Commit Graph

23360 Commits

Author SHA1 Message Date
Mu Tao
610facedaf [mips][wasm] Stage type reflection support
On mips, NaN bit patterns is not same as WASM's definitions.

Port e101dfb708

R=clemensh@chromium.org

Change-Id: I134cd6289b7cf5d1a366345fe0a79cbecc9a6f73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1782234
Auto-Submit: Mu Tao <pamilty@gmail.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63565}
2019-09-05 09:28:34 +00:00
Sigurd Schneider
3b0f89d0a1 [debugger] Fix code coverage for async functions
Async functions were not correctly fixed up for code coverage, which
caused an additional uncovered range to be reported between a return
statement and the closing bracket.

This CL adds code that detects such ranges, and removes them, similarly
to how the ranges are removed for normal functions. The removal process
is different, because the parser rewrites async functions to contain a
try-catch handling promise rejection.

Change-Id: I73b08d64be74d26c32f2f9652d027430d4671251

Bug: chromium:981313, v8:8381
Change-Id: I82a7f0c54d3a48609ef5255a7659d9557e163566
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1782837
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63561}
2019-09-05 06:33:10 +00:00
Tom Tan
61d6db0715 Renaming variables which conflict with macro definition in Windows SDK
Windows SDK defines `near` and `far` as macro in minwindef.h, so they cannot be
used as variable name if Windows SDK header file is included for Windows build.

Bug: chromium:893460
Change-Id: I5ed1076b965979b8e4e09958c1b6f0a698ec8d4f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1783839
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Tom Tan <Tom.Tan@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#63559}
2019-09-04 20:37:48 +00:00
Joey Gouly
b7ade8536e [arm64][wasm] Implement I64x2 multiply
Implement I64x2 multiply using 32-bit multiplies.

This approach uses two fewer cycles (0.88x) on Cortex-A53 and three fewer cycles (0.86x)
on Cortex-A72, compared to moving to general purpose registers and doing two 64-bit multiplies.

Based on a patch by Zhi An Ng.

Bug: v8:8460
Change-Id: I9c8d3bb77f0d751eec2d85823522558b7f173628
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781696
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63558}
2019-09-04 19:22:08 +00:00
Leszek Swirski
b293533ed8 Revert "Reland "[ic] In-place Double -> Tagged transitions""
This reverts commit 981aafaf97.

Reason for revert: Still crashing on Canary.

Original change's description:
> Reland "[ic] In-place Double -> Tagged transitions"
>
> This is a reland of 0736599a69.
> This is a reland of 7e1fbe8f34.
>
> Original change description:
> > [ic] In-place Double -> Tagged transitions
> >
> > With no more MutableHeapNumber, we can make Double -> Tagged transitions
> > in-place, at the cost of an extra map check when accessing double fields
> > to make sure they are still doubles.
> >
> > Bug: v8:9606
> > Change-Id: I74ff39ed6fba62ee223cd37dfe761f7d73020e1c
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743973
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#63374}
>
> TBR=verwaest@chromium.org, tebbi@chromium.org
>
> Bug: v8:9606
> Change-Id: I2d1b7416064d743582f4983fb868316b7e8a4cf2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1777661
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63499}

TBR=leszeks@chromium.org, verwaest@chromium.org, tebbi@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:9606
Bug: chromium:997989
Change-Id: Ic95166e67df68e84a524dffd8155121c3ff6aa13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1784283
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63550}
2019-09-04 11:39:43 +00:00
Andreas Haas
00ef19d859 [wasm][fuzzer] Teach the fuzzers to deal with anyref and co
I don't know if there is another problem, but this change fixes all
problems in the test case. The fuzzer will eventually tell us if there
is another problem.

R=clemensh@chromium.org

Bug: chromium:1000503
Change-Id: I2f3ca9132e1b9e3f01e9b32604fb39b2272723f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1784278
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63547}
2019-09-04 10:55:13 +00:00
Andreas Haas
725a0a9076 Revert "[wasm] Stage wasm-bigint"
This reverts commit bf78435b2c.

Reason for revert: This CL is not what I wanted to land. I mixed up my local branches.

Original change's description:
> [wasm] Stage wasm-bigint
> 
> The implementation on wasm-bigint has been done, as far as I can tell.
> There are no spec tests yet, only an out-dated copy of the original
> spec tests which don't pass anymore. Therefore I disabled all the tests
> for now and created a tracking bug at https://crbug.com/v8/9673.
> 
> R=​adamk@chromium.org
> 
> Bug: v8:7741, v8:9673
> Change-Id: I015846cc6008ad266402b6835e634723a1a076da
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781050
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63541}

TBR=adamk@chromium.org,ahaas@chromium.org

Change-Id: I5e8a42ad01200c01446efe4ea50f8ae6fef2c174
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7741, v8:9673
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1784279
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63546}
2019-09-04 10:12:35 +00:00
Georg Neis
086efd8781 Reland "[turbofan] Prepare for moving part of CreateGraph into the background"
This is a reland of ab089c7864, after
making a flaky test more robust.

Original change's description:
> [turbofan] Prepare for moving part of CreateGraph into the background
>
> - Pass Refs, not Handles, to graph builder, and drop bytecode array argument
>   (get it from SFI instead).
> - Add some fields to FeedbackVectorRef that are needed to avoid heap access
>   in BytecodeGraphBuilderPhase.
> - Rename FeedbackVectorRef's SerializeSlots to Serialize, since it's more
>   than just the feedback slots.
> - Rearrange the last steps in PipelineCompilationJob::PrepareJobImpl such
>   that CreateGraph is last.
>
> Bug: v8:7790
> Change-Id: I4b17790d1d74da41ba63ee68e3a33968662fc398
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781682
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63515}

Bug: v8:7790
Change-Id: Ia6f4c1ebd82dea93c14437514d0e25b730523f75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781694
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63545}
2019-09-04 09:35:13 +00:00
Georg Neis
72946aa804 Make more use of NativeContext type in CSA and Torque
Change-Id: I29a4d20656727e6ec1e1fd052a840bd5aefe3cd4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781052
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63544}
2019-09-04 09:33:33 +00:00
Dan Elphick
afca89f848 [parser] Improve hole check elision in async arrow funcs
Use the position of commas in async arrow expressions to mark the
initializer position of any parameters that might have been set in the
preceding parameter.

This extends https://chromium-review.googlesource.com/c/v8/v8/+/1710671
to async arrow heads.

Bug: v8:8510, chromium:997320
Change-Id: I98e0ac817c7f53fbf1dced98fb6891a386ee7803
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781057
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63542}
2019-09-04 09:13:03 +00:00
Andreas Haas
bf78435b2c [wasm] Stage wasm-bigint
The implementation on wasm-bigint has been done, as far as I can tell.
There are no spec tests yet, only an out-dated copy of the original
spec tests which don't pass anymore. Therefore I disabled all the tests
for now and created a tracking bug at https://crbug.com/v8/9673.

R=adamk@chromium.org

Bug: v8:7741, v8:9673
Change-Id: I015846cc6008ad266402b6835e634723a1a076da
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781050
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63541}
2019-09-04 08:52:03 +00:00
Francis McCabe
af04a51efd Revert "Update GetIterator bytecode to load and call object[Symbol.iterator]"
This reverts commit 8b89a7c32d.

Reason for revert: GC Stress tests timing out.
See https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/24272

Original change's description:
> Update GetIterator bytecode to load and call object[Symbol.iterator]
> 
> The functionality of the GetIterator bytecode introduced previously is
> now extended from loading the @@iterator property to calling the property
> as well. This change basically absorbs the functionality of additional
> two bytecodes - Star, CallProperty0 in the GetIterator bytecode.
> Importantly, this change handles the cases of eager and lazy deoptimization
> in the middle of the bytecode, i.e., lazy deopt for LdaNamedProperty and
> eager deopt of the CallProperty0 bytecode, using the continuation builtins.
> This mechanism can work as a template for the future bytecode that require
> handling such inter-bytecode deopt scenario. The tests evaluating the eager
> and lazy deopt scenarios are also included.
> 
> Bug: v8:9489
> Change-Id: I93eb022bbc3d37582407820aa8482a343cac6c12
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758313
> Commit-Queue: Swapnil Gaikwad <swapnilgaikwad@google.com>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63528}

TBR=rmcilroy@chromium.org,neis@chromium.org,leszeks@chromium.org,tebbi@chromium.org,swapnilgaikwad@google.com

Change-Id: I9ae475f71275f71f1b9e60b8bf0578e21ce2704b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9489
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1783736
Reviewed-by: Francis McCabe <fgm@chromium.org>
Commit-Queue: Francis McCabe <fgm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63536}
2019-09-03 23:19:12 +00:00
Dominik Inführ
d4e168a3b5 Revert "[heap] Remove size from invalidated slots"
This reverts commit 93063ade0f.

Reason for revert: Clusterfuzz found issue.

Original change's description:
> [heap] Remove size from invalidated slots
> 
> Slots are always valid inside an invalidated area when outside the
> respective object's current size. This allows us to remove the size
> from the InvalidatedSlots data structure.
> 
> This change was enabled by https://crrev.com/c/1771793.
> 
> Bug: v8:9454
> Change-Id: I2b5a7234d47227cb6ad8d67de20e9b5a2028ae83
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773242
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63510}

TBR=ulan@chromium.org,sigurds@chromium.org,tebbi@chromium.org,dinfuehr@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:9454
Change-Id: I7daf96cf50aaedd4dbdab48fd550182df94e54bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1783106
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63535}
2019-09-03 23:14:10 +00:00
Ng Zhi An
85e2dbb32a [wasm-simd] F32x4Div for ia32 x64 arm arm64
Bug: v8:8460
Change-Id: I529310a35b74964cb034b4c757981c7ec70f1d19
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1765442
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63532}
2019-09-03 17:07:57 +00:00
Swapnil Gaikwad
8b89a7c32d Update GetIterator bytecode to load and call object[Symbol.iterator]
The functionality of the GetIterator bytecode introduced previously is
now extended from loading the @@iterator property to calling the property
as well. This change basically absorbs the functionality of additional
two bytecodes - Star, CallProperty0 in the GetIterator bytecode.
Importantly, this change handles the cases of eager and lazy deoptimization
in the middle of the bytecode, i.e., lazy deopt for LdaNamedProperty and
eager deopt of the CallProperty0 bytecode, using the continuation builtins.
This mechanism can work as a template for the future bytecode that require
handling such inter-bytecode deopt scenario. The tests evaluating the eager
and lazy deopt scenarios are also included.

Bug: v8:9489
Change-Id: I93eb022bbc3d37582407820aa8482a343cac6c12
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758313
Commit-Queue: Swapnil Gaikwad <swapnilgaikwad@google.com>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63528}
2019-09-03 15:09:36 +00:00
Martyn Capewell
39d028c066 Revert "[turbofan,arm64] Add float loads poisoning."
This reverts commit 2869d9de0d.

Reason for revert: Failing on V8 Arm - debug

Original change's description:
> [turbofan,arm64] Add float loads poisoning.
> 
> Also extend load poisoning testing for arm and arm64.
> 
> This is a port of I1ef202296744a39054366f2bc424d6952c3bbe9d,
> originally introduced for arm.
> 
> Change-Id: I7d317bba6be633dd1e563daa7231d3c5e930f8e4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691032
> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63519}

TBR=rmcilroy@chromium.org,mvstanton@chromium.org,neis@chromium.org,tebbi@chromium.org,martyn.capewell@arm.com,artem.serov@arm.com

Change-Id: I60ae552f98ae843d4fecbe163d60580a9f1a7068
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1782163
Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#63523}
2019-09-03 12:03:47 +00:00
Michael Starzinger
369e0d587a [wasm] Enable optimization of Math.pow intrinsic.
R=clemensh@chromium.org
TEST=mjsunit/wasm/asm-wasm-math-intrinsic
BUG=v8:8505

Change-Id: I883c9ad174f7fda5ec5dd24e71ca674de51239b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1782160
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63521}
2019-09-03 11:57:20 +00:00
Artem Serov
2869d9de0d [turbofan,arm64] Add float loads poisoning.
Also extend load poisoning testing for arm and arm64.

This is a port of I1ef202296744a39054366f2bc424d6952c3bbe9d,
originally introduced for arm.

Change-Id: I7d317bba6be633dd1e563daa7231d3c5e930f8e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691032
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63519}
2019-09-03 10:55:00 +00:00
Pierre Langlois
ffffed9020 [arm64] Fix backwards branch ranges.
The `Instruction::IsValidImmPCOffset()` method was taking an `offset` argument
in numbers of *instructions* while we were passing it numbers of *bytes*. See
`Instruction::IsTargetInImmPCOffsetRange()` and
`MacroAssembler::NeedExtraInstructionsOrRegisterBranch()`.

As a result, we were 4 times too conservative when computing branch ranges going
backwards, forcing us to generate the following sequence for TBZ more often than
needed:

```
  TBNZ <skip>
  B <target>
skip:
```

This happened rarely for loops, but a lot when doing an early return from
out-of-line calls to write barriers. Since out-of-line code is easily out of
range of 8K, although the real range of TBZ is 32K.

This fixes it by changing this method to take a byte offset instead of
instructions, as this is more intuitive and in line with similar methods. For
instance, `Instruction::ImmPcOffset()` returns an offset in bytes.

The tests are adapted so that they would have caught such a bug:

* TEST(far_branch_backward):

  This test used to only check the code worked if the branch was very far away,
  but it didn't test the range was correct. So this test was changed to check
  each branch type separately, and test in-range and out-of-range cases
  separately too.

* TEST(far_branch_veneer_broken_link_chain):

  Because of the backwards range bug, this test wasn't actually testing what it
  should. The idea of the test is to make sure the MacroAssembler can still cope
  when the chain of links is broken after a veneer was emitted. But no veneers
  were ever emitted.

Change-Id: Iddb5c683a71147455175f38fa7ae57da0a3e7337
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781058
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63518}
2019-09-03 10:37:11 +00:00
Andreas Haas
8e91bf3140 [wasm] Fix enabling staged wasm features in libfuzzer fuzzers
In https://crrev.com/c/1768581 I only enabled the --wasm-staging flag,
but that is useless without the implications defined in
flag-definitions.h. With this CL I now just set each flag one by one.

R=clemensh@chromium.org

Bug: v8:9601
Change-Id: Ie0e16f9516aa32b8c958cf58c8c9d4d6cb6f3b22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781060
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63516}
2019-09-03 09:26:29 +00:00
Michael Lippautz
fba101cdac heap: Inspect embedder fields on global and global proxy object
Those object types can carry embedder fields as they are generated from
embedder-provided function templates.

Bug: v8:9672
Change-Id: Iaea794ba8bea2ffec3559131eecfe1941479759a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781048
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63511}
2019-09-02 17:22:04 +00:00
Dominik Inführ
93063ade0f [heap] Remove size from invalidated slots
Slots are always valid inside an invalidated area when outside the
respective object's current size. This allows us to remove the size
from the InvalidatedSlots data structure.

This change was enabled by https://crrev.com/c/1771793.

Bug: v8:9454
Change-Id: I2b5a7234d47227cb6ad8d67de20e9b5a2028ae83
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773242
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63510}
2019-09-02 15:14:04 +00:00
Yang Guo
0b403dcbec [inspector] honor order in console.table's filter argument
R=sigurds@chromium.org

Bug: chromium:956475
Change-Id: Ie4ccd84e1c239d771fd9238599c687782ddb1356
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776097
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63505}
2019-09-02 13:21:24 +00:00
Ana Peško
611d84ee13 [regexp] Naive tier-up testing
This CL adds initial tests for the tier-up logic.

Change-Id: I6e6ff69604b14387e81b08d178f98d2227b4f496
Bug: v8:9566
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776080
Commit-Queue: Ana Pesko <anapesko@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63503}
2019-09-02 12:55:54 +00:00
Leszek Swirski
981aafaf97 Reland "[ic] In-place Double -> Tagged transitions"
This is a reland of 0736599a69.
This is a reland of 7e1fbe8f34.

Original change description:
> [ic] In-place Double -> Tagged transitions
>
> With no more MutableHeapNumber, we can make Double -> Tagged transitions
> in-place, at the cost of an extra map check when accessing double fields
> to make sure they are still doubles.
>
> Bug: v8:9606
> Change-Id: I74ff39ed6fba62ee223cd37dfe761f7d73020e1c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743973
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63374}

TBR=verwaest@chromium.org, tebbi@chromium.org

Bug: v8:9606
Change-Id: I2d1b7416064d743582f4983fb868316b7e8a4cf2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1777661
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63499}
2019-09-02 10:18:34 +00:00
Seth Brenith
2ccca6c5ac [tools][torque] Include string values in GetObjectProperties responses
This change provides a quick way to see string contents in postmortem
debugging sessions, without digging through a (possibly very large, in
the case of ConsString) tree of properties. As well as being convenient
for inspecting String objects, this functionality will also be necessary
for displaying property names on JSReceiver objects. In order to support
custom behaviors for specific classes, this change extends the existing
generated debug reader classes with a visitor pattern.

Bug: v8:9376
Change-Id: I70eab9ea4e74ca0fab39bf5998d6a602716a4202
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771939
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#63485}
2019-08-30 21:56:06 +00:00
Dan Elphick
3e545f38cb [coverage] Collect source positions when toggling mode
When changing the code coverage or type profiler modes, first ensure
there are source positions for all BytecodeArrays as regenerating the
source positions after toggling the mode will result in a bytecode
mismatch.

Bug: v8:9656, v8:8510
Change-Id: Ic6cf3afec1588f11e5ce5fcbea2fd13e4452e15f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1774721
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63484}
2019-08-30 17:58:30 +00:00
Georg Schmid
cbf015025a [torque] Add HeapSlice location references to Torque
This CL adds a LocationReference specifically for slices to Torque. This allows us to safely reference arrays in objects and pass around such references. For an array of T-typed elements, referencing yields a Slice<T>. In addition, the traditional element access syntax ('o.array[i]') now internally produces a slice, indexes it at 'i' and dereferences the resulting HeapReference.

Bug: v8:7793
Change-Id: I4af58e4d2feac547c55a1f6f9350a6c510383df2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771782
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63479}
2019-08-30 11:51:32 +00:00
Leszek Swirski
ef2df57aa5 Reland "[destructuring] Elide coercible check for simple keys"
This is a reland of 1fba044154
Chromium expectation tests have been disabled, and will be enabled

Original change's description:
> [destructuring] Elide coercible check for simple keys
>
> Simple object destructuring, such as `let {a,b} = o`, is less efficient
> than the equivalent assignments `let a = o.a; let b = o.b`. This is
> because it does a nil check of `o` before the assignments. However, this
> nil check is not strictly necessary for simple (i.e. non-computed) names,
> as there will be an equivalent nil check on the first access to o in
> `o.a`. For computed names the computation is unfortunately obervable.
>
> So, we can elide the nil check when the first property (if any) of the
> destructuring target is a non-computed name. This messes a bit with our
> error messages, so we re-use the CallPrinter to also find destructuring
> assignment based errors, and fiddle with the error message there. As
> a side-effect, we also get out the object name in the AST, so we can
> output a slightly nicer error message.
>
> Change-Id: Iafa858e27ed771a146cd3ba57903cc73bb46951d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773254
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63453}

TBR=verwaest@chromium.org

Bug: chromium:999473
Change-Id: Ib0b2e4be433c50521ba1722e1c06b672bfefa405
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1777702
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63477}
2019-08-30 10:51:49 +00:00
Georg Neis
890a315396 [turbofan] Clean up heap broker initialization
E.g. make the setup of the ObjectRef hash table more explicit.

Tbr: jgruber@chromium.org
Bug: v8:7790
Change-Id: I58c03848e7da5c418ff2d6ae1e71b644278f406b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776089
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63475}
2019-08-30 10:19:20 +00:00
Joyee Cheung
df12eb194e [class] implement private accessors
This patch implements the access of private accessors by loading the
referenced component from the AccessorPair associated with private
name variables. It also makes the error messages for invalid kind
of private accessor access more specific.

Bug: v8:8330
Design doc: https://docs.google.com/document/d/10W4begYfs7lmldSqBoQBBt_BKamgT8igqxF9u50RGrI/edit

Change-Id: I6d441cffb85f8d9cd0417ec9b6ae20f3e34ef418
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1695205
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/master@{#63474}
2019-08-30 10:16:29 +00:00
Maya Lekova
2a099bfaf7 [turbofan] Fully brokerize JSInlining and EscapeAnalysis
Introduce JSGlobalObjectRef to the heap broker.

Bug: v8:7790
Change-Id: I055a0545b582d6ff4c4e0dd639ce532311a76fec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773267
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63472}
2019-08-30 08:26:37 +00:00
Ulan Degenbaev
9da3483136 Revert "Reland x5 [arraybuffer] Rearchitect backing store ownership"
This reverts commit 62e168308c.

Reason for revert: it will be relanded after branch

Original change's description:
> Reland x5 [arraybuffer] Rearchitect backing store ownership
> 
> This reverts commit 8fdb23873b.
> 
> Original change's description:
> > "Reland x4 [arraybuffer] Rearchitect backing store ownership"
> >
> > This is a reland of bc33f5aeba
> >
> > Contributed by titzer@chromium.org
> >
> > Original change's description:
> > > [arraybuffer] Rearchitect backing store ownership
> > >
> > > This CL completely rearchitects the ownership of array buffer backing stores,
> > > consolidating ownership into a {BackingStore} C++ object that is tracked
> > > throughout V8 using unique_ptr and shared_ptr where appropriate.
> > >
> > > Overall, lifetime management is simpler and more explicit. The numerous
> > > ways that array buffers were initialized have been streamlined to one
> > > Attach() method on JSArrayBuffer. The array buffer tracker in the
> > > GC implementation now manages std::shared_ptr<BackingStore> pointers,
> > > and the construction and destruction of the BackingStore object itself
> > > handles the underlying page or embedder-allocated memory.
> > >
> > > The embedder API remains unchanged for now. We use the
> > > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> > > keep the backing store alive properly, even in the case of aliases
> > > from live heap objects. Thus the embedder has a lower chance of making
> > > a mistake. Long-term, we should move the embedder to a model where they
> > > manage backing stores using shared_ptr to an opaque backing store object.
> >
> > TBR=yangguo@chromium.org
> >
> > BUG=v8:9380,v8:9221,chromium:986318
> >
> > Change-Id: If671a4a9ca0476e8f084efae46e0d2bf99ed99ef
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731005
> > Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> > Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#63041}
> 
> TBR=yangguo@chromium.org,clemensh@chromium.org,mstarzinger@chromium.org
> 
> Change-Id: Iba55c7ab71e5642b5cb6aeb699d6fc9cf9061486
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771795
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63461}

TBR=ulan@chromium.org,mlippautz@chromium.org

Change-Id: Id8f67a68ab398032eb2975b1b24ee125394d9c4b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776095
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63471}
2019-08-30 08:23:40 +00:00
Ng Zhi An
991b5296a8 [wasm-simd] Enable reduction test for 64x2
This is only for turbofan and interpreter, and simd lowering for 64x2 is
not implemented yet.

Bug: v8:8460
Change-Id: I0d046cb39ff64936da772e0db9a86b88b1509ac2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769194
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63466}
2019-08-29 23:57:35 +00:00
Adam Klein
28fa4cb432 Revert "[destructuring] Elide coercible check for simple keys"
This reverts commit 1fba044154.

Reason for revert: blocks V8 roll due to layout test failures caused by error message changes:
https://ci.chromium.org/p/v8/builders/ci/V8%20Blink%20Linux/347

Original change's description:
> [destructuring] Elide coercible check for simple keys
> 
> Simple object destructuring, such as `let {a,b} = o`, is less efficient
> than the equivalent assignments `let a = o.a; let b = o.b`. This is
> because it does a nil check of `o` before the assignments. However, this
> nil check is not strictly necessary for simple (i.e. non-computed) names,
> as there will be an equivalent nil check on the first access to o in
> `o.a`. For computed names the computation is unfortunately obervable.
> 
> So, we can elide the nil check when the first property (if any) of the
> destructuring target is a non-computed name. This messes a bit with our
> error messages, so we re-use the CallPrinter to also find destructuring
> assignment based errors, and fiddle with the error message there. As
> a side-effect, we also get out the object name in the AST, so we can
> output a slightly nicer error message.
> 
> Change-Id: Iafa858e27ed771a146cd3ba57903cc73bb46951d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773254
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63453}

TBR=leszeks@chromium.org,verwaest@chromium.org

Change-Id: I74cf06ebd987e5b8bbe1831b0042c085edf37f5b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776994
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63465}
2019-08-29 23:44:09 +00:00
Ulan Degenbaev
62e168308c Reland x5 [arraybuffer] Rearchitect backing store ownership
This reverts commit 8fdb23873b.

Original change's description:
> "Reland x4 [arraybuffer] Rearchitect backing store ownership"
>
> This is a reland of bc33f5aeba
>
> Contributed by titzer@chromium.org
>
> Original change's description:
> > [arraybuffer] Rearchitect backing store ownership
> >
> > This CL completely rearchitects the ownership of array buffer backing stores,
> > consolidating ownership into a {BackingStore} C++ object that is tracked
> > throughout V8 using unique_ptr and shared_ptr where appropriate.
> >
> > Overall, lifetime management is simpler and more explicit. The numerous
> > ways that array buffers were initialized have been streamlined to one
> > Attach() method on JSArrayBuffer. The array buffer tracker in the
> > GC implementation now manages std::shared_ptr<BackingStore> pointers,
> > and the construction and destruction of the BackingStore object itself
> > handles the underlying page or embedder-allocated memory.
> >
> > The embedder API remains unchanged for now. We use the
> > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> > keep the backing store alive properly, even in the case of aliases
> > from live heap objects. Thus the embedder has a lower chance of making
> > a mistake. Long-term, we should move the embedder to a model where they
> > manage backing stores using shared_ptr to an opaque backing store object.
>
> TBR=yangguo@chromium.org
>
> BUG=v8:9380,v8:9221,chromium:986318
>
> Change-Id: If671a4a9ca0476e8f084efae46e0d2bf99ed99ef
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731005
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63041}

TBR=yangguo@chromium.org,clemensh@chromium.org,mstarzinger@chromium.org

Change-Id: Iba55c7ab71e5642b5cb6aeb699d6fc9cf9061486
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771795
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63461}
2019-08-29 16:40:18 +00:00
Ulan Degenbaev
3293955071 [heap, tracing] Use WorkerThreadRuntimeCallStatsScope in background GC
Before this CL the main thread fetched the background GC stats and
added them to the main runtime-call-stats table. This resulted
in background GC stats showing up in the main thread trace.

This CL switches the background GC stats to use worker thread runtime-
calls-stats table. This is now consistent with other background
components of V8 suchs background compiler and parser.

Bug: v8:9508
Change-Id: Ic4c0685ded6024f78d0f22f81419fd5677202f25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776083
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63459}
2019-08-29 15:55:48 +00:00
Patrick Thier
213504b9d7 [regexp] Consolidate calls to jitted irregexp and regexp interpreter
The code fields in a JSRegExp object now either contain irregexp
compiled code or a trampoline to the interpreter. This way the code
can be executed without explicitly checking if the regexp shall be
interpreted or executed natively.
In case of interpreted regexp the generated bytecode is now stored in
its own fields instead of the code fields for Latin1 and UC16
respectively.
The signatures of the jitted irregexp match and the regexp interpreter
have been equalized.

Bug: v8:9516
Change-Id: I30e3d86f4702a902d3387bccc1ee91dea501fe4e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762513
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63457}
2019-08-29 15:19:58 +00:00
Leszek Swirski
f6057ff1e3 [scopes] Push sloppy eval check through eval scopes
Sloppy eval extends the outer declaration scope's context. This is also
true for sloppy eval inside of other sloppy evals -- the outer declaration
scope's context is extended rather than the outer sloppy eval's
declaration scope. However, we consider eval scopes to also be declaration
scopes, for the purposes of strict eval and caching lookup variables. So,
we need to make sure that we skip through sloppy eval scopes when marking
a scope as calls_sloppy_eval.

In fact, we implement this rather as never marking sloppy eval scopes as
calls_sloppy_eval, under the assumption that the parent scope will already
have been marked calls_sloppy_eval by the outer eval.

As a drive-by, fix a TODO to move this logic from calls_sloppy_eval() to
RecordEvalCall(), rename the variable to something more meaningful, and
make Snapshotting to use a new calls_eval bit on Scope.

Bug: chromium:996751
Change-Id: I27ccc7ef429a7ce60b3bb02bf64a3820ae4a2c36
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773247
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63455}
2019-08-29 14:49:28 +00:00
Leszek Swirski
1fba044154 [destructuring] Elide coercible check for simple keys
Simple object destructuring, such as `let {a,b} = o`, is less efficient
than the equivalent assignments `let a = o.a; let b = o.b`. This is
because it does a nil check of `o` before the assignments. However, this
nil check is not strictly necessary for simple (i.e. non-computed) names,
as there will be an equivalent nil check on the first access to o in
`o.a`. For computed names the computation is unfortunately obervable.

So, we can elide the nil check when the first property (if any) of the
destructuring target is a non-computed name. This messes a bit with our
error messages, so we re-use the CallPrinter to also find destructuring
assignment based errors, and fiddle with the error message there. As
a side-effect, we also get out the object name in the AST, so we can
output a slightly nicer error message.

Change-Id: Iafa858e27ed771a146cd3ba57903cc73bb46951d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773254
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63453}
2019-08-29 14:42:48 +00:00
Jakob Gruber
f884e2faab [compiler] Pass the max frame size to CodeGenerator
The maximal unoptimized frame size is calculated during instruction
selection and will be needed during code generation (it will be
applied as an offset to the stack check). Pass the information along
to the code generator through PipelineData.

Bug: v8:9534
Change-Id: Ia72cd70d57c3de2db9fe43d91b9378d8e2ab8a0a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762302
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63451}
2019-08-29 13:45:28 +00:00
Milad Farazmand
74fc9048b4 PPC/s390: [wasm] Stage type reflection support.
Port e101dfb708

R=mstarzinger@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:7742
LOG=N

Change-Id: I013d461bce61deae032aee08b2b1d9dac591d66a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1774960
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#63447}
2019-08-29 12:58:28 +00:00
Leszek Swirski
e39c701963 Revert "[ic] In-place Double -> Tagged transitions"
This reverts commit 0736599a69.
This reverts commit 7e1fbe8f34.

Reason for revert: Still some crashes, reverting to unblock dev.

TBR=ishell@chromium.org,tebbi@chromium.org

Bug: v8:9606
Bug: chromium:997485
Bug: chromium:997989
Change-Id: I9a0cb5440bf4fce06c9e6134dacf5c03d512f049
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773271
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63441}
2019-08-29 09:50:08 +00:00
Michael Lippautz
bb5b15c1fd [api,heap] TracedGlobal: Provide copy operators
Provide copy ctor and assignment operators as it turned out that they are
useful for embedders in certain scenarios when dealing with TracedGlobal
handles without finalization callbacks.

Bug: v8:9660
Change-Id: I2b04f540baeef61a0bc8329ca06b999571cbfe66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773250
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63439}
2019-08-29 07:28:18 +00:00
Jun Lim
6bead6bd00 [compiler]Use Phi in Branch if control flow is known
This CL try to use a phi as a branch condition if the control flow from the
branch is known from previous conditions. This change will open up more branch
folding opportunities for later pass.

Change-Id: I26316ab3a68c2d58d0df53691981288a996d4ba1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1674484
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63434}
2019-08-28 19:12:03 +00:00
Z Nguyen-Huu
1f4bec2775 Add new nonextensible element kinds
Currently the backing store and elements kind might not aligned aka
backing store can be dictionary where elements kind is frozen/sealed
element kinds or the other way around. The reason is that
Object.preventExtensions change elements kind to DICTIONARY while
Object.seal/freeze change elements kind to SEALED/FROZEN element kind.
Apply both these operations can lead to that problem as in
chromium:992914

To solve this issue, we avoid Object.preventExtensions to change backing
store to dictionary by introducing new nonextensible elements kind.
These new nonextensible elements kind are handled similar to frozen,
sealed element kinds. This change not only fixes the problem but also
optimize the performance of nonextensible objects.

Change-Id: Iffc7f14eb48223c11abf3c577f305d2d072eb65b
Bug: chromium:992914, v8:6831
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760976
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63432}
2019-08-28 17:24:49 +00:00
Ng Zhi An
cb0eface4c Enable alltrue anytrue lowered_simd tests
Bug: v8:8665
Bug: v8:9418
Change-Id: Ice4778deb363649ae6ee9f5b5957171587b28798
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769481
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63431}
2019-08-28 16:30:05 +00:00
Sigurd Schneider
4477097489 [runtime] Throw range error on too many properties
This change allows the KeyAccumulator to throw a range error if there
are too many properties to be enumerated.

This CL introduces extensive checks during key enumeration in the run-time,
and might introduce regressions. If so, feel free to revert.

Bug: chromium:918301
Change-Id: I6166c0b15f1a05eac7116a979f12ba4833d1d1b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545902
Auto-Submit: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63430}
2019-08-28 15:58:04 +00:00
Maya Lekova
9925079bb2 [turbofan] Remove JSGraph::Constant for Handles
Bug: v8:7790
Change-Id: I666f545f4b5b7b5aeaed4ce2910240ef54f40c0e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773251
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63427}
2019-08-28 15:36:59 +00:00
Yang Guo
1e5fe736d8 [debugger] disable break on stack overflow
This partially reverts commit 763f63fff6.

Reason for the revert is that the breaking at stack overflow does not
introduce improvement of usability, but rather exposes many issues
caused by the fact that V8 cannot perform a lot of functionality close
to the stack limit.

We keep the test, slightly modified, and use a better way to
detect stack overflow.

Bug: chromium:997469
Change-Id: I32bdf96767812b19f138310cc2dbd6a818fbf031
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771792
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63426}
2019-08-28 14:54:49 +00:00