +00:00
Michael Achenbach
ae1fa3daad Revert "[runtime] Keep FAST_SLOPPY_ARGUMENTS packed"
This reverts commit 28930128ce.

Reason for revert: GC stress failures:
https://build.chromium.org/p/client.v8/builders/V8%20Mac%20GC%20Stress/builds/12958

Original change's description:
> [runtime] Keep FAST_SLOPPY_ARGUMENTS packed
> 
> With this CL SloppyArguments immediately go to dictionary elements on 
> deletion, keeping the arguments backing store packed.
> 
> Bug: v8:6251
> Change-Id: I2afa4fb5f0af9942eee0a1606942f5f289539330
> Reviewed-on: https://chromium-review.googlesource.com/480379
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44857}

TBR=jkummerow@chromium.org,cbruni@chromium.org,v8-reviews@googlegroups.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: I9482bf693a745d1301d068869ddae39f11143827
Reviewed-on: https://chromium-review.googlesource.com/486885
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44863}
2017-04-25 14:43:14 +00:00
Tobias Tebbi
f431b597bf [turbofan] escape analysis: patch for wrong deopt info
Bug: chromium:713367
Change-Id: I3f5960f5b2da22c6468ca5a5ea9dc847b30c7fc7
Reviewed-on: https://chromium-review.googlesource.com/486360
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44862}
2017-04-25 14:20:57 +00:00
Michael Starzinger
d049239ca6 [asm.js] Fix [[Configurable]] attribute of exports.
R=clemensh@chromium.org
TEST=mjsunit/asm/asm-validation
BUG=chromium:715068,v8:5877

Change-Id: I26e0b84c94e5f036336f39e9d764f0588ff3ec0d
Reviewed-on: https://chromium-review.googlesource.com/486882
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44861}
2017-04-25 14:19:52 +00:00
Michael Achenbach
ef99f6667d Revert "[parser] Inital parallel parse tasks implementation."
This reverts commit 56a6fda316.

Reason for revert: Makes tsan flaky:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/15038

Original change's description:
> [parser] Inital parallel parse tasks implementation.
> 
> While parsing top-level code eager functions are skipped just like lazy
> ones, but also a parse task is created for each.
> 
> The parse tasks are run by the compiler dispatcher and can be executed
> either on background thread or in idle time.
> After parsing of top-level code finishes it waits for all unfinished
> parser tasks - possibly picking up and executing them on current thread.
> Afterwards parse task results are stitched together with top-level AST,
> in case of failures eager functions are treated just like lazy -
> parsing/compilation is retriggered for them in the runtime and proper
> errors are generated (performance is not optimized for error case at
> all).
> 
> BUG=v8:6093
> 
> Change-Id: I718dd2acc8a70ae1b09c2dea2616716605d7b05d
> Reviewed-on: https://chromium-review.googlesource.com/483439
> Commit-Queue: Wiktor Garbacz <wiktorg@google.com>
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Jochen Eisinger <jochen@chromium.org>
> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44849}

TBR=marja@chromium.org,vogelheim@chromium.org,jochen@chromium.org,wiktorg@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:6093

Change-Id: I17e689efee7d216d28a94a5c8147022ae7e830dd
Reviewed-on: https://chromium-review.googlesource.com/486883
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44859}
2017-04-25 14:18:49 +00:00
Camillo Bruni
28930128ce [runtime] Keep FAST_SLOPPY_ARGUMENTS packed
With this CL SloppyArguments immediately go to dictionary elements on 
deletion, keeping the arguments backing store packed.

Bug: v8:6251
Change-Id: I2afa4fb5f0af9942eee0a1606942f5f289539330
Reviewed-on: https://chromium-review.googlesource.com/480379
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44857}
2017-04-25 14:17:27 +00:00
yangguo
95d53ffee1 Revert of [d8] console methods must not throw. (patchset #1 id:1 of https://codereview.chromium.org/2838143002/ )
Reason for revert:
Breaks no-intl builds.

Original issue's description:
> [d8] console methods must not throw.
>
> R=jarin@chromium.org
> BUG=chromium:714696
>
> Review-Url: https://codereview.chromium.org/2838143002
> Cr-Commit-Position: refs/heads/master@{#44854}
> Committed: 87b5b53f6f

TBR=jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:714696

Review-Url: https://codereview.chromium.org/2840853002
Cr-Commit-Position: refs/heads/master@{#44856}
2017-04-25 14:00:56 +00:00
yangguo
87b5b53f6f [d8] console methods must not throw.
R=jarin@chromium.org
BUG=chromium:714696

Review-Url: https://codereview.chromium.org/2838143002
Cr-Commit-Position: refs/heads/master@{#44854}
2017-04-25 13:47:33 +00:00
Michael Starzinger
54818a635f [asm.js] Fix failure propagation of heap access validation.
This fixes propagation of validation failures that happen during the
validation of a heap access expression in {ValidateHeapAccess}.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-714971
BUG=chromium:714971

Change-Id: I8f91ac1da34ae50fdde2938f61b6468cdac92b6e
Reviewed-on: https://chromium-review.googlesource.com/486801
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44851}
2017-04-25 12:58:26 +00:00
Wiktor Garbacz
56a6fda316 [parser] Inital parallel parse tasks implementation.
While parsing top-level code eager functions are skipped just like lazy
ones, but also a parse task is created for each.

The parse tasks are run by the compiler dispatcher and can be executed
either on background thread or in idle time.
After parsing of top-level code finishes it waits for all unfinished
parser tasks - possibly picking up and executing them on current thread.
Afterwards parse task results are stitched together with top-level AST,
in case of failures eager functions are treated just like lazy -
parsing/compilation is retriggered for them in the runtime and proper
errors are generated (performance is not optimized for error case at
all).

BUG=v8:6093

Change-Id: I718dd2acc8a70ae1b09c2dea2616716605d7b05d
Reviewed-on: https://chromium-review.googlesource.com/483439
Commit-Queue: Wiktor Garbacz <wiktorg@google.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44849}
2017-04-25 12:35:21 +00:00
jgruber
9372dd95d9 [regexp] Fix unicode escapes in test strings
Some of these tests pass the pattern as a string, and in this case
there's a subtle distinction between

"/\u{0041}/"  // Unicode escape interpreted in string literal.

and

"/\\u{0041}/"  // Unicode escape interpreted by regexp parser.

Extend these tests to check both cases.

Thanks littledan@ for pointing this out.

BUG=v8:5437

Review-Url: https://codereview.chromium.org/2839923002
Cr-Commit-Position: refs/heads/master@{#44840}
2017-04-25 11:20:34 +00:00
jgruber
a1af3315a2 [regexp] Fix passing all flags to RegExp construction
Do not bail out when passed a flags string with length > 5, use a
meaningful named constant instead.

Found by https://github.com/tc39/test262/pull/997#issuecomment-296963675

BUG=v8:6300

Review-Url: https://codereview.chromium.org/2841633004
Cr-Commit-Position: refs/heads/master@{#44834}
2017-04-25 09:35:22 +00:00
jarin
d081a6f692 [turbofan] Make sure an inlined call is not resurrected and inlined again.
BUG=chromium:714483

Review-Url: https://codereview.chromium.org/2833423004
Cr-Commit-Position: refs/heads/master@{#44830}
2017-04-25 08:10:32 +00:00
Caitlin Potter
56e07b4a8c [parser] don't treat SuperCall as a valid DestructuringAssignmentTarget
BUG=v8:6291, v8:811
R=marja@chromium.org, vogelheim@chromium.org

Change-Id: I978ea446d7b42092592b0a3ae3c99626e36d40fd
Reviewed-on: https://chromium-review.googlesource.com/485099
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44819}
2017-04-24 20:54:36 +00:00
Caitlin Potter
68235eb936 [parser] don't treat new.target as a valid DestructuringAssignmentTarget
BUG=v8:6291, v8:811
R=marja@chromium.org, vogelheim@chromium.org

Change-Id: Icf18b1cba8562aab87d233d383eb1d73a8e6aa9d
Reviewed-on: https://chromium-review.googlesource.com/485059
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44818}
2017-04-24 20:27:37 +00:00
jkummerow
0f88153075 Reland of [builtins] DeleteProperty: Handle last-added fast properties
In general, deleting a property from a fast-properties object
requires transitioning the object to dictionary mode. However,
when the most-recently-added property is deleted, we can simply
roll back the last map transition that the object went through.

This is a performance experiment: it should make things faster,
but if it turns out to have more negative than positive impact,
we will have to revert it.

TBR=bmeurer@chromium.org (just adding a comment)

Previously reviewed at https://codereview.chromium.org/2830093002
Previously landed as 98acfb36e1 / r44799

Review-Url: https://codereview.chromium.org/2840583002
Cr-Commit-Position: refs/heads/master@{#44808}
2017-04-24 15:59:00 +00:00
machenbach
852a20b08c Revert of [builtins] DeleteProperty: Handle last-added fast properties (patchset #2 id:20001 of https://codereview.chromium.org/2830093002/ )
Reason for revert:
Breaks:
https://build.chromium.org/p/client.v8/builders/V8%20Mac%20GC%20Stress/builds/12920
and
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/10281

Original issue's description:
> [builtins] DeleteProperty: Handle last-added fast properties
>
> In general, deleting a property from a fast-properties object
> requires transitioning the object to dictionary mode. However,
> when the most-recently-added property is deleted, we can simply
> roll back the last map transition that the object went through.
>
> This is a performance experiment: it should make things faster,
> but if it turns out to have more negative than positive impact,
> we will have to revert it.
>
> TBR=bmeurer@chromium.org (just adding a comment)
>
> Review-Url: https://codereview.chromium.org/2830093002
> Cr-Commit-Position: refs/heads/master@{#44799}
> Committed: 98acfb36e1

TBR=ishell@chromium.org,jkummerow@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2843473002
Cr-Commit-Position: refs/heads/master@{#44806}
2017-04-24 14:52:56 +00:00
Michael Starzinger
f06db79c67 [asm.js] Treat typed array constructors as stdlib uses.
This makes sure that typed array constructors (e.g. Int8Array, ...) used
within an asm.js module are considered uses of stdlib values, and hence
are checked during module instantiation.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-6280
BUG=v8:6280,chromium:714537

Change-Id: Ic5d689f5319c4dac4e9df3dca4a8cf5a4edd890b
Reviewed-on: https://chromium-review.googlesource.com/485521
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44800}
2017-04-24 13:33:35 +00:00
jkummerow
98acfb36e1 [builtins] DeleteProperty: Handle last-added fast properties
In general, deleting a property from a fast-properties object
requires transitioning the object to dictionary mode. However,
when the most-recently-added property is deleted, we can simply
roll back the last map transition that the object went through.

This is a performance experiment: it should make things faster,
but if it turns out to have more negative than positive impact,
we will have to revert it.

TBR=bmeurer@chromium.org (just adding a comment)

Review-Url: https://codereview.chromium.org/2830093002
Cr-Commit-Position: refs/heads/master@{#44799}
2017-04-24 13:27:41 +00:00
mvstanton
1eb0ef3161 [builtins] Improve performance of array.prototype.filter and map.
BUG=

Review-Url: https://codereview.chromium.org/2775503006
Cr-Commit-Position: refs/heads/master@{#44793}
2017-04-24 12:47:24 +00:00
bmeurer
359b5f93d4 [turbofan] Also constant-fold Object.getPrototypeOf if possible.
We already have an optimization to constant-fold access to an object's
prototype via the special __proto__ accessor (specified in appendix B).
We can use the same optimization to also constant-fold accesses to an
object's prototype via the official Object.getPrototypeOf function.

Also add the optimization for Reflect.getPrototypeOf, which is
equivalent for object inputs.

This is commonly used by Babel to implement various new language
features, for example subclassing and certain property lookups.

R=yangguo@chromium.org
BUG=v8:6292

Review-Url: https://codereview.chromium.org/2841463002
Cr-Commit-Position: refs/heads/master@{#44788}
2017-04-24 05:37:45 +00:00
jkummerow
75ce09b533 Fix HashTable growth strategy to be 2x instead of 4x
Review-Url: https://codereview.chromium.org/2827263004
Cr-Commit-Position: refs/heads/master@{#44783}
2017-04-21 17:31:29 +00:00
Igor Sheludko
2d856544e5 [ic] Fix handling of elements kind transitions in polymorphic keyed ICs.
Ensure source map is not stable if elements kind transitions are expected.

BUG=chromium:700733

Change-Id: Ie937e7064127250b1100109986c3e9b411fae1d6
Reviewed-on: https://chromium-review.googlesource.com/483442
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44780}
2017-04-21 15:14:26 +00:00
Michael Starzinger
ea7064779a [asm.js] Test and fix global variable imports.
This also removes a broken optimization regarding immutable (i.e. const)
global variables. For now mutable and immutable global variables are
treated the same and hence copied during module initialization.

R=rossberg@chromium.org
TEST=mjsunit/asm/global-imports
BUG=v8:6279

Change-Id: I020fc12036dc534f5a62fb43f5c6fdb252314e62
Reviewed-on: https://chromium-review.googlesource.com/483360
Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44763}
2017-04-21 08:09:04 +00:00
Eric Holk
ec772a4fd8 Restrict range for int64_t to immediate conversions
The included test case illustrates the problem. It subtracts (16 << 27)
from another number. The Machine Operator Reducer would replace the
shift computation with 0x0000000080000000, and then change the subtract
to an add of -(0x0000000080000000), which is 0xffffffff80000000.
The instruction selector would determine that this value could be an
immediate, because it fits in 32 bits, so it would select the lea
instruction. Finally, the code generator would detect that the
immediate was less than 0, flip the sign and replace the add with a
subtract of 0x80000000. Because the x64 subtract instruction's
immediate field is 32 bits, the processor would interpret this as
0xffffffff80000000 instead of an unsigned value.

This change fixes the issue by making the CanBeImmediate check
explicitly compare against INT_MIN and INT_MAX. We disallow INT_MIN
as an immediate precisely because we cannot tell 0x0000000080000000
from 0xffffffff80000000 when truncated to 32 bits.

Bug: chromium:711203
Change-Id: Ie371b8ea290684a6bb723bae9c693a866f961850
Reviewed-on: https://chromium-review.googlesource.com/482448
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44758}
2017-04-20 21:03:31 +00:00
bmeurer
c9c7dd0d4e [turbofan] Constant-fold certain JSOrdinaryHasInstance nodes.
Move JSOrdinaryHasInstance lowering to JSNativeContextSpecialization,
which was previously mostly done in JSTypedLowering (for no reason).
Add new logic to the lowering to constant-fold OrdinaryHasInstance
checks when the map of the left-hand side and the "prototype" of the
right-hand side is known. This address the performance issue with the
(base) class constructors generated by Babel, i.e.:

  function _classCallCheck(instance, Constructor) {
    if (!(instance instanceof Constructor)) {
      throw new TypeError("Cannot call a class as a function");
    }
  }

  var C = function C() { _classCallCheck(this, C); };

for

  class C {}

Also ensure that a known constructor being used inside an instanceof
get's a proper initial map on-demand.

BUG=v8:6275
R=mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2827013002
Cr-Commit-Position: refs/heads/master@{#44727}
2017-04-19 14:38:11 +00:00
jkummerow
34a26e7dc4 [keyed-store-generic] Update protectors if needed
When adding or overwriting properties of an object, the generic
keyed store stub must check if that property's name might have
an associated protector (e.g. the ArraySpeciesProtector) and
take the slow path if so to ensure that the protector is updated
as needed.

BUG=v8:6269

Review-Url: https://codereview.chromium.org/2821213004
Cr-Commit-Position: refs/heads/master@{#44726}
2017-04-19 14:15:34 +00:00
Peter Marshall
356e9246b2 [builtins] Use the ElementsAccessor to copy TypedArrays.
This includes a fastpath in the ElementsAccessor for the source
array being a JSArray with FastSmi or FastDouble packed kinds. This
is probably a pretty common usage, where an array is passed in as
a way of initializing the TypedArray at creation (as there is not other
syntax to do this). e.g. new Float64Array([1.0, 1.0, 1.0]) for some
sort of vector application.

BUG= v8:5977

Change-Id: Ice4ad9fc29f56b1c4b0b30736a1330efdc289003
Reviewed-on: https://chromium-review.googlesource.com/465126
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44722}
2017-04-19 12:45:20 +00:00
Michael Starzinger
950322e070 [asm.js] Fix source positions in for-statement parsing.
This fixes source position tracking within the "increment" expression of
a for-statement. The old {StashCode} method was inherently incompatible
with side tables like the source position table, as it would leave them
untouched while mutating the bytecode stream. It was hence trimmed down
to {DeleteCode}.

R=bradnelson@chromium.org
BUG=v8:6127

Change-Id: I7a5ff60cd5334208c44b165c8b54144d9ae83209
Reviewed-on: https://chromium-review.googlesource.com/480301
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44714}
2017-04-19 08:53:57 +00:00
jgruber
a031ab92ac [errors] Improve NotGeneric error message
This changes the message from

"method_name is not generic"

to

"method_name requires that 'this' be a primitive_name object"

BUG=v8:6206

Review-Url: https://codereview.chromium.org/2814043006
Cr-Original-Commit-Position: refs/heads/master@{#44683}
Committed: 21b104e3b8
Review-Url: https://codereview.chromium.org/2814043006
Cr-Commit-Position: refs/heads/master@{#44713}
2017-04-19 08:34:24 +00:00
bmeurer
b89ddcf1fc [turbofan] Fix typing rule for JSCreateArguments.
The typing rule for JSCreateArguments must properly declare rest
parameters as arrays and only consider sloppy and strict arguments
objects as Type::OtherObject.

TBR=jarin@chromium.org
BUG=v8:6262,chromium:712802

Review-Url: https://codereview.chromium.org/2828573004
Cr-Commit-Position: refs/heads/master@{#44712}
2017-04-19 07:38:20 +00:00
Adam Klein
cd76322817 Add flag to make __defineGetter__ & co. behave as strict functions
When --harmony-strict-legacy-accessor-builtins is enabled, it brings
V8's behavior in line with the spec and more recent versions of
SpiderMonkey and JSC:
  - No implicit receiver coercion
  - Attempting to redefine a non-configurable property throws

Bug: v8:5070
Change-Id: I82b927538604136c0c550e19bcc606fbfea1377e
Reviewed-on: https://chromium-review.googlesource.com/478312
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44703}
2017-04-18 21:40:14 +00:00
machenbach
5971023353 Revert of [errors] Improve NotGeneric error message (patchset #3 id:40001 of https://codereview.chromium.org/2814043006/ )
Reason for revert:
Please schedule rebasing layout test first:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/15036

https://github.com/v8/v8/wiki/Blink-layout-tests

Original issue's description:
> [errors] Improve NotGeneric error message
>
> This changes the message from
>
> "method_name is not generic"
>
> to
>
> "method_name requires that 'this' be a primitive_name object"
>
> BUG=v8:6206
>
> Review-Url: https://codereview.chromium.org/2814043006
> Cr-Commit-Position: refs/heads/master@{#44683}
> Committed: 21b104e3b8

TBR=littledan@chromium.org,yangguo@chromium.org,jgruber@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:6206

Review-Url: https://codereview.chromium.org/2825123002
Cr-Commit-Position: refs/heads/master@{#44701}
2017-04-18 19:19:53 +00:00
mtrofin
9cc672911f [wasm] Fix DCHECK handiling pending exceptions.
+ additional fixes uncovered by bug, and addressed remaining feedback
from original CL (https://codereview.chromium.org/2806073002/).

Note that the regression test differs slightly from the bug reported one,
in that it catches the RangeError which will eventually be thrown due
to call stack size being exceeded.

BUG=chromium:712569

Review-Url: https://codereview.chromium.org/2825073002
Cr-Commit-Position: refs/heads/master@{#44700}
2017-04-18 19:15:12 +00:00
Camillo Bruni
1979ab55fb [heap-verification] Increase verification for arguments objects
BUG: v8/6251
Change-Id: I64e6ad220f05384e4cd549c1356fd713423c3044
Reviewed-on: https://chromium-review.googlesource.com/480072
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44695}
2017-04-18 15:55:14 +00:00
Marja Hölttä
7fcf658a7b [parser] Skipping inner funcs: make the flag experimental.
The feature is not quite ready for getting ClusterFuzzed.

BUG=v8:5516

Change-Id: I90a42f950727c8ecf46cb2987c9a459b2ba1f5a7
Reviewed-on: https://chromium-review.googlesource.com/480400
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44693}
2017-04-18 15:16:10 +00:00
Michael Starzinger
e6590a37ba [turbofan] Fix translation containing arguments elements.
This fixes the de-duplication logic used when writing the deoptimizer
translation of a frame-state containing {kArgumentsElementsState}. The
object counts as a captured object and participates in the numbering of
duplicated objects.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-711166
BUG=chromium:711166

Change-Id: I4a3b892017ab8217197e5f94c1a0975d0cd6979f
Reviewed-on: https://chromium-review.googlesource.com/476631
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44692}
2017-04-18 14:44:01 +00:00
bmeurer
245ab01ad4 [turbofan] Inline Array constructor calls with multiple parameters.
BUG=v8:6262
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2821273002
Cr-Commit-Position: refs/heads/master@{#44688}
2017-04-18 14:14:58 +00:00
jgruber
21b104e3b8 [errors] Improve NotGeneric error message
This changes the message from

"method_name is not generic"

to

"method_name requires that 'this' be a primitive_name object"

BUG=v8:6206

Review-Url: https://codereview.chromium.org/2814043006
Cr-Commit-Position: refs/heads/master@{#44683}
2017-04-18 12:23:29 +00:00
yangguo
4f3d859f31 [regexp] explicitly whitelist allowed binary property classes.
BUG=v8:4743
TBR=jgruber@chromium.org

Review-Url: https://codereview.chromium.org/2827613002
Cr-Commit-Position: refs/heads/master@{#44677}
2017-04-18 10:01:27 +00:00
gdeepti
78b8d7ed8c [wasm] Handle no initial memory case correctly when memory is exported
Currently when the module has memory specified in the compiled bytes, but with no initial memory
exported memory assigns a bogus buffer to the instance. When grow_memory is called on this buffer, it tries to patch an incorrect address.
 - Fix exported memory to handle no initial memory
 - Fix grow_memory to handle uninitialized buffers

BUG=chromium:710844
R=bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2820223002
Cr-Commit-Position: refs/heads/master@{#44671}
2017-04-18 06:34:16 +00:00
mtrofin
71cf4890d0 [wasm] instantiate expressed in terms of compile
Today, the semantics of:

WebAssembly.instantiate

and

WebAssembly.compile().then(new WebAssemblyInstance)

are subtly different, to the point where attempting the proposed
change uncovered bugs.

In the future, it's possible that .instantiate actually have different
semantics - if we pre-specialized to the provided ffi, for example.
Right now that's not the case.

This CL:
- gets our implementation closer to what developers may write using
the compile -> new Instance alternative, in particular wrt promise
creation. By reusing code paths, we uncover more bugs, and keep
maintenance cost lower.

- it gives us the response-based WebAssembly.instantiate implicitly.
Otherwise, we'd need that same implementation on the blink side. The
negative is maintenance: imagine if the bugs I mentioned could only be
found when running in Blink.

BUG=chromium:697028

Review-Url: https://codereview.chromium.org/2806073002
Cr-Original-Commit-Position: refs/heads/master@{#44592}
Committed: 7829af3275
Review-Url: https://codereview.chromium.org/2806073002
Cr-Commit-Position: refs/heads/master@{#44669}
2017-04-18 01:31:16 +00:00
Josh Wolfe
1236335551 fix assertion failure with --harmony CreateDynamicFunction() in stack overflow conditions
Bug=chromium:707066
R=littledan@chromium.org, adamk@chromium.org, caitp@igalia.com
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel

Change-Id: I24ce0a08816940ef4646d0f2de188d4832c823a0
Reviewed-on: https://chromium-review.googlesource.com/474990
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
Cr-Commit-Position: refs/heads/master@{#44668}
2017-04-17 20:06:15 +00:00
Sathya Gunasekaran
484d25d4df [d8] Fix leak in IntializeModuleEmbedderData
If the current context is overwritten by doing Realm.navigate(0) we
fail to delete the module embedder data from the correct current
context, because we have an handle to the old context which was
already cleaned up by calling DisposeRealm in RealmNavigate.

This patch disallows navigation to the first realm.

Bug: chromium:711165
Change-Id: I6b9d3187367dae9d1fe38c0efa361d461c94c917
Reviewed-on: https://chromium-review.googlesource.com/476970
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44656}
2017-04-13 21:52:28 +00:00
Caitlin Potter
fa0066d170 [async-iteration] implement spec update for yield* in async generators
e3246ad69c
removed some redundancies in yield and yield*.

In particular:
- AsyncGeneratorRawYield becomes unnecessary, and is deleted in this CL
- Parser::RewriteYieldStar() is updated to perform the IteratorValue() algorithm as appropriate

BUG=v8:6187, v8:5855
R=rmcilroy@chromium.org, adamk@chromium.org, littledan@chromium.org, vogelheim@chromium.org

Change-Id: I05e8429b9cbd4531c330ee53a05656b90162064c
Reviewed-on: https://chromium-review.googlesource.com/471806
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#44649}
2017-04-13 14:32:30 +00:00
Leszek Swirski
0010be5b23 [compiler] Always use deopt count for disabling optimization
Currently we count optimizations to decide to disable optimization, and
count deopts to detect this decision and allow re-enabling optimizations
after a while.

However, throwing out TurboFan OSR code and GC optimized code evictions
do not count as deopts, which means that the optimization count
increases without increasing the deopt count. This increased optimization
count disables further optimization -- which is bad, because these are
not "true" deopts -- and can stop the optimization from being re-enabled,
because the deopt count can't go high enough.

Instead, we now only ever look at deopts to disable/re-enable
optimization, and opt counts are only used for naming log files and in
tests.

Change-Id: I0c7d6be497545449a38cf952cd2f007ee51982ba
Reviewed-on: https://chromium-review.googlesource.com/468811
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44647}
2017-04-13 13:41:26 +00:00
Michael Starzinger
f09460389b [asm.js] Test and fix "|0" annotation of calls.
This fixes the validation of "|0" annotations of call sites that are
used to indicate a "signed" return type of functions. We use lookahead
during call validation and request deferred validation as part of the
actual OR-expression. Special care has to be taken to get precedence
levels of all involved operators right.

R=clemensh@chromium.org
TEST=mjsunit/asm/call-annotation
BUG=v8:6183

Change-Id: If0586f669e7cee26a13425b0fd9f41098e852d68
Reviewed-on: https://chromium-review.googlesource.com/475871
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44639}
2017-04-13 10:38:22 +00:00
jgruber
876e23c54d [regexp] Fix incorrect DCHECK in FixSingleCharacterDisjunctions
The condition only applies in unicode mode, where any lone surrogates
are desugared into a character class (and will not be considered in this
optimization). Non-unicode mode treats lone surrogates exactly like
any other codepoint.

BUG=chromium:711092

Review-Url: https://codereview.chromium.org/2808403006
Cr-Commit-Position: refs/heads/master@{#44638}
2017-04-13 10:33:08 +00:00
Franziska Hinkelmann
b30503387f [type feedback] Allow position 0.
In eval scripts, the source code position can be 0 rather
than greater than 0.

Add regression test.

Drive-by fix: unrelated typo.

Bug: 707223
Change-Id: If52c0736daac3ad42ac6d324eb8ec5f1798f6f5a
Reviewed-on: https://chromium-review.googlesource.com/476630
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44637}
2017-04-13 09:55:14 +00:00
Michael Starzinger
68b047d094 [turbofan] Fix lowering of JSGetSuperConstructor.
This fixes the existing lowering of {JSGetSuperConstructor} nodes to
unconditional throws. The above operator is marked as {kNoWrite} but
runtime calls are not marked as such. Any deoptimizing operation after
the throw would not be able to find a valid {Checkpoint}. We remove the
lowering case in question.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-6248
BUG=v8:6248

Change-Id: I22c922947336254502f698b02f944cf35dd8688a
Reviewed-on: https://chromium-review.googlesource.com/476570
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44632}
2017-04-13 08:34:22 +00:00
binji
7b300ba2e9 [SAB] Validate index before value conversion using ToIndex
It's required by the spec -- and observable -- that the index be validated
before the conversion of the value(s) via ToInteger.

The previous implementation also had an old test for validating the atomic
index, which has now been switched to ToIndex.

This also exposed an issue in the ia32 code generator: cmpxchg_b requires a
byte register, but the ia32 instruction selector was ensuring that the
new_value was a byte register, not the TempRegister. This change forces the
temp register to use edx, which always can be used as a byte register (dl).
This is the same behavior as currently used in UseByteRegister.

BUG=v8:4614
R=jarin@chromium.org,jkummerow@chromium.org

Review-Url: https://codereview.chromium.org/2814753003
Cr-Commit-Position: refs/heads/master@{#44626}
2017-04-12 19:08:40 +00:00
Michael Achenbach
e63d74b117 Revert "[heap-verification] Increase verification for arguments objects"
This reverts commit b9194e93f2.

Reason for revert: Makes old pipeline flaky with custom snapshot:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20custom%20snapshot%20-%20debug/builds/14049

Original change's description:
> [heap-verification] Increase verification for arguments objects
> 
> BUG: v8:6251
> Change-Id: I8a6dd528656a69c7910770acaf2133830b60c291
> Reviewed-on: https://chromium-review.googlesource.com/475651
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44609}

TBR=jkummerow@chromium.org,cbruni@chromium.org,v8-reviews@googlegroups.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: Iedfdad290bf4f5f6ec2534e8c5378a7cc195db82
Reviewed-on: https://chromium-review.googlesource.com/475719
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44616}
2017-04-12 14:06:21 +00:00
Marja Hölttä
7079bdb830 [parser] Skipping inner funcs: Add a simple mjsunit test.
Unfortunately, this test cannot test that a function was really skipped (i.e.,
not parsed).

BUG=v8:5516

Change-Id: I8db5027d2216a95cc012ceae8e17554095cc1d4f
Reviewed-on: https://chromium-review.googlesource.com/457037
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44615}
2017-04-12 13:52:52 +00:00
hablich
d3f1d5c50c Revert of [wasm] instantiate expressed in terms of compile (patchset #6 id:140001 of https://codereview.chromium.org/2806073002/ )
Reason for revert:
Roll blocker: https://bugs.chromium.org/p/chromium/issues/detail?id=710824

Original issue's description:
> [wasm] instantiate expressed in terms of compile
>
> Today, the semantics of:
>
> WebAssembly.instantiate
>
> and
>
> WebAssembly.compile().then(new WebAssemblyInstance)
>
> are subtly different, to the point where attempting the proposed
> change uncovered bugs.
>
> In the future, it's possible that .instantiate actually have different
> semantics - if we pre-specialized to the provided ffi, for example.
> Right now that's not the case.
>
> This CL:
> - gets our implementation closer to what developers may write using
> the compile -> new Instance alternative, in particular wrt promise
> creation. By reusing code paths, we uncover more bugs, and keep
> maintenance cost lower.
>
> - it gives us the response-based WebAssembly.instantiate implicitly.
> Otherwise, we'd need that same implementation on the blink side. The
> negative is maintenance: imagine if the bugs I mentioned could only be
> found when running in Blink.
>
> BUG=chromium:697028
>
> Review-Url: https://codereview.chromium.org/2806073002
> Cr-Commit-Position: refs/heads/master@{#44592}
> Committed: 7829af3275

TBR=bradnelson@chromium.org,ahaas@chromium.org,adamk@chromium.org,mtrofin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:697028

Review-Url: https://codereview.chromium.org/2810203002
Cr-Commit-Position: refs/heads/master@{#44614}
2017-04-12 13:27:56 +00:00
Camillo Bruni
b9194e93f2 [heap-verification] Increase verification for arguments objects
BUG: v8:6251
Change-Id: I8a6dd528656a69c7910770acaf2133830b60c291
Reviewed-on: https://chromium-review.googlesource.com/475651
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44609}
2017-04-12 11:31:16 +00:00
bmeurer
8c0c5e8117 [turbofan] Properly represent the float64 hole.
The hole NaN should also have proper Type::Hole, and not silently hide
in the Type::Number. This way we can remove all the special casing for
the hole NaN, and we also finally get the CheckNumber right.

This also allows us to remove some ducktape from the Deoptimizer, as for
escape analyzed FixedDoubleArrays we always pass the hole value now to
represent the actual holes.

Also-By: jarin@chromium.org
BUG=chromium:684208,chromium:709753,v8:5267
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2814013003
Cr-Commit-Position: refs/heads/master@{#44603}
2017-04-12 10:10:48 +00:00
jgruber
4635572471 [regexp] Consider surrogate pairs when optimizing disjunctions
RationalizeConsecutiveAtoms optimizes ab|ac|az to a(?:b|c|d).
Ensure that this optimization does not split surrogate pairs in unicode
mode.

BUG=chromium:641091

Review-Url: https://codereview.chromium.org/2813893002
Cr-Commit-Position: refs/heads/master@{#44599}
2017-04-12 09:09:12 +00:00
bmeurer
483812d46c [turbofan] Fix typing rule for CheckBounds.
As of crrev.com/2760213003, the CheckBounds operator passes a truncation
that identfies zero and minus zero. However that was not reflected in
the typing rule, and as such the type of CheckBounds(-0,length) was
always Type::None. That confused the typed alias analysis in the
LoadElimination and led to ignoring StoreElement nodes.

BUG=chromium:708050
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2812013006
Cr-Commit-Position: refs/heads/master@{#44598}
2017-04-12 09:02:28 +00:00
Sathya Gunasekaran
a7c4e77846 [builtins] Change semantics of class constructors returning primitives
This change mirrors the semantics for derived class constructors. This
change doesn't affect non class constructors.

This change could potentially break web compat. More details:
https://github.com/tc39/ecma262/pull/469

Bug=v8:5536

Change-Id: I519599949523733332d0b35e4f8d9ecb01cac495
Reviewed-on: https://chromium-review.googlesource.com/461225
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44594}
2017-04-12 04:35:43 +00:00
mtrofin
7829af3275 [wasm] instantiate expressed in terms of compile
Today, the semantics of:

WebAssembly.instantiate

and

WebAssembly.compile().then(new WebAssemblyInstance)

are subtly different, to the point where attempting the proposed
change uncovered bugs.

In the future, it's possible that .instantiate actually have different
semantics - if we pre-specialized to the provided ffi, for example.
Right now that's not the case.

This CL:
- gets our implementation closer to what developers may write using
the compile -> new Instance alternative, in particular wrt promise
creation. By reusing code paths, we uncover more bugs, and keep
maintenance cost lower.

- it gives us the response-based WebAssembly.instantiate implicitly.
Otherwise, we'd need that same implementation on the blink side. The
negative is maintenance: imagine if the bugs I mentioned could only be
found when running in Blink.

BUG=chromium:697028

Review-Url: https://codereview.chromium.org/2806073002
Cr-Commit-Position: refs/heads/master@{#44592}
2017-04-12 00:01:04 +00:00
mtrofin
53908d05b9 [wasm] Bumped DEPS for public js api tests, fixed failures.
This also fixes an existing discrepancy.

BUG=v8:6017

Review-Url: https://codereview.chromium.org/2808403002
Cr-Commit-Position: refs/heads/master@{#44590}
2017-04-11 20:09:20 +00:00
Caitlin Potter
96698b55e0 [parser] allow ASI when "await" or "yield" follows "let"
Per https://github.com/tc39/test262/pull/956, André believes that ASI
should be permitted in these situations.

BUG=
R=marja@chromium.org, adamk@chromium.org, littledan@chromium.org

Change-Id: I5602d8a507576607750ffa9e873e1bfa53dd3523
Reviewed-on: https://chromium-review.googlesource.com/472568
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#44585}
2017-04-11 16:32:39 +00:00
Clemens Hammacher
b3ff390364 [wasm] Fix tests and improve error message
The test "assertThrows(builder.instantiate)" threw a TypeError before,
which made the test pass, but not because of the feature we wanted to
test.
This CL fixes the test to call builder.instantiate correctly, and also
tests for the correct error message.

Drive-by fix: Fix {expected} and {found} parameters in assertThrows.

R=ahaas@chromium.org

Change-Id: I11c0f63885cc14a36559e637aea60a9da6f1bb8f
Reviewed-on: https://chromium-review.googlesource.com/472886
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44584}
2017-04-11 16:22:33 +00:00
yangguo
eee279257a [regexp] Add tests for binary property classes.
See https://tc39.github.io/proposal-regexp-unicode-property-escapes

R=jgruber@chromium.org
BUG=v8:4743

Review-Url: https://codereview.chromium.org/2807293003
Cr-Commit-Position: refs/heads/master@{#44577}
2017-04-11 14:06:45 +00:00
littledan
c1a9e556ca Reland of [date] Add ICU backend for timezone info behind a flag (patchset #1 id:1 of https://codereview.chromium.org/2811103002/ )
Reason for revert:
Reland with tests marked as off in no-i18n mode

Original issue's description:
> Revert of [date] Add ICU backend for timezone info behind a flag (patchset #17 id:320001 of https://codereview.chromium.org/2724373002/ )
>
> Reason for revert:
> Breaks noi18n:
> https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20noi18n%20-%20debug/builds/13314
>
> Original issue's description:
> > [date] Add ICU backend for timezone info behind a flag
> >
> > This patch implements a timezone backend which is based on ICU, rather
> > than operating system calls. It can be turned on by passing the
> > --icu-timezone-data flag. The goal here is to take advantage of ICU's
> > data, which is more complete than the data that some system calls expose.
> > For example, without any special code, this patch fixes the time zone
> > of Lord Howe Island to have a correct 30 minute DST offset, rather than
> > 60 minutes as the OS backends assume it to have.
> >
> > Unfortunately, the parenthized timezone name in Date.prototype.toString()
> > differs across platforms. This patch chooses the long timezone name,
> > which matches Windows behavior and might be the most intelligible, but
> > the web compatibility impact is unclear.
> >
> > BUG=v8:6031,v8:2137,v8:6076
> >
> > Review-Url: https://codereview.chromium.org/2724373002
> > Cr-Commit-Position: refs/heads/master@{#44562}
> > Committed: b213f23990
>
> TBR=ulan@chromium.org,jshin@chromium.org,jgruber@chromium.org,littledan@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:6031,v8:2137,v8:6076
>
> Review-Url: https://codereview.chromium.org/2811103002
> Cr-Commit-Position: refs/heads/master@{#44565}
> Committed: 13ad508110

TBR=ulan@chromium.org,jshin@chromium.org,jgruber@chromium.org,machenbach@chromium.org
BUG=v8:6031,v8:2137,v8:6076

Review-Url: https://codereview.chromium.org/2813863002
Cr-Commit-Position: refs/heads/master@{#44575}
2017-04-11 13:17:29 +00:00
Caitlin Potter
30439676db [async-iteration] implement spec change to [Async-from-Sync Iterator]
A really slight change in behaviour introduced by
395b2e3b2f

Just swaps the order that properties are loaded from an iterator result
object in the various Async-from-Sync Iterator methods.

Fixes for the test262 tests have been submitted already (https://github.com/tc39/test262/pull/961).

BUG=v8:5855, v8:6242
R=littledan@chromium.org, jwolfe@igalia.com,

Change-Id: I1ff0e1b7758c126d02aec27d67ceeb15b91c06cf
Reviewed-on: https://chromium-review.googlesource.com/474087
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#44572}
2017-04-11 12:55:03 +00:00
mathias
f956279ed6 [regexp] remove \p{Other_ID_Start} and \p{Other_ID_Continue}
The spec proposal has been updated to drop contributory binary
properties such as `Other_ID_Start` and `Other_ID_Continue`.

This patch reverts commit 26e5d0129c and
adds tests to ensure these properties are not supported.

R=
BUG=v8:4743

Review-Url: https://codereview.chromium.org/2809143003
Cr-Commit-Position: refs/heads/master@{#44569}
2017-04-11 12:40:41 +00:00
machenbach
13ad508110 Revert of [date] Add ICU backend for timezone info behind a flag (patchset #17 id:320001 of https://codereview.chromium.org/2724373002/ )
Reason for revert:
Breaks noi18n:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20noi18n%20-%20debug/builds/13314

Original issue's description:
> [date] Add ICU backend for timezone info behind a flag
>
> This patch implements a timezone backend which is based on ICU, rather
> than operating system calls. It can be turned on by passing the
> --icu-timezone-data flag. The goal here is to take advantage of ICU's
> data, which is more complete than the data that some system calls expose.
> For example, without any special code, this patch fixes the time zone
> of Lord Howe Island to have a correct 30 minute DST offset, rather than
> 60 minutes as the OS backends assume it to have.
>
> Unfortunately, the parenthized timezone name in Date.prototype.toString()
> differs across platforms. This patch chooses the long timezone name,
> which matches Windows behavior and might be the most intelligible, but
> the web compatibility impact is unclear.
>
> BUG=v8:6031,v8:2137,v8:6076
>
> Review-Url: https://codereview.chromium.org/2724373002
> Cr-Commit-Position: refs/heads/master@{#44562}
> Committed: b213f23990

TBR=ulan@chromium.org,jshin@chromium.org,jgruber@chromium.org,littledan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:6031,v8:2137,v8:6076

Review-Url: https://codereview.chromium.org/2811103002
Cr-Commit-Position: refs/heads/master@{#44565}
2017-04-11 12:07:29 +00:00
Michael Starzinger
1f3a863bbd [turbofan] Fix traversal order of boilerplate objects.
This fixes {JSCreateLowering} to traverse boilerplate objects in the
same order the runtime uses (i.e. properties first, elements second).
That order is hard-coded in the nesting of {AllocationSite} objects.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-709537
BUG=chromium:709537

Change-Id: I8f446a0880448ea88a3e242e92d11d611581a42b
Reviewed-on: https://chromium-review.googlesource.com/474028
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44563}
2017-04-11 11:42:52 +00:00
littledan
b213f23990 [date] Add ICU backend for timezone info behind a flag
This patch implements a timezone backend which is based on ICU, rather
than operating system calls. It can be turned on by passing the
--icu-timezone-data flag. The goal here is to take advantage of ICU's
data, which is more complete than the data that some system calls expose.
For example, without any special code, this patch fixes the time zone
of Lord Howe Island to have a correct 30 minute DST offset, rather than
60 minutes as the OS backends assume it to have.

Unfortunately, the parenthized timezone name in Date.prototype.toString()
differs across platforms. This patch chooses the long timezone name,
which matches Windows behavior and might be the most intelligible, but
the web compatibility impact is unclear.

BUG=v8:6031,v8:2137,v8:6076

Review-Url: https://codereview.chromium.org/2724373002
Cr-Commit-Position: refs/heads/master@{#44562}
2017-04-11 11:37:31 +00:00
Camillo Bruni
55f5bac450 [tools] Add options to separate more entries in tickprocessor
Enable separatio of ic, bytecode, builtin and stub entries through:
    --separate-ic=true
    --separate-bytecodes=true
    --separate-builtins=true
    --separate-stubs=true

Change-Id: I6da4be7add093bb54abe956c60cd186e735ed9b5
Reviewed-on: https://chromium-review.googlesource.com/473046
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44555}
2017-04-11 10:23:02 +00:00
Michael Starzinger
7f7d403d1e [asm.js] Test and fix call kind collisions.
R=clemensh@chromium.org
TEST=mjsunit/asm/call-collisions
BUG=v8:6202

Change-Id: Ie382ed011defb0146c07336b1fd65532ecc20e2e
Reviewed-on: https://chromium-review.googlesource.com/473146
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44554}
2017-04-11 10:05:03 +00:00
gsathya
94283dcf44 [ESNext] Implement DynamicImportCall
This patch implements the runtime semantics of dynamic import.

We create a new ASTNode so that we can pass the JSFunction closure() to
the runtime function from which we get the script_url.

d8 implements the embedder logic required to load and evaluate the modules.

The API is mostly implemented as specified.

BUG=8:5785

Review-Url: https://codereview.chromium.org/2703563002
Cr-Commit-Position: refs/heads/master@{#44551}
2017-04-11 09:33:11 +00:00
yangguo
26e5d0129c [regexp] implement \p{Other_ID_Start} and \p{Other_ID_Continue}.
Other_ID_Start and Other_ID_Continue are not supported by ICU, so for
now we implement these manually as special binary property classes.

R=jgruber@chromium.org
BUG=v8:4743

Review-Url: https://codereview.chromium.org/2808803002
Cr-Commit-Position: refs/heads/master@{#44549}
2017-04-11 07:10:33 +00:00
aseemgarg
14be6ae5e1 [Atomics] use TFJ builtins for atomic add, sub, and, or, and xor
BUG=v8:4614
R=binji@chromium.org,jarin@chromium.org

Review-Url: https://codereview.chromium.org/2799863002
Cr-Commit-Position: refs/heads/master@{#44542}
2017-04-11 00:09:37 +00:00
Peter Marshall
e00dd8ebe1 [runtime] Filter out non-JSObject prototypes when eliding iteration.
We assumed that every JSArray would have a JSObject as a prototype,
but it could be null, in which case we bail out to slow path.

Also rename spread_array variable here, because this fast-path
isn't just used by spreads anymore.

Bug: chromium:707675
Change-Id: I8045d83977735dd00c3ebde2e0704f6b04afdedd
Reviewed-on: https://chromium-review.googlesource.com/472907
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44531}
2017-04-10 15:37:11 +00:00
jgruber
db61537afc [regexp] Avoid side effects between map load and fast path check
Loading the map, performing a side-effect, and then using the stored
pointer for the fast-path check is another antipattern that can lead to
unintended shapes on the fast path.

BUG=chromium:709029

Review-Url: https://codereview.chromium.org/2807153002
Cr-Commit-Position: refs/heads/master@{#44528}
2017-04-10 14:57:55 +00:00
mtrofin
85b1f108c5 Fixed accounting issues due to code table containing imports as well as wasm funcs.
Ensuring we move forward all the deferred handles, in all cases.

BUG=

Review-Url: https://codereview.chromium.org/2807013002
Cr-Commit-Position: refs/heads/master@{#44525}
2017-04-10 14:03:59 +00:00
Clemens Hammacher
88e169dc62 [wasm] Stop decoding sections once an error occured
We went on decoding the next section, which happened to be the start
section. But since the function section had an error, the signature
pointer was not still {nullptr} on the start function, leading to a
segfault.

Drive-by fix: Improve decoder trace output.

R=ahaas@chromium.org
BUG=chromium:708714, chromium:708787

Change-Id: I5ae2adb32764b9d154f1ca878019f26ac31839b4
Reviewed-on: https://chromium-review.googlesource.com/472847
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44521}
2017-04-10 13:00:50 +00:00
Camillo Bruni
186bfbb1b9 [runtime] Fix TypedArray slice when sharing the underlying buffer
According to the spec the copy step is defined iteratively and with
@@species we can create a TypedArray which shares the buffer with the
receiver which in turn prevents us from using memcpy.

Bug: v8:6223

Change-Id: If1bad085ea1d022bf3fb2cffc81645b2f7f56346
Reviewed-on: https://chromium-review.googlesource.com/471409
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44520}
2017-04-10 12:57:21 +00:00
Marja Hölttä
930174c25c [parser] Skipping inner funcs: Fix untrue DCHECK.
The DCHECK added by https://chromium-review.googlesource.com/461827 was not true
in case we failed to compile the function.

BUG=chromium:708598

Change-Id: I6a542c3ac6281c0549396b4ff0af34ea44450006
Reviewed-on: https://chromium-review.googlesource.com/472826
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44513}
2017-04-10 11:03:30 +00:00
yangguo
582921454d [regexp] add more tests for binary property classes.
R=jgruber@chromium.org
BUG=v8:4743

Review-Url: https://codereview.chromium.org/2803693006
Cr-Commit-Position: refs/heads/master@{#44512}
2017-04-10 10:19:01 +00:00
Peter Marshall
cc75535dc9 [runtime] Fix spec bug in TypedArrayConstruct with mutating iterables.
The spec requires that we use IterableToList, which we skipped for
some arrays as an optimization. We can't skip this for arrays with
objects though, because the objects may mutate the array during
the copying step via valueOf side effects.

Also clean up the implementation to use a runtime function rather
than a builtin as the helper. Also reverses the result of the helper
because I think it is a bit more intuitive that way.

Bug: v8:6224
Change-Id: I9199491abede4479785df6d9068331bc2d6e9c5e
Reviewed-on: https://chromium-review.googlesource.com/471986
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44507}
2017-04-10 09:11:01 +00:00
binji
03e260cb2a [SAB] Fix {newtarget-prototype-is-not-object,proto-from-ctor-realm} tests
This revealed a bug in the TypedArray(typedArray) constructor when the arg is backed by a SharedArrayBuffer.

Also install the species getter and add a test, since it's not tested in
test262 presently.

BUG=v8:5983,v8:5984
R=adamk@chromium.org

Review-Url: https://codereview.chromium.org/2798403004
Cr-Commit-Position: refs/heads/master@{#44500}
2017-04-08 20:13:45 +00:00
Clemens Hammacher
1a73f73b3b [wasm] Implement extensible name section
The format of the name section changed recently. It now contains
subsections of different type (currently for function names or local
variable names).
This CL changes our internal wasm module builders (in JS and C++) to
emit this new format, and changes the decoder to understand it.
We currently only parse the function name section, and ignore names of
local variables. I will later extend this to parse local variable names
when needed for debugging.

R=ahaas@chromium.org, rossberg@chromium.org
BUG=v8:6222

Change-Id: I2627160c25c9209a3f09abe0b88941ec48b24434
Reviewed-on: https://chromium-review.googlesource.com/470247
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44492}
2017-04-07 16:31:47 +00:00
jgruber
52a53da5a4 [csa] Fix CSA::ToUint32 rounding for negative HeapNumbers
The spec requires truncation while ToUint32 originally rounded down.
This also adds a bunch of test cases to check edge case behavior.

BUG=v8:6212

Review-Url: https://codereview.chromium.org/2805783003
Cr-Commit-Position: refs/heads/master@{#44487}
2017-04-07 12:50:15 +00:00
jgruber
f3b848fe5d [regexp] Updates for unicode escapes in capture names
Update docs and tests for recent changes in the spec for unicode escapes
in capture group names.

https://github.com/tc39/proposal-regexp-named-groups/issues/23

BUG=v8:5437

Review-Url: https://codereview.chromium.org/2788423003
Cr-Commit-Position: refs/heads/master@{#44474}
2017-04-07 08:57:42 +00:00
jgruber
1329d15e99 [regexp] Throw on invalid capture group names in replacer string
References to invalid names (i.e. not specified as a named group in the
pattern) throw a SyntaxError. Unmatched groups are still replaced by the
empty string.

See https://github.com/tc39/proposal-regexp-named-groups/issues/14.

BUG=v8:5437

Review-Url: https://codereview.chromium.org/2791183002
Cr-Commit-Position: refs/heads/master@{#44471}
2017-04-07 08:32:46 +00:00
jgruber
4498419438 [regexp] Add tests for recent changes in Annex B
See https://github.com/tc39/ecma262/pull/303.

BUG=v8:5937,v8:6201

Review-Url: https://codereview.chromium.org/2793313002
Cr-Commit-Position: refs/heads/master@{#44467}
2017-04-07 07:52:10 +00:00
jgruber
a8651c5671 [regexp] Support unicode capture names in non-unicode patterns
This ensures that capture names containing surrogate pairs are parsed
correctly even in non-unicode RegExp patterns by introducing a new
scanning mode which unconditionally combines surrogate pairs.

BUG=v8:5437,v8:6192

Review-Url: https://codereview.chromium.org/2791163003
Cr-Commit-Position: refs/heads/master@{#44466}
2017-04-07 07:34:10 +00:00
jgruber
ed5496f3cd [regexp] Properly handle HeapNumbers in AdvanceStringIndex
This fixes behavior for HeapNumber {index} arguments passed to
AdvanceStringIndex.

Previously, we'd blindly treat {index} as a Smi. Passing a HeapNumber instead
would result in a Smi addition on the tagged HeapNumber pointer.

BUG=chromium:709015

Review-Url: https://codereview.chromium.org/2798933003
Cr-Commit-Position: refs/heads/master@{#44458}
2017-04-06 18:43:09 +00:00
Peter Marshall
4f03ccdfcf [errors] Add the requested length to the TypedArray length error.
Why not?

Bug: v8:6215
Change-Id: I29f3731cbd0d03af6858eb475a1df8b8988cb89f
Reviewed-on: https://chromium-review.googlesource.com/469848
Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44452}
2017-04-06 16:05:58 +00:00
jgruber
1ccf6c0943 [regexp] Fix two more possible shape changes on fast path
This CL fixes two more cases in which a regexp could unintentionally transition
to slow mode while on the fast path, leading to possible OOB accesses of
lastIndex.

In both cases, the fix is to re-check the shape and possibly bail to runtime.

BUG=chromium:708247,v8:6210

Review-Url: https://codereview.chromium.org/2803603005
Cr-Commit-Position: refs/heads/master@{#44451}
2017-04-06 15:52:21 +00:00
Camillo Bruni
98d1d4ec9b [tests] Introduce %HeapObjectVerify runtime function for tests
Bug: v8/6024
Change-Id: Iff8a1b7a75e9f8f18ac24f31a5275e91aa16a272
Reviewed-on: https://chromium-review.googlesource.com/469347
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44439}
2017-04-06 11:16:43 +00:00
Andreas Haas
22615158ed Reland [wasm] Make WebAssembly.compile() asynchronous
The following aspects were changed for the reland:

* The DeferredHandleScope is supposed with a specific pattern,
  i.e. allocate handles in a normal HandleScope and then 
  reopen them in the DeferredHandleScope.
* Set the native_context when it is used in a task.

Change-Id: Ia42c46ec6bc73179cb1f458e36658414ff85cc23
Reviewed-on: https://chromium-review.googlesource.com/468809
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44434}
2017-04-06 10:13:08 +00:00
jgruber
ae45935646 [regexp] Ensure there are no shape changes on the fast path
BUG=v8:5437,chromium:708247

Review-Url: https://codereview.chromium.org/2797993002
Cr-Commit-Position: refs/heads/master@{#44428}
2017-04-06 08:12:56 +00:00
Michael Starzinger
5e8eb624fa [asm.js] Prevent throwing of asm.js warning messages.
This fixes a corner case which allowed warnings during the asm.js
instantiation to be promoted to actual exceptions. Even instantiation
attempts that fail are not allowed to throw exceptions observable by
JavaScript, but need to fall back to JavaScript execution.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-6203
BUG=v8:6203

Change-Id: I86f5a3adda4bcfe63b5cddc42d8ae1c3dbb88147
Reviewed-on: https://chromium-review.googlesource.com/468808
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44414}
2017-04-05 14:41:52 +00:00
Michael Starzinger
42b179c4e5 [asm.js] Fix source positions of ToNumber conversions.
This extends the test coverage for source position tracking of ToNumber
conversion to also test conversion to "double" type. It also fixes the
discovered inconsistencies. Note that the conversion to "float" remains
untested as imported functions are not allowed have "float" return type.

R=clemensh@chromium.org
TEST=mjsunit/wasm/asm-wasm-exception-in-tonumber
BUG=v8:6127

Change-Id: I6c59b7a24456a585a814f19a86eb9447ac5098ab
Reviewed-on: https://chromium-review.googlesource.com/467251
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44409}
2017-04-05 12:34:55 +00:00
jgruber
d890ec3261 [regexp] Disallow '\' in capture names
IdentifierStart::Is and IdentifierContinue::Is both return true for '\'.
The reason for this is lost to history.

Special-case '\' in the regexp parser to handle this.

BUG=v8:5437,v8:5868

Review-Url: https://codereview.chromium.org/2795093003
Cr-Commit-Position: refs/heads/master@{#44396}
2017-04-05 07:01:50 +00:00
Caitlin Potter
5f782db954 [parser] don't rewrite destructuring assignments in params for lazy top level arrow functions
Remove destructuring assignments (parsed during arrow function formal
parameters) from queue for rewriting if parsing a lazy top-level arrow function.

Built ontop of https://chromium-review.googlesource.com/c/464769/

BUG=chromium:706234, chromium:706761, v8:6182
R=marja@chromium.org, adamk@chromium.org, vogelheim@chromium.org

Change-Id: Ib35196b907350d1d78e4c3fcbf4cc971bf200948
Reviewed-on: https://chromium-review.googlesource.com/465415
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44393}
2017-04-04 20:35:03 +00:00
Adam Klein
8b8295dbb9 [regexp] Handle a function Proxy passed to String.prototype.replace
Bug: v8:6186
Change-Id: If460313ee861f826a89bc7390a5e35d43d175622
Reviewed-on: https://chromium-review.googlesource.com/466549
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44390}
2017-04-04 18:48:56 +00:00
Loo Rong Jie
2b1b32253b [typedarray] ToNumber coercion is done only once for TA.p.fill
Update according to new spec change at
https://github.com/tc39/ecma262/pull/856

- Call ToNumber only once in BUILTIN
- Remove unused FillNumberSlowPath
- FillImpl assumes obj_value->IsNumber() is true
- Update test

Bug:v8:5929,chromium:702902

Change-Id: Ic83e6754d043582955b81c76e68f95e1c6b7e901
Reviewed-on: https://chromium-review.googlesource.com/465646
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44373}
2017-04-04 12:51:56 +00:00
Clemens Hammacher
d1b4d4fea6 [wasm] [interpreter] Fix GC issue
Make sure that we call the destructors on all embedded object by
replacing the WasmInterpreterInternals::Delete method by an actual
destructor. This way, the compiler automatically calls destructors on
all embedded objects, in particular the IdentityMap in the CodeMap.

This change also requires to release managed objects *before*
tearing down the heap, because the wasm interpreter, referenced via
Managed<>, contains global handles. When those are destroyed, the
isolate still needs to be intact.

Drive-by: Fix include guard in managed.h.

R=ahaas@chromium.org, ulan@chromium.org, mvstanton@chromium.org
BUG=v8:5822

Change-Id: I9a067f037e013c84e4d697a1e913b27c683bb529
Reviewed-on: https://chromium-review.googlesource.com/466187
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44368}
2017-04-04 10:39:57 +00:00
Michael Starzinger
ce06d1f232 [asm.js] Fix nested function table calls.
This makes temporary variables nestable and fixes borked nesting with
function table calls by introducing a {TemporaryVariableScope} helper.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-6196
BUG=v8:6196

Change-Id: Ie760f27ce9ede3d4d5dacdebdc295c56cc666970
Reviewed-on: https://chromium-review.googlesource.com/467327
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44367}
2017-04-04 10:28:06 +00:00
Franziska Hinkelmann
28a3e34bdd [type-profile] Return type profile object.
Return a structured objet with the type profile
information.

Move the test from message to mjsunit.

BUG=v8:5933

Change-Id: I3e1c592697924d87f82d46b0ddbdb6d82d9c8467
Reviewed-on: https://chromium-review.googlesource.com/464847
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44364}
2017-04-04 09:02:49 +00:00
machenbach
68c14892cb Revert of [typedarrays] Check detached buffer at start of typed array methods (patchset #10 id:180001 of https://codereview.chromium.org/2778623003/ )
Reason for revert:
Breaks layout tests:
https://build.chromium.org/p/tryserver.v8/builders/v8_linux_blink_rel/builds/18499

Changes:
https://storage.googleapis.com/chromium-layout-test-archives/v8_linux_blink_rel/18499/layout-test-results/results.html

See:
https://github.com/v8/v8/wiki/Blink-layout-tests

Original issue's description:
> [typedarrays] Check detached buffer at start of typed array methods
>
> - Throw TypeError in ValidateTypedArray, matching JSC, SpiderMonkey
>   and ChakraCore.
> - Validate typed arrays at start of each typed array prototype
>   methods in src/js/typedarrays.js
> - Add tests to check detached buffers
> - Remove an unnecessary parameter of TypedArraySpeciesCreate
>   in src/js/typedarrays.js
> - Standardize TypedArray.prototype.subarray
> - Update test262.status to pass detached buffer tests
>
> BUG=v8:4648,v8:4665,v8:4953
>
> Review-Url: https://codereview.chromium.org/2778623003
> Cr-Commit-Position: refs/heads/master@{#44357}
> Committed: 238d5b4453

TBR=cbruni@chromium.org,adamk@chromium.org,bmeurer@chromium.org,littledan@chromium.org,petermarshall@chromium.org,cwhan.tunz@gmail.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4648,v8:4665,v8:4953

Review-Url: https://codereview.chromium.org/2793233003
Cr-Commit-Position: refs/heads/master@{#44362}
2017-04-04 08:01:02 +00:00
Michael Starzinger
6a3756f9de [asm.js] Fix names for forward declared functions.
This fixes the name stored with functions where the declaration was
hoisted above the actual function definition. It also extends test
coverage and emits proper source position mapping for such cases.

R=clemensh@chromium.org
TEST=mjsunit/wasm/asm-wasm-stack
BUG=v8:6127

Change-Id: I675a98b244fe2157925e799b5c46b7f6bd53c9da
Reviewed-on: https://chromium-review.googlesource.com/466247
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44361}
2017-04-04 07:55:54 +00:00
jgruber
31700b7fbd [regexp] Stage the dotall flag
BUG=v8:6172

Review-Url: https://codereview.chromium.org/2795693002
Cr-Commit-Position: refs/heads/master@{#44360}
2017-04-04 07:04:20 +00:00
cwhan.tunz
238d5b4453 [typedarrays] Check detached buffer at start of typed array methods
- Throw TypeError in ValidateTypedArray, matching JSC, SpiderMonkey
  and ChakraCore.
- Validate typed arrays at start of each typed array prototype
  methods in src/js/typedarrays.js
- Add tests to check detached buffers
- Remove an unnecessary parameter of TypedArraySpeciesCreate
  in src/js/typedarrays.js
- Standardize TypedArray.prototype.subarray
- Update test262.status to pass detached buffer tests

BUG=v8:4648,v8:4665,v8:4953

Review-Url: https://codereview.chromium.org/2778623003
Cr-Commit-Position: refs/heads/master@{#44357}
2017-04-04 03:48:48 +00:00
Caitlin Potter
44b5be0473 Reland Stage --harmony-function-tostring"
Relanding now that v8:6190 has been fixed

BUG=v8:4958
R=adamk@chromium.org, littledan@chromium.org, jwolfe@igalia.com

Change-Id: I2732dbf96c5f9f899cee826dd2fdc621098a87e5
Reviewed-on: https://chromium-review.googlesource.com/466226
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44351}
2017-04-03 16:50:55 +00:00
Michael Starzinger
0cb5ba0ef0 [asm.js] Fix function table call position tracking.
This adds test coverage for the source position tracking of function
table calls in asm.js and fixes the discovered issues. It also fixes
function start positions (used by errors thrown at stack checks).

R=clemensh@chromium.org
TEST=mjsunit/wasm/asm-wasm-stack
BUG=v8:6127,v8:6166

Change-Id: Id6ab6dc72bcedb0d838eed315e2a05fbc59039f4
Reviewed-on: https://chromium-review.googlesource.com/465949
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44348}
2017-04-03 15:33:53 +00:00
Michael Achenbach
668dcf3b56 Revert "[wasm] Make WebAssembly.compile() asynchronous"
This reverts commit 7a6e6bb1e2.

Reason for revert: breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/14688

See:
https://github.com/v8/v8/wiki/Blink-layout-tests

Original change's description:
> [wasm] Make WebAssembly.compile() asynchronous
> 
> titzer@ originally created this
> CL (https://codereview.chromium.org/2757903002). I fixed crashing tests
> and adressed some comments of the reviewers.
> 
> R=​bradnelson@chromium.org, clemensh@chromium.org, mtrofin@chromium.org
> BUG=v8:6003
> 
> Change-Id: I4ab6d503909402d24043657a896200032e6d1023
> Reviewed-on: https://chromium-review.googlesource.com/464887
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44333}

TBR=bradnelson@chromium.org,mtrofin@chromium.org,ahaas@chromium.org,clemensh@chromium.org,titzer@chromium.org,v8-reviews@googlegroups.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:6003

Change-Id: I87dbdbba0be4624828b6b0a94e02b6681593e335
Reviewed-on: https://chromium-review.googlesource.com/465813
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44342}
2017-04-03 14:34:38 +00:00
Peter Marshall
c5ad59f4d4 [builtins] Use length field in TypedArrayConstructByArrayLike.
The byte_length field of the TypedArray is not set to 0 on neutering,
but JSArrayBufferView::byte_length() returns 0 if WasNeutered() is
true. We should use the length property here instead.

We can just short-circuit if the length is 0. Added checks to the
memcpy path that assert length and neutered status are sane.

Bug:chromium:707472,chromium:707595,chromium:707364,chromium:707410

Change-Id: Ia1dec53f175357673012cbbc5e2fc40207e03623
Reviewed-on: https://chromium-review.googlesource.com/465987
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44336}
2017-04-03 12:45:22 +00:00
Michael Starzinger
953bdee0ef [asm.js] Track token positions in scanner.
This adds support for tracking token positions in the asm.js scanner and
uses these positions to emit a mapping from WASM to asm.js positions.
Note that the mapping is still incomplete (some call sites are not yet
covered).

R=clemensh@chromium.org
TEST=debugger/debug/wasm/asm-debug
BUG=v8:6127

Change-Id: Ic8aad1a85e7d9e19da2eec523fcc73d4984afcc8
Reviewed-on: https://chromium-review.googlesource.com/466046
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44335}
2017-04-03 11:58:52 +00:00
Andreas Haas
7a6e6bb1e2 [wasm] Make WebAssembly.compile() asynchronous
titzer@ originally created this
CL (https://codereview.chromium.org/2757903002). I fixed crashing tests
and adressed some comments of the reviewers.

R=bradnelson@chromium.org, clemensh@chromium.org, mtrofin@chromium.org
BUG=v8:6003

Change-Id: I4ab6d503909402d24043657a896200032e6d1023
Reviewed-on: https://chromium-review.googlesource.com/464887
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44333}
2017-04-03 11:04:02 +00:00
Clemens Hammacher
a472eccd53 [wasm] [interpreter] Test unwinding a single activation
A DCHECK was failing if we unwind an activation which is not the
bottom-most. This CL fixes this and adds a test for this.

R=ahaas@chromium.org
BUG=v8:5822

Change-Id: Ib69116b4c45a7b2a0d6cab97ad984dfdcda55918
Reviewed-on: https://chromium-review.googlesource.com/464788
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44332}
2017-04-03 10:25:43 +00:00
Daniel Ehrenberg
81a976953d Revert "Stage --harmony-function-tostring"
This reverts commit fa31434127.

Reason for revert: Causes a significant bug: https://bugs.chromium.org/p/v8/issues/detail?id=6190

Original change's description:
> Stage --harmony-function-tostring
> 
> BUG=v8:4958
> 
> Change-Id: Id02d36fce76eed54a5a3d348dbac2ea7d43f4ef3
> Reviewed-on: https://chromium-review.googlesource.com/462336
> Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
> Commit-Queue: Adam Klein <adamk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44275}

TBR=adamk@chromium.org,littledan@chromium.org,hablich@chromium.org,v8-reviews@googlegroups.com
# Not skipping CQ checks because original CL landed > 1 day ago.
BUG=v8:4958

Change-Id: I43388674e454275fb93a15b9af03e3d8c3cfaaa2
Reviewed-on: https://chromium-review.googlesource.com/465810
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44330}
2017-04-03 09:28:14 +00:00
jgruber
a3be9e78c1 [regexp] Allow named captures and back-references in non-unicode patterns
Previously, named captures (and related functionality) were restricted to
unicode-mode regexps.

This CL extends that support to non-unicode patterns. Named groups are
supported regardless of the mode, and named back-references are supported if
the regexp is in unicode mode or if it contains a named capture (otherwise '\k'
is treated as an identity escape).

BUG=v8:5437,v8:6192

Review-Url: https://codereview.chromium.org/2788873002
Cr-Commit-Position: refs/heads/master@{#44324}
2017-04-03 08:03:09 +00:00
cwhan.tunz
c5c0765ad9 [typedarrays] Move %TypedArray%.prototype.slice to C++
- Implement %TypedArray%.prototype.slice to C++ builtins
- Remove TypedArraySlice in src/js/typedarray.js
- Implement TypedArraySpeciesCreate in builtins-typedarray.cc
- Implement TypedArrayCreate in builtins-typedarray.cc

BUG=v8:5929

Review-Url: https://codereview.chromium.org/2763473002
Cr-Commit-Position: refs/heads/master@{#44322}
2017-04-01 16:46:10 +00:00
gdeepti
0f9680cd2d [wasm] Gate SIMD load/store opcodes with the --wasm-simd-prototype flag.
BUG=chromium:702460

R=mtrofin@chromium.org, bbudge@chromium.org

Review-Url: https://codereview.chromium.org/2794693002
Cr-Commit-Position: refs/heads/master@{#44319}
2017-03-31 22:52:59 +00:00
bmeurer
2de2840f2e [bootstrapper] Ensure RegExp constructor has fast properties.
Currently x instanceof RegExp checks cannot take the fast path, since
the RegExp constructor has dictionary properties. To avoid that, just
forcibly migrate the RegExp constructor to fast properties again once
it's fully setup in the bootstrapper. This yields a 10x improvement for
x instanceof RegExp checks.

R=yangguo@chromium.org
BUG=v8:5902

Review-Url: https://codereview.chromium.org/2786143004
Cr-Commit-Position: refs/heads/master@{#44316}
2017-03-31 18:27:30 +00:00
jgruber
686c37839c [regexp] Revert to ZoneList usage in @@replace
Fixes a crash found by clusterfuzz caused by a call to
std::vector::reserve with a huge capacity, and reverts to ZoneList
handling as a tentative fix for performance regressions on the slow
@@replace path.

BUG=chromium:707187,chromium:706748,v8:5437

Review-Url: https://codereview.chromium.org/2787343002
Cr-Commit-Position: refs/heads/master@{#44311}
2017-03-31 14:38:36 +00:00
jgruber
3f8b2aeb35 [regexp] Fix numbered reference before named capture
Numbered back-references that occur before the referenced capture
trigger an internal mini-parser that looks ahead in the pattern and
counts capturing groups.

This updates the mini-parser to correctly handle named captures.

BUG=v8:5437

Review-Url: https://codereview.chromium.org/2792523002
Cr-Commit-Position: refs/heads/master@{#44303}
2017-03-31 10:50:05 +00:00
Peter Marshall
a450c18544 [builtins] Copy array contents using JS in ConstructByArrayLike.
The last CL https://chromium-review.googlesource.com/c/456707/ caused
some pretty heavy performance regressions. After experimenting, it
seems the easiest and most straight-forward way to copy the elements
into the new typed array is to do it in JS.

Adds a fast path for typed arrays, where the source typed array has
the same elements kind, in which case we can just copy the backing
store using memcpy.

This CL also removes regression test 319120 which is from a pwn2own
vulnerability. The old code path enforced a maximum byte_length
that was too low, which this change removes. The length property of
the typed array must be a Smi, but the byte_length, which can be up
to 8x larger than length for a Float64Array, can be a heap number.

We can also re-use some of the logic from ConstructByLength when
deciding whether to allocate the buffer on- or off-heap, so that
is factored out into InitializeBasedOnLength. We can also re-use
the DoInitialize helper instead of calling into the runtime,
meaning we can remove InitializeFromArrayLike.

BUG=v8:5977,chromium:705503,chromium:705394

Change-Id: I63372652091d4bdf3a9491acef9b4e3ac793a755
Reviewed-on: https://chromium-review.googlesource.com/459621
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44301}
2017-03-31 10:37:57 +00:00
Clemens Hammacher
da7786759e [wasm] Fix grow_memory implementation in interpreter
grow_memory was working from test cases, but not in combination with
compiled code. This CL makes the effect of grow_memory executed either
in the interpreter or compiled code always be reflected in both
execution environments.
It also adds a %RedirectToWasmInterpreter runtime function for testing
this interaction.

R=ahaas@chromium.org
CC=gdeepti@chromium.org
BUG=v8:5822

Change-Id: I3e7c184c42ef655d1c30d2e0dddad7fb783455fc
Reviewed-on: https://chromium-review.googlesource.com/463506
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44297}
2017-03-31 09:29:13 +00:00
Clemens Hammacher
701124db95 [wasm] [interpreter] Add stack overflow checks
Add a limit to the number of nested call frames in the C++ wasm
interpreter.
Both the size of the value stack as well as the size of the block stack
are limited per call frame. Thus, a limit on only the call frame stack
is enough to limit the overall memory consumption of one interpreter
instance.

R=ahaas@chromium.org
BUG=v8:5822

Change-Id: If9f7e547cd1d003bc2ae3c7586ece6b3cf3be587
Reviewed-on: https://chromium-review.googlesource.com/463486
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44296}
2017-03-31 09:22:56 +00:00
jgruber
cec39ad1ad [regexp] Add support for dotAll flag
The dotAll flag changes behavior of the dot '.' character to match every
possible single character instead of excluding certain line terminators.

The implementation is staged behind --harmony-regexp-dotall.

Spec proposal: https://github.com/mathiasbynens/es-regexp-dotall-flag

BUG=v8:6172

Review-Url: https://codereview.chromium.org/2780173002
Cr-Commit-Position: refs/heads/master@{#44295}
2017-03-31 09:20:13 +00:00
jgruber
cb812f8e58 [regexp] Extend tests for named captures
Additional tests, mostly for interactions with lookbehind assertions.

BUG=v8:5437

Review-Url: https://codereview.chromium.org/2784813002
Cr-Commit-Position: refs/heads/master@{#44290}
2017-03-31 07:57:15 +00:00
Caitlin Potter
e89452dd25 [async-iteration] improve Function.prototype.toString() output
Currently, async generators are stringified the same way normal
Generators are. This change prefixes async generator methods with
"async *", and other async generator functions with
"async function* ".

BUG=v8:5855
R=adamk@chromium.org, littledan@chromium.org, jwolfe@igalia.com

Change-Id: Ia809fad64caac4464dbc9f7fa7728584d0f67832
Reviewed-on: https://chromium-review.googlesource.com/463526
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44278}
2017-03-30 17:40:58 +00:00
Andreas Haas
c066623ed7 [wasm] Fix the regression-680683 test.
The test was out-dated. The wasm bytes still had the version 0xd, and
no END instruction at the end of the function. In addition, the test
used asynchronous compilation but did not wait for the promise to
resolve.

R=clemensh@chromium.org

Change-Id: Ib01f47ac8f668401ed14470af7100e990e5bbd94
Reviewed-on: https://chromium-review.googlesource.com/463286
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44276}
2017-03-30 17:37:29 +00:00
Adam Klein
fa31434127 Stage --harmony-function-tostring
BUG=v8:4958

Change-Id: Id02d36fce76eed54a5a3d348dbac2ea7d43f4ef3
Reviewed-on: https://chromium-review.googlesource.com/462336
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44275}
2017-03-30 16:49:55 +00:00
tebbi
e837594cd8 [builtins] Implement %TypedArray%.prototype.{some,every} in the CSA
R=mvstanton@chromium.org,danno@chromium.org

Review-Url: https://codereview.chromium.org/2775203002
Cr-Commit-Position: refs/heads/master@{#44274}
2017-03-30 16:36:53 +00:00
Michael Starzinger
e803448767 [asm.js] Enable tests that should no longer fail.
R=machenbach@chromium.org
BUG=v8:6127

Change-Id: If029d449aedb6c10ec14aa847a2b68e6ce46ef94
Reviewed-on: https://chromium-review.googlesource.com/463046
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44273}
2017-03-30 16:20:21 +00:00
bmeurer
c019e53cbb [turbofan] Disable inlining of derived class constructors.
The inlining logic doesn't account for the fact that the derived
constructor could return a primitive, thus leaking the implicit
receiver (which is the hole).

R=jarin@chromium.org
BUG=chromium:706642

Review-Url: https://codereview.chromium.org/2788603002
Cr-Commit-Position: refs/heads/master@{#44264}
2017-03-30 10:17:10 +00:00
Michael Starzinger
709bc4229c [asm.js] Fix invalid test case.
R=clemensh@chromium.org
BUG=v8:6127

Change-Id: I5e1b0d3efdf7f4aede7da83a35c072b5ac85d5c7
Reviewed-on: https://chromium-review.googlesource.com/463026
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44261}
2017-03-30 09:16:25 +00:00
Michael Starzinger
6748fa7cad [asm.js] Fix assignment with undeclared target.
R=clemensh@chromium.org
BUG=v8:6127

Change-Id: I32d2a36cdc2a65c3e0016e49157524573755d09d
Reviewed-on: https://chromium-review.googlesource.com/461185
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44260}
2017-03-30 08:36:17 +00:00
mtrofin
f2531acb1e [wasm] Fix serialization after instantiation
The regression comes from attempting to serialize a module with memory
requirements after instantiation - which is what happens in common emscripten
scenarios, where the module is obtained from WebAssembly.instantiate(buffer). We then try and serialize the JSArrayBuffer
representing the instance memory. That operation fails.

Added regression test and also extended the test to cover the other 2
instance-specific values - globals and tables.

Added a discussion on WasmCompiledModule (comments) explaining design decisions.

BUG=chromium:705562

Review-Url: https://codereview.chromium.org/2784453002
Cr-Commit-Position: refs/heads/master@{#44250}
2017-03-29 21:22:57 +00:00