This adds:
* A script (tools/update-wasm-fuzzers.sh), which creates a new fuzzing seed
corpus and uploads to google storage (you must have the right credentials).
* A new pair of DEPS entries to pull in the current version of the corpus
based on a checked in pair of hash files.
BUG=None
TEST=None
R=ahaas@chromium.org,kcc@chromium.org,mvstanton@chromium.org
Review-Url: https://codereview.chromium.org/2273303002
Cr-Commit-Position: refs/heads/master@{#38987}
Tail calls don't make sense from async functions and generators, as
each activation of these functions needs to make a new, distnict,
non-reused generator object. These tail calls are not required per
spec. This patch disables both syntactic and implicit tail calls
in async functions and generators.
R=neis
BUG=v8:5301,chromium:639270
Review-Url: https://codereview.chromium.org/2278413003
Cr-Commit-Position: refs/heads/master@{#38986}
V8 can use this metter to better estimate the amount of work that is still to be
done by the embedder. Supposed to be used to decide whether incremental marking
should be finalized or not.
BUG=chromium:468240
R=ulan@chromium.org
Review-Url: https://codereview.chromium.org/2291613002
Cr-Commit-Position: refs/heads/master@{#38985}
The format of this is a little strange, and has to do with the previous
implementation maintaining a "stack" of objects as it works. As a result,
the format writes the array buffer before giving any hint that the reason
for doing so is to obtain a view wrapping it. Handling this without creating
an explicit on-heap stack requires checking whether the next tag is 'V'
after obtaining an array buffer.
BUG=chromium:148757
Review-Url: https://codereview.chromium.org/2287653002
Cr-Commit-Position: refs/heads/master@{#38984}
Add comments to make it easier to browse the HTML documentation generated with Doxygen.
BUG=v8:5260
Review-Url: https://codereview.chromium.org/2290553003
Cr-Commit-Position: refs/heads/master@{#38982}
These DCHECKs are executed when a wasm module is instantiated. However,
invalid load/store offsets should trigger runtime traps, not
instantiation-time errors.
R=titzer@chromium.org
Review-Url: https://codereview.chromium.org/2285223002
Cr-Commit-Position: refs/heads/master@{#38981}
This additionally gets rid of old approach to global shortcuts.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2287173002
Cr-Commit-Position: refs/heads/master@{#38980}
Parser::Declare has a lot of Scope-related logic inside; especially it
does Lookup in Scope. Scope should be the class which knows how to
declare variables in different kinds of Scopes, not Parser.
BUG=
Review-Url: https://codereview.chromium.org/2280033002
Cr-Commit-Position: refs/heads/master@{#38979}
Introduced MachineType::TaggedSigned() and TaggedPointer().
The idea is to quit using the representational dimension of Type, and
instead encode this information in the MachineRepresentation (itself
lightly wrapped in MachineType, along with MachineSemantic).
There are three parts to the whole change:
1) Places that set the machine representation - constant nodes, loads nad
stores, global object and native context specialization.
2) Places that propagate type/representation - this is representation
inference (aka simplified lowering). At the end of this process we
expect to have a MachineRepresentation for every node. An interesting
part of this is phi merging.
3) Places that examine representation - WriteBarrier elimination does this.
Currently it's looking at the Type representation dimension, but as
a part of this change (or in a soon-to-follow change) it can simply
examine the MachineRepresentation.
BUG=
Review-Url: https://codereview.chromium.org/2258073002
Cr-Commit-Position: refs/heads/master@{#38978}
This removes test/webkit/fast/js/stack-overflow-arrity-catch.js, which tests that the stack overflows in a very particular way. It doesn't seem to test anything important, and only used to work because we didn't inline into try-blocks.
BUG=
R=jarin
Review-Url: https://codereview.chromium.org/2216353002
Cr-Commit-Position: refs/heads/master@{#38976}
If we know statically that x and y are both in Unsigned32 or NaN or -0,
and we have SignedSmall or Signed32 feedback for x % y, then we can take
the feedback on the inputs and lower to Uint32Mod.
Drive-by-fix: Refactor this logic into a separate method.
R=jarin@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2287303002
Cr-Commit-Position: refs/heads/master@{#38975}
- Make constants more interesting.
- Add an addition to be done after the inlined call in the try-block.
- On command line, have a bit more output.
- New alternative that deopts from unoptimized code.
BUG=
R=jarin
Review-Url: https://codereview.chromium.org/2285743002
Cr-Commit-Position: refs/heads/master@{#38974}
Infer exact types for the various Date getter builtins, and also inline
the Date.prototype.getTime() builtin, which just returns the Date value
and thus doesn't need to check the cache stamp.
R=epertoso@chromium.org
Review-Url: https://codereview.chromium.org/2285213002
Cr-Commit-Position: refs/heads/master@{#38973}
Drop the typing rules for the machine operators and replace them
with UNREACHABLE. These typing rules were never correct and there's
also no need to have those rules at all.
Drive-by-fix: Remove the extremely annoying test-simplified-lowering.cc
file, which is not very useful, but consumes a large amount of time to
keep it compiling and passing. Instead we should introduce appropriate
tests for the SimplifiedLowering that also test something meaningful
w/o just cementing the implementation.
R=jarin@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2292463002
Cr-Commit-Position: refs/heads/master@{#38970}
These JavaScript operators were special hacks to ensure that we always
operate on Smis for the magic for-in index variable, but this never
really worked in the OSR case, because the OsrValue for the index
variable didn't have the proper information (that we have for the
JSForInPrepare in the non-OSR case).
Now that we have loop induction variable analysis and binary operation
hints, we can just use JSLessThan and JSAdd instead with appropriate
Smi hints, which handle the OSR case by inserting Smi checks (that are
always true). Thanks to OSR deconstruction and loop peeling these Smi
checks will be hoisted so they don't hurt the OSR case too much.
Drive-by-change: Rename the ForInDone bytecode to ForInContinue, since
we have to lower it to JSLessThan to get the loop induction variable
goodness.
R=epertoso@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2289613002
Cr-Commit-Position: refs/heads/master@{#38968}
For asm.js we now have a dedicated AsmTyper, that uses it's own type
system (which is tailored towards asm.js), and so we don't need the
special asm.js types anymore in the TypeCache. This also moves the
TypeCache into the src/compiler directory, because it doesn't make
sense to use outside anyways.
TBR=ahaas@chromium.orgR=jarin@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2289573002
Cr-Commit-Position: refs/heads/master@{#38964}
There's no need to preserve the exact callee for lazy bailouts
from JSCallFunction in the AstGraphBuilder, as fullcodegen code
will never look at that value after the callee returns. So we
just push optimized_out instead.
BUG=v8:5267
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2285183002
Cr-Commit-Position: refs/heads/master@{#38963}
Reason for revert:
Tanks pretty much alle metrics across the board. Probably LO space limit too low but needs investigation.
Original issue's description:
> [heap] Switch to 500k pages
>
> Decrease regular heap object size to 400k. In a follow up, we can now get rid of
> the new space border page while keeping the 1M minimum new space size.
>
> This reverts commit 1617043c10.
>
> BUG=chromium:636331
>
> Committed: https://crrev.com/2101e691caeef656eb91f1c98620b3955d337c83
> Cr-Commit-Position: refs/heads/master@{#38916}
TBR=ulan@chromium.org,verwaest@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:636331
NOPRESUBMIT=true
Review-Url: https://codereview.chromium.org/2289493002
Cr-Commit-Position: refs/heads/master@{#38960}
Reason for revert:
Significantly tanks parsing. We probably should just keep on doing what we're doing: partially deserialize while resolving variables. If we do scope-info backed resolution after regular resolution based on remaining free variables, we can probably reduce the time-frame of that part. We soon after anyway need to sync with the main thread.
Original issue's description:
> Always deserialize scope infos for parsing
>
> When looking up variables in the ScopeInfo, we did a linear scan of the
> ScopeInfo. Since that's unacceptably slow, a context slot cache was added
> that would speed up repeated lookups of the same variable.
>
> Instead, just always fully convert the ScopeInfo into scopes, so they can
> lookup variables without scanning the ScopeInfo.
>
> This also allows for removing the now unused ContextSlotCache.
>
> R=adamk@chromium.org,verwaest@chromium.org,marja@chromium.org
> BUG=v8:5315
>
> Committed: https://crrev.com/81f824cad18e4dc873a8838943217eb9c9f0c1f0
> Cr-Commit-Position: refs/heads/master@{#38953}
TBR=adamk@chromium.org,marja@chromium.org,jochen@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5315
Review-Url: https://codereview.chromium.org/2287783003
Cr-Commit-Position: refs/heads/master@{#38958}
As part of the work to implement catch prediction for async functions,
the resulting Promise that is the output of the function needs to be
available earlier for a couple reasons:
- To be able to do %DebugPushPromise/%DebugPopPromise over the body
of the async function
- To be able to pass the resulting promise into AsyncFunctionAwait
in order to set up the dependency chains
This patch creates the Promise earlier and pushes it onto the debug
stack; a later patch will set up the dependency chain. Although the
debug stack is set up, it's not anticipated that this will change
the catch prediction helpfully yet, as everything will still likely
be predicted as 'caught' for now, as before.
R=caitp@igalia.com,yangguo@chromium.org
CC=neis@chromium.org,gsathya@chromium.org
BUG=v8:5167
Review-Url: https://codereview.chromium.org/2233923003
Cr-Commit-Position: refs/heads/master@{#38957}
By removing the copy flag, we reduce the amount of strings to be copied each
time.
BUG=v8:5089
LOG=N
Review-Url: https://codereview.chromium.org/2233993002
Cr-Commit-Position: refs/heads/master@{#38955}
When looking up variables in the ScopeInfo, we did a linear scan of the
ScopeInfo. Since that's unacceptably slow, a context slot cache was added
that would speed up repeated lookups of the same variable.
Instead, just always fully convert the ScopeInfo into scopes, so they can
lookup variables without scanning the ScopeInfo.
This also allows for removing the now unused ContextSlotCache.
R=adamk@chromium.org,verwaest@chromium.org,marja@chromium.org
BUG=v8:5315
Review-Url: https://codereview.chromium.org/2280933002
Cr-Commit-Position: refs/heads/master@{#38953}
The embedder is expected to arrange for the array buffer contents to be
transferred into a v8::ArrayBuffer in the receiving context (generally by
assuming ownership of the externalized backing store).
BUG=chromium:148757
Review-Url: https://codereview.chromium.org/2275033003
Cr-Commit-Position: refs/heads/master@{#38948}
The accumulator is always part of the translation for every interpreted
frame. The assumption is that all frames are in {TOS_REGISTER} state.
This however is not supported for non-topmost frames and we need to
avoid pushing the accumulator onto the machine stack.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2271153003
Cr-Commit-Position: refs/heads/master@{#38945}
These DCHECKs were causing several test failures or r6. They should not
be here because only NEG.PS format was removed in r6, NEG.S and NEG.D
instructions remain.
BUG=
Review-Url: https://codereview.chromium.org/2276563006
Cr-Commit-Position: refs/heads/master@{#38944}
Floating point negate instructions are still present in release 6, only
one format of neg is removed, NEG.PS. Others formats can be used and in
r6 they also change the sign of NaN-like operands as well. This makes r6
generated code simpler for Neg_d and Neg_s macroassembler functions.
BUG=
Review-Url: https://codereview.chromium.org/2285703002
Cr-Commit-Position: refs/heads/master@{#38943}
on architectures that do not support missaligned memory access
BUG=unittests/AstDecoderTest.Float64Const, unittests/AstDecoderTest.Float32Const
Review-Url: https://codereview.chromium.org/2275323002
Cr-Commit-Position: refs/heads/master@{#38941}
New space evaucation in MC supports, similar to scavenges, fall back allocation
in old space.
For new space evacuation we support stick and non-sticky modes for fallback. The
sticky mode essentially removes the capability to allocate in new space while
the non-sticky mode only falls back for a single allocation.
We use the non-sticky mode for allocations that are too large for a LAB but
should still go in new space. When such an allocation fails in new space, we
allocate in old space in non-sticky mode as we would still like to reuse the
remainder memory in new space. However, in such a case we fail to properly
report the space allocated in resulting in a missed recorded slot.
BUG=chromium:641270
R=ulan@chromium.org
Review-Url: https://codereview.chromium.org/2280943002
Cr-Commit-Position: refs/heads/master@{#38940}