It now passes on both 32-bit and 64-bit nosnap bots.
TBR=ulan@chromium.org
NOTREECHECKS=true
Change-Id: Id797c88f1eb32868433e112883c2c64b8640eb2c
Reviewed-on: https://chromium-review.googlesource.com/489682
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44953}
These tests assume that a newly-created Isolate is pristine, but that's
not true for nosnap builds.
TBR=ulan@chromium.org
Change-Id: Ie5d0fb0450f285c8eeb8e088feef6729102c0f14
Reviewed-on: https://chromium-review.googlesource.com/489063
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44952}
With fix for architectures where x<<32 != x.
Original change's description:
> [base] Introduce RoundUpToPowerOfTwo64
>
> And fix RoundUpToPowerOfTwo32 to return 1 for the input 0.
> 0 is no power of two.
> Beside being the correct value, this also avoids a special case in the
> (new) fast path using the number of leading zeros.
>
> R=jochen@chromium.org, ahaas@chromium.org
>
> Change-Id: I87173495e13b334954bcebbb55724fb666dfa809
> Reviewed-on: https://chromium-review.googlesource.com/488143
> Reviewed-by: Jochen Eisinger <jochen@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44925}
TBR=ahaas@chromium.org,jochen@chromium.org,clemensh@chromium.org,v8-reviews@googlegroups.com
Change-Id: I7b4719d84a419bb7b38e3b5c9d6d183275087ace
Reviewed-on: https://chromium-review.googlesource.com/488981
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44951}
Most callers passed kFinalizeIncrementalMarkingMask, so use that as
a default argument (not using default argument syntax to avoid including
heap.h in cctest.h).
Change-Id: I904f1eb3a0f5fdbe63eab16f6a6f01d04618645d
Reviewed-on: https://chromium-review.googlesource.com/488104
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44950}
When branching to a loop header, we were trying to copy over {arity}
values from the value stack. This is correct for block labels, but not
for loops. When branching back to a loop header, no values need to be
transferred.
R=ahaas@chromium.org
BUG=chromium:715454
Change-Id: I90d806de63d039abf8dcac1abec057860c8f69ca
Reviewed-on: https://chromium-review.googlesource.com/488146
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44949}
HeapVisitor is similar to StaticVisitor but uses virtual dispatch
instead of static function table. It is intended as replacement
of StaticVisitor using the CRTP.
This CL also changes the concurrent marker to use the HeapVisitor.
BUG=chromium:709075
Review-Url: https://codereview.chromium.org/2808093003
Cr-Commit-Position: refs/heads/master@{#44948}
We used to rely on the fact that all values kept alive through wrapper
tracing were materialized as heap objects. Smis break this invariant and
need to be filter out.
BUG=chromium:716031
Review-Url: https://codereview.chromium.org/2852463003
Cr-Commit-Position: refs/heads/master@{#44946}
Most of these suppressions were for the old asm-validator or for the old compiler pipeline. Some more are just optimistically removed.
Bug: chromium:681088, chromium:681241, chromium:681806, chromium:662840
NOTRY=true
Change-Id: I4c6851a72d22070026eeaca90ad3394cfce10f90
Reviewed-on: https://chromium-review.googlesource.com/488641
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44942}
With this CL we reduce the difference between directly using a null prototype
in a literal or using Object.create(null).
- The EmitFastCloneShallowObject builtin now supports cloning slow
object boilerplates.
- Unified behavior to find the matching Map and instantiating it for
Object.create(null) and literals with a null prototype.
- Cleanup of literal type parameter of CompileTimeValue, now in sync with
ObjectLiteral flags.
Review-Url: https://codereview.chromium.org/2445333002
Cr-Commit-Position: refs/heads/master@{#44941}
I moved the wasm update scripts from tools/ to tools/wasm. In addition
I cleaned up the scripts a bit.
R=machenbach@chromium.org
Change-Id: I545dd556712e272e6509b78e343e9063346abe56
Reviewed-on: https://chromium-review.googlesource.com/488601
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44940}
This makes sure that asm.js modules can only be instantiated with a
valid {ArrayBuffer} as the underlying heap buffer for all cases where
accepting anything else would be observably different from JavaScript
proper.
R=clemensh@chromium.org
TEST=mjsunit/asm/asm-memory
BUG=chromium:715505,chromium:715748
Change-Id: I355686200151c5667bf836824de922d657a8d943
Reviewed-on: https://chromium-review.googlesource.com/488521
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44938}
This reverts commit 9ceaf21272.
Reason for revert: Fails on arm: http://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/2950/steps/Check/logs/Bits.RoundUpToPowerOf..
Original change's description:
> [base] Introduce RoundUpToPowerOfTwo64
>
> And fix RoundUpToPowerOfTwo32 to return 1 for the input 0.
> 0 is no power of two.
> Beside being the correct value, this also avoids a special case in the
> (new) fast path using the number of leading zeros.
>
> R=jochen@chromium.org, ahaas@chromium.org
>
> Change-Id: I87173495e13b334954bcebbb55724fb666dfa809
> Reviewed-on: https://chromium-review.googlesource.com/488143
> Reviewed-by: Jochen Eisinger <jochen@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44925}
TBR=ahaas@chromium.org,jochen@chromium.org,clemensh@chromium.org,v8-reviews@googlegroups.com,wasm-v8@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Change-Id: Ib353ee0a944316da6f919bac3bb88d4f95d98ea0
Reviewed-on: https://chromium-review.googlesource.com/488365
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44935}
The spec tests are stored on a mirror and are downloaded with the DEPS
file. The test files on the mirror are updated with a script which has
to be executed manually.
This CL contains the following changes:
* A script which updates the spec tests and uploads the generated files
to the mirror.
* Changes to the DEPS file to download the files from the mirror.
* Changes so that tools/run-tests.py can run the spec tests.
R=machenbach@chromium.org, rossberg@chromium.org
Change-Id: Ia50d09bb1501c0c0f1d1506aa3657a3aa69c2864
Reviewed-on: https://chromium-review.googlesource.com/488083
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44933}
For int16 imm values Subu would emit addiu with -imm value, but doing
this with min_int16 would overflow and produce incorrect result. This is
fixed by checking if -imm is int16. A test for this case is created.
An optimization is also added for values imm where we cannot just emit
addiu and loading -imm to a register takes one instruction using ori.
Then instead of loading imm with lui;ori and subtracting with subu, we
can load -imm with ori and add with addu.
BUG=
TEST=cctest/test-assembler-mips/Subu
Review-Url: https://codereview.chromium.org/2845043002
Cr-Commit-Position: refs/heads/master@{#44932}
This reverts commit 0322be817d.
Reason for revert: Breaks:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug/builds/4612
Original change's description:
> [ic] Handle JSArray::length in CodeStubAssembler::CallGetterIfAccessor.
>
> When accessing JSArray::length property from GenericPropertyLoad
> (i.e. via a megamorphic KEYED_LOAD_IC), we'd always go to the runtime
> at this point, because the CallGetterIfAccessor method didn't support
> AccessorInfos at all. Now there's initial support for JSArray::length,
> which reduces the number of %KeyedGetProperty calls we see in the
> Speedometer/EmberJS test by 5000.
>
> Also-By: ishell@chromium.org
> BUG=v8:5269
> R=ishell@chromium.org
>
> Change-Id: I44ce7966f9b7257808110a24d95a8167ab035df9
> Reviewed-on: https://chromium-review.googlesource.com/488224
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44915}
TBR=ishell@chromium.org,bmeurer@chromium.org,v8-reviews@googlegroups.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5269
Change-Id: Ib32e87c4ec4fd746abe3cdea3ec1cd96aabb4cff
Reviewed-on: https://chromium-review.googlesource.com/488362
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44928}
This also fixes incorrect type for fixed array accesses.
BUG=chromium:715651,v8:6309,chromium:715204
Review-Url: https://codereview.chromium.org/2848583002
Cr-Commit-Position: refs/heads/master@{#44926}
And fix RoundUpToPowerOfTwo32 to return 1 for the input 0.
0 is no power of two.
Beside being the correct value, this also avoids a special case in the
(new) fast path using the number of leading zeros.
R=jochen@chromium.org, ahaas@chromium.org
Change-Id: I87173495e13b334954bcebbb55724fb666dfa809
Reviewed-on: https://chromium-review.googlesource.com/488143
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44925}
This refactors the {AsmJs} methods used for instantiating an asm.js
module to only use one single entry point. It is in preparation to
validate the "memory" argument as well.
R=clemensh@chromium.org
BUG=chromium:715505
Change-Id: I5e26fcf46f98c053080c70b26c0f562afc7f794a
Reviewed-on: https://chromium-review.googlesource.com/488226
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44922}
Reason for revert:
Seems to lead to more (completely) misattributed ticks
Original issue's description:
> [tickprocessor] Consider top of the stack as pc if it points to a code object.
>
> Previously, we would only consider it if it pointed to a full-code JS function.
> Thus we could miss both optimized functions and bytecode handlers if they
> called frame-less code.
>
> Review-Url: https://codereview.chromium.org/2822433002
> Cr-Commit-Position: refs/heads/master@{#44640}
> Committed: 4433ac299eTBR=jarin@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
Review-Url: https://codereview.chromium.org/2844053003
Cr-Commit-Position: refs/heads/master@{#44921}
The feedback collection was decoupled from the actual comparison in the
compare bytecode handlers. This involves checks on the type of operands both
when collecting the feedback and when performing the operation. To avoid this
the type feedback is collected inline with the actual comparison.
This cl inlines the type feedback collection for the StrictEqual bytecode
handler. The other compare operations will be handled in subsequent cls.
Bug:
Change-Id: I429ed3c58b344c1c492e743c190bf16ab991ce6e
Reviewed-on: https://chromium-review.googlesource.com/483399
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44919}
Currently, the external API (e.g. v8::Object::Get()) will enter the
context passed to it automatically. This is incorrect and causes some
trouble for Blink, so we want to change that.
It then becomes a potential problem to call the external API without
first entering a context, which the inspector code does in some
places. This patch aims to correct this.
BUG=v8:6307
Review-Url: https://codereview.chromium.org/2841053002
Cr-Commit-Position: refs/heads/master@{#44917}
This is a highly requested feature!
Bug: v8:6276
Change-Id: I17b606ae0ff8fa9dfdd0fa74fd1f7ad0dd3fc4f8
Reviewed-on: https://chromium-review.googlesource.com/488044
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44916}
When accessing JSArray::length property from GenericPropertyLoad
(i.e. via a megamorphic KEYED_LOAD_IC), we'd always go to the runtime
at this point, because the CallGetterIfAccessor method didn't support
AccessorInfos at all. Now there's initial support for JSArray::length,
which reduces the number of %KeyedGetProperty calls we see in the
Speedometer/EmberJS test by 5000.
Also-By: ishell@chromium.org
BUG=v8:5269
R=ishell@chromium.org
Change-Id: I44ce7966f9b7257808110a24d95a8167ab035df9
Reviewed-on: https://chromium-review.googlesource.com/488224
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44915}
The AccessorAssembler::GenericPropertyLoad case went to
%KeyedGetProperty when the actual handler that we found
in the stub cache would miss. In this case we would always
fall into the same trap all the time, since no one updates
the stub cache.
BUG=v8:5269
R=ishell@chromium.org
Change-Id: I90fd83337c320f194dc31a69716627d047a6b070
Also-By: ishell@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/488147
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44914}
Performance regressed for this with the I+TF switch. This speeds up
the simple case by using optimizations in the elements accessor.
Bug: chromium:700835
Change-Id: Iaba30951b93daefa0fb32acd6656ac705cdc73ed
Reviewed-on: https://chromium-review.googlesource.com/483341
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44913}
kNumberOfSpaces includes map and large object spaces,
kNumberOfPreallocatedSpaces does not. Therefore we need
to output both separately.
R=bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2843353002
Cr-Commit-Position: refs/heads/master@{#44912}
This reverts commit d7cdea6fa2.
Reason for revert: Flakiness on bots
Original change's description:
> [wasm] Add guard pages before Wasm Memory
>
> Although Wasm memory indices are all unsigned, they sometimes get assembled
> as 32-bit signed immediates. Values in the top half of the Wasm memory space
> will then get sign extended, causing Wasm to access in front of its memory
> buffer.
>
> Usually this region is not mapped anyway, so faults still happen as they are
> supposed to. This change protects this region with guard pages so we are
> guaranteed to always fault when this happens.
>
> Bug: v8:5277
> Change-Id: Id791fbe2a5ac1b1d75460e65c72b5b9db2a47ee7
> Reviewed-on: https://chromium-review.googlesource.com/484747
> Commit-Queue: Eric Holk <eholk@chromium.org>
> Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44905}
TBR=bradnelson@chromium.org,gdeepti@chromium.org,mtrofin@chromium.org,eholk@chromium.org,mseaborn@chromium.org,adamk@chromium.org,v8-reviews@googlegroups.com,wasm-v8@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Change-Id: Ia1d3e5dbf4f518815a9fd4197047077bc8e42816
Reviewed-on: https://chromium-review.googlesource.com/487828
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44907}
Clearing out the constructor field is invalid in the case where the
function's map has transitioned since the last SetPrototype call.
Bug: chromium:714972
Change-Id: Ie918702a128219c4995b805f7c9a53b41cc4e4b6
Reviewed-on: https://chromium-review.googlesource.com/486130
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44906}
Although Wasm memory indices are all unsigned, they sometimes get assembled
as 32-bit signed immediates. Values in the top half of the Wasm memory space
will then get sign extended, causing Wasm to access in front of its memory
buffer.
Usually this region is not mapped anyway, so faults still happen as they are
supposed to. This change protects this region with guard pages so we are
guaranteed to always fault when this happens.
Bug: v8:5277
Change-Id: Id791fbe2a5ac1b1d75460e65c72b5b9db2a47ee7
Reviewed-on: https://chromium-review.googlesource.com/484747
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44905}