Commit Graph

1937 Commits

Author SHA1 Message Date
ishell
b4dbb2f710 [deoptimizer] Do not modify stack_fp which is used as a key for lookup of previously materialized objects.
BUG=chromium:604680, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1904663003

Cr-Commit-Position: refs/heads/master@{#35693}
2016-04-21 09:54:33 +00:00
adamk
e96cbdcdd6 More accurately record an end position for default parameters in arrows
Our previous over-conservative answer caused us to emit hole checks in
full-codegen when eagerly parsing but not when lazily parsing.

With this patch, we use the positions of the BinaryOperations making up
the parameter list (which are the positions of the commas) to determine
the appropriate "end position" for each parameter's initializer. This means
that we get accurate-enough positions for the initializers in the eager
parsing step to get the same answers for hole-check-elimination that we
will later during ParseLazy.

In the included test case, for example:

  (function() { ((s = 17, y = s) => s)(); } )();
                        ^2     ^1

The old code would generate a hole check when trying to load
|s| for assignment to |y| (because it treated the closing parentheses
pointed to by "^1" as the "initialization position" of |s|).

The new code uses the comma pointed to by "^2" as the initialization
position of |s|. Since that occurs textually before the load of |s|,
full-codegen knows it can avoid the hole check.

BUG=v8:4908
LOG=n

Review URL: https://codereview.chromium.org/1900343002

Cr-Commit-Position: refs/heads/master@{#35678}
2016-04-20 20:49:16 +00:00
titzer
b994ad45b0 [turbofan] Length and index2 are unsigned in CheckedLoad/CheckedStore.
Also factor out test cases from test-run-machops.cc into test-run-load-store.cc

BUG=chromium:599717
LOG=Y

Review URL: https://codereview.chromium.org/1858323003

Cr-Commit-Position: refs/heads/master@{#35651}
2016-04-20 09:35:06 +00:00
ishell
28113880e3 Fix polymorphic keyed load handler selection for proxies.
BUG=chromium:603463
LOG=N

Review URL: https://codereview.chromium.org/1894203002

Cr-Commit-Position: refs/heads/master@{#35607}
2016-04-19 08:58:43 +00:00
bmeurer
e96c143171 [turbofan] Optimize typeof in abstract/strict equality comparison.
Add support to optimize certain comparisons of typeof with known
strings to utilize the existing ObjectIs<Type> predicates. Also
add a new ObjectIsCallable, which is used to optimize the common
typeof x === "function" pattern.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1898653003

Cr-Commit-Position: refs/heads/master@{#35562}
2016-04-18 07:03:23 +00:00
mvstanton
401450493e Security: type confusion lead to information leak in decodeURI
Quit using the global array in uri code.

R=yangguo@chromium.org
BUG=chromium:602970
LOG=N

Review URL: https://codereview.chromium.org/1889133003

Cr-Commit-Position: refs/heads/master@{#35530}
2016-04-15 13:09:45 +00:00
yangguo
93135d8c0d [regexp] fix assertion failure when parsing close to stack overflow.
R=jkummerow@chromium.org
BUG=chromium:600257
LOG=N

Review URL: https://codereview.chromium.org/1884143002

Cr-Commit-Position: refs/heads/master@{#35496}
2016-04-14 14:44:28 +00:00
hablich
b88d048adf Reland of [compiler] Make feedback vector cope with flag changes. (patchset #1 id:1 of https://codereview.chromium.org/1876103002/ )
Reason for revert:
Did not fail on another roll including this CL ..

Original issue's description:
> Revert of [compiler] Make feedback vector cope with flag changes. (patchset #1 id:1 of https://codereview.chromium.org/1869693003/ )
>
> Reason for revert:
> Blocks current roll: https://codereview.chromium.org/1876713002/ according to bisect: https://codereview.chromium.org/1872353002/#ps80001
>
> Original issue's description:
> > [compiler] Make feedback vector cope with flag changes.
> >
> > This fixes corner cases where the layout of feedback vectors baked into
> > the snapshot is different from the expected layout, depending on some
> > runtime flags. We make sure the feedback vector is regenereated for
> > functions that are not compiled. Flag changes of this kind are only
> > allowed when code is not serialized.
> >
> > An alternative solution would be to not serialize the feedback vector
> > for such cases in the first place. That solution however would have a
> > higher overhead, as it would required the serializer to be able to
> > recognize feedback vectors while generating a snapshot.
> >
> > R=mvstanton@chromium.org
> > TEST=mjsunit/regress/regress-crbug-600995
> > BUG=chromium:600995
> > LOG=n
> >
> > Committed: https://crrev.com/460bff5fb6af2bd79e610f89afdf6da9dba3cf0c
> > Cr-Commit-Position: refs/heads/master@{#35339}
>
> TBR=mvstanton@chromium.org,mstarzinger@chromium.org
>
> BUG=chromium:600995
> LOG=N
> NOTRY=true
>
> Committed: https://crrev.com/78049e9c4837f053575d6c71e53ae12fec99f1aa
> Cr-Commit-Position: refs/heads/master@{#35392}

TBR=mvstanton@chromium.org,mstarzinger@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:600995

Review URL: https://codereview.chromium.org/1876973002

Cr-Commit-Position: refs/heads/master@{#35398}
2016-04-11 18:56:37 +00:00
hablich
78049e9c48 Revert of [compiler] Make feedback vector cope with flag changes. (patchset #1 id:1 of https://codereview.chromium.org/1869693003/ )
Reason for revert:
Blocks current roll: https://codereview.chromium.org/1876713002/ according to bisect: https://codereview.chromium.org/1872353002/#ps80001

Original issue's description:
> [compiler] Make feedback vector cope with flag changes.
>
> This fixes corner cases where the layout of feedback vectors baked into
> the snapshot is different from the expected layout, depending on some
> runtime flags. We make sure the feedback vector is regenereated for
> functions that are not compiled. Flag changes of this kind are only
> allowed when code is not serialized.
>
> An alternative solution would be to not serialize the feedback vector
> for such cases in the first place. That solution however would have a
> higher overhead, as it would required the serializer to be able to
> recognize feedback vectors while generating a snapshot.
>
> R=mvstanton@chromium.org
> TEST=mjsunit/regress/regress-crbug-600995
> BUG=chromium:600995
> LOG=n
>
> Committed: https://crrev.com/460bff5fb6af2bd79e610f89afdf6da9dba3cf0c
> Cr-Commit-Position: refs/heads/master@{#35339}

TBR=mvstanton@chromium.org,mstarzinger@chromium.org

BUG=chromium:600995
LOG=N
NOTRY=true

Review URL: https://codereview.chromium.org/1876103002

Cr-Commit-Position: refs/heads/master@{#35392}
2016-04-11 15:36:30 +00:00
ishell
26c480d13c [deoptimizer] Extend assert to also expect kTailCallerFunction as bottommost frame when accessing arguments for inlined function.
BUG=chromium:601617, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1876753002

Cr-Commit-Position: refs/heads/master@{#35385}
2016-04-11 12:20:37 +00:00
mythria
8982cb5c70 [Interpreter] Handles legacy constants in strict mode.
Function bindings are the only variables in LEGACY_CONST mode.
(https://codereview.chromium.org/1819123002/). Since these variables
can also be accessed in strict mode functions we should support
handling such variables. Assigning to a legacy constant throws
a TypeError in strict mode. Also fixes hydrogen.cc to throw a
TypeError for legacy constants.

BUG=v8:4280,chromium:599068
LOG=N
TBR=rmcilroy@chromium.org

Review URL: https://codereview.chromium.org/1845223006

Cr-Commit-Position: refs/heads/master@{#35383}
2016-04-11 12:04:01 +00:00
adamk
a0a8ecd078 Remove runtime flags for sloppy mode block scoping features
These were all on by default in M49 without complaint.

R=littledan@chromium.org

Review URL: https://codereview.chromium.org/1858943002

Cr-Commit-Position: refs/heads/master@{#35342}
2016-04-08 00:30:20 +00:00
mstarzinger
460bff5fb6 [compiler] Make feedback vector cope with flag changes.
This fixes corner cases where the layout of feedback vectors baked into
the snapshot is different from the expected layout, depending on some
runtime flags. We make sure the feedback vector is regenereated for
functions that are not compiled. Flag changes of this kind are only
allowed when code is not serialized.

An alternative solution would be to not serialize the feedback vector
for such cases in the first place. That solution however would have a
higher overhead, as it would required the serializer to be able to
recognize feedback vectors while generating a snapshot.

R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-600995
BUG=chromium:600995
LOG=n

Review URL: https://codereview.chromium.org/1869693003

Cr-Commit-Position: refs/heads/master@{#35339}
2016-04-07 15:35:03 +00:00
cbruni
9478356ed3 Fix representation issue in FastArrayPushStub
Pushing undefined onto a FAST_DOUBLE_ARRAY does not enforce the right representation checks.

BUG=chromuim:599089
LOG=n

Review URL: https://codereview.chromium.org/1868973002

Cr-Commit-Position: refs/heads/master@{#35332}
2016-04-07 12:46:08 +00:00
mvstanton
ce1fe78d7e Bugfix: assert in lithium compile for LMaybeGrowElements
BUG=chromium:585041
LOG=N

Review URL: https://codereview.chromium.org/1854423003

Cr-Commit-Position: refs/heads/master@{#35331}
2016-04-07 11:41:39 +00:00
jarin
3df0a8c1f2 [crankshaft] Make infinite loops preserve control flow.
We have to preserve control flow so that the liveness analysis is less
confused. This CL fixes loops to preserve teh original control flow.

BUG=chromium:599710
LOG=n

Review URL: https://codereview.chromium.org/1863123002

Cr-Commit-Position: refs/heads/master@{#35318}
2016-04-07 05:36:44 +00:00
titzer
77a8c2ea86 [asm.js] Fix typing bug for non-literals in heap access.
R=bradnelson@chromium.org
BUG=chromium:599825
LOG=Y

Review URL: https://codereview.chromium.org/1858263002

Cr-Commit-Position: refs/heads/master@{#35273}
2016-04-05 17:24:03 +00:00
littledan
7a38462e8b Ensure CreateDataProperty works correctly on TypedArrays
Previously, CreateDataProperty would fail a DCHECK when used to create
an integer indexed property on a TypedArray. This patch makes it throw
a TypeError instead. The issue came up when Array.prototype.concat
was repaired to use CreateDataProperty rather than SetElement; concat
can be tricked into making a new TypedArray if it is given an Array
whose prototype is a TypedArray. This patch prevents the issue.

R=adamk
LOG=Y
BUG=chromium:596394

Review URL: https://codereview.chromium.org/1821723004

Cr-Commit-Position: refs/heads/master@{#35271}
2016-04-05 16:56:12 +00:00
cbruni
823224f3ee [elements] Fix length bounds precheck for Array.prototype.concat
BUG=chromium:599414
LOG=n

Review URL: https://codereview.chromium.org/1863553003

Cr-Commit-Position: refs/heads/master@{#35269}
2016-04-05 15:35:27 +00:00
jarin
4142bc6bc1 [turbofan] Restrict types in load elimination.
In simplified numbering, we make sanity checks based on types (e.g.,
NumberSubtract should take numbers as inputs), but this can be
violated if optimization passes make types less precise.

In this CL, we fix load elimination to make sure that types are
smaller in the store -> load elimination by taking an intersection
of the load's type with the store value's type and inserting a guard
with that type. Note that the load type comes from type feedback, so
it can be disjoint from the stored value type (in that case, this
must be dead code because the map chack for the load should prevent
us from using the stored value).

BUG=chromium:599412
LOG=n

Review URL: https://codereview.chromium.org/1857133003

Cr-Commit-Position: refs/heads/master@{#35259}
2016-04-05 12:30:14 +00:00
ishell
792bf2a093 [crankshaft] Fix environment handling after leaving inlined tail call.
BUG=chromium:537444, v8:4698
LOG=N
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1859763005

Cr-Commit-Position: refs/heads/master@{#35253}
2016-04-05 09:43:56 +00:00
bmeurer
e5724d958b [frames] Also properly deal with TF builtins in OptimizedFrame::GetFunctions().
This was missing from the previous fix.

R=ishell@chromium.org
BUG=chromium:599714
LOG=n

Review URL: https://codereview.chromium.org/1861583002

Cr-Commit-Position: refs/heads/master@{#35249}
2016-04-05 06:41:20 +00:00
mstarzinger
6ab9c1850f Fix resuming generator marked for optimization.
This fixes a corner case where the generator function of a suspended
generator has been marked for optimization. We assume the optimization
approach will cause a bailout because generators are not optimized. But
resuming is more resilient by always activating the unoptimized code.

R=neis@chromium.org,bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-513471
BUG=chromium:513471
LOG=n

Review URL: https://codereview.chromium.org/1856683002

Cr-Commit-Position: refs/heads/master@{#35234}
2016-04-04 11:52:09 +00:00
ishell
4598356f17 Properly complete in-object slack tracking.
BUG=chromium:599003
LOG=N

Review URL: https://codereview.chromium.org/1856653002

Cr-Commit-Position: refs/heads/master@{#35232}
2016-04-04 10:00:44 +00:00
ishell
c7ff5766cf Display a meaningfull error message when trying to capture a stack trace to a proxy.
... instead of RUNTIME_ASSERT pointing to V8 guts.

BUG=chromium:599067
LOG=N

Review URL: https://codereview.chromium.org/1844223004

Cr-Commit-Position: refs/heads/master@{#35227}
2016-04-04 08:37:30 +00:00
ishell
ecb8fcfcca [crankshaft] [turbofan] Fix environment handling when generating a tail call from inlined function.
This CL ensures that we build environments/frame states so that tail caller frame will never become topmost.

BUG=chromium:598998, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1849503002

Cr-Commit-Position: refs/heads/master@{#35188}
2016-04-01 07:22:47 +00:00
bmeurer
6df9a22c3f [ic] Use the CallFunction builtin to invoke accessors.
The HandlerCompiler did not properly handle the weird edge case when a
sloppy mode function was installed as an accessor on one of the value
wrapper prototypes and then accessed via a load from a primitive value.
In this case we just passed the primitive value untouched instead of
properly wrapping it first. The CallFunction builtin properly deals with
all the funny edge cases, so we use it instead of duplicating almost all
of the logic here (the performance difference is neglible).

R=verwaest@chromium.org
BUG=chromium:599073, v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1845243005

Cr-Commit-Position: refs/heads/master@{#35187}
2016-04-01 06:37:57 +00:00
yangguo
297daf6c37 [debugger] allow debug-evaluate to change stack and context values.
R=bmeurer@chromium.org, cbruni@chromium.org, ulan@chromium.org
BUG=chromium:124206,chromium:569811
LOG=N

Review URL: https://codereview.chromium.org/1834633003

Cr-Commit-Position: refs/heads/master@{#35145}
2016-03-31 06:00:21 +00:00
bmeurer
978ad03b92 [crankshaft] Address the deoptimization loops of Math.floor, Math.round and Math.ceil.
Fix and re-enable the flexible representation for Math.floor (which is used to
implement Math.ceil) and Math.round, which allows Math.floor and Math.round to
return double results instead of int32, and therefore allows values outside
the int32 range, especially -0 is now a valid result, which doesn't deopt.

Also port this feature to x64 and ia32 when the CPU supports the SSE4.1
extension.

This addresses all the known deoptimization loops related to Math.round
in the Kraken benchmark suite, and seems to also address most of the
deoptimization loops related to Math.floor in the Oort Online benchmark.

Drive-by-fix: Import the regression tests for the broken HMathFloorOfDiv
optimization that caused the initial revert of the feature (for arm64 only
back then).

BUG=chromium:476477,v8:2890,v8:4059
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1841513003

Cr-Commit-Position: refs/heads/master@{#35094}
2016-03-29 10:24:54 +00:00
adamk
06403470e3 Remove --harmony-regexps flag
It's been on since M49. Also moved tests from harmony -> es6,
one of which was merged with another test of the same name.

While moving stuff over to regexp.js, I also noticed that there
were unused calls to %FunctionSetName and %SetNativeFlag (those
calls are already handled by InstallGetter()).

Review URL: https://codereview.chromium.org/1838563003

Cr-Commit-Position: refs/heads/master@{#35076}
2016-03-25 23:02:11 +00:00
binji
88724ec4cb [Atomics] Fix atomic access index validation
BUG=v8:4737
LOG=n
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1676613002

Cr-Commit-Position: refs/heads/master@{#35074}
2016-03-25 21:52:52 +00:00
littledan
97fce6214e Check for proper types from error handling code
A bug in error printing meant that we failed to do proper type checks
before calling into C++ code, which could lead to RUNTIME_ASSERT
failures if methods are called on alternative receivers. This patch
adds the right type checks.

BUG=chromium:596718
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1831053003

Cr-Commit-Position: refs/heads/master@{#35069}
2016-03-25 02:10:02 +00:00
adamk
ed18aa65ea Remove support for legacy const, part 1
Now that ES2015 const has shipped, in Chrome 49, legacy const declarations
are no more. This lets us remove a bunch of code from many parts of the
codebase.

In this patch, I remove parser support for generating legacy const variables
from const declarations. This also removes the special "illegal declaration"
bit from Scope, which has ripples into all compiler backends.

Also gone are any tests which relied on legacy const declarations.

Note that we do still generate a Variable in mode CONST_LEGACY in one case:
function name bindings in sloppy mode. The likely fix there is to add a new
Variable::Kind for this case and handle it appropriately for stores in each
backend, but I leave that for a later patch to make this one completely
subtractive.

Review URL: https://codereview.chromium.org/1819123002

Cr-Commit-Position: refs/heads/master@{#35002}
2016-03-22 17:52:13 +00:00
adamk
249bf75e0c Remove runtime flags for Proxy and Reflect
Both of them shipped in Chrome 49 without incident.

Also move relevant tests from harmony/ to es6/.

Review URL: https://codereview.chromium.org/1815773002

Cr-Commit-Position: refs/heads/master@{#34964}
2016-03-21 19:40:02 +00:00
ishell
e6dca379b6 [crankshaft] Check if the function is callable before generating a tail call via Call builtin.
This is necessary to ensure that "Called non callable" exception will get a proper message and stack trace even for calls at tail position.

BUG=chromium:595615, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1818003002

Cr-Commit-Position: refs/heads/master@{#34962}
2016-03-21 19:24:28 +00:00
bmeurer
cc04776632 [json] Allow any callable object for toJSON.
Previously only JSFunctions seemed to be valid for toJSON, which doesn't
match the ES6 specification that allows any object with [[Call]]
internal method (i.e. any Callable in V8 terminology), including bound
functions and proxies.

BUG=chromium:595738, chromium:535408
R=yangguo@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1824533002

Cr-Commit-Position: refs/heads/master@{#34913}
2016-03-20 19:35:28 +00:00
adamk
6a8de15322 Several mjsunit cleanups
- Move default parameters tests from harmony/ to es6/ and remove
    non-existent --harmony-default-parameters flag.
  - Remove some non-existent tests from mjsunit.status

Review URL: https://codereview.chromium.org/1812313002

Cr-Commit-Position: refs/heads/master@{#34908}
2016-03-18 23:20:44 +00:00
yangguo
1e2d0e1136 [regexp] catch stack overflow when parsing back references.
R=jkummerow@chromium.org
BUG=chromium:595657
LOG=N

Review URL: https://codereview.chromium.org/1811913006

Cr-Commit-Position: refs/heads/master@{#34894}
2016-03-18 14:52:41 +00:00
verwaest
c6f9883d53 Remove oob elements collected from the prototype chain by trimming in GetArrayKeys
BUG=chromium:594953
LOG=n

Review URL: https://codereview.chromium.org/1817443003

Cr-Commit-Position: refs/heads/master@{#34893}
2016-03-18 14:37:36 +00:00
littledan
7acee1ef61 Throw the right exceptions from setting elements in Array.prototype.concat
This patch fixes two bugs in Array.prototype.concat in conjunction with
subclassing Arrays:
- Create a new property rather than calling Set when adding elements to
  the output array. This means setters are not called.
- If there is an exception thrown from DefineProperty, propagate it
  outwards properly, rather than swallowing it. This can occur, e.g., with
  a Proxy as the new output array.

R=adamk
LOG=Y
BUG=chromium:595319

Review URL: https://codereview.chromium.org/1814933002

Cr-Commit-Position: refs/heads/master@{#34876}
2016-03-17 22:42:00 +00:00
mvstanton
2aa070be4f InstanceOfStub incorrectly interprets the hole as a prototype.
Repair this to match what the runtime correctly does, by first checking if the
function is a constructor before we access the prototype.

R=verwaest@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1810953002

Cr-Commit-Position: refs/heads/master@{#34863}
2016-03-17 14:32:23 +00:00
jarin
c2e82d6e82 [crankshaft] Fix inlining to always connect both branches of test context.
BUG=v8:4839
LOG=n

Review URL: https://codereview.chromium.org/1811693002

Cr-Commit-Position: refs/heads/master@{#34848}
2016-03-17 10:00:21 +00:00
littledan
f9db79ebdb Ship ES2015 restrictions on function declaration locations
Function declarations were previously permitted by V8 in many locations
which no ECMAScript specification allowed; the ECMAScript 2015 spec
enumerates a few locations (in blocks, as well as after labels and in
conditionals when in sloppy mode). This patch ships the flag to restrict
the usage of function declarations to those contexts.

R=adamk
LOG=Y
BUG=v8:4824
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1799233003

Cr-Commit-Position: refs/heads/master@{#34828}
2016-03-16 16:39:23 +00:00
jkummerow
84dd29bb3c Fix polymorphic keyed load handler selection for string elements
The monomorphic case already carefully ensures that we don't try to use
a regular elements load stub on string wrapper elements. The polymorphic
path must perform an equivalent check.

BUG=chromium:594955
LOG=n
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1806543002

Cr-Commit-Position: refs/heads/master@{#34807}
2016-03-16 10:56:16 +00:00
adamk
108efd7f54 Remove Scope::scope_contains_with_ bit
This part of Scope has existed since V8's initial check in, but from what
I can tell it's not required to implement "with". The only tests that
depend upon it are tests of the debugger and the Scope mirrors, but the
resulting test behavior after removing the bit still seems perfectly
reasonable to me. In fact, with the included fix for scope name collection,
the scope mirror is actually improved with this change.

As a bi-product, this fixes the attached bug, about the contains_with
bit having inconsistent values in some arrow function compilation
scenarios.

BUG=chromium:592353
LOG=n
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1804783002

Cr-Commit-Position: refs/heads/master@{#34802}
2016-03-15 22:41:59 +00:00
cbruni
96a2bd8ae8 [builtins] Fix Array.prototype.concat bug
Array.prototype.concat did not work correct with complex elements on the
receiver or the prototype chain.

BUG=chromium:594574
LOG=y

Review URL: https://codereview.chromium.org/1804963002

Cr-Commit-Position: refs/heads/master@{#34798}
2016-03-15 20:29:28 +00:00
caitpotter88
3088979d5c [runtime] fix getting element keys from SLOW_SLOPPY_ARGUMENTS_ELEMENTS
BUG=v8:4825
LOG=N
R=jkummerow@chromium.org, cbruni@chromium.org

Review URL: https://codereview.chromium.org/1778023004

Cr-Commit-Position: refs/heads/master@{#34754}
2016-03-14 17:10:50 +00:00
jarin
4d4bd54f0a [turbofan] Fix operand calculation for constant materialization from frame.
BUG=chromium:582702
LOG=N

Review URL: https://codereview.chromium.org/1781393002

Cr-Commit-Position: refs/heads/master@{#34736}
2016-03-13 20:21:41 +00:00
ishell
690c7a854a [turbofan] Avoid dereferencing empty handle when inlining a tail call.
BUG=chromium:593697,v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1781303002

Cr-Commit-Position: refs/heads/master@{#34716}
2016-03-11 11:41:29 +00:00
adamk
dea9559457 Remove destructuring and default arguments runtime flags
These flags have been on by default since version 4.9, which has been
in stable Chrome for over a week now, demonstrating that they're
here to stay.

Also moved the tests out of harmony/ and into es6/.

Review URL: https://codereview.chromium.org/1776683003

Cr-Commit-Position: refs/heads/master@{#34692}
2016-03-10 23:22:30 +00:00
rossberg
4614c7caaf [strong] Remove all remainders of strong mode
R=mstarzinger@chromium.org,bmeurer@chromium.org,adamk@chromium.org
BUG=v8:3956
LOG=Y

Review URL: https://codereview.chromium.org/1773653002

Cr-Commit-Position: refs/heads/master@{#34669}
2016-03-10 12:45:42 +00:00
littledan
ca5deb1ff8 Ensure appropriate bounds checking for Array subclass concat
When an Array subclass is used as the receiver for concat, or with
certain usages of @@species, the output that's constructed is of
a different type with new slow path logic. This slow path still
made references to elements, so it's important that bounds checking
for a too-long result still be done. This patch repairs that bounds
checking.

R=cbruni
LOG=Y
BUG=chromium:592340

Review URL: https://codereview.chromium.org/1782443002

Cr-Commit-Position: refs/heads/master@{#34636}
2016-03-09 18:54:44 +00:00
jkummerow
32b3d3e931 [arm/arm64][stubs] Fix d16-d31 preservation on stub failure
Reading the registers' values back from the FrameDescription
should use the same offset computation as storing them into it.
The offsets must also match what the deoptimizer expects, which
is rx at offset rx.code() * kDoubleSize, even if some registers
are not saved (leaving gaps).

BUG=v8:4800
LOG=n
R=danno@chromium.org

Review URL: https://codereview.chromium.org/1769833006

Cr-Commit-Position: refs/heads/master@{#34633}
2016-03-09 17:36:07 +00:00
yangguo
d1f68f776e [regexp] fix bogus assertion in CharacterRange constructor.
The CharacterRange constructor checks the input for validity. However,
CharacterRange::Singleton also uses the constructor and may have
kEndMarker as input, causing the check to fail.

The solution is to move the check to CharacterRange::Range and
consistently use it across the code base.

R=jkummerow@chromium.org
BUG=chromium:593282
LOG=N

Review URL: https://codereview.chromium.org/1776013003

Cr-Commit-Position: refs/heads/master@{#34626}
2016-03-09 15:55:38 +00:00
jarin
69c84fe460 [turbofan] Fix deoptimization stack layout for fast literal comparisons.
BUG=chromium:592341
LOG=n

Review URL: https://codereview.chromium.org/1776013002

Cr-Commit-Position: refs/heads/master@{#34615}
2016-03-09 12:36:09 +00:00
jarin
9867a8a26e [turbofan] Fix register constraint for memory barrier.
After fixing the memory barrier for maps (https://codereview.chromium.org/1714513003), we are using a temp register for the map case. The temp register should not be aliased with the stored value (otherwise we perform the mem barrier check with a wrong value). This CL makes sure it is not aliased.

BUG=chromium:590074
LOG=n

Review URL: https://codereview.chromium.org/1775083002

Cr-Commit-Position: refs/heads/master@{#34607}
2016-03-09 09:39:51 +00:00
titzer
5c1c98e829 [wasm] Rename _WASMEXP_ object to Wasm.
R=ahaas@chromium.org,binji@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1770383002

Cr-Commit-Position: refs/heads/master@{#34587}
2016-03-08 14:48:27 +00:00
mstarzinger
2669224274 [compiler] Remove support for concurrent OSR.
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1773593002

Cr-Commit-Position: refs/heads/master@{#34572}
2016-03-08 09:02:44 +00:00
yangguo
9113402b53 [debugger] break at each initialization in a multiple var declaration.
R=rossberg@chromium.org
BUG=v8:4807
LOG=N

Committed: https://crrev.com/ee98147ea0d994bcfb0d14d43f490ee828d2426f
Cr-Commit-Position: refs/heads/master@{#34531}

Review URL: https://codereview.chromium.org/1768973002

Cr-Commit-Position: refs/heads/master@{#34540}
2016-03-07 13:41:18 +00:00
machenbach
c6dbb071a3 Revert of [debugger] break at each initialization in a multiple var declaration. (patchset #1 id:1 of https://codereview.chromium.org/1768973002/ )
Reason for revert:
[Sheriff] Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/5160

Original issue's description:
> [debugger] break at each initialization in a multiple var declaration.
>
> R=rossberg@chromium.org
> BUG=v8:4807
> LOG=N
>
> Committed: https://crrev.com/ee98147ea0d994bcfb0d14d43f490ee828d2426f
> Cr-Commit-Position: refs/heads/master@{#34531}

TBR=rossberg@chromium.org,yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4807

Review URL: https://codereview.chromium.org/1770783003

Cr-Commit-Position: refs/heads/master@{#34538}
2016-03-07 12:53:55 +00:00
yangguo
ee98147ea0 [debugger] break at each initialization in a multiple var declaration.
R=rossberg@chromium.org
BUG=v8:4807
LOG=N

Review URL: https://codereview.chromium.org/1768973002

Cr-Commit-Position: refs/heads/master@{#34531}
2016-03-07 12:00:16 +00:00
yangguo
f9d7c711af [regexp] Fix off-by-one in CharacterRange::Negate.
Character ranges starting at 1 are not correctly negated.

R=jkummerow@chromium.org
BUG=chromium:592343
LOG=Y

Review URL: https://codereview.chromium.org/1768093002

Cr-Commit-Position: refs/heads/master@{#34528}
2016-03-07 11:00:01 +00:00
bmeurer
0c35579093 [crankshaft] Fix invalid ToNumber optimization.
We cannot optimize away ToNumber conversions based on the Type that we
see in Crankshaft, as this might be the (unchecked or even pretruncated)
lower bound. We can only use the HType, which is based on the definition.

R=jkummerow@chromium.org
BUG=chromium:590989
LOG=n

Review URL: https://codereview.chromium.org/1757013002

Cr-Commit-Position: refs/heads/master@{#34445}
2016-03-02 19:28:04 +00:00
yangguo
d9fe836dd4 [debugger] fix break locations for assignments and return.
We used to emit debug break location on block entry. This cannot be
ported to the interpreted as we do not emit bytecode for block entry.
This made no sense to begin with though, but accidentally added
break locations for var declarations.

With this change, the debugger no longer breaks at var declarations
without initialization. This is in accordance with the fact that the
interpreter does not emit bytecode for uninitialized var declarations.

Also fix the bytecode to match full-codegen's behavior wrt return
positions:
- there is a break location before the return statement, with the source
  position of the return statement.
- right before the actual return, there is another break location. The
  source position points to the end of the function.

R=rmcilroy@chromium.org, vogelheim@chromium.org
TBR=rossberg@chromium.org
BUG=v8:4690
LOG=N

Review URL: https://codereview.chromium.org/1744123003

Cr-Commit-Position: refs/heads/master@{#34388}
2016-03-01 12:47:55 +00:00
neis
0ad44590e0 [json] Fix iteration over object keys in InternalizeJSONProperty.
We must not use for-of since that could be observed.

R=yangguo@chromium.org
BUG=v8:4769
LOG=n

Review URL: https://codereview.chromium.org/1748633002

Cr-Commit-Position: refs/heads/master@{#34387}
2016-03-01 11:53:28 +00:00
bmeurer
d00da47b61 [turbofan] Don't use the CompareIC in JSGenericLowering.
The CompareICStub produces an untagged raw word value, which has to be
translated to true or false manually in the TurboFan code. But for lazy
bailout after the CompareIC, we immediately go back to fullcodegen or
Ignition with the raw value, to a location where both fullcodegen and
Ignition expect a boolean value, which might crash or in the worst case
(depending on the exact computation inside the CompareIC) could lead to
arbitrary memory access.

Short-term fix is to use the proper runtime functions (unified with the
interpreter now) for comparisons. Next task is to provide optimized
versions of these based on the CodeStubAssembler, which can then be used
via code stubs in TurboFan or directly in handlers in the interpreter.

R=mstarzinger@chromium.org
BUG=v8:4788
LOG=n

Review URL: https://codereview.chromium.org/1738153002

Cr-Commit-Position: refs/heads/master@{#34335}
2016-02-26 18:41:35 +00:00
bmeurer
58ab990aa8 [turbofan] Bailout if LoadBuffer typing assumption doesn't hold.
The LoadBuffer operator that is used for asm.js heap access claims to
return only the appropriate typed array type, but out of bounds access
could make it return undefined. So far we tried to "repair" the graph
later if we see that our assumption was wrong, and for various reasons
that worked for some time. But now that wrong type information that is
propagated earlier is picked up appropriately and thus we generate wrong
code, i.e. we in the repro case we feed NaN into ChangeFloat64Uint32 and
thus get 2147483648 instead of 0 (with proper JS truncation).

This was always considered a temporary hack until we have a proper
asm.js pipeline, but since we still run asm.js through the generic
JavaScript pipeline, we have to address this now. Quickfix is to just
bailout from the pipeline when we see that the LoadBuffer type was
wrong, i.e. the result of LoadBuffer is not properly truncated and thus
undefined or NaN would be observable.

R=mstarzinger@chromium.org, jarin@chromium.org
BUG=chromium:589792
LOG=y

Review URL: https://codereview.chromium.org/1740123002

Cr-Commit-Position: refs/heads/master@{#34322}
2016-02-26 11:06:30 +00:00
mstarzinger
3baa290264 [fullcodegen] Fix assert for operand stack depth tracking.
This fixes a corner case that triggered an assert in full-codegens
operand stack depth tracking. We stop pushing operands if we overflow
the C-stack while iterating the AST. This makes the tracking go out of
sync before we fully returned from the tree traversal, at which point
the thrown RangeError will abort compilation.

R=ishell@chromium.org
TEST=mjsunit/regress/regress-crbug-589472
BUG=chromium:589472
LOG=n

Review URL: https://codereview.chromium.org/1732903002

Cr-Commit-Position: refs/heads/master@{#34255}
2016-02-24 16:29:47 +00:00
bmeurer
6cc5c601b6 [crankshaft] Fix deopt loop in String.fromCharCode on non-int32 inputs.
The Crankshaft fast case for String.fromCharCode() unconditionally
deoptimizes on all non-int32 inputs, even tho it would be perfectly
valid to just truncate the index to an int32.

R=ishell@chromium.org
BUG=chromium:587068
LOG=n

Review URL: https://codereview.chromium.org/1727873003

Cr-Commit-Position: refs/heads/master@{#34243}
2016-02-24 10:59:55 +00:00
littledan
b22b258874 ES2015 web compat workaround: RegExp.prototype.flags => ""
It turns out that some old polyfill library uses
RegExp.prototype.flags as a way of feature testing. It's not clear
how widespread this is. For now, as a minimal workaround, we can
return undefined from getters like RegExp.prototype.global when
the receiver is RegExp.prototype. This patch implements that strategy
but omits a UseCounter to make backports easier.

R=adamk
CC=yangguo@chromium.org
BUG=chromium:581577
LOG=Y
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1640803003

Cr-Commit-Position: refs/heads/master@{#34201}
2016-02-23 01:49:03 +00:00
adamk
cdec6d2bc5 Return undefined from RegExp.prototype.compile
This was changed to match Annex B.2.5.1 of ES2015 and Firefox in
https://chromium.googlesource.com/v8/v8/+/469d9bfa, but website
breakage was seen in M49 Beta. JSC still returns undefined here.

BUG=chromium:585775
LOG=y
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1714903004

Cr-Commit-Position: refs/heads/master@{#34172}
2016-02-20 00:35:57 +00:00
bmeurer
8f87c0acb7 [builtins] Move the Boolean constructor to C++.
Drive-by-fix: Remove the (now) unused %_SetValueOf and %_JSValueGetValue
intrinsics from the various compilers and the runtime.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1698343002

Cr-Commit-Position: refs/heads/master@{#34037}
2016-02-16 14:03:07 +00:00
jkummerow
0d59772b2b [crankshaft][arm][mips][mips64] Fix Math.min(0, 0)
for the special case where the same register is used as both left and
right input.

Review URL: https://codereview.chromium.org/1695283002

Cr-Commit-Position: refs/heads/master@{#33996}
2016-02-15 14:43:02 +00:00
bmeurer
98aec4a719 [runtime] Kill %Arguments and %ArgumentsLength.
This removes support for the %Arguments and %ArgumentsLength runtime
entries and their intrinsic counterparts. If you need variable arguments
in any builtin, either use (strict) arguments object or rest parameters,
which are both compositional across inlining (in TurboFan), and not that
much slower compared to the %_Arguments hackery.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1688163004

Cr-Commit-Position: refs/heads/master@{#33943}
2016-02-12 12:25:23 +00:00
adamk
58a9bc5b53 Force SharedFunctionInfo::name() to be a flat string
This fact is depended upon by, at least, Parser::ParseLazy, and quite
likely by other code. There was already code in %FunctionSetName
enforcing this invariant. This patch adds similar code to
Factory::NewSharedFunctionInfo().

BUG=v8:4659
LOG=n

Review URL: https://codereview.chromium.org/1686193003

Cr-Commit-Position: refs/heads/master@{#33914}
2016-02-11 18:53:02 +00:00
littledan
e1de522afa Extend subarray web compatibility fix to --harmony-species
ES2016 TypedArray subclassing semantics break the Node.js Buffer module,
also used on the web. I wrote a pull request against the web and Node
versions to fix the issue, but the pull request has not yet been granted,
and this is blocking shipping the change. For now, this patch extends the
web compatibility workaround to the --harmony-species flag, so that
Symbol.species and associated subclassing semantics can ship independently.

R=cbruni
BUG=v8:4665
LOG=Y

Review URL: https://codereview.chromium.org/1678123002

Cr-Commit-Position: refs/heads/master@{#33826}
2016-02-08 21:16:49 +00:00
jkummerow
5d2c09a829 Fix Array.prototype.sort for *_STRING_WRAPPER_ELEMENTS
Trying to sort a string should throw a TypeError, proper handling
of elements just needs to get out of the way.

BUG=chromium:584188
LOG=n
R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1670153002

Cr-Commit-Position: refs/heads/master@{#33777}
2016-02-05 13:36:51 +00:00
adamk
8a4a5bf9e0 Remove flags for ES2015 features shipped in M48
This removes --harmony-completion, --harmony-concat-spreadable, and
--harmony-tolength and moves the appropriate tests from harmony/ to es6/.

Review URL: https://codereview.chromium.org/1667453002

Cr-Commit-Position: refs/heads/master@{#33712}
2016-02-03 20:51:46 +00:00
kozyatinskiy
3c3d7e7be8 Revert "Removed support deprecated (//@|/*@) source(URL|MappingURL)="
A lot of deverlopers use deprecated sourceURL syntax. We should add console warning message before removing this.
Original CL: https://codereview.chromium.org/1495633002/

BUG=chromium:558998
LOG=Y
R=yangguo@chromium.org,hablich@chromium.org,adamk@chromium.org

Review URL: https://codereview.chromium.org/1654223003

Cr-Commit-Position: refs/heads/master@{#33709}
2016-02-03 18:45:36 +00:00
verwaest
158cd5cb5e [runtime] Remove receiver==holder check in IntegerIndexedExotic lookup
This was inconsistent in the spec in case of has vs get, set. Removing
receiver==holder simplifies the lookup; so tentatively removing this
additional check which was broken until yesterday anyway. See
https://github.com/tc39/ecma262/issues/347 for more information.

Review URL: https://codereview.chromium.org/1660903002

Cr-Commit-Position: refs/heads/master@{#33701}
2016-02-03 10:30:40 +00:00
bradnelson
255f4507ec Drop the compileRun + asmCompileRun methods from wasm.
Now that we have full fledged module instantiation,
keeping alive a second interface seems clunky.

Droping it and switching the tests.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=test-asm-validator,asm-wasm,other wasm
R=titzer@chromium.org,aseemgarg@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/1660083002

Cr-Commit-Position: refs/heads/master@{#33700}
2016-02-03 10:16:22 +00:00
neis
a973f73465 Expect JSReceiver in Runtime_DeleteLookupSlot, not just JSObject.
BUG=chromium:583260
LOG=n

Review URL: https://codereview.chromium.org/1664683002

Cr-Commit-Position: refs/heads/master@{#33697}
2016-02-03 09:49:22 +00:00
bmeurer
e4e418f3ef [runtime] Make %FunctionGetScript and %FunctionGetSourceCode robust.
R=jarin@chromium.org
BUG=chromium:582703
LOG=n

Review URL: https://codereview.chromium.org/1664483003

Cr-Commit-Position: refs/heads/master@{#33693}
2016-02-03 06:01:19 +00:00
verwaest
621bdd642c [runtime] Fix integer indexed property handling
This includes 2 fixes:
1) We didn't properly advance the holder when checking whether
Receiver==Holder, so we'd inadvertently block loading the property if
the first property we find is on the typed array.
2) Reflect.get may cause any object on the prototype chain of the holder
to be the receiver; so we need to recheck for this special state for
each object we perform lookup on.

Review URL: https://codereview.chromium.org/1651913005

Cr-Commit-Position: refs/heads/master@{#33689}
2016-02-02 17:02:23 +00:00
jkummerow
d582d2bb2a More *_STRING_WRAPPER_ELEMENTS fixes
BUG=chromium:583257
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1651253003

Cr-Commit-Position: refs/heads/master@{#33683}
2016-02-02 13:51:00 +00:00
littledan
11e8c03f94 Add UseCounters for some nonstandard JavaScript features
This patch adds a UseCounter for each of the following:
- Allowing duplicate sloppy-mode block-scoped function declarations
  in the exact same scope
- for-in loops with an initializer

The patch also refactors some of the declaration code to clean it up and
enable the first counter, and adds additional unit tests to nail down
the semantics of edge cases of sloppy-mode block-scoped function declarations.

BUG=v8:4693,chromium:579395
LOG=N
R=adamk

Review URL: https://codereview.chromium.org/1633743003

Cr-Commit-Position: refs/heads/master@{#33650}
2016-02-01 23:01:59 +00:00
yangguo
835b038331 [debugger] correctly find function context.
In the debugger we are interested in getting the context for the
current frame, which is usually a function context. To do that,
we used to call Context::declaration_context, which may also
return a block context. This is wrong and can lead to crashes.
Instead, we now use a newly introduced Context::closure_context,
which skips block contexts. This works fine for the debugger,
since we have other means to find and materialize block contexts.

R=rossberg@chromium.org
BUG=chromium:582051
LOG=N

Review URL: https://codereview.chromium.org/1648263002

Cr-Commit-Position: refs/heads/master@{#33627}
2016-02-01 07:03:44 +00:00
littledan
f3e41d96dd Fix Unicode string normalization with null bytes
Previously, String.prototype.normalize constructed its ICU input
string as a null-terminated string. This creates a bug for strings
which contain a null byte, which is allowed in ECMAScript. This
patch constructs the ICU string based on its length so that the
entire string is normalized.

R=jshin@chromium.org
BUG=v8:4654
LOG=Y

Review URL: https://codereview.chromium.org/1645223003

Cr-Commit-Position: refs/heads/master@{#33614}
2016-01-29 17:00:46 +00:00
bmeurer
5a7bb33e3f [crankshaft] Fix another deopt loop in slow mode for-in.
The for-in slow mode implementation in Crankshaft unconditionally
deoptimizes when %ForInFilter returns undefined instead of just
skipping the item. Even worse, there's nothing we can learn from
that deopt, so we will eventually optimize again and hit exactly
the same problem again once we get back to optimized code.

R=mvstanton@chromium.org
BUG=v8:3650
LOG=n

Review URL: https://codereview.chromium.org/1647093002

Cr-Commit-Position: refs/heads/master@{#33609}
2016-01-29 11:00:05 +00:00
bmeurer
3251a03e81 [crankshaft] Make the for-in slow path compatible with the other compilers.
So far the for-in slow path in Crankshaft unconditionally called
%ForInFilter for every iteration of the for-in loop, without paying
attention to the possible enum cache equipped receiver map. So even
though we iterate the enum cache FixedArray associated with the map
we don't check the map, but always go to %ForInFilter. This would be
perfectly fine if the enum cache FixedArray would be immutable, but
due to some funny GC/runtime interaction kicking in, the enum cache
can be right trimmed while we are iterating it, and the only way to
detect this is to ensure that we check the map when accessing the
enum cache.

BUG=v8:3650,v8:4715
LOG=n

Review URL: https://codereview.chromium.org/1650493002

Cr-Commit-Position: refs/heads/master@{#33599}
2016-01-29 07:50:51 +00:00
verwaest
997cd3d987 [api] Default native data property setter to replace the setter if the property is writable.
BUG=chromium:580584
LOG=y

Review URL: https://codereview.chromium.org/1632603002

Cr-Commit-Position: refs/heads/master@{#33551}
2016-01-27 13:22:18 +00:00
adamk
953bb416a3 Ensure arrow functions can close over lexically-scoped variables
ParseArrowFunctionLiteral was erroneously checking AllowsLazyCompilation
rather than AllowsLazyParsing when deciding whether to parse lazily.
This meant that lexically-scoped variables that had no other referents
wouldn't get closed over properly.

BUG=chromium:580934, v8:4255
LOG=y

Review URL: https://codereview.chromium.org/1630823006

Cr-Commit-Position: refs/heads/master@{#33530}
2016-01-26 23:11:10 +00:00
ishell
ac03ef02d6 Also check new_target_is_base() bit when comparing two maps for equivalence.
BUG=chromium:580506
LOG=N

Review URL: https://codereview.chromium.org/1631673002

Cr-Commit-Position: refs/heads/master@{#33497}
2016-01-25 16:44:01 +00:00
adamk
8aeb6080e1 Sloppy mode webcompat: allow conflicting function declarations in blocks
The web appears to depend on being able to redeclare functions-in-blocks
in sloppy mode (examples seen so far tend to redeclare identical functions,
most likely accidentally).

This patch opens a minimal hole: two same-named function declarations
in the same scope are allowed, only in sloppy mode.

BUG=v8:4693, chromium:579395
LOG=y

Review URL: https://codereview.chromium.org/1622723003

Cr-Commit-Position: refs/heads/master@{#33478}
2016-01-23 00:40:53 +00:00
bmeurer
56e1b13ea1 [runtime] Make sure %ForInPrepare returns the correct length.
In case the receiver map has an enum cache, %ForInPrepare returns the
length of the actual enum cache, which might include properties that
are further down the transition tree tho.

R=jarin@chromium.org
BUG=v8:3650
LOG=n

Review URL: https://codereview.chromium.org/1619353002

Cr-Commit-Position: refs/heads/master@{#33469}
2016-01-22 14:52:20 +00:00
ishell
ed2be747ad Array length reduction should throw in strict mode if it can't delete an element.
When accessor getter callback is called the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, since according to ES6 there's no difference between strict and non-strict property loads. For the setter case the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true if the property is set in strict context.

Interceptors follow same idea: for getter, enumerator and query callbacks the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, and for setter and deleter callback the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true in strict context.

This CL also cleans up the CallApiGetterStub and removes bogus asserts from [arm] Push(reg1, reg2, ..., regN) that prevented from pushing a set of registers containing duplicates.

BUG=v8:4267
LOG=Y

Committed: https://crrev.com/1d3e837fcbbd9d9fd5e72dfe85dfd47c025f3c9f
Cr-Commit-Position: refs/heads/master@{#33438}

Review URL: https://codereview.chromium.org/1587073003

Cr-Commit-Position: refs/heads/master@{#33461}
2016-01-22 09:53:51 +00:00
cbruni
1c523a444b Revert of [runtime] Do not use the enum-cache for non-prototype objects. (patchset #1 id:1 of https://codereview.chromium.org/1612413003/ )
Reason for revert:
let me quickly revert the revert, wut?
Goal: my CL should not be in the tree!

Original issue's description:
> Reland of [runtime] Do not use the enum-cache for non-prototype objects. (patchset #1 id:1 of https://codereview.chromium.org/1619803003/ )
>
> Reason for revert:
> the deopt issues have been taken care of by benedikt
>
> Original issue's description:
> > Revert of [runtime] Do not use the enum-cache for non-prototype objects. (patchset #10 id:180001 of https://codereview.chromium.org/1608523002/ )
> >
> > Reason for revert:
> > tanks for-in significantly
> >
> > Original issue's description:
> > > [runtime] Do not use the enum-cache for keys retrieval.
> > >
> > > Currently we fail to properly handle shadowed properties. If the
> > > receiver defines a non-enumerable property that reappears on the
> > > prototype as enumerable it incorrectly shows up in [[Enumerate]].
> > > By extending the KeyAccumulator to track non-enumerable properties
> > > we can now properly filter them out when seeing them further up in
> > > the prototype-chain.
> > >
> > > BUG=v8:705
> > > LOG=y
> > >
> > > Committed: https://crrev.com/ed24dfe80d1da0827b8571839ee52c03ad09c9c7
> > > Cr-Commit-Position: refs/heads/master@{#33405}
> >
> > TBR=jkummerow@chromium.org,bmeurer@chromium.org
> > # Not skipping CQ checks because original CL landed more than 1 days ago.
> > BUG=v8:705
> > LOG=n
> >
> > Committed: https://crrev.com/6e0573c6fff1c3041bab106d1197ab1b64aa9a6a
> > Cr-Commit-Position: refs/heads/master@{#33443}
>
> TBR=jkummerow@chromium.org,bmeurer@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:705
>
> Committed: https://crrev.com/5569e270eda517b5ea74e3a7676b3230cbe2f7a9
> Cr-Commit-Position: refs/heads/master@{#33458}

TBR=jkummerow@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:705

Review URL: https://codereview.chromium.org/1614313003

Cr-Commit-Position: refs/heads/master@{#33459}
2016-01-22 09:12:10 +00:00
cbruni
5569e270ed Reland of [runtime] Do not use the enum-cache for non-prototype objects. (patchset #1 id:1 of https://codereview.chromium.org/1619803003/ )
Reason for revert:
the deopt issues have been taken care of by benedikt

Original issue's description:
> Revert of [runtime] Do not use the enum-cache for non-prototype objects. (patchset #10 id:180001 of https://codereview.chromium.org/1608523002/ )
>
> Reason for revert:
> tanks for-in significantly
>
> Original issue's description:
> > [runtime] Do not use the enum-cache for keys retrieval.
> >
> > Currently we fail to properly handle shadowed properties. If the
> > receiver defines a non-enumerable property that reappears on the
> > prototype as enumerable it incorrectly shows up in [[Enumerate]].
> > By extending the KeyAccumulator to track non-enumerable properties
> > we can now properly filter them out when seeing them further up in
> > the prototype-chain.
> >
> > BUG=v8:705
> > LOG=y
> >
> > Committed: https://crrev.com/ed24dfe80d1da0827b8571839ee52c03ad09c9c7
> > Cr-Commit-Position: refs/heads/master@{#33405}
>
> TBR=jkummerow@chromium.org,bmeurer@chromium.org
> # Not skipping CQ checks because original CL landed more than 1 days ago.
> BUG=v8:705
> LOG=n
>
> Committed: https://crrev.com/6e0573c6fff1c3041bab106d1197ab1b64aa9a6a
> Cr-Commit-Position: refs/heads/master@{#33443}

TBR=jkummerow@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:705

Review URL: https://codereview.chromium.org/1612413003

Cr-Commit-Position: refs/heads/master@{#33458}
2016-01-22 09:06:56 +00:00
bmeurer
c7d2adc0a2 [crankshaft] For-in index increment cannot overflow.
The internal index used to implement for-in can never leave the
valid smi range, so there's no need to actually check for overflow
in Crankshaft. In fact the overflow only triggered a false alert
in the deopt fuzzer.

R=jarin@chromium.org
BUG=v8:3650
LOG=n

Review URL: https://codereview.chromium.org/1621623002

Cr-Commit-Position: refs/heads/master@{#33456}
2016-01-22 07:55:11 +00:00
machenbach
575e90c1d0 Revert of Array length reduction should throw in strict mode if it can't delete an element. (patchset #7 id:220001 of https://codereview.chromium.org/1587073003/ )
Reason for revert:
[Sheriff] Breaks layout tests. Please fix upstream.
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/4077

Original issue's description:
> Array length reduction should throw in strict mode if it can't delete an element.
>
> When accessor getter callback is called the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, since according to ES6 there's no difference between strict and non-strict property loads. For the setter case the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true if the property is set in strict context.
>
> Interceptors follow same idea: for getter, enumerator and query callbacks the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, and for setter and deleter callback the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true in strict context.
>
> This CL also cleans up the CallApiGetterStub and removes bogus asserts from [arm] Push(reg1, reg2, ..., regN) that prevented from pushing a set of registers containing duplicates.
>
> BUG=v8:4267
> LOG=Y
>
> Committed: https://crrev.com/1d3e837fcbbd9d9fd5e72dfe85dfd47c025f3c9f
> Cr-Commit-Position: refs/heads/master@{#33438}

TBR=verwaest@chromium.org,ishell@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4267

Review URL: https://codereview.chromium.org/1611313003

Cr-Commit-Position: refs/heads/master@{#33444}
2016-01-21 18:54:28 +00:00
cbruni
6e0573c6ff Revert of [runtime] Do not use the enum-cache for non-prototype objects. (patchset #10 id:180001 of https://codereview.chromium.org/1608523002/ )
Reason for revert:
tanks for-in significantly

Original issue's description:
> [runtime] Do not use the enum-cache for keys retrieval.
>
> Currently we fail to properly handle shadowed properties. If the
> receiver defines a non-enumerable property that reappears on the
> prototype as enumerable it incorrectly shows up in [[Enumerate]].
> By extending the KeyAccumulator to track non-enumerable properties
> we can now properly filter them out when seeing them further up in
> the prototype-chain.
>
> BUG=v8:705
> LOG=y
>
> Committed: https://crrev.com/ed24dfe80d1da0827b8571839ee52c03ad09c9c7
> Cr-Commit-Position: refs/heads/master@{#33405}

TBR=jkummerow@chromium.org,bmeurer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:705
LOG=n

Review URL: https://codereview.chromium.org/1619803003

Cr-Commit-Position: refs/heads/master@{#33443}
2016-01-21 17:48:12 +00:00
ishell
1d3e837fcb Array length reduction should throw in strict mode if it can't delete an element.
When accessor getter callback is called the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, since according to ES6 there's no difference between strict and non-strict property loads. For the setter case the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true if the property is set in strict context.

Interceptors follow same idea: for getter, enumerator and query callbacks the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, and for setter and deleter callback the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true in strict context.

This CL also cleans up the CallApiGetterStub and removes bogus asserts from [arm] Push(reg1, reg2, ..., regN) that prevented from pushing a set of registers containing duplicates.

BUG=v8:4267
LOG=Y

Review URL: https://codereview.chromium.org/1587073003

Cr-Commit-Position: refs/heads/master@{#33438}
2016-01-21 14:23:09 +00:00
cbruni
ed24dfe80d [runtime] Do not use the enum-cache for keys retrieval.
Currently we fail to properly handle shadowed properties. If the
receiver defines a non-enumerable property that reappears on the
prototype as enumerable it incorrectly shows up in [[Enumerate]].
By extending the KeyAccumulator to track non-enumerable properties
we can now properly filter them out when seeing them further up in
the prototype-chain.

BUG=v8:705
LOG=y

Review URL: https://codereview.chromium.org/1608523002

Cr-Commit-Position: refs/heads/master@{#33405}
2016-01-20 12:37:18 +00:00
cbruni
ec30425a77 [proxy] Reload the initial map after prototype lookup on constructable
Proxy.

If a constructable Proxy changes the target's prototype during the
prototype lookup the target's initial map stays uninitialized half-way
during object construction.

LOG=n
BUG=chromium:578039

Review URL: https://codereview.chromium.org/1586203003

Cr-Commit-Position: refs/heads/master@{#33359}
2016-01-18 12:49:29 +00:00
neis
107db2ca8c Remove premature crankshaft optimization of HasInPrototypeChain.
R=bmeurer@chromium.org
BUG=chromium:578775
LOG=n

Review URL: https://codereview.chromium.org/1605483002

Cr-Commit-Position: refs/heads/master@{#33356}
2016-01-18 12:12:32 +00:00
cbruni
c86f1897ac [runtime] Throw exception for derived constructors in correct context.
When derived constructors return a non-object (or not undefined) we
currently throw an exception directly in the callee context. This was
achieved by desugaring the return statement for derived classes. To
be spec compliamnt a separate ConstructStubForDerived is introduced.
Instead of trowing directly, the desugared return statement inside
a derived constructor only returns an integer to indicate an incompatible
result.

BUG=v8:4509
LOG=n

Review URL: https://codereview.chromium.org/1593553002

Cr-Commit-Position: refs/heads/master@{#33336}
2016-01-15 15:31:28 +00:00
ishell
1bb7cfda7f [crankshaft] Don't inline array indexOf operations if receiver's proto is not a JSObject.
BUG=chromium:577112
LOG=N

Review URL: https://codereview.chromium.org/1584303002

Cr-Commit-Position: refs/heads/master@{#33320}
2016-01-15 10:19:59 +00:00
littledan
e13f2ff40b Construct instances of base class from TypedArray.prototype.subarray
Previous changes with subclassable builtins and @@species were a bit
aggressive in making TypedArray.prototype.subarray act like the
ES2016 specification in terms of returning an instance of the
subclass as a result. It turns out that Node.js, and extracted
libraries for the web, subclass TypedArrays but don't expect the
subclass constructor to be called by subarray. @@species will provide
an escape hatch, but it has not shipped yet, and will take some time
for uptake by libraries.

For now, this patch makes TypedArray.prototype.subarray fall back to
constructing an instance of the parent TypedArray class, such as
Uint8Array.

R=adamk
LOG=Y
BUG=v8:4665

Review URL: https://codereview.chromium.org/1583773005

Cr-Commit-Position: refs/heads/master@{#33312}
2016-01-14 19:23:26 +00:00
adamk
bcde4e271e Propagate the "calls eval" bit from ScopeInfo to lazily-compiled arrow functions
This avoids generating different scopes on the two compilation passes, which
results in various delirious side-effects.

There's some cleanup to be done in lazy arrow function parsing, but I'd
rather do that in a separate patch, with this one targeted at fixing the
particular crash.

BUG=chromium:572589
LOG=n

Review URL: https://codereview.chromium.org/1575333004

Cr-Commit-Position: refs/heads/master@{#33311}
2016-01-14 19:21:24 +00:00
jkummerow
b40a22dc87 Robustify NewNumberFromSize against int-overflow on cast
As luck would have it, there doesn't seem to be a way to trigger
observable misbehavior currently (only with special flags).

BUG=chromium:380671
LOG=n
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1588013002

Cr-Commit-Position: refs/heads/master@{#33305}
2016-01-14 17:24:07 +00:00
ishell
405c7a68ab Generalize all representations when reconfiguring a property of a strict Function subclass.
BUG=chromium:575080
LOG=N

Review URL: https://codereview.chromium.org/1579603002

Cr-Commit-Position: refs/heads/master@{#33288}
2016-01-14 10:45:34 +00:00
titzer
995c9fe3dc [wasm] Rename the WASM object to _WASMEXP_.
R=ahaas@chromium.org,bradnelson@chromium.org
LOG=Y
BUG=chromium:575167

Review URL: https://codereview.chromium.org/1577803002

Cr-Commit-Position: refs/heads/master@{#33251}
2016-01-12 20:16:46 +00:00
bmeurer
9e217ee490 [builtins] Refactor the remaining Date builtins.
This migrates the remaining Date builtins to C++ and removes obsolete
intrinsics and JavaScript wrappers. This reduces the overhead imposed
by the Date builtins, and will allow us to optimize them later in the
TurboFan compiler, while the interpreter doesn't need to worry about
them.

R=yangguo@chromium.org
BUG=chromium:576574
LOG=n

Committed: https://crrev.com/1e51af1a5c80b1650de47dd4bc8f846fa2d85281
Cr-Commit-Position: refs/heads/master@{#33228}

Review URL: https://codereview.chromium.org/1579613002

Cr-Commit-Position: refs/heads/master@{#33231}
2016-01-12 10:48:26 +00:00
machenbach
405ee3aad5 Revert of [builtins] Refactor the remaining Date builtins. (patchset #2 id:20001 of https://codereview.chromium.org/1579613002/ )
Reason for revert:
[Sheriff] Breaks https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20noi18n%20-%20debug/builds/5711

Original issue's description:
> [builtins] Refactor the remaining Date builtins.
>
> This migrates the remaining Date builtins to C++ and removes obsolete
> intrinsics and JavaScript wrappers. This reduces the overhead imposed
> by the Date builtins, and will allow us to optimize them later in the
> TurboFan compiler, while the interpreter doesn't need to worry about
> them.
>
> R=yangguo@chromium.org
> BUG=chromium:576574
> LOG=n
>
> Committed: https://crrev.com/1e51af1a5c80b1650de47dd4bc8f846fa2d85281
> Cr-Commit-Position: refs/heads/master@{#33228}

TBR=yangguo@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:576574

Review URL: https://codereview.chromium.org/1574223002

Cr-Commit-Position: refs/heads/master@{#33230}
2016-01-12 10:15:25 +00:00
bmeurer
1e51af1a5c [builtins] Refactor the remaining Date builtins.
This migrates the remaining Date builtins to C++ and removes obsolete
intrinsics and JavaScript wrappers. This reduces the overhead imposed
by the Date builtins, and will allow us to optimize them later in the
TurboFan compiler, while the interpreter doesn't need to worry about
them.

R=yangguo@chromium.org
BUG=chromium:576574
LOG=n

Review URL: https://codereview.chromium.org/1579613002

Cr-Commit-Position: refs/heads/master@{#33228}
2016-01-12 09:12:55 +00:00
littledan
2bd9bdbe62 TypedArray and ArrayBuffer support for @@species
This patch improves ArrayBuffer and TypedArray subclassing by adding
support for @@species and constructing outputs to certain methods
by creating an instance of the constructor determined by the
SpeciesConstructor algorithm, rather than fixed to a superclass or
naively the constructor. The new behavior is enabled by the
--harmony-species flag. Care is taken to not significantly change the
observable behavior when the flag is off. Previously, TypedArrays
already supported subclassing by reading the constructor of the
receiver, but ArrayBuffers did not, and this old behavior is
preserved and tested for, to avoid a multi-stage upgrade path and keep
things simple for users.

R=adamk
BUG=v8:4093
LOG=Y

Review URL: https://codereview.chromium.org/1574903004

Cr-Commit-Position: refs/heads/master@{#33223}
2016-01-12 06:07:59 +00:00
littledan
95145fa826 Ship ES2015 sloppy-mode const semantics
This patch moves the semantics of 'const' in sloppy mode to match those
in strict mode, that is, const makes lexical (let-like) bindings, must
have an initializer, and does not create properties of the global object.

R=adamk
LOG=Y
BUG=v8:3305
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1571873004

Cr-Commit-Position: refs/heads/master@{#33218}
2016-01-11 23:09:59 +00:00
littledan
ee9d7acafc Partial rollback of Promise error checking
As V8 becomes more and more spec-compliant, Promise polyfill libraries
like core.js expect fully correct. However, our Promises do not yet
support Symbol.species. Therefore, a case like

```
var test = new Promise(function(){});
test.constructor = function(){};
Promise.resolve(test)
```

would lead to an unhandled Promise rejection, whereas it should not
because test.constructor[Symbol.species] is undefined, so test.then
should end up constructing %Promise% as a fallback, rather than
calling test.constructor as if it were a constructor, which leads
this error checking code to throw.

For now, this patch removes the error checking code (which was not
present until recently). In an interactive test using core.js, the
error message on the console goes away with this patch. When @@species
support is in place, this patch can be reverted. A regression test
is added which checks for the same thing.

Partially reverted patch was originally out for review at
https://codereview.chromium.org/1531073004

BUG=v8:4633
LOG=Y
R=adamk,caitp88@gmail.com

Review URL: https://codereview.chromium.org/1578893002

Cr-Commit-Position: refs/heads/master@{#33217}
2016-01-11 22:42:11 +00:00
littledan
23235b5fdb Reland of Ship ES2015 sloppy-mode function hoisting, let, class (patchset #1 id:1 of https://codereview.chromium.org/1565263002/ )
Reason for revert:
Crash fixed by https://codereview.chromium.org/1564923007

Original issue's description:
> Revert of Ship ES2015 sloppy-mode function hoisting, let, class (patchset #7 id:120001 of https://codereview.chromium.org/1551443002/ )
>
> Reason for revert:
> Causes frequent crashes in Canary: chromium:537816
>
> Original issue's description:
> > Ship ES2015 sloppy-mode function hoisting, let, class
> >
> > This patch doesn't ship all features of ES2015 variable/scoping
> > changes, notably omitting the removal of legacy const. I think
> > function hoisting, let and class in sloppy mode can stand to
> > themselves as a package, and the legacy const change is much
> > riskier and more likely to be reverted, so my intention is to
> > pursue those as a separate, follow-on patch.
> >
> > R=adamk@chromium.org
> > BUG=v8:4285,v8:3305
> > LOG=Y
> > CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
> >
> > Committed: https://crrev.com/fcff8588a5a01587643d6c2507c7b882c78a2957
> > Cr-Commit-Position: refs/heads/master@{#33133}
>
> TBR=adamk@chromium.org
> # Not skipping CQ checks because original CL landed more than 1 days ago.
> BUG=v8:4285,v8:3305,chromium:537816
> LOG=Y
>
> Committed: https://crrev.com/adac5956c6216056a211cfaa460a00ac1500d8f8
> Cr-Commit-Position: refs/heads/master@{#33162}

TBR=adamk@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4285,v8:3305,chromium:537816

Review URL: https://codereview.chromium.org/1571793002

Cr-Commit-Position: refs/heads/master@{#33189}
2016-01-08 17:34:59 +00:00
titzer
cad2294e42 [wasm] Fix validation error for missing return statement in asm.js module.
R=mstarzinger@chromium.org,bradnelson@chromium.org
LOG=Y
BUG=chromium:575364

Review URL: https://codereview.chromium.org/1564313003

Cr-Commit-Position: refs/heads/master@{#33175}
2016-01-08 12:50:07 +00:00
littledan
adac5956c6 Revert of Ship ES2015 sloppy-mode function hoisting, let, class (patchset #7 id:120001 of https://codereview.chromium.org/1551443002/ )
Reason for revert:
Causes frequent crashes in Canary: chromium:537816

Original issue's description:
> Ship ES2015 sloppy-mode function hoisting, let, class
>
> This patch doesn't ship all features of ES2015 variable/scoping
> changes, notably omitting the removal of legacy const. I think
> function hoisting, let and class in sloppy mode can stand to
> themselves as a package, and the legacy const change is much
> riskier and more likely to be reverted, so my intention is to
> pursue those as a separate, follow-on patch.
>
> R=adamk@chromium.org
> BUG=v8:4285,v8:3305
> LOG=Y
> CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
>
> Committed: https://crrev.com/fcff8588a5a01587643d6c2507c7b882c78a2957
> Cr-Commit-Position: refs/heads/master@{#33133}

TBR=adamk@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:4285,v8:3305,chromium:537816
LOG=Y

Review URL: https://codereview.chromium.org/1565263002

Cr-Commit-Position: refs/heads/master@{#33162}
2016-01-07 20:23:21 +00:00
neis
837900ef24 [tests] Fix bogus uses of assertThrows.
Some tests passed a string as second argument to assertThrows, expecting it to
be matched against the exception.  However, assertThrows simply ignored these.
(Some other tests actually seem to use that argument as a comment ...)

This CL
- changes assertThrows to fail if the second argument is not a function,
- adds assertThrowsEquals which compares the exception to a given value using
  assertEquals
- fixes some bogus tests that got exposed by this.

R=jarin@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1544793002

Cr-Commit-Position: refs/heads/master@{#33159}
2016-01-07 14:49:21 +00:00
jkummerow
a0d03d729a Fix^3 cast in HasEnumerableElements
Empty FixedDoubleArrays aren't FixedDoubleArrays.

BUG=chromium:569534
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1568863002

Cr-Commit-Position: refs/heads/master@{#33158}
2016-01-07 14:47:27 +00:00
bmeurer
b0d0d57d2b [date] Date parser says true even for wrong dates, check twice.
R=yangguo@chromium.org
BUG=chromium:575082
LOG=n

Review URL: https://codereview.chromium.org/1566973002

Cr-Commit-Position: refs/heads/master@{#33149}
2016-01-07 09:30:46 +00:00
littledan
fcff8588a5 Ship ES2015 sloppy-mode function hoisting, let, class
This patch doesn't ship all features of ES2015 variable/scoping
changes, notably omitting the removal of legacy const. I think
function hoisting, let and class in sloppy mode can stand to
themselves as a package, and the legacy const change is much
riskier and more likely to be reverted, so my intention is to
pursue those as a separate, follow-on patch.

R=adamk@chromium.org
BUG=v8:4285,v8:3305
LOG=Y
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1551443002

Cr-Commit-Position: refs/heads/master@{#33133}
2016-01-06 02:03:07 +00:00
jkummerow
b4583c0444 [prototype user tracking] Don't skip JSGlobalProxies
For a prototype chain foo -> global_proxy -> global_object, we used to
register a dependency from foo -> global_object. This is incorrect when
the global_proxy/global_object pairing is modified, e.g. when navigating
in iframes. With this patch, we properly register foo -> global_proxy and
global_proxy -> global_object dependencies.
Additionally, when a prototype's prototype changes from null to something
else, this new usage relation must be registered if there are other users
further down on the prototype chain that might expect a complete chain of
registrations to exist (which was the case before, and must be preserved).

BUG=chromium:571517
LOG=n
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1559323002

Cr-Commit-Position: refs/heads/master@{#33119}
2016-01-05 16:15:48 +00:00
littledan
acbd64be36 Accept time zones like GMT-8 in the legacy date parser
In the Date constructor or Date.parse, other browsers will accept time
zones like GMT-8, but before this patch, Chrome would interpret 8 as
8 minutes. This patch interprets GMT-+ a one or two digit number as hours,
not minutes.

R=adamk,jshin@chromium.org
LOG=Y
BUG=chromium:422858

Review URL: https://codereview.chromium.org/1557053002

Cr-Commit-Position: refs/heads/master@{#33100}
2016-01-04 23:25:57 +00:00
jshin
4e18190e69 Timezone name check fix
1. Location names with more than one underscores (e.g. Ho_Chi_Minh)
   didn't work because of the way capturing works with repeated patterns
   in RE. It's now supported by changing the RE to capture the whole string
   and splitting on '_' in the next step.

2. Adds support for location names with a hyphen

3. Adds support for timezone ids with three parts (e.g.
   American/Argentina/Buenos_Aires)

4. Adds special handling of 'au', 'es' and 'of' in zone ids. They need to be kept in lowercase. (see the full list at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones )

5. Adds regression tests for all the above and make the existing tests
   more robust against future ICU changes. ICU canonicalizes zone names to
   deprecated names, but it may change. (
   http://bugs.icu-project.org/trac/ticket/12044 )

BUG=364374
LOG=Y

Review URL: https://codereview.chromium.org/1529363005

Cr-Commit-Position: refs/heads/master@{#33097}
2016-01-04 21:48:04 +00:00
bmeurer
fed2c416df Use JSObjectVerify instead of trying to reimplement parts of it.
R=verwaest@chromium.org
BUG=chromium:573857
LOG=n

Review URL: https://codereview.chromium.org/1551333002

Cr-Commit-Position: refs/heads/master@{#33083}
2016-01-04 13:50:06 +00:00
verwaest
09c41d9bfd ThrowTypeError should not be constructable, so shouldn't have a prototype.
In addition to ThrowTypeError not being a constructor, it was invalidly set up by simply swapping the map. Swapping the map is insufficient since NewFunction* actually set up the function depending on the used map.

BUG=chromium:573858
LOG=n

Review URL: https://codereview.chromium.org/1552223002

Cr-Commit-Position: refs/heads/master@{#33082}
2016-01-04 13:33:09 +00:00
bmeurer
70c4bf1331 [builtins] Migrate a bunch of Object builtins to C++.
The Object.freeze, Object.isExtensible, Object.isFrozen,
Object.isSealed, Object.preventExtensions and Object.seal builtins were
already implemented in C++, but they still had some funny JavaScript
wrappers that just called into the C++ implementation on every
(interesting) execution path.

Review URL: https://codereview.chromium.org/1553043002

Cr-Commit-Position: refs/heads/master@{#33074}
2016-01-04 08:11:07 +00:00
bmeurer
cb21144baf [es6] Unify ArrayBuffer and SharedArrayBuffer constructors.
Unify the constructors and isView methods for ArrayBuffer and
SharedArrayBuffer, moving them to C++ because there's no point
in having the JavaScript wrappers for them.

We choose to deliberately violate the ES2015 specification and
implement the ArrayBuffer constructor in a way that matches
Firefox and Safari instead.

CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
BUG=chromium:565917, v8:4592
TBR=hpayer@chromium.org
R=cbruni@chromium.org
LOG=n

Committed: https://crrev.com/3235ccbb7826ceec2188f6ebab98fc851b54f60e
Cr-Commit-Position: refs/heads/master@{#32590}

Review URL: https://codereview.chromium.org/1500543002

Cr-Commit-Position: refs/heads/master@{#33072}
2016-01-01 07:13:16 +00:00
littledan
a9c791009b Fix 'illegal access' in Date constructor edge case
In a rare edge case, a difference in checks between C++ and
JavaScript lead to an 'illegal access' being thrown by the Date
constructor. This patch harmonizes the checks from both sides.
It's possible that slightly larger dates could be permitted,
as the ECMAScript 2015 specification indicates that +287396-10-12
would be a permissible date in the note in
http://tc39.github.io/ecma262/#sec-extended-years
This patch does not revisit the limit, only clears up the
inconsistency.

BUG=v8:4640
R=cbruni
LOG=Y

Review URL: https://codereview.chromium.org/1545883003

Cr-Commit-Position: refs/heads/master@{#33068}
2015-12-30 23:54:59 +00:00
littledan
e549c7a356 Reland of Use ES2015-style TypedArray prototype chain (patchset #1 id:1 of https://codereview.chromium.org/1554523002/ )
Reason for revert:
Should be fixed again with this Blink change to add NeedsManualRebaseline

Original issue's description:
> Revert of Use ES2015-style TypedArray prototype chain (patchset #5 id:80001 of https://codereview.chromium.org/1541233002/ )
>
> Reason for revert:
> [Sheriff] Changes layout tests. Please fix upstream first if intended.
>
> https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/3689
>
> Original issue's description:
> > Use ES2015-style TypedArray prototype chain
> >
> > This patch switches TypedArrays to use the prototype chain described
> > in the ES2015 specification, which adds a %TypedArray% superclass above
> > all individual TypedArray types. Most methods are defined on the
> > superclass rather than the subclasses.
> >
> > In order to prevent a performance regression, a few methods are
> > marked as inline. Inlining might prevent code which was previously
> > monomorphic from becoming polymorphic, and it was specifically
> > applied in places where methods became more polymorphic than before.
> > Tests with realistic workloads would be nice to do before this
> > ships in stable.
> >
> > This patch does not bring TypedArrays up to full spec compliance. In
> > particular, @@species is not yet supported.
> >
> > R=cbruni
> > BUG=v8:4085
> > LOG=Y
> >
> > Committed: https://crrev.com/07c91dccbe55c7be3ec75857dee5ad59873330b7
> > Cr-Commit-Position: refs/heads/master@{#33050}
>
> TBR=caitpotter88@gmail.com,cbruni@chromium.org,littledan@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:4085
>
> Committed: https://crrev.com/28b55ffd1e32e09aaf42b8bbb407944d4808e07c
> Cr-Commit-Position: refs/heads/master@{#33053}

TBR=caitpotter88@gmail.com,cbruni@chromium.org,machenbach@chromium.org
BUG=v8:4085
LOG=Y

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1558663002

Cr-Commit-Position: refs/heads/master@{#33067}
2015-12-30 22:14:16 +00:00
littledan
797d1090ae Reland "Clean up promises and fix an edge case bug (patchset #4 id:60001 of https://codereview.chromium.org/1488783002/ )"
This patch relands a change to ES2015 Promises which brings us closer to
spec compliance. In this new version, a bug which would lose async callstack
data was fixed.

R=adamk
CC=rossberg,caitp
LOG=Y
BUG=v8:3641
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1538663002

Cr-Commit-Position: refs/heads/master@{#33065}
2015-12-30 20:47:37 +00:00
ishell
bae0d6c8dc [crankshaft] Don't inline array resize operations if receiver's proto is not a JSObject.
BUG=chromium:571064
LOG=Y
TBR=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1548363003

Cr-Commit-Position: refs/heads/master@{#33058}
2015-12-29 14:35:18 +00:00
ishell
c1aded3c4b [ic] Fixed receiver_map register trashing in KeyedStoreIC megamorphic.
BUG=chromium:571370
LOG=Y

Review URL: https://codereview.chromium.org/1546323002

Cr-Commit-Position: refs/heads/master@{#33057}
2015-12-29 12:52:13 +00:00
bmeurer
2fcf3aa62c Only verify in-object fields in fast properties case.
This matches the behavior of JSObject::JSObjectVerify() and seems to be
the current contract for --verify-heap.

BUG=chromium:572590
LOG=n

Review URL: https://codereview.chromium.org/1553463002

Cr-Commit-Position: refs/heads/master@{#33056}
2015-12-29 11:20:52 +00:00
machenbach
28b55ffd1e Revert of Use ES2015-style TypedArray prototype chain (patchset #5 id:80001 of https://codereview.chromium.org/1541233002/ )
Reason for revert:
[Sheriff] Changes layout tests. Please fix upstream first if intended.

https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/3689

Original issue's description:
> Use ES2015-style TypedArray prototype chain
>
> This patch switches TypedArrays to use the prototype chain described
> in the ES2015 specification, which adds a %TypedArray% superclass above
> all individual TypedArray types. Most methods are defined on the
> superclass rather than the subclasses.
>
> In order to prevent a performance regression, a few methods are
> marked as inline. Inlining might prevent code which was previously
> monomorphic from becoming polymorphic, and it was specifically
> applied in places where methods became more polymorphic than before.
> Tests with realistic workloads would be nice to do before this
> ships in stable.
>
> This patch does not bring TypedArrays up to full spec compliance. In
> particular, @@species is not yet supported.
>
> R=cbruni
> BUG=v8:4085
> LOG=Y
>
> Committed: https://crrev.com/07c91dccbe55c7be3ec75857dee5ad59873330b7
> Cr-Commit-Position: refs/heads/master@{#33050}

TBR=caitpotter88@gmail.com,cbruni@chromium.org,littledan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4085

Review URL: https://codereview.chromium.org/1554523002

Cr-Commit-Position: refs/heads/master@{#33053}
2015-12-29 08:43:29 +00:00
littledan
07c91dccbe Use ES2015-style TypedArray prototype chain
This patch switches TypedArrays to use the prototype chain described
in the ES2015 specification, which adds a %TypedArray% superclass above
all individual TypedArray types. Most methods are defined on the
superclass rather than the subclasses.

In order to prevent a performance regression, a few methods are
marked as inline. Inlining might prevent code which was previously
monomorphic from becoming polymorphic, and it was specifically
applied in places where methods became more polymorphic than before.
Tests with realistic workloads would be nice to do before this
ships in stable.

This patch does not bring TypedArrays up to full spec compliance. In
particular, @@species is not yet supported.

R=cbruni
BUG=v8:4085
LOG=Y

Review URL: https://codereview.chromium.org/1541233002

Cr-Commit-Position: refs/heads/master@{#33050}
2015-12-28 17:28:54 +00:00
bmeurer
97def8070c [runtime] Introduce dedicated JSBoundFunction to represent bound functions.
According to the ES2015 specification, bound functions are exotic
objects, and thus don't need to be implemented as JSFunctions. So
we introduce a new JSBoundFunction type to represent bound functions
and make them optimizable. This already improves the performance of
calling or constructing bound functions by 10-100x depending on the
use case because we avoid the crazy dance between JavaScript and C++
that was implemented in v8natives.js previously.

There's still room for improvement in the performance of actually
creating bound functions, which is also relevant in practice, but
we already have a plan how to accomplish that later.

The mips/mips64 ports were contributed by akos.palfi@imgtec.com.

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
BUG=chromium:535408, chromium:571299, v8:4629
LOG=n

Committed: https://crrev.com/ca8623eaa468cba65a5adafcdfb4615966f43ce2
Cr-Commit-Position: refs/heads/master@{#33042}

Review URL: https://codereview.chromium.org/1542963002

Cr-Commit-Position: refs/heads/master@{#33044}
2015-12-27 06:31:44 +00:00
bmeurer
1cf8b105d6 Revert of [runtime] Introduce dedicated JSBoundFunction to represent bound functions. (patchset #14 id:260001 of https://codereview.chromium.org/1542963002/ )
Reason for revert:
Breaks arm64 sim nosnap: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug/builds/805/steps/Check/logs/function-bind

Original issue's description:
> [runtime] Introduce dedicated JSBoundFunction to represent bound functions.
>
> According to the ES2015 specification, bound functions are exotic
> objects, and thus don't need to be implemented as JSFunctions. So
> we introduce a new JSBoundFunction type to represent bound functions
> and make them optimizable. This already improves the performance of
> calling or constructing bound functions by 10-100x depending on the
> use case because we avoid the crazy dance between JavaScript and C++
> that was implemented in v8natives.js previously.
>
> There's still room for improvement in the performance of actually
> creating bound functions, which is also relevant in practice, but
> we already have a plan how to accomplish that later.
>
> The mips/mips64 ports were contributed by akos.palfi@imgtec.com.
>
> CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
> BUG=chromium:535408, chromium:571299, v8:4629
> LOG=n
>
> Committed: https://crrev.com/ca8623eaa468cba65a5adafcdfb4615966f43ce2
> Cr-Commit-Position: refs/heads/master@{#33042}

TBR=cbruni@chromium.org,hpayer@chromium.org,yangguo@chromium.org,akos.palfi@imgtec.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:535408, chromium:571299, v8:4629

Review URL: https://codereview.chromium.org/1552473002

Cr-Commit-Position: refs/heads/master@{#33043}
2015-12-27 04:42:13 +00:00
bmeurer
ca8623eaa4 [runtime] Introduce dedicated JSBoundFunction to represent bound functions.
According to the ES2015 specification, bound functions are exotic
objects, and thus don't need to be implemented as JSFunctions. So
we introduce a new JSBoundFunction type to represent bound functions
and make them optimizable. This already improves the performance of
calling or constructing bound functions by 10-100x depending on the
use case because we avoid the crazy dance between JavaScript and C++
that was implemented in v8natives.js previously.

There's still room for improvement in the performance of actually
creating bound functions, which is also relevant in practice, but
we already have a plan how to accomplish that later.

The mips/mips64 ports were contributed by akos.palfi@imgtec.com.

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
BUG=chromium:535408, chromium:571299, v8:4629
LOG=n

Review URL: https://codereview.chromium.org/1542963002

Cr-Commit-Position: refs/heads/master@{#33042}
2015-12-26 20:28:17 +00:00
bmeurer
d1d4fa20b0 [runtime] Also migrate the Function and GeneratorFunction constructors to C++.
These constructors always go through C++ at least twice anyway, so
there's not really a point in trying to implement them in JavaScript.

R=yangguo@chromium.org
BUG=chromium:535408
LOG=n

Review URL: https://codereview.chromium.org/1548623002

Cr-Commit-Position: refs/heads/master@{#33012}
2015-12-22 14:15:53 +00:00
ishell
37b5ebc31d Fix UTC offset computation in date parser.
BUG=chromium:561973
LOG=N

Review URL: https://codereview.chromium.org/1532573003

Cr-Commit-Position: refs/heads/master@{#32956}
2015-12-17 16:29:33 +00:00
verwaest
d64dc800db Return CallSite numbers as Number rather than Smi
BUG=chromium:570651
LOG=n

Review URL: https://codereview.chromium.org/1532083002

Cr-Commit-Position: refs/heads/master@{#32947}
2015-12-17 13:17:42 +00:00
mvstanton
6540e736f3 Bugfix: Make sure not to overwrite the empty optimized code map root.
BUG=chromium:568765
LOG=N
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1534453002

Cr-Commit-Position: refs/heads/master@{#32910}
2015-12-16 16:28:02 +00:00
yangguo
65d3009e03 [regexp] clear QuickCheckDetails for backward reads.
R=erik.corry@gmail.com
BUG=chromium:570241
LOG=N

Review URL: https://codereview.chromium.org/1528333002

Cr-Commit-Position: refs/heads/master@{#32898}
2015-12-16 13:43:23 +00:00
yangguo
8bee91a58b [debugger] remove step count parameter from prepare step.
And tons of changes to debugger tests.

R=bmeurer@chromium.org
BUG=chromium:569835
LOG=N

Review URL: https://codereview.chromium.org/1525173003

Cr-Commit-Position: refs/heads/master@{#32885}
2015-12-16 08:39:54 +00:00
yangguo
abe2feb081 [debugger] debug-evaluate should not not modify local values.
Debug evaluate no longer writes back changes to the replicated
context chain to the original after execution. Changes to the
global object or script contexts still stick. Calling functions
that bind to the original context chain also have their expected
side effects.

As far as I can tell, DevTools is not interested in modifying
local variable values. Modifying global variable values still
works as expected. However, I have not yet removed the old
implementation, but merely keep it behind a flag.

R=mstarzinger@chromium.org, rossberg@chromium.org

Committed: https://crrev.com/92caa9b85eefffbef51c67428397951bd2e2c330
Cr-Commit-Position: refs/heads/master@{#32841}

Review URL: https://codereview.chromium.org/1513183003

Cr-Commit-Position: refs/heads/master@{#32857}
2015-12-15 09:54:46 +00:00
yangguo
6d8a2611c0 [debugger] flood function for stepping on throw.
We used to flood the handler when preparing for stepping,
even if we may not throw. Instead, we now flood the
handler only when we actually throw.

This also solves an issue with step-next when we throw and
leave the function unexpectedly. In combination with
microtasks, this could cause a crash.

R=mstarzinger@chromium.org
BUG=chromium:568477
LOG=N

Review URL: https://codereview.chromium.org/1527593002

Cr-Commit-Position: refs/heads/master@{#32856}
2015-12-15 09:33:39 +00:00
machenbach
a2f2e913f8 Revert of [debugger] debug-evaluate should not not modify local values. (patchset #2 id:20001 of https://codereview.chromium.org/1513183003/ )
Reason for revert:
[Sheriff] Layout test changes.

Original issue's description:
> [debugger] debug-evaluate should not not modify local values.
>
> Debug evaluate no longer writes back changes to the replicated
> context chain to the original after execution. Changes to the
> global object or script contexts still stick. Calling functions
> that bind to the original context chain also have their expected
> side effects.
>
> As far as I can tell, DevTools is not interested in modifying
> local variable values. Modifying global variable values still
> works as expected. However, I have not yet removed the old
> implementation, but merely keep it behind a flag.
>
> R=mstarzinger@chromium.org, rossberg@chromium.org
>
> Committed: https://crrev.com/92caa9b85eefffbef51c67428397951bd2e2c330
> Cr-Commit-Position: refs/heads/master@{#32841}

TBR=mstarzinger@chromium.org,rossberg@chromium.org,yangguo@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1526553003

Cr-Commit-Position: refs/heads/master@{#32845}
2015-12-14 17:19:46 +00:00
yangguo
92caa9b85e [debugger] debug-evaluate should not not modify local values.
Debug evaluate no longer writes back changes to the replicated
context chain to the original after execution. Changes to the
global object or script contexts still stick. Calling functions
that bind to the original context chain also have their expected
side effects.

As far as I can tell, DevTools is not interested in modifying
local variable values. Modifying global variable values still
works as expected. However, I have not yet removed the old
implementation, but merely keep it behind a flag.

R=mstarzinger@chromium.org, rossberg@chromium.org

Review URL: https://codereview.chromium.org/1513183003

Cr-Commit-Position: refs/heads/master@{#32841}
2015-12-14 14:54:28 +00:00
cbruni
df2a92972b [proxy] fixing for-in for proxies, fixing harmony/proxy.js tests, improving error messages and some drive-by fixes
BUG=v8:1543
LOG=n

patch from issue 1519473002 at patchset 1 (http://crrev.com/1519473002#ps1)

Review URL: https://codereview.chromium.org/1516843002

Cr-Commit-Position: refs/heads/master@{#32801}
2015-12-11 14:56:00 +00:00
littledan
46cb23c24b Disable new regression tests with noi18n
BUG=chromium:487322
R=adamk
LOG=N

Review URL: https://codereview.chromium.org/1514993002

Cr-Commit-Position: refs/heads/master@{#32770}
2015-12-10 22:52:44 +00:00
littledan
bff3074d73 Allow ICU to normalize time zones
There's at least one case of a time zone alias: Asia/Kathmandu aliases
Asia/Katmandu. ICU seems to normalize to the (deprecated) latter choice.
V8 internationalization choked on this change; this patch interprets
ICU's output more precisely and allows it.

BUG=chromium:487322
R=jungshik,adamk
LOG=Y

Review URL: https://codereview.chromium.org/1509273007

Cr-Commit-Position: refs/heads/master@{#32769}
2015-12-10 20:13:45 +00:00
adamk
eb67f85439 Fix FuncNameInferrer usage in ParseAssignmentExpression
Without this fix, AssignmentExpressions that happen to be arrow functions
would lead to unbalanced Enter/Leave calls on the fni_, causing thrashing
while trying to infer function names. Symptoms include slow parsing
or OOM (when we create too many AstConsStrings).

To try to keep this from happening in the future, added an RAII helper
class to handle Entering/Leaving FNI state.

The included regression test crashes on my workstation without the patch.
Note that it's too slow in debug mode (as well as under TurboFan),
so I've skipped it there.

BUG=v8:4595
LOG=y

Review URL: https://codereview.chromium.org/1507283003

Cr-Commit-Position: refs/heads/master@{#32768}
2015-12-10 19:19:35 +00:00
jkummerow
989f44f126 Fix mix-up in HasEnumerableElements()
Only JSArrays ever have packed elements; holey elements can be on any kind of object.

BUG=chromium:568525
LOG=n
R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1515963002

Cr-Commit-Position: refs/heads/master@{#32755}
2015-12-10 15:01:49 +00:00
balazs.kilvady
9597b019bc MIPS: Fix NaN tests.
BUG=
TEST=mjsunit/regress/regress-undefined-nan, mjsunit/regress/regress-undefined-nan3, mjsunit/regress/regress-2596

Review URL: https://codereview.chromium.org/1507363002

Cr-Commit-Position: refs/heads/master@{#32741}
2015-12-10 10:06:17 +00:00
adamk
2f9c68cfb1 Pass --harmony-object-observe in tests that depend on it
This is in preparation for turning the flag off by default.

BUG=chromium:552100
LOG=n

Review URL: https://codereview.chromium.org/1511293002

Cr-Commit-Position: refs/heads/master@{#32729}
2015-12-09 20:34:16 +00:00
verwaest
454c1faeef Make Error.prototype.toString spec compliant; and fix various side-effect-free error printing methods
R=yangguo@chromium.org
LOG=n

Committed: https://crrev.com/5dffa35350d0f57402806e6bd87a914e1d5933e4
Cr-Commit-Position: refs/heads/master@{#32695}

Review URL: https://codereview.chromium.org/1507273002

Cr-Commit-Position: refs/heads/master@{#32720}
2015-12-09 17:03:08 +00:00
machenbach
4c7e0f456f Revert of Make Error.prototype.toString spec compliant; and fix various side-effect-free error printing metho… (patchset #2 id:20001 of https://codereview.chromium.org/1507273002/ )
Reason for revert:
[Sheriff] Breaks layout tests. Please rebase upstream first:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/3334

Original issue's description:
> Make Error.prototype.toString spec compliant; and fix various side-effect-free error printing methods
>
> R=yangguo@chromium.org
> LOG=n
>
> Committed: https://crrev.com/5dffa35350d0f57402806e6bd87a914e1d5933e4
> Cr-Commit-Position: refs/heads/master@{#32695}

TBR=yangguo@chromium.org,bmeurer@chromium.org,verwaest@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1510173002

Cr-Commit-Position: refs/heads/master@{#32700}
2015-12-09 10:23:04 +00:00
verwaest
5dffa35350 Make Error.prototype.toString spec compliant; and fix various side-effect-free error printing methods
R=yangguo@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1507273002

Cr-Commit-Position: refs/heads/master@{#32695}
2015-12-09 08:52:25 +00:00
neis
4e2c0dd7a9 [proxies] Make Object.{freeze,seal} behave correctly for proxies.
- Add JSReceiver::SetIntegrityLevel, with a fast path for regular objects.
- Make Object.{freeze,seal} call this via %Object{Freeze,Seal}, thus no longer
  using broken or deprecated functions from v8natives.js.
- Add JSReceiver::OwnPropertyKeys convenience function.
- Reenable harmony/proxies-hash.js test.

R=rossberg
BUG=v8:1543
LOG=N

Review URL: https://codereview.chromium.org/1489423002

Cr-Commit-Position: refs/heads/master@{#32651}
2015-12-07 11:01:35 +00:00
jochen
086d459847 [crankshaft] Loads and stores to typed arrays have to reference the backing store holder
The backing store is only held alive indirectly via the array buffer
referenced by the holder (typed array), so it's not enough to keep the
elements alive (or even just the external pointer loaded from the
elements).

R=mstarzinger@chromium.org,bmeurer@chromium.org
LOG=n
BUG=v8:1827

Review URL: https://codereview.chromium.org/1493983004

Cr-Commit-Position: refs/heads/master@{#32644}
2015-12-07 08:37:42 +00:00
machenbach
0f2ed07f45 Revert of Clean up promises and fix an edge case bug (patchset #4 id:60001 of https://codereview.chromium.org/1488783002/ )
Reason for revert:
[Sheriff] Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/3266

Please request rebase upstream first.

Original issue's description:
> Clean up promises and fix an edge case bug
>
> This patch builds on previous Promise spec compliance work by
> cleaning out some old code which existed to support
> Promise.prototype.chain, rephrasing some code to correspond more
> closely to the specification, and removing some incorrect brand
> checking. A test is added for a bug in an edge case which was fixed.
>
> R=rossberg
> BUG=v8:3641
> LOG=Y
>
> Committed: https://crrev.com/1deb89c8fd3cb69714ae0a24e3b5a4e78f6b73b4
> Cr-Commit-Position: refs/heads/master@{#32627}

TBR=rossberg@chromium.org,caitpotter88@gmail.com,littledan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3641

Review URL: https://codereview.chromium.org/1501763004

Cr-Commit-Position: refs/heads/master@{#32629}
2015-12-05 08:51:20 +00:00
littledan
1deb89c8fd Clean up promises and fix an edge case bug
This patch builds on previous Promise spec compliance work by
cleaning out some old code which existed to support
Promise.prototype.chain, rephrasing some code to correspond more
closely to the specification, and removing some incorrect brand
checking. A test is added for a bug in an edge case which was fixed.

R=rossberg
BUG=v8:3641
LOG=Y

Review URL: https://codereview.chromium.org/1488783002

Cr-Commit-Position: refs/heads/master@{#32627}
2015-12-04 18:56:17 +00:00
machenbach
154a493cb7 Revert of [es6] Correctify and unify ArrayBuffer and SharedArrayBuffer constructors. (patchset #2 id:20001 of https://codereview.chromium.org/1500543002/ )
Reason for revert:
Blocks the roll:
https://codereview.chromium.org/1497763004/

Original issue's description:
> [es6] Correctify and unify ArrayBuffer and SharedArrayBuffer constructors.
>
> The ArrayBuffer and SharedArrayBuffer constructors should raise an
> exception when called with no arguments or undefined length.  Also
> unified the ArrayBuffer and SharedArrayBuffer implementations as C++
> builtins, and removed some (now) obsolete runtime entries.
>
> R=yangguo@chromium.org
>
> Committed: https://crrev.com/3235ccbb7826ceec2188f6ebab98fc851b54f60e
> Cr-Commit-Position: refs/heads/master@{#32590}

TBR=yangguo@chromium.org,cbruni@chromium.org,adamk@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1501673002

Cr-Commit-Position: refs/heads/master@{#32606}
2015-12-04 10:38:48 +00:00
bmeurer
3235ccbb78 [es6] Correctify and unify ArrayBuffer and SharedArrayBuffer constructors.
The ArrayBuffer and SharedArrayBuffer constructors should raise an
exception when called with no arguments or undefined length.  Also
unified the ArrayBuffer and SharedArrayBuffer implementations as C++
builtins, and removed some (now) obsolete runtime entries.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1500543002

Cr-Commit-Position: refs/heads/master@{#32590}
2015-12-03 21:16:31 +00:00
machenbach
15cb3fde7d Reland of [debugger] do not restart frames that reference new.target for liveedit. (patchset #1 id:1 of https://codereview.chromium.org/1493863004/ )
Reason for revert:
Didn't help...

Original issue's description:
> Revert of [debugger] do not restart frames that reference new.target for liveedit. (patchset #1 id:1 of https://codereview.chromium.org/1493363002/ )
>
> Reason for revert:
> [Sheriff] Speculative revert for https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/3225
>
> Original issue's description:
> > [debugger] do not restart frames that reference new.target for liveedit.
> >
> > R=mstarzinger@chromium.org
> >
> > Committed: https://crrev.com/6fca870240bdbb07a365189b5eb0c98fa65b3682
> > Cr-Commit-Position: refs/heads/master@{#32572}
>
> TBR=mstarzinger@chromium.org,yangguo@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
>
> Committed: https://crrev.com/1a61dab34b9849f3f70a42ce69317e22758c53a1
> Cr-Commit-Position: refs/heads/master@{#32582}

TBR=mstarzinger@chromium.org,yangguo@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1492393003

Cr-Commit-Position: refs/heads/master@{#32587}
2015-12-03 20:21:36 +00:00
machenbach
1a61dab34b Revert of [debugger] do not restart frames that reference new.target for liveedit. (patchset #1 id:1 of https://codereview.chromium.org/1493363002/ )
Reason for revert:
[Sheriff] Speculative revert for https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/3225

Original issue's description:
> [debugger] do not restart frames that reference new.target for liveedit.
>
> R=mstarzinger@chromium.org
>
> Committed: https://crrev.com/6fca870240bdbb07a365189b5eb0c98fa65b3682
> Cr-Commit-Position: refs/heads/master@{#32572}

TBR=mstarzinger@chromium.org,yangguo@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1493863004

Cr-Commit-Position: refs/heads/master@{#32582}
2015-12-03 18:39:16 +00:00
yangguo
6fca870240 [debugger] do not restart frames that reference new.target for liveedit.
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1493363002

Cr-Commit-Position: refs/heads/master@{#32572}
2015-12-03 15:19:17 +00:00
verwaest
324ab7076c For non-prototype objects constructed using base==new.target, use the cached constructor to render the name.
BUG=chromium:563791
LOG=y

Review URL: https://codereview.chromium.org/1494673004

Cr-Commit-Position: refs/heads/master@{#32556}
2015-12-03 12:41:27 +00:00
kozyatinskiy
cab2512a5e Removed support deprecated (//@|/*@) source(URL|MappingURL)=
LOG=Y
BUG=chromium:558998
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1495633002

Cr-Commit-Position: refs/heads/master@{#32528}
2015-12-02 19:53:47 +00:00
verwaest
9bee67509c Don't EnsureHasInitialMap on non-constructors.
non-constructors are not allowed to have initial maps. The optimizing compilers used to add initial maps unconditionally to functions used as right-hand-side in instanceof.

BUG=

Review URL: https://codereview.chromium.org/1490003003

Cr-Commit-Position: refs/heads/master@{#32497}
2015-12-02 10:39:46 +00:00
mstarzinger
82e6bed4db Deprecate the %IsConstructCall intrinsic completely.
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1479233002

Cr-Commit-Position: refs/heads/master@{#32470}
2015-12-01 15:58:55 +00:00
bmeurer
c83db2d071 [x86] Sane default for Label::Distance on JumpIfRoot/JumpIfNotRoot.
R=jarin@chromium.org
BUG=chromium:563929
LOG=n

Review URL: https://codereview.chromium.org/1483343002

Cr-Commit-Position: refs/heads/master@{#32456}
2015-12-01 12:23:25 +00:00
jkummerow
3cb3a6fe4a [crankshaft] Fix crash when case labels inline endless loops
The fix is to bail out of compilation in that case.

BUG=chromium:551287
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1483373002

Cr-Commit-Position: refs/heads/master@{#32454}
2015-12-01 12:17:31 +00:00
adamk
6c6dd449c3 Defer CONST_LEGACY redeclaration errors until runtime in harmony mode
This fixes a corner-case in redeclaration handling, where the ES2015
early error case got mixed up with legacy const handling in the parser.

Redeclaration using ES2015 'let' and 'const' should be early errors,
but legacy 'const' redeclaration has historically been a runtime error,
and should stay that way until legacy 'const' is gone.

The fix here is uglier than it might be due to
https://code.google.com/p/v8/issues/detail?id=4577, which keeps us
from simplifying the mess of if/else-if in the current code.

BUG=v8:4576
LOG=n

Review URL: https://codereview.chromium.org/1485943002

Cr-Commit-Position: refs/heads/master@{#32429}
2015-12-01 01:19:59 +00:00
neis
9334308a12 Rename %_IsSpecObject to %_IsJSReceiver.
This depends on issue 1476403004.

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1479293002

Cr-Commit-Position: refs/heads/master@{#32401}
2015-11-30 11:56:45 +00:00
verwaest
469675ee3f Fix name shown by devtools for subclasses.
This replaces internal GetConstructorName with toStringTag, .constructor's name
and class_name. This entirely changes how the name is computed for use in
devtools.

BUG=chromium:529177
LOG=n

Review URL: https://codereview.chromium.org/1435273002

Cr-Commit-Position: refs/heads/master@{#32374}
2015-11-27 13:10:25 +00:00
yangguo
81e131ce48 [debugger] flood function for stepping before calling it.
R=verwaest@chromium.org

Committed: https://crrev.com/93eb633214e0f97bf70ae30d2a07b7fbbaa78266
Cr-Commit-Position: refs/heads/master@{#32285}

Review URL: https://codereview.chromium.org/1463803002

Cr-Commit-Position: refs/heads/master@{#32339}
2015-11-26 14:12:18 +00:00
machenbach
df3dee87a7 Revert of [debugger] flood function for stepping before calling it. (patchset #7 id:120001 of https://codereview.chromium.org/1463803002/ )
Reason for revert:
[Sheriff] Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/3074

Original issue's description:
> [debugger] flood function for stepping before calling it.
>
> R=verwaest@chromium.org
>
> Committed: https://crrev.com/93eb633214e0f97bf70ae30d2a07b7fbbaa78266
> Cr-Commit-Position: refs/heads/master@{#32285}

TBR=verwaest@chromium.org,mstarzinger@chromium.org,yangguo@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1474943005

Cr-Commit-Position: refs/heads/master@{#32299}
2015-11-25 19:26:46 +00:00
yangguo
93eb633214 [debugger] flood function for stepping before calling it.
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1463803002

Cr-Commit-Position: refs/heads/master@{#32285}
2015-11-25 15:45:47 +00:00
yangguo
1db01d6d5d Revert of Removed support deprecated (//@|/*@) source(URL|MappingURL)= (patchset #1 id:1 of https://codereview.chromium.org/1474543005/ )
Reason for revert:
Failing layout tests:

inspector/tracing/timeline-event-causes.html
virtual/syncpaint/inspector/tracing/timeline-event-causes.html
inspector/animation/animation-timeline-fill.html
virtual/threaded/inspector/tracing/timeline-event-causes.html
inspector/tracing/timeline-script-id.html
inspector/sources/debugger-ui/source-url-comment.html
inspector/console/console-log-linkify-stack-in-errors.html
virtual/syncpaint/inspector/tracing/timeline-script-id.html
virtual/threaded/inspector/tracing/timeline-script-id.html

Original issue's description:
> Removed support deprecated (//@|/*@) source(URL|MappingURL)=
>
> LOG=Y
> BUG=chromium:558998
> R=yangguo@chromium.org
>
> Committed: https://crrev.com/c1e5f005d79c436d90f474f8bc6448c4555a619f
> Cr-Commit-Position: refs/heads/master@{#32249}

TBR=machenbach@chromium.org,kozyatinskiy@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:558998

Review URL: https://codereview.chromium.org/1481513002

Cr-Commit-Position: refs/heads/master@{#32259}
2015-11-25 10:28:02 +00:00
kozyatinskiy
c1e5f005d7 Removed support deprecated (//@|/*@) source(URL|MappingURL)=
LOG=Y
BUG=chromium:558998
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1474543005

Cr-Commit-Position: refs/heads/master@{#32249}
2015-11-25 08:02:27 +00:00
verwaest
8e28e851ee Install ConstructNonConstructable as construct stub for non-constructables.
BUG=

Review URL: https://codereview.chromium.org/1467473002

Cr-Commit-Position: refs/heads/master@{#32223}
2015-11-24 17:17:00 +00:00
verwaest
469d9bfa8d Introduce a BuiltinsConstructStub that sets up new.target and does a [[call]] per ES6 9.3.2
BUG=

Review URL: https://codereview.chromium.org/1448933002

Cr-Commit-Position: refs/heads/master@{#32120}
2015-11-19 16:11:09 +00:00
bmeurer
3c9ac974f2 [turbofan] Unstable prototype maps are not supported currently.
We currently assume that all prototype maps are stable, which is
not guaranteed for certain keyed access patterns. So we explicitly
disallow optimizing the element access there for now.

BUG=chromium:557807, v8:4470
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1456973004

Cr-Commit-Position: refs/heads/master@{#32101}
2015-11-19 06:21:06 +00:00
adamk
7d1d978654 Rename destructuring flag to "--harmony-destructuring-bind"
This is in preparation for the addition of --harmony-destructuring-assignment.

BUG=v8:811
LOG=n

Review URL: https://codereview.chromium.org/1450193002

Cr-Commit-Position: refs/heads/master@{#32098}
2015-11-18 23:30:09 +00:00
jkummerow
107699483d Fix PropertyDescriptor::ToObject
When adding properties to the result object, that object's prototype chain should be ignored.

Review URL: https://codereview.chromium.org/1458873002

Cr-Commit-Position: refs/heads/master@{#32085}
2015-11-18 13:56:51 +00:00
yangguo
5bcddae76f [crankshaft] only compile string index access with element key.
R=bmeurer@chromium.org
BUG=chromium:554831
LOG=N

Review URL: https://codereview.chromium.org/1455883004

Cr-Commit-Position: refs/heads/master@{#32084}
2015-11-18 13:53:34 +00:00
mstarzinger
279f2aad93 [turbofan] Fix deoptimization from array literal spread.
This fixes the array literal expression stack tracking in the presence
of spread expressions. Deoptimization within a spread expression was
borked.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-deopt-in-array-literal-spread

Review URL: https://codereview.chromium.org/1455953002

Cr-Commit-Position: refs/heads/master@{#32079}
2015-11-18 11:45:41 +00:00
mstarzinger
1321075391 [turbofan] Fix several OSR entries within literals.
With do-expressions any expression used within literals can turn into an
OSR entry-point. This means the literal object being constructed is then
renamed to an OSR value and needs to be reloaded from the environment.

R=rossberg@chromium.org
TEST=mjsunit/regress/regress-osr-in-literal

Review URL: https://codereview.chromium.org/1453733002

Cr-Commit-Position: refs/heads/master@{#32050}
2015-11-17 15:25:30 +00:00
mstarzinger
0c1c80b2af [turbofan] Fix several OSR entries within class literals.
With do-expressions any expression used within literals can turn into an
OSR entry-point. This means the literal object being constructed is then
renamed to an OSR value and needs to be reloaded from the environment.

R=rossberg@chromium.org
TEST=mjsunit/regress/regress-osr-in-literal

Review URL: https://codereview.chromium.org/1452193003

Cr-Commit-Position: refs/heads/master@{#32048}
2015-11-17 14:51:35 +00:00
mstarzinger
f8a7236119 [turbofan] Fix several OSR entries within literals.
With do-expressions any expression used within literals can turn into an
OSR entry-point. This means the literal object being constructed is then
renamed to an OSR value and needs to be reloaded from the environment.

R=rossberg@chromium.org
TEST=mjsunit/regress/regress-osr-in-literal

Review URL: https://codereview.chromium.org/1451423002

Cr-Commit-Position: refs/heads/master@{#32047}
2015-11-17 14:25:30 +00:00
jarin
a77f9179e0 [turbofan] Check for dead node in the common operator reducer.
BUG=chromium:556543
LOG=n

Review URL: https://codereview.chromium.org/1450883003

Cr-Commit-Position: refs/heads/master@{#32025}
2015-11-17 09:03:10 +00:00
adamk
e971005638 Run the materialized literal reindexer on default parameter initializers
R=rossberg@chromium.org
BUG=chromium:554865
LOG=n

Review URL: https://codereview.chromium.org/1442653004

Cr-Commit-Position: refs/heads/master@{#31989}
2015-11-13 17:11:05 +00:00
mstarzinger
c42f188ce2 [turbofan] Fix OSR entry in case label.
With do-expressions any expression used as a case label can turn into an
OSR entry-point. This means the value being switched over is renamed to
an OSR value and needs to be reloaded from the environment at each case.

R=rossberg@chromium.org
TEST=mjsunit/regress/regress-osr-in-case-label

Review URL: https://codereview.chromium.org/1438123007

Cr-Commit-Position: refs/heads/master@{#31986}
2015-11-13 16:05:28 +00:00
cbruni
24e058d0ed [runtime] support new Proxy() instead of Proxy.create and install getPrototypeOf trap
LOG=N
BUG=v8:1543

Review URL: https://codereview.chromium.org/1417063011

Cr-Commit-Position: refs/heads/master@{#31983}
2015-11-13 14:14:07 +00:00
mstarzinger
83e9ea1e49 [turbofan] Ensure inlined constructor calls still throw.
This makes sure that inlining a constructor call to a function which
cannot be used as a constructor (e.g. strong mode function) still does
throw correctly when the implicit receiver is created.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-inline-strong-as-construct
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1447443002

Cr-Commit-Position: refs/heads/master@{#31982}
2015-11-13 14:05:48 +00:00
yangguo
a7e50a5e06 [JSON stringifier] Reintroduce fast path with bail out to slow path.
R=verwaest@chromium.org
BUG=chromium:554946
LOG=N

Review URL: https://codereview.chromium.org/1442963002

Cr-Commit-Position: refs/heads/master@{#31977}
2015-11-13 10:09:47 +00:00
yangguo
6df9a1db8c [JSON stringifier] Correctly load array elements.
BUG=chromium:554946
LOG=y
R=jkummerow@chromium.org, jochen@chromium.org

Review URL: https://codereview.chromium.org/1435083003

Cr-Commit-Position: refs/heads/master@{#31968}
2015-11-12 19:30:58 +00:00
yangguo
ee9020ddd9 Serializer: attach alignment to deferred objects.
R=jkummerow@chromium.org
BUG=chromium:523919
LOG=N

Review URL: https://codereview.chromium.org/1440983002

Cr-Commit-Position: refs/heads/master@{#31956}
2015-11-12 11:28:31 +00:00
verwaest
2ebd5fc7c9 Fix Array.prototype.slice with arguments object with negative length.
BUG=

Review URL: https://codereview.chromium.org/1436813002

Cr-Commit-Position: refs/heads/master@{#31941}
2015-11-11 11:50:38 +00:00
adamk
9a8c0119ef Properly handle parsing a '%'-prefixed runtime call as a binding pattern
R=rossberg@chromium.org
BUG=chromium:552302
LOG=n

Review URL: https://codereview.chromium.org/1425723004

Cr-Commit-Position: refs/heads/master@{#31890}
2015-11-09 15:32:25 +00:00
yangguo
742ae613ec Do not switch to two-byte string in String.fromCharCode if avoidable.
R=bmeurer@chromium.org
BUG=v8:4536
LOG=N

Review URL: https://codereview.chromium.org/1427743008

Cr-Commit-Position: refs/heads/master@{#31872}
2015-11-09 08:53:42 +00:00
ishell
37a9be505a Regression test for JSRegExp literals sharing.
JSRegExp's properties backing stores must not be shared.

BUG=chromium:548580
LOG=N

Review URL: https://codereview.chromium.org/1429743006

Cr-Commit-Position: refs/heads/master@{#31867}
2015-11-07 08:19:27 +00:00
bmeurer
925a2006f5 [turbofan] Fix wrong parameter indices in JSFrameSpecialization.
We forgot to add the number of arguments parameter in
JSFrameSpecialization, which was added before the context.

R=jarin@chromium.org
BUG=chromium:552304
LOG=n

Review URL: https://codereview.chromium.org/1429233004

Cr-Commit-Position: refs/heads/master@{#31856}
2015-11-06 13:12:51 +00:00
yangguo
2237ba0dba Implement flag and source getters on RegExp.prototype.
R=littledan@chromium.org
BUG=v8:3715, v8:4528
LOG=Y

Committed: https://crrev.com/60e8877e161fe6175e19fafce2d6ed1c3999cdb1
Cr-Commit-Position: refs/heads/master@{#31753}

Committed: https://crrev.com/b5c80a31ad266eb38a0cf2ff756be59c66d34aa5
Cr-Commit-Position: refs/heads/master@{#31773}

Committed: https://crrev.com/85494e90bb63a3a9e19a1bf862cb6bfcb0162ee9
Cr-Commit-Position: refs/heads/master@{#31782}

Committed: https://crrev.com/152163c1646b45f5fc5d31a4ec2eb55d7f4a2ffc
Cr-Commit-Position: refs/heads/master@{#31804}

Review URL: https://codereview.chromium.org/1419823010

Cr-Commit-Position: refs/heads/master@{#31824}
2015-11-05 13:08:55 +00:00
verwaest
44c44521ae Remove CallFunctionStub, always call through the Call builtin (also from CallIC).
This fixes receiver conversion since the Call builtin does it correctly.

BUG=v8:4526
LOG=n

Review URL: https://codereview.chromium.org/1407373007

Cr-Commit-Position: refs/heads/master@{#31823}
2015-11-05 12:46:01 +00:00
bmeurer
a210c3757e [runtime] Remove the very dangerous %_CallFunction intrinsic.
The %_CallFunction doesn't implement the call sequence properly, it
doesn't do the receiver wrapping, nor does it check for
classConstructor. Also the eager deoptimization for %_CallFunction was
seriously b0rked (we must have been lucky with TurboFan so far).

R=yangguo@chromium.org
BUG=v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1419813010

Cr-Commit-Position: refs/heads/master@{#31821}
2015-11-05 11:48:21 +00:00
yangguo
ca49355aba Revert of Implement flag and source getters on RegExp.prototype. (patchset #6 id:110001 of https://codereview.chromium.org/1419823010/ )
Reason for revert:
browser_tests failure with --gtest_filter=ExternallyConnectableMessagingTest.EnablingAndDisabling

Original issue's description:
> Implement flag and source getters on RegExp.prototype.
>
> R=littledan@chromium.org
> BUG=v8:3715, v8:4528
> LOG=Y
>
> Committed: https://crrev.com/60e8877e161fe6175e19fafce2d6ed1c3999cdb1
> Cr-Commit-Position: refs/heads/master@{#31753}
>
> Committed: https://crrev.com/b5c80a31ad266eb38a0cf2ff756be59c66d34aa5
> Cr-Commit-Position: refs/heads/master@{#31773}
>
> Committed: https://crrev.com/85494e90bb63a3a9e19a1bf862cb6bfcb0162ee9
> Cr-Commit-Position: refs/heads/master@{#31782}
>
> Committed: https://crrev.com/152163c1646b45f5fc5d31a4ec2eb55d7f4a2ffc
> Cr-Commit-Position: refs/heads/master@{#31804}

TBR=littledan@chromium.org,jochen@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3715, v8:4528

Review URL: https://codereview.chromium.org/1426413002

Cr-Commit-Position: refs/heads/master@{#31818}
2015-11-05 09:08:51 +00:00
yangguo
152163c164 Implement flag and source getters on RegExp.prototype.
R=littledan@chromium.org
BUG=v8:3715, v8:4528
LOG=Y

Committed: https://crrev.com/60e8877e161fe6175e19fafce2d6ed1c3999cdb1
Cr-Commit-Position: refs/heads/master@{#31753}

Committed: https://crrev.com/b5c80a31ad266eb38a0cf2ff756be59c66d34aa5
Cr-Commit-Position: refs/heads/master@{#31773}

Committed: https://crrev.com/85494e90bb63a3a9e19a1bf862cb6bfcb0162ee9
Cr-Commit-Position: refs/heads/master@{#31782}

Review URL: https://codereview.chromium.org/1419823010

Cr-Commit-Position: refs/heads/master@{#31804}
2015-11-04 20:42:33 +00:00
hablich
a77aa3a2b4 Revert of Implement flag and source getters on RegExp.prototype. (patchset #6 id:110001 of https://codereview.chromium.org/1419823010/ )
Reason for revert:
Breaks Chromium tests and blocks the roll: http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_chromeos_rel_ng/builds/124490

Original issue's description:
> Implement flag and source getters on RegExp.prototype.
>
> R=littledan@chromium.org
> BUG=v8:3715, v8:4528
> LOG=Y
>
> Committed: https://crrev.com/60e8877e161fe6175e19fafce2d6ed1c3999cdb1
> Cr-Commit-Position: refs/heads/master@{#31753}
>
> Committed: https://crrev.com/b5c80a31ad266eb38a0cf2ff756be59c66d34aa5
> Cr-Commit-Position: refs/heads/master@{#31773}
>
> Committed: https://crrev.com/85494e90bb63a3a9e19a1bf862cb6bfcb0162ee9
> Cr-Commit-Position: refs/heads/master@{#31782}

TBR=littledan@chromium.org,jochen@chromium.org,ulan@chromium.org,yangguo@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3715, v8:4528

Review URL: https://codereview.chromium.org/1432683002

Cr-Commit-Position: refs/heads/master@{#31801}
2015-11-04 18:34:27 +00:00
yangguo
85494e90bb Implement flag and source getters on RegExp.prototype.
R=littledan@chromium.org
BUG=v8:3715, v8:4528
LOG=Y

Committed: https://crrev.com/60e8877e161fe6175e19fafce2d6ed1c3999cdb1
Cr-Commit-Position: refs/heads/master@{#31753}

Committed: https://crrev.com/b5c80a31ad266eb38a0cf2ff756be59c66d34aa5
Cr-Commit-Position: refs/heads/master@{#31773}

Review URL: https://codereview.chromium.org/1419823010

Cr-Commit-Position: refs/heads/master@{#31782}
2015-11-04 12:28:48 +00:00
yangguo
5ee1a75c6d Revert of Implement flag and source getters on RegExp.prototype. (patchset #3 id:50001 of https://codereview.chromium.org/1419823010/ )
Reason for revert:
Performance issue.

Original issue's description:
> Implement flag and source getters on RegExp.prototype.
>
> R=littledan@chromium.org
> BUG=v8:3715, v8:4528
> LOG=Y
>
> Committed: https://crrev.com/60e8877e161fe6175e19fafce2d6ed1c3999cdb1
> Cr-Commit-Position: refs/heads/master@{#31753}
>
> Committed: https://crrev.com/b5c80a31ad266eb38a0cf2ff756be59c66d34aa5
> Cr-Commit-Position: refs/heads/master@{#31773}

TBR=littledan@chromium.org,jochen@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3715, v8:4528

Review URL: https://codereview.chromium.org/1409013006

Cr-Commit-Position: refs/heads/master@{#31780}
2015-11-04 10:58:24 +00:00
yangguo
b5c80a31ad Implement flag and source getters on RegExp.prototype.
R=littledan@chromium.org
BUG=v8:3715, v8:4528
LOG=Y

Committed: https://crrev.com/60e8877e161fe6175e19fafce2d6ed1c3999cdb1
Cr-Commit-Position: refs/heads/master@{#31753}

Review URL: https://codereview.chromium.org/1419823010

Cr-Commit-Position: refs/heads/master@{#31773}
2015-11-04 09:11:19 +00:00
machenbach
16e25179ec Revert of Implement flag and source getters on RegExp.prototype. (patchset #3 id:50001 of https://codereview.chromium.org/1419823010/ )
Reason for revert:
[Sheriff] Changes layout tests. Please rebase upstream first. E.g.:
http://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/2686

Original issue's description:
> Implement flag and source getters on RegExp.prototype.
>
> R=littledan@chromium.org
> BUG=v8:3715, v8:4528
> LOG=Y
>
> Committed: https://crrev.com/60e8877e161fe6175e19fafce2d6ed1c3999cdb1
> Cr-Commit-Position: refs/heads/master@{#31753}

TBR=littledan@chromium.org,jochen@chromium.org,ulan@chromium.org,yangguo@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3715, v8:4528

Review URL: https://codereview.chromium.org/1427733005

Cr-Commit-Position: refs/heads/master@{#31758}
2015-11-03 17:28:13 +00:00
ishell
babe50f083 Reland "[es6] Fix Function and GeneratorFunction built-ins subclassing."
Original issue's description:
> [es6] Fix Function and GeneratorFunction built-ins subclassing.
>
> BUG=v8:3101, v8:3330
> LOG=Y
>
> Committed: https://crrev.com/99e7f872d3d0a5fb799dcbafb05537cda491314a
> Cr-Commit-Position: refs/heads/master@{#31708}

The problem was in another CL, this is a clean reland with improved tests.

BUG=v8:3101, v8:3330
LOG=Y

Review URL: https://codereview.chromium.org/1415683007

Cr-Commit-Position: refs/heads/master@{#31756}
2015-11-03 16:42:43 +00:00
yangguo
60e8877e16 Implement flag and source getters on RegExp.prototype.
R=littledan@chromium.org
BUG=v8:3715, v8:4528
LOG=Y

Review URL: https://codereview.chromium.org/1419823010

Cr-Commit-Position: refs/heads/master@{#31753}
2015-11-03 16:17:03 +00:00
jkummerow
b4d46bc5a0 Fix accessor map transitions vs. Object.defineProperty
BUG=v8:4534
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1413723011

Cr-Commit-Position: refs/heads/master@{#31750}
2015-11-03 14:41:53 +00:00
yangguo
538197dada RegExp.prototype is an ordinary object.
R=littledan@chromium.org
BUG=v8:4003
LOG=N

Review URL: https://codereview.chromium.org/1423993006

Cr-Commit-Position: refs/heads/master@{#31730}
2015-11-03 06:18:44 +00:00
ishell
2210cc84de Revert of [es6] Fix Function and GeneratorFunction built-ins subclassing. (patchset #4 id:80001 of https://codereview.chromium.org/1428823002/ )
Reason for revert:
Buildbot failures

Original issue's description:
> [es6] Fix Function and GeneratorFunction built-ins subclassing.
>
> BUG=v8:3101, v8:3330
> LOG=Y
>
> Committed: https://crrev.com/99e7f872d3d0a5fb799dcbafb05537cda491314a
> Cr-Commit-Position: refs/heads/master@{#31708}

TBR=verwaest@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3101, v8:3330

Review URL: https://codereview.chromium.org/1413723008

Cr-Commit-Position: refs/heads/master@{#31709}
2015-11-02 11:59:14 +00:00
ishell
99e7f872d3 [es6] Fix Function and GeneratorFunction built-ins subclassing.
BUG=v8:3101, v8:3330
LOG=Y

Review URL: https://codereview.chromium.org/1428823002

Cr-Commit-Position: refs/heads/master@{#31708}
2015-11-02 11:45:51 +00:00
jkummerow
70a2f537f6 Fix cached EnumLength retrieval in JSObject::NumberOfOwnProperties
BUG=chromium:549162
LOG=n
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1424293002

Cr-Commit-Position: refs/heads/master@{#31677}
2015-10-30 10:35:43 +00:00
mstarzinger
26f90c95cc [turbofan] Fix super property calls to act as method calls.
This fixes [NAMED|KEYED]_SUPER_PROPERTY_CALL to perform a method call
instead of a function call. The difference is visible for sloppy mode
targets that convert primitive receivers.

R=rossberg@chromium.org
TEST=mjsunit/regress/regress-4525
BUG=v8:4525
LOG=n

Review URL: https://codereview.chromium.org/1419173004

Cr-Commit-Position: refs/heads/master@{#31664}
2015-10-29 17:19:39 +00:00
mstarzinger
d3c4adfd78 [turbofan] Fix and rework deopt in call to super property.
This refactors the handling of calls of type Call::PROPERTY_CALL to
super properties in AstGraphBuilder::VisitCall. It ensures that the
operand stack is kept in sync with full-codegen so that deopts while
evaluating sub-expressions behave as expected.

R=rossberg@chromium.org
TEST=mjsunit/regress/regress-4521
BUG=v8:4521
LOG=n

Review URL: https://codereview.chromium.org/1426893003

Cr-Commit-Position: refs/heads/master@{#31652}
2015-10-29 12:32:49 +00:00
yangguo
200315cb26 Make AstRawString deduplication encoding-agnostic.
R=jkummerow@chromium.org
BUG=v8:4450
LOG=N

Review URL: https://codereview.chromium.org/1411103006

Cr-Commit-Position: refs/heads/master@{#31624}
2015-10-28 11:28:55 +00:00
mstarzinger
f8465b45f7 [turbofan] Fix OSR-ed callee trigged ty do-expressions.
This fixes a missing SSA-renaming of the callee value used in the frame
state of a call node. An OSR-entry within do-expressions contained in
one of the argument expression can trigger that renaming.

R=rossberg@chromium.org
TEST=mjsunit/regress/regress-crbug-546968
BUG=chromium:546968
LOG=n

Review URL: https://codereview.chromium.org/1430483002

Cr-Commit-Position: refs/heads/master@{#31613}
2015-10-27 17:21:10 +00:00
bmeurer
7709e41aec [turbofan] Try hard(er) to use smi representation for float64 values.
Previously ChangeLowering would always box float64 values when going to
tagged representation, but that introduces a lot of deoptimizer loops
and polymorphism into TurboFan, which is unfortunate and unnecessary.

This adds some logic to ChangeFloat64ToTagged to try harder to create a
Smi when going from Float64 to Tagged, instead of always allocating a
HeapNumber.  This might need some additional tweaking, but at least it
makes it possible to start comparing TurboFan and Crankshaft for some
regular JavaScript.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1420913003

Cr-Commit-Position: refs/heads/master@{#31609}
2015-10-27 16:18:15 +00:00
mstarzinger
e121aabe39 [turbofan] Fix representation type for JSArray::length.
This fixes the representation type for values in JSArray::length fields
when JSNativeContextSpecialization lowers loads. Only arrays with fast
elements kind are guaranteed to have a Smi represented length.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-4515
BUG=v8:4515, v8:4493, v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1410393006

Cr-Commit-Position: refs/heads/master@{#31558}
2015-10-26 12:04:16 +00:00
verwaest
b694266bb1 Fix Object.preventExtensions, .seal, .freeze on typed arrays
BUG=v8:4460
LOG=n

Review URL: https://codereview.chromium.org/1419823008

Cr-Commit-Position: refs/heads/master@{#31556}
2015-10-26 11:08:02 +00:00
verwaest
f464f12a8b Ensure we never inline class constructors in Crankshaft, as it currently is entirely unsupported.
BUG=v8:3330
LOG=n

Review URL: https://codereview.chromium.org/1415723005

Cr-Commit-Position: refs/heads/master@{#31480}
2015-10-22 14:39:07 +00:00
jkummerow
fdfab67243 [Crankshaft] Don't do HMathFloorOfDiv optimization for kUint32 values
BUG=v8:4507
LOG=y
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1409353005

Cr-Commit-Position: refs/heads/master@{#31474}
2015-10-22 13:22:09 +00:00
bmeurer
d168a1e844 [turbofan] We cannot unconditionally flatten cons strings in the JSGraph.
It is not always safe to allocate new heap objects in the JSGraph. We
might have to revisit this later once we do the canonicalization for
HeapConstants.

R=jarin@chromium.org
BUG=chromium:545364
LOG=n

Review URL: https://codereview.chromium.org/1413373002

Cr-Commit-Position: refs/heads/master@{#31421}
2015-10-20 15:48:07 +00:00
bmeurer
2abd768e87 [turbofan] Respect effect input when lowering JSToBoolean for string inputs.
This allows us to re-enable the mjsunit/tools/profile test case.

R=jarin@chromium.org
BUG=v8:4493
LOG=n

Review URL: https://codereview.chromium.org/1418643002

Cr-Commit-Position: refs/heads/master@{#31416}
2015-10-20 15:24:26 +00:00
littledan
c227dd5734 Refactor array construction for map, filter
This patch refactors array methods to have the
InnerArray{Map,Filter} methods convert to a GlobalArray
rather than the callers.

BUG=chromium:544991
R=yangguo,adamk
CC=mstarzinger,jochen
LOG=Y

Review URL: https://codereview.chromium.org/1408213004

Cr-Commit-Position: refs/heads/master@{#31403}
2015-10-20 09:57:08 +00:00
mvstanton
2f2302f08b VectorICs: Bugfix in KeyedStore dispatcher.
The dispatcher failed to MISS properly when configured as a monomorphic
keyed string store, causing a crash.

BUG=v8:4495
LOG=N
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1415533003

Cr-Commit-Position: refs/heads/master@{#31362}
2015-10-19 09:51:46 +00:00
jarin
f9a9c6be0e [turbofan] Introduce lazy bailout, masked as a call.
This introduces an explicit lazy bailout. It is wrapped in the call
node, mostly because the lazy deoptimization processing is married
to the call processing in the instruction selector and the code generator.

It is still a terrible hack.

R=bmeurer@chromium.org,mstarzinger@chromium.org
BUG=chromium:543994,v8:4195
LOG=n

Review URL: https://codereview.chromium.org/1412443003

Cr-Commit-Position: refs/heads/master@{#31353}
2015-10-19 06:21:26 +00:00
yangguo
30715157fa Install iterator meta objects via utils object.
R=cbruni@chromium.org, hpayer@chromium.org

Review URL: https://codereview.chromium.org/1411653002

Cr-Commit-Position: refs/heads/master@{#31331}
2015-10-16 11:27:33 +00:00
yangguo
f2bfa12654 Do not coerce lastIndex of a global RegExp in @@match and @@replace.
R=rossberg@chromium.org
BUG=v8:4471
LOG=N

Review URL: https://codereview.chromium.org/1410753002

Cr-Commit-Position: refs/heads/master@{#31330}
2015-10-16 11:25:37 +00:00
jkummerow
102e3e87e7 [arm64] Fix jssp based spill slot accesses in Crankshaft
Review URL: https://codereview.chromium.org/1401703003

Cr-Commit-Position: refs/heads/master@{#31304}
2015-10-15 13:34:15 +00:00
adamk
b646cb3e50 Take Symbol-keyed properties into account in Object.freeze and friends
R=rossberg@chromium.org
BUG=chromium:539875
LOG=y

Review URL: https://codereview.chromium.org/1393373005

Cr-Commit-Position: refs/heads/master@{#31303}
2015-10-15 13:32:57 +00:00
yangguo
73c9be9b31 Debugger: allow stepping into resolver from Promise constructor.
R=rossberg@chromium.org
BUG=chromium:451967
LOG=N

Review URL: https://codereview.chromium.org/1404783002

Cr-Commit-Position: refs/heads/master@{#31296}
2015-10-15 12:27:40 +00:00
mstarzinger
e6a923ab56 [turbofan] Fix various issues with --turbo-inlining enabled.
This is in preparation to enabling --turbo-inlining by default, fixing
various issues when general purpose inlining is running against our
entire test suite.

R=bmeurer@chromium.org
BUG=v8:4493
LOG=n

Review URL: https://codereview.chromium.org/1407533004

Cr-Commit-Position: refs/heads/master@{#31294}
2015-10-15 12:02:06 +00:00
littledan
ab3110e875 Add a lexical scope for the body of a with statement
For an edge case like the following in sloppy mode
  with ({}) function f() {}
a lexical scope needs to be created around the body in order
to hold the function declaration, so it can be hoisted according
to a loose interpretation of Annex B 3.3 (loose because ES2015
does not permit a function declaration as the body of a with
statement). This patch adds that scope.

BUG=chromium:542100
LOG=N
R=adamk

Review URL: https://codereview.chromium.org/1404803002

Cr-Commit-Position: refs/heads/master@{#31269}
2015-10-14 17:37:22 +00:00
littledan
d0618585a7 Fix scopes for body of sloppy-mode for-in/of loop
This patch fixes an obscure edge case for functions defined as the
direct body of a for-of/for-in loop, such as the following:

 for (foo in []) function foo() { return foo; }

Here, the first occurrence of foo should point to the outer scope;
however, before this patch, it pointed to the inner foo in an
invalid way which caused an assertion about the scope chain to fail.
This patch fixes the scope chain by inserting an extra scope for
the body of the loop, not including the header.

BUG=chromium:542099
LOG=N
R=rossberg

Review URL: https://codereview.chromium.org/1396663004

Cr-Commit-Position: refs/heads/master@{#31268}
2015-10-14 17:36:16 +00:00
hpayer
24622f5f12 Bailout for large object allocations in full code EmitFastOneByteArrayJoin.
BUG=chromium:542823
LOG=n

Review URL: https://codereview.chromium.org/1391373004

Cr-Commit-Position: refs/heads/master@{#31257}
2015-10-14 12:44:45 +00:00
yangguo
4f7caf2f57 Debugger: fix stepping when break points are deactivated.
The flag for deactivating break points also affects stepping, since both
are implemented via debug break slots. Fixing this by introducing a new
flag solely responsible for deactivating actual break points.

R=mvstanton@chromium.org
BUG=chromium:119800
LOG=N

Review URL: https://codereview.chromium.org/1402913002

Cr-Commit-Position: refs/heads/master@{#31236}
2015-10-13 12:44:28 +00:00