identifier. Delete unused (and now incorrect) function IsValidStrictVariable.
Implements the strong mode proposal's static restrictions on the use of the
identifier 'undefined'. Assumes these restrictions are intended to be identical
to the restrictions on the use of 'eval' and 'arguments' in strict mode. The
AllowEvalOrArgumentsAsIdentifier enum has been renamed to
AllowRestrictedIdentifiers as logic involving it is now also used for this case.
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1070633002
Cr-Commit-Position: refs/heads/master@{#27744}
Currently we always generate a diamond in the graph builder for every
legacy const context slot, which we cannot get rid of until late control
reduction, even if we know after context specialization that the slot is
already initialized.
Now we generate a select instead, which the CommonOperatorReducer
happily removes during typed lowering. This greatly speeds up asm.js
code generated by Emscripten with the new POINTER_MASKING mode.
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/1072353002
Cr-Commit-Position: refs/heads/master@{#27739}
This makes sure Crankshaft respects interceptors in the global object
even when they shadow a constant global property.
R=verwaest@chromium.org
TEST=cctest/test-api-interceptors/PrePropertyHandler
Review URL: https://codereview.chromium.org/1070803002
Cr-Commit-Position: refs/heads/master@{#27733}
When ObjectToString is installed on Object.prototype twice (once in v8natives.js, and once in harmony-tostring.js), this pollutes old code spaces on some devices. To prevent this, the function is only installed once, preventing test failures when the --harmony-tostring flag is flipped on by default.
BUG=v8:3502
LOG=N
R=arv@chromium.org
Review URL: https://codereview.chromium.org/1072083002
Cr-Commit-Position: refs/heads/master@{#27720}
This is a workaround to make the debugger happy about TurboFan frames
when the debugger causes frame inspection. Note that this can happen
because the debugger can be activated while there still are optimized
TurboFan activations on the stack.
R=ishell@chromium.org
BUG=chromium:465298
TEST=mjsunit/regress/regress-crbug-465298
LOG=N
Review URL: https://codereview.chromium.org/1074793003
Cr-Commit-Position: refs/heads/master@{#27717}
These comparisons are only meant to be done by AstValueFactory itself (in
its string_table_ operations), so make the Compare() function a private
member of AstValueFactory.
All other clients of AstRawStrings should compare them by pointer value.
There were only two clients which failed to abide by this rule, one
recently-added (in ModuleDescriptor) and the other in Literal::Match
(in ast.cc, added in https://code.google.com/p/v8/source/detail?r=24396).
Review URL: https://codereview.chromium.org/1069423003
Cr-Commit-Position: refs/heads/master@{#27715}
This makes some tests in test-heap.cc more robust against flags, now
that top-level code can be optimized by the --always-opt flag.
R=hpayer@chromium.org
TEST=cctest/test-heap/TestInternalWeakLists
Review URL: https://codereview.chromium.org/1071063004
Cr-Commit-Position: refs/heads/master@{#27699}
This is preparatory work to have MachineTypes encoded in AllocatedOperands.
Review URL: https://codereview.chromium.org/1075863002
Cr-Commit-Position: refs/heads/master@{#27698}
- ConstantOperand was using a too-small field too store its virtual register
- drop ConvertTo, replace it with simple copy
- split AllocatedOperand off from Immediate and Constant to make assignment clearer, also paving the way for small Immediates
- put zone first in *Operand::New
- driveby: drop delayed ssa deconstruction experiment
R=titzer@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1050803002
Cr-Commit-Position: refs/heads/master@{#27692}
Those two tests fail in gc-stress and custom snapshot (embedding mjsunit.js).
This is likely due to different GC timing with the custom snapshot.
R=mstarzinger@chromium.org
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1078653002
Cr-Commit-Position: refs/heads/master@{#27688}
Port 9af9f1d026
Original commit message:
These operators compute the absolute floating point value of some
arbitrary input, and are implemented without any branches (i.e. using
vabs on arm, and andps/andpd on x86).
BUG=
Review URL: https://codereview.chromium.org/1073463003
Cr-Commit-Position: refs/heads/master@{#27679}
If we optimize a function before gathering feedback it may be
peppered with soft deoptimizations. So it can't help but deoptimize.
A judicious reading of the code isn't enough to determine what the
optimization state should be in the face of such chaotic gyrations.
BUG=
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/1069363003
Cr-Commit-Position: refs/heads/master@{#27671}
This allows loopy TurboFan code to be interrupted by placing a stack
check (i.e. JSStackCheck node) into each loop. Note that we currently
limit this to non-asm.js code. Also note that stack checks are actually
placed after loop headers and not at back-branches, which allows us to
reuse existing BailoutIds from Crankshaft.
R=titzer@chromium.org
Review URL: https://codereview.chromium.org/1065923002
Cr-Commit-Position: refs/heads/master@{#27666}
These operators compute the absolute floating point value of some
arbitrary input, and are implemented without any branches (i.e. using
vabs on arm, and andps/andpd on x86).
R=svenpanne@chromium.org
Review URL: https://codereview.chromium.org/1066393002
Cr-Commit-Position: refs/heads/master@{#27662}
This is a follow-up to 2d281e71ac and prevents bailouts on empty
script contexts in Crankshaft, which don't need allocation. Only
non-empty script contexts should cause a bailout.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1063373003
Cr-Commit-Position: refs/heads/master@{#27649}
Performance measurements show that the position independent code is
usually slightly faster than the position dependent code, and there
seems to be no noticable regression.
This also gets rid of a lot of support code that was only required to allow
embedding labels into the code stream. And it implies that neither the GC
nor the deserializer need to do anything for jump tables.
R=svenpanne@chromium.org
BUG=v8:3872
LOG=n
Review URL: https://codereview.chromium.org/1069633002
Cr-Commit-Position: refs/heads/master@{#27646}
The ES6 grammar forbids the initialization of variable declarations in IterationStatements.
This CL will report `for (var x = y in z)` as a SyntaxError in strict mode (as done in JSC). It is possible that this could break sites in sloppy mode, and so that change can wait.
BUG=
R=
LOG=N
Review URL: https://codereview.chromium.org/1033823002
Cr-Commit-Position: refs/heads/master@{#27639}
This enables eager optimization of top-level code with TurboFan and
extends test coverage by triggering it with the --always-opt flag.
Script contexts are now also properly allocated in TurboFan.
R=titzer@chromium.org
Review URL: https://codereview.chromium.org/1053063003
Cr-Commit-Position: refs/heads/master@{#27633}
Instead, please use v8::Isolate::RequestInterrupt to synchronize
to the main thread.
R=yurys@chromium.org
API=Removed v8::Debug::DebugBreakForCommand
LOG=Y
Review URL: https://codereview.chromium.org/1036863002
Cr-Commit-Position: refs/heads/master@{#27625}
Support sxtb and sxth extend operators on add and subtract, as we've
done for ubtx/h. This is similar to ARM support for sxtab/h.
BUG=
Review URL: https://codereview.chromium.org/1064813003
Cr-Commit-Position: refs/heads/master@{#27624}
This CL primarily makes the loop peeling algorithm more robust; it no longer damages the graph if the loops are improperly closed.
R=bmeurer@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1052753004
Cr-Commit-Position: refs/heads/master@{#27620}
We can use xorps/xorpd on Intel CPUs to flip the sign bit. Ideally we'd
use an absolute 128-bit constant in the code object, as OCaml/GCC
does, however that requires 128-bit alignment for code objects,
which is not yet implemented. So for now we materialize the mask
inline.
As drive-by-fix, don't hardcode xmm0 as scratch double register.
R=svenpanne@chromium.org
Review URL: https://codereview.chromium.org/1064833002
Cr-Commit-Position: refs/heads/master@{#27618}
The motivation is that we prefer to avoid creating internal properties, and we have a usable field on maps ("transitions", which is not used for prototype maps).
This CL also ensures the invariant that prototype maps are never shared, even if they are in dictionary mode.
Review URL: https://codereview.chromium.org/1033653002
Cr-Commit-Position: refs/heads/master@{#27617}
Optimistically pushing a lot of arguments can run into the stack limit of the process, at least on operating systems where this limit is close to the limit that V8 sets for itself.
BUG=chromium:469768
LOG=y
Review URL: https://codereview.chromium.org/1056913003
Cr-Commit-Position: refs/heads/master@{#27614}
We can use xorps/xorpd on Intel CPUs to flip the sign bit. Ideally we'd
use a RIP-relative 128-bit constant in the code object, as OCaml/GCC
does, however that requires 128-bit alignment for code objects, which is
not yet implemented. So for now we materialize the mask inline.
R=dcarney@chromium.org
Review URL: https://codereview.chromium.org/1046893002
Cr-Commit-Position: refs/heads/master@{#27611}
cctest/test-log/EquivalenceOfLoggingAndTraversal fails on
AIX because it does not correctly handle the full 64 bit
address space supported by AIX. SKIP until the issue
is resolved.
modified: test/cctest/cctest.status
R=danno@chromium.org, svenpanne@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1055183002
Cr-Commit-Position: refs/heads/master@{#27608}
Previously, the only optimized code path for Maps and Sets was for String keys.
This was achieved through an implementation of various complex operations
in Hydrogen. This approach was neither scalable nor forward-compatible.
This patch adds the necessary intrinsics to implement Maps and Sets almost entirely
in JS. The added intrinsics are:
%_FixedArrayGet
%_FixedArraySet
%_TheHole
%_JSCollectionGetTable
%_StringGetRawHashField
With these additions, as well as a few changes to what's exposed as runtime functions,
most of the C++ code backing Maps and Sets is gone (including both runtime code in
objects.cc and Crankshaft in hydrogen.cc).
Review URL: https://codereview.chromium.org/947683002
Cr-Commit-Position: refs/heads/master@{#27605}
From ES6 25.2.3 ("Properties of the GeneratorFunction Prototype
Object"):
> The GeneratorFunction prototype object is an ordinary object. It is
> not a function object and does not have an [[ECMAScriptCode]] internal
> slot or any other of the internal slots listed in Table 27 or Table
> 56.
Introduce one assertion for the value's type and additional tests for its
properties. Remove an invalid assertion that fails as a result of this
fix.
BUG=v8:3991
LOG=N
Review URL: https://codereview.chromium.org/1062633002
Cr-Commit-Position: refs/heads/master@{#27603}
- Fixed single float register type instruction en[de]coding in assembler and disassembler.
- Added max and min instructions for r6 and corresponding tests.
- Fixed selection instruction for boundary cases in simulator.
- Update assembler tests to be more thorough wrt boundary cases.
TEST=cctest/test-assembler-mips64/MIPS17, MIPS18
cctest/test-disasm-mips64/Type1
cctest/test-assembler-mips/MIPS16, MIPS17
cctest/test-disasm-mips/Type1
BUG=
Review URL: https://codereview.chromium.org/1057323002
Cr-Commit-Position: refs/heads/master@{#27601}
Currently, this doesn't really help to generate better code,
nevertheless this is the right thing to do. When our type system(s)
are fixed, this should avoid falling back to floating point operations
in various cases.
Review URL: https://codereview.chromium.org/1057813002
Cr-Commit-Position: refs/heads/master@{#27578}
In ES6 Object.getOwnPropertyDescriptor should call ToObject, which
means that primitive values will return descriptors from the wrapper.
BUG=v8:3964
LOG=N
R=adamk, rossberg@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/998163004
Cr-Commit-Position: refs/heads/master@{#27569}
The removed assertion consistently passes not because the invoked
`close` method internally throws a `TypeError` but because the `close`
method does not exist. The ES6 specification does not define a `close`
method on the GeneratorPrototype, so this test is a tautology.
BUG=None
LOG=N
R=arv
Review URL: https://codereview.chromium.org/1046963002
Cr-Commit-Position: refs/heads/master@{#27567}
The modified assertions targeted the property descriptor for the
template object's first "cooked" value. The code immediately preceeding
these statements asserts these values.
Update the assertions to instead target the property descriptor for the
template object's first "raw" value (which are otherwise untested).
BUG=
Review URL: https://codereview.chromium.org/1049523003
Cr-Commit-Position: refs/heads/master@{#27566}
This reverts commit 992751d0dc.
The final spec for Object.getPrototypeOf calls ToObject on the
parameter, which means that it should only throw for null and
undefined. For other non object values the prototype of the wrapper
should be used.
Difference from last time: Updated .status and will disable Blink
side tests as needed.
BUG=v8:3964
LOG=N
R=adamk, rossberg@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1051523003
Cr-Commit-Position: refs/heads/master@{#27558}
It triggers once per context that calls observe (or attempts to access
any observation metadata, e.g. through Object.getNotifier).
Review URL: https://codereview.chromium.org/1048213002
Cr-Commit-Position: refs/heads/master@{#27557}
In DevTools we've already used sourceURL in inline scripts.
This CL makes the behavior of the V8 in the same for Error.stack property and v8::StackTrace.
BUG=v8:3920
LOG=Y
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/1044173002
Cr-Commit-Position: refs/heads/master@{#27554}
Add missing parts of the port to MIPS/MIPS64 implementations.
BUG=
Review URL: https://codereview.chromium.org/1047213002
Cr-Commit-Position: refs/heads/master@{#27551}
The spec settled on ToBoolean instead of only using not undefined.
BUG=v8:3827
LOG=N
R=adamk
Review URL: https://codereview.chromium.org/1045113002
Cr-Commit-Position: refs/heads/master@{#27548}
Second try. Disabled the tests that were failing due to
https://github.com/tc39/test262/issues/215
This updates test262 to revision d24fd10 (2015/03/11).
The files moved around in the test repo and a lot of new tests are
failing.
BUG=None
LOG=N
R=adamk, rossberg
Review URL: https://codereview.chromium.org/1040093003
Cr-Commit-Position: refs/heads/master@{#27543}
This changes the IrOpcode::kThrow operator to have kNoThrow property,
which sounds unintuitive, but holds for our graphs. The operators is
used to indicate exceptional control flow out of the function, but in
itself does not throw, the throwing is done by a runtime call.
R=titzer@chromium.org
TEST=unittests/CommonOperatorTest/CommonSharedOperatorTest.Properties
Review URL: https://codereview.chromium.org/1046173002
Cr-Commit-Position: refs/heads/master@{#27541}
Currently this only sets branch hints, so we get unlikely code "out of
the way", but in the long run the register allocator needs some love
to treat the unlikely code as, well, unlikely. :-)
Review URL: https://codereview.chromium.org/1048063002
Cr-Commit-Position: refs/heads/master@{#27540}
The V8::IdleNotification will only return 'True' when the gc idle time handler
thinks there is no more GC which can be done. However, the gc idle task handler
can end up repeatedly making no progress (e.g., if it can't finalize a sweep)
which causes idle tasks to be repeatedly scheduled in Chrome which do nothing
but wake up Chrome. Fix this by returning Done if we can't make any progress
within an Idle Round.
BUG=chromium:470615
LOG=Y
Review URL: https://codereview.chromium.org/1042483002
Cr-Commit-Position: refs/heads/master@{#27529}
We only report the usages when full parse is happening, i.e. only when the function that declares a legacy const is compiled. This is an approximation that is easy to implement, but still should reflect the real-world usage.
BUG=v8:3942
LOG=N
Review URL: https://codereview.chromium.org/1041863002
Cr-Commit-Position: refs/heads/master@{#27526}
Reason for revert:
Bot failed to include verifyNotEnumerable function for some screwed up reason.
Original issue's description:
> [es6] Update test262 tests
>
> This updates test262 to revision d24fd10 (2015/03/11).
>
> The files moved around in the test repo and a lot of new tests are
> failing.
>
> BUG=None
> LOG=N
> R=rossberg
>
> Committed: https://crrev.com/4f2fb3835feff3663146f12be42b01a226d0065e
> Cr-Commit-Position: refs/heads/master@{#27522}
TBR=rossberg@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=None
Review URL: https://codereview.chromium.org/1047713002
Cr-Commit-Position: refs/heads/master@{#27525}
This test will fail once we optimize top-level code, because the
aforementioned intrinsic doesn't perform a NumberToUint32 conversion.
R=titzer@chromium.org
TEST=mjsunit/asm/math-clz32
Review URL: https://codereview.chromium.org/1041173002
Cr-Commit-Position: refs/heads/master@{#27524}
This prepares for re-landing crrev.com/956373002
This pulls all decision about the snapshot [no|internal|external] into one rule. Previously, this logic was in separate places and not /quite/ the same, which causes build problems.
BUG=
Review URL: https://codereview.chromium.org/1016603004
Cr-Commit-Position: refs/heads/master@{#27523}
This updates test262 to revision d24fd10 (2015/03/11).
The files moved around in the test repo and a lot of new tests are
failing.
BUG=None
LOG=N
R=rossberg
Review URL: https://codereview.chromium.org/1025043002
Cr-Commit-Position: refs/heads/master@{#27522}
A bug allows JSObject literals with elements to have the elements in the
boilerplate modified.
BUG=466993
LOG=N
Review URL: https://codereview.chromium.org/1037273002
Cr-Commit-Position: refs/heads/master@{#27511}
This adds the basics necessary to support float32 operations in TurboFan.
The actual functionality required to detect safe float32 operations will
be added based on this later. Therefore this does not affect production
code except for some cleanup/refactoring.
In detail, this patchset contains the following features:
- Add support for float32 operations to arm, arm64, ia32 and x64
backends.
- Add float32 machine operators.
- Add support for float32 constants to simplified lowering.
- Handle float32 representation for phis in simplified lowering.
In addition, contains the following (related) cleanups:
- Fix/unify naming of backend instructions.
- Use AVX comparisons when available.
- Extend ArchOpcodeField to 9 bits (required for arm64).
- Refactor some code duplication in instruction selectors.
BUG=v8:3589
LOG=n
R=dcarney@chromium.org
Review URL: https://codereview.chromium.org/1044793002
Cr-Commit-Position: refs/heads/master@{#27509}
No compiler support for now (BTW: %_NewString, doesn't have that,
either), inline allocation will come later. Hopefully the last
intrisic to add for a StringAddStub POC...
Review URL: https://codereview.chromium.org/1041723002
Cr-Commit-Position: refs/heads/master@{#27508}
And reland "Use a slot that is located on a heap page when removing
invalid entries from the SlotsBuffer."
This reverts commits de018fbda3 and
d23a9f7a3e.
Reason for relanding: looking fine on Canary, let's get these fixes back in.
BUG=chromium:454297,chromium:470801
LOG=y
TBR=ishell@chromium.org
Review URL: https://codereview.chromium.org/1043703003
Cr-Commit-Position: refs/heads/master@{#27507}
On 'debugger' statement, if anything in debugger calls 'EnsureDebugInfo'
on a function, EnsureDebugInfo would compile and substitute code without
debug break slots. This causes weird behavior later when stepping fails
to work (see added test as an example).
This fix is to make sure the debugger is prepared for breakpoints in
that case as well.
Also adds extra testing for bug 468661.
R=yangguo@chromium.org,yurys@chromium.orh
BUG=v8:3990,chromium:468661
LOG=N
Review URL: https://codereview.chromium.org/1032353002
Cr-Commit-Position: refs/heads/master@{#27502}
The current GC idle time handling heuristics are getting too complicated. Moreover, with longer idle time we are getting more full garbage collections. This CL shrinks the idle round window and reduces complexity in the case where we cause a full garbage collection.
BUG=chromium:468554
LOG=n
Review URL: https://codereview.chromium.org/1024043003
Cr-Commit-Position: refs/heads/master@{#27493}
Reason for revert:
Reverting risky GC changes that block v8 roll.
Original issue's description:
> Reland "Filter invalid slots out from the SlotsBuffer after marking."
>
> > There are two reasons that could cause invalid slots appearance in SlotsBuffer:
> > 1) If GC trims "tail" of an array for which it has already recorded a slots and then migrate another object to the "tail".
> > 2) Tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).
>
> > This CL also adds useful machinery that helps triggering incremental write barriers.
>
> > BUG=chromium:454297
> > LOG=Y
>
> NOTRY=true
>
> Committed: https://crrev.com/f86aadd1d45c756467dff8e08a055b462d7a060b
> Cr-Commit-Position: refs/heads/master@{#27433}
TBR=machenbach@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1041593002
Cr-Commit-Position: refs/heads/master@{#27491}
Only one FrameInspector can be active at a time on any given stack,
this ensures that it's lifetime is sufficiently scoped.
R=yangguo@chromium.org
TEST=mjsunit/regress/regress-crbug-259300
Review URL: https://codereview.chromium.org/1034743002
Cr-Commit-Position: refs/heads/master@{#27477}
Instead of CanRetainOtherContext, we now manually blacklist all access-checked objects.
BUG=
Review URL: https://codereview.chromium.org/1020803004
Cr-Commit-Position: refs/heads/master@{#27473}
Before this patch the embedder could assign timestamp to the last interval after calling GetHeapStats. This would be slightly different from the timstamps assigned by v8 internally and written into heap snapshot. This patch allow to avoid this small discrepancy by returning timestamp along with last heap stats update.
BUG=chromium:467222
LOG=Y
Review URL: https://codereview.chromium.org/1037803002
Cr-Commit-Position: refs/heads/master@{#27466}
This method uses in messages.js in GetSourceLine and GetPositionInLine. This methods uses in v8::Message API methods and there is no documentation about it.
Method looks obsolete.
One of the strange side effect is shown by attached issue.
BUG=chromium:468781
TBR=yangguo@chromium.org
LOG=Y
Review URL: https://codereview.chromium.org/1033973002
Cr-Commit-Position: refs/heads/master@{#27458}
This adapts the debugger so that the first break event starting the
stepping process can come from optimized code. TurboFan supports a
debugger statement and hence can be the top-most frame whenever the
Debug::HandleDebugBreak handler is triggered.
R=yangguo@chromium.org
TEST=mjsunit/debug,cctest/test-debug
Review URL: https://codereview.chromium.org/1038613002
Cr-Commit-Position: refs/heads/master@{#27447}
Also fix Debug.showBreakPoints for multiple break points at the same location.
BUG=v8:3960
LOG=N
Review URL: https://codereview.chromium.org/998253005
Cr-Commit-Position: refs/heads/master@{#27444}
This switches full-codegen to no longer push and pop StackHandler
markers onto the operand stack, but relies on a range-based handler
table instead. We only use StackHandlers in JSEntryStubs to mark the
transition from C to JS code.
Note that this makes deoptimization and OSR from within any try-block
work out of the box, makes the non-exception paths faster and should
overall be neutral on the memory footprint (pros).
On the other hand it makes the exception paths slower and actually
throwing and exception more expensive (cons).
R=yangguo@chromium.org
TEST=cctest/test-run-jsexceptions/DeoptTry
Review URL: https://codereview.chromium.org/1010883002
Cr-Commit-Position: refs/heads/master@{#27440}
> There are two reasons that could cause invalid slots appearance in SlotsBuffer:
> 1) If GC trims "tail" of an array for which it has already recorded a slots and then migrate another object to the "tail".
> 2) Tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).
> This CL also adds useful machinery that helps triggering incremental write barriers.
> BUG=chromium:454297
> LOG=Y
NOTRY=true
Review URL: https://codereview.chromium.org/1032833002
Cr-Commit-Position: refs/heads/master@{#27433}
Reason for revert:
Need to revert in order to revert https://codereview.chromium.org/1029323003/
Original issue's description:
> Filter invalid slots out from the SlotsBuffer after marking.
>
> There are two reasons that could cause invalid slots appearance in SlotsBuffer:
> 1) If GC trims "tail" of an array for which it has already recorded a slots and then migrate another object to the "tail".
> 2) Tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).
>
> This CL also adds useful machinery that helps triggering incremental write barriers.
>
> BUG=chromium:454297
> LOG=Y
>
> Committed: https://crrev.com/5c47c1c0d3e4a488f190c16a64ee02f5a14e6561
> Cr-Commit-Position: refs/heads/master@{#27423}
TBR=hpayer@chromium.org,erik.corry@gmail.com,ishell@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:454297
Review URL: https://codereview.chromium.org/1033453005
Cr-Commit-Position: refs/heads/master@{#27426}
The root cause for the bug is that the positions assigned to desugared
code was inconsistent with the source ranges of block scopes.
Since the fact that the position is assigned causes the debugger to
break at the parser-generated statement, the fix is to remove positions
from those nodes that we do not want to break on.
The CL also teaches Hydrogen to tolerate these cases.
R=adamk@chromium.org,rossberg@chromium.org
BUG=chromium:468661
LOG=Y
Review URL: https://codereview.chromium.org/1032653002
Cr-Commit-Position: refs/heads/master@{#27424}
There are two reasons that could cause invalid slots appearance in SlotsBuffer:
1) If GC trims "tail" of an array for which it has already recorded a slots and then migrate another object to the "tail".
2) Tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).
This CL also adds useful machinery that helps triggering incremental write barriers.
BUG=chromium:454297
LOG=Y
Review URL: https://codereview.chromium.org/1010363005
Cr-Commit-Position: refs/heads/master@{#27423}
Gather references to unbound variables where the reference (VariableProxy) is
inside strong mode. Check them against the global object when a script is bound
to a context (during compilation).
This CL only checks unbound variables which are not inside lazy functions - TBD
how do we solve that; alternatives: add developer mode which disables laziness /
do the check whenever lazy functions are really compiled.
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1005063002
Cr-Commit-Position: refs/heads/master@{#27422}