We were looking at the unreachable flag or stack_depth of the target frame
instead of the current one in a couple of places (most notably BreakTo).
This change fixes these bugs and makes us pass the latest spec tests for
br_table validation. Also need to ensure that br_table targets have consistent
types, which is not implied if the stack is polymorphic.
R=titzer@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2696813002
Cr-Commit-Position: refs/heads/master@{#43250}
The serializer won't ever write a more complex object. Not validating this
allows other things to be used as keys, and converted to string when the
property set actually occurs. It turns out this gives an opportunity to trigger
OOM by giving an object a key which is a very large sparse array (whose string
representation is very large).
This case is now rejected by the deserializer.
BUG=chromium:686511
Review-Url: https://codereview.chromium.org/2697023002
Cr-Commit-Position: refs/heads/master@{#43249}
One optimization in the machine-operator-reducer did not consider that
that word32 shift left instructions only consider the last 5 bits of
the shift input.
The issue only occurs for WebAssembly because in JavaScript we always
add a "& 0xf" on the shift value to the TurboFan graph.
For additional background: The JavaScript and WebAssembly spec both
say that only the last 5 bits of the shift value are used in the
word32-shift-left operation. This means that an "x << 0x29", in the
code is actually executed as "x << 0x09". Therefore the changes in
this CL are okay because they mask the last 5 bit of the shift value.
BUG=chromium:689450
Change-Id: Id92f298ed6d7f1714b109b3f4fbcecd5ac6d30f7
Reviewed-on: https://chromium-review.googlesource.com/439312
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43245}
Map OOM breaks generated by inspector to DebugEvent.OOM.
This avoids generating unintentional DebugEvent.Break events.
Also be more future-proof in event categorization.
On a related note, this CL also fixes a DCHECK in
Runtime::GetFrameDetails.
The receiver needs to be grabbed from the inlined frame, not
the outer optimized frame. Optimized frames only provide the
receiver on a best-effort basis.
BUG=v8:5950
Review-Url: https://codereview.chromium.org/2696173002
Cr-Commit-Position: refs/heads/master@{#43244}
Reason for revert:
Please remove the file in status file too. Breaks presubmit:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20presubmit/builds/14754
Or lets call it post-submit :(
Original issue's description:
> This is a workaround for the fact that %SetCode can "lose" the script for a js native. If the js native is re-initialized (for a Realm or something), then the source SharedFunctionInfo won't have a script anymore. Nonetheless, we may want to optimize the function. If we've compiled bytecode, then we can compile optimized code without a script.
>
> Here, we carve out a special exception for this case, so that we can turn on the --mark-shared-functions-for-tier-up.
>
> BUG=v8:5946
> R=leszeks@chromium.org
>
> Review-Url: https://codereview.chromium.org/2684033007
> Cr-Commit-Position: refs/heads/master@{#43240}
> Committed: 4123a3dd79TBR=leszeks@chromium.org,mstarzinger@chromium.org,marja@chromium.org,mvstanton@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5946
Review-Url: https://codereview.chromium.org/2703553002
Cr-Commit-Position: refs/heads/master@{#43242}
Produce the same scopes / variables for parameters (part 3).
This CL fixes the ordering + variable types in PreParser when there are
simple parameters + a rest parameter. In that case, Parser declares
unnamed temporaries for the non-rest params, then the rest param, then
the named variables (which are not parameters) for the non-rest params.
BUG=v8:5516
R=vogelheim@chromium.org
Change-Id: I9b006595039c8002b0508d1d2a200aa9a0f3eae0
Reviewed-on: https://chromium-review.googlesource.com/443527
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43241}
ES2016 changed the default timezone of dates to be conditional on
whether a time is included. The semantics were a compromise approach
based on web compatibility feedback from V8, but until now, we have been
shipping ES5.1 default timezone semantics. This patch implements the
new semantics, following ChakraCore and SpiderMonkey (though JSC
implements V8's previous semantics).
BUG=chromium:589858
Review-Url: https://codereview.chromium.org/2648603002
Cr-Commit-Position: refs/heads/master@{#43239}
This handles arithmetic addition operations during the early type-hint
lowering (i.e. during graph construction). The string addition case is
still handled by {JSTypedLowering} as it needs static type information.
R=bmeurer@chromium.org
Change-Id: I9df47dfc5bf7613c51f6d803ab43d5d3f6c21be8
Reviewed-on: https://chromium-review.googlesource.com/443185
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43235}
@@replace has a pretty complex implementation, taking different paths
for various situations (e.g.: global/nonglobal regexp, functional/string
replace argument, etc.). Each of these paths must implement similar
logic for calling into the RegExpBuiltinExec spec operation, and many
paths get this subtly wrong.
This CL fixes a couple of issues related to the way @@replace handles lastIndex:
* All paths now respect lastIndex when calling into exec (some used to assume 0).
* lastIndex is now advanced after a successful match for sticky regexps.
* lastIndex is now only reset to 0 on failure for sticky regexps.
BUG=v8:5361
Review-Url: https://codereview.chromium.org/2685183003
Cr-Commit-Position: refs/heads/master@{#43234}
The parser was finalizing the inner block scope, but not clearing the
inner block's scope pointer. This doesn't (yet) have any behavioral
difference, but makes it easier to make assumptions about the structure
of the AST vs the scope chain.
R=neis@chromium.org
Review-Url: https://codereview.chromium.org/2696233003
Cr-Commit-Position: refs/heads/master@{#43233}
- Clear flags to avoid the quite expensive query for whether this page
is to be swept.
- Use a vector instead of a list as we always expect a small number of
pages to go through the pool and we want to avoid memory management on
this path.
BUG=
Change-Id: If3c0ad480b8e4f3ccf5a0ef43200c5269822245d
Reviewed-on: https://chromium-review.googlesource.com/443248
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43230}
This wraps float arrays with a proxy to make raw buffer use slow paths avoiding different NAN patterns.
This also mocks out large typed arrays when passing the lenth as third constructor parameter.
BUG=chromium:691287,chromium:690898
NOTRY=true
Change-Id: Ic4295b0d8690e5209aceeda9ed93efdd580194c0
Reviewed-on: https://chromium-review.googlesource.com/441624
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43229}
Some of these functions are invoked by BytecodeGenerator due to parser
desugarings, and moving the context indices cause
BytecodeExpectationsPrinter to render them as something
useful/meaningful.
BUG=
R=jgruber@chromium.org, adamk@chromium.org
Review-Url: https://codereview.chromium.org/2695323002
Cr-Commit-Position: refs/heads/master@{#43225}
When --harmony-async-iteration is enabled, it is now possible to
use the for-await-of loop, which uses the Async Iteration protocol
rather than the ordinary ES6 Iteration protocol.
the Async-from-Sync Iterator object is not implemented in this CL,
and so for-await-of loops will abort execution if the iterated object
does not have a Symbol.asyncIterator() method. Async-from-Sync
Iterators are implemented seperately in https://codereview.chromium.org/2645313003/
BUG=v8:5855, v8:4483
R=neis@chromium.org, littledan@chromium.org, adamk@chromium.org
Review-Url: https://codereview.chromium.org/2637403008
Cr-Commit-Position: refs/heads/master@{#43224}
The mips64 implementation always ended up in the slowpath due to some
loads that were the wrong width, so that is also fixed here.
BUG=v8:5974
Change-Id: Ie448a1fab5b7fca87597c5a1bf75443864e30c28
Reviewed-on: https://chromium-review.googlesource.com/443247
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43222}
These experimental natives previously only installed functions to the
appropriate parent. In this patch, the exports container is retained
so that the bootstrapper may install the functions instead. This
change is intended to reduce startup time. SharedArrayBuffer retains
some experimental natives exported from JS; this may be addressed
in a follow-on patch. The patch includes some minor cleanup of the
bootstrap process by removing "experimental exports", which was unused.
R=yangguo@chromium.org
BUG=v8:5880
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux_noi18n_rel_ng
Review-Url: https://codereview.chromium.org/2683083003
Cr-Commit-Position: refs/heads/master@{#43221}
- Different places used is_simple to mean different things; renamed one.
- No need to do Scope::SetHasNoSimpleParameters multiple times.
- Normally we create VAR parameters with a name, or (for destructuring
parameters), TEMPORARY parmeters with an empty name. *Except* for
destructuring rest parameters; then we create VAR a parameter with an empty
name. This CL makes the empty-named parameter TEMPORARY instead of VAR.
- This makes it clear that Parser::DeclareFormalParameters declares exactly
those params which Parser::BuildParamerterInitializationBlock doesn't declare.
- This unification doesn't change any functionality, but it makes sense to do
since I'll need to make PreParser emulate what Parser does; this way I don't
need to emulate the weird behavior.
BUG=v8:5501
Change-Id: Ifa6c116bc5908f4e03a36e74f47558888d1582bd
Reviewed-on: https://chromium-review.googlesource.com/443106
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43220}
This handles all arithmetic binary operations except addition during the
early type-hint lowering (i.e. during graph construction). We still use
static type information to potentially further reduce the speculative
operations down to pure operations during the typed lowering phase.
R=bmeurer@chromium.org
Change-Id: I8b93fd7c46ec8e5b81234a49624d503520c3d082
Reviewed-on: https://chromium-review.googlesource.com/443105
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43218}
This CL changes the datastructure to store live variables from a
std::bitset<256> to a std::vector<bool> to support an arbitrary number
of locals. Unfortunately, std::vector<bool> does not define |= and &=
operators, so I added them on the Environment class.
R=vegorov@chromium.org, mstarzinger@chromium.org, machenbach@chromium.org
BUG=v8:5970
Review-Url: https://codereview.chromium.org/2694103005
Cr-Commit-Position: refs/heads/master@{#43216}
The API class is v8::ArrayBuffer; JSArrayBuffer is the internal counterpart,
but its name should not appear in a public API comment.
Review-Url: https://codereview.chromium.org/2692853007
Cr-Commit-Position: refs/heads/master@{#43214}
- Removes shared InnerArrayCopyWithin JS builtin from src/js/array.js
- Implements %TypedArray%.prototype.copyWithin as a C++ builtin, which
relies on std::memmove rather than accessing individual eleements.
- Fixes the case where copyWithin is invoked on a TypedArray with a
detached buffer.
- Add tests to ensure that +/-Infinity (for all 3 parameters) is handled
correctly by the
algorithm
The C++ version gets through the benchmark more than 25000 times as
quickly as the JS implementation.
BUG=v8:5925, v8:5929, v8:4648
R=cbruni@chromium.org, adamk@chromium.org, littledan@chromium.org
Review-Url: https://codereview.chromium.org/2697593002
Cr-Commit-Position: refs/heads/master@{#43213}
Down from 16 * kPointerSize.
Modern compilers have good inlining support for memcpy(), so our
custom C++ loop is only beneficial for very short loops (if at all).
BUG=v8:5395
Review-Url: https://codereview.chromium.org/2438583002
Cr-Commit-Position: refs/heads/master@{#43212}
Instead of calling the LoadGlobalIC stub, bytecode handlers now inline
logic for LoadGlobalIC. The LoadGlobalICData case takes a fast path
which omits name loading and frame construction.
BUG=v8:5917
Review-Url: https://codereview.chromium.org/2684973002
Cr-Commit-Position: refs/heads/master@{#43210}
... and don't clear ICs during GC. The IC clearing used to prevent memory
leaks but it's not necessary anymore because all the handlers that need
to embed objects already use weak cells.
This CL unblocks inlining of IC dispatchers into bytecode handlers.
BUG=v8:5917
Change-Id: I229b9ba8dba44f431dfbe8ac5370d855e3e84dd6
Reviewed-on: https://chromium-review.googlesource.com/442127
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43209}
This allows part of typed lowering that is solely based on type-hints to
run as part of the graph construction. The lowering in question does not
inspect types and hence doesn't require the typer to have run before. We
insert the speculative simplied-level operations in favor of the generic
JavaScript-level variants.
R=bmeurer@chromium.org
Change-Id: I5f0549fc1e4ff607622ee9059e6232a32f77db2e
Reviewed-on: https://chromium-review.googlesource.com/442584
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43208}
ParserBase::is_any_identifier currently does not recognise
Token::ESCAPED_STRICT_RESERVED_WORD as an identifier. This seems different
from what ParserBase::ParseIdentifierName does, and also prevents
"l\u0065t", unlike "let", from becoming a label.
This CL extends is_any_identifier to also accept ESCAPED_STRICT_RESERVED_WORD.
BUG=v8:5692
Review-Url: https://codereview.chromium.org/2695973003
Cr-Commit-Position: refs/heads/master@{#43204}
The method ExpressionUnexpectedToken is not referenced anywhere apart from its
definition. This CL removes it.
The association with the bug below is only through discovering the dead code
when working on a fix for that bug.
BUG=v8:5692
Review-Url: https://codereview.chromium.org/2688413009
Cr-Commit-Position: refs/heads/master@{#43203}
