The multi-return fuzzer was able to generate more than 256 parameters of
the same type. However, the fuzzer itself could not deal with so many
parameters. With this change more than 256 parameters of the same type
can be handled and tested.
R=clemensh@chromium.org
Bug: chromium:807862
Change-Id: I6941eb0ff7e78a8feebc437624fa100adeda4e3d
Reviewed-on: https://chromium-review.googlesource.com/897673
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51089}
This adds a new isolate wide Promise#then protector, which guards the
"then" lookup for all JSPromise instances whose [[Prototype]] is the
initial %PromisePrototype%. Thus arbitrary mutations to the
Promise.prototype (i.e. monkey-patching other methods or installing
new functions) no longer send you down the slow-path. Use this protector
in Promise.prototype.catch and in Promise.resolve.
Drive-by-fix: Restructure the resolve logic a bit and avoid the
expensive and large SameValue check, which can be turned into a simple
reference equal, as the promise in there is known to be a JSPromise
anyways.
Bug: v8:7253
Change-Id: If68b12c6bc6ca9c4d10552ae84854ebc3b5774f9
Reviewed-on: https://chromium-review.googlesource.com/899302
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51085}
Report an error during scope analysis if we're unable to find a
variable proxy for the given private field. This can happen if we try
to access a private field that was not defined or if we're outside
the class scope.
This doesn't correctly throw an early error when pre-parsing a top
level function because we don't track its variables.
Bug: v8:5368
Change-Id: I0a1193fe0ae213c0732fae5d435e150852a8d87d
Reviewed-on: https://chromium-review.googlesource.com/892093
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51082}
The code was using the "correct" cache key for lookups, but not for
creating new entries, leading to us never hitting the cache for
some Function-constructor cases.
Bug: v8:4958, chromium:801556, chromium:802400, chromium:807192
Change-Id: I4ac2234b97a9f5f71957ef936dc4b588d020916b
Reviewed-on: https://chromium-review.googlesource.com/898096
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51081}
Remove hard-coded scratch registers (r9 and ip) from the code generator in favor
of using the `UseScratchRegisterScope` utility. And as a result, we can free the
r9 register for the allocator to use.
Note that the code generator now has to cope with a single scratch register (ip)
instead of two (ip + r9). Therefore the code sequences emitted by moves aren't
as optimized as they used to be. For instance, we now use a scratch S register
in places where we could use r9. We can optimize them further if we want but
running benchmarks showed no impact so keeping the code simpler was deemed
better for the time being.
Bug: v8:6553
Change-Id: I7fcf244cb1b6578564b503619a041006eaf74626
Reviewed-on: https://chromium-review.googlesource.com/895461
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51080}
This check verifies that all .h files in the src/ directory have an
include guard of the form

```cpp
#ifndef V8_PATH_TO_FILE_H_
#define V8_PATH_TO_FILE_H_
// ...
#endif  // V8_PATH_TO_FILE_H_
```

The check can be skipped with a magic comment:

```cpp
// PRESUBMIT_INTENTIONALLY_MISSING_INCLUDE_GUARD
```
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I0a7b96abec289ad60f64ba8418f1892a6969596d
Reviewed-on: https://chromium-review.googlesource.com/897487
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51079}
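The check described in that commit message, written out as a small stand-alone script so the rule is concrete: this is an added illustration, not V8's own PRESUBMIT.py code. The guard naming scheme (`V8_` plus the upper-cased path with every non-alphanumeric character mapped to `_`, plus a trailing `_`) and the magic comment are taken from the message; that the leading `src/` is dropped from the guard name, that license headers are `//` comments only, and the `scan_tree`/`check_include_guard` function names are assumptions. The sample headers at the bottom are constructed.

```python
"""Include-guard checker modelled on the V8 presubmit rule (added example)."""
import os
import re
import sys

MAGIC_COMMENT = "PRESUBMIT_INTENTIONALLY_MISSING_INCLUDE_GUARD"

IFNDEF_RE = re.compile(r"^#ifndef\s+(\S+)\s*$")
DEFINE_RE = re.compile(r"^#define\s+(\S+)\s*$")
ENDIF_RE = re.compile(r"^#endif\s*//\s*(\S+)\s*$")


def expected_guard(rel_path):
    """'src/heap/spaces.h' -> 'V8_HEAP_SPACES_H_'.

    Assumption: the guard omits the leading 'src/' component; every other
    character that is not a letter or digit becomes '_'."""
    parts = rel_path.replace("\\", "/").split("/")
    if parts and parts[0] == "src":
        parts = parts[1:]
    return "V8_" + re.sub(r"[^A-Za-z0-9]", "_", "/".join(parts)).upper() + "_"


def check_include_guard(rel_path, text):
    """Return None when the header is acceptable, else a short problem string."""
    if MAGIC_COMMENT in text:
        return None  # explicitly opted out, as the presubmit allows
    guard = expected_guard(rel_path)
    # Drop blank and '//' comment lines (assumption: license headers use '//'),
    # so the guard must be the first and last remaining lines of the file.
    code = [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("//")]
    if len(code) < 3:
        return "no include guard found (expected %s)" % guard
    m = IFNDEF_RE.match(code[0])
    if not m:
        return "first directive is not #ifndef (expected #ifndef %s)" % guard
    if m.group(1) != guard:
        return "wrong guard name %s (expected %s)" % (m.group(1), guard)
    d = DEFINE_RE.match(code[1])
    if not d or d.group(1) != guard:
        return "#ifndef %s is not followed by #define %s" % (guard, guard)
    e = ENDIF_RE.match(code[-1])
    if not e:
        return "header does not end with '#endif  // %s'" % guard
    if e.group(1) != guard:
        return "#endif comment names %s (expected %s)" % (e.group(1), guard)
    return None


def scan_tree(root):
    """Walk <root>/src and return [(relative path, problem)] for bad headers."""
    problems = []
    for dirpath, _, files in os.walk(os.path.join(root, "src")):
        for name in sorted(files):
            if not name.endswith(".h"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                problem = check_include_guard(rel, fh.read())
            if problem:
                problems.append((rel, problem))
    return problems


# Constructed sample headers used to exercise the checker offline.
GOOD_HEADER = """// Copyright 2018 the V8 project authors. All rights reserved.
#ifndef V8_HEAP_SPACES_H_
#define V8_HEAP_SPACES_H_

namespace v8 {}

#endif  // V8_HEAP_SPACES_H_
"""
BAD_NAME_HEADER = GOOD_HEADER.replace("V8_HEAP_SPACES_H_", "SPACES_H_")
BAD_ENDIF_HEADER = GOOD_HEADER.replace("#endif  // V8_HEAP_SPACES_H_", "#endif")
NO_GUARD_HEADER = "// license\nnamespace v8 {}\n"
SKIPPED_HEADER = "// " + MAGIC_COMMENT + "\nnamespace v8 {}\n"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, problem in scan_tree(root):
        print("%s: %s" % (rel, problem))
```

Run it as `python check_guards.py /path/to/v8` to list offending headers; it exits silently when every header either matches the pattern or carries the magic comment.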
A version of the spec change from
https://github.com/tc39/ecma262/pull/988, but applied to the
Async-from-Sync iterator type.
This change does not modify generated bytecode (but maybe it should to
take advantage of load IC feedback for loading "next"). Doing this grows
bytecode by quite a bit, since it's necessary to throw-if-not-an-object
before loading "next" (which currently gets to live in a code stub
instead).
BUG=v8:5855
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I0d2affef664d1069b24c54a553d62e17b49e5a16
Reviewed-on: https://chromium-review.googlesource.com/723136
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51078}
Port ca1d44e35f
Original Commit Message:
If enabled, this mode moves code for isolate-independent builtins off
the JS heap at Isolate creation. The Code object itself is rewritten
to tail-call the off-heap instruction stream.
R=jgruber@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: Ia1b14663c17308101ce5e952fd508c891a098f8d
Reviewed-on: https://chromium-review.googlesource.com/899105
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#51077}
Special case script logging to also log the source of the script, even
if that source is off-heap in an external string.
Bug: v8:7266
Change-Id: I0d35f94f7b27d0d793d1a1a3fb8d3280960b253d
Reviewed-on: https://chromium-review.googlesource.com/899344
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51076}
This is a reland of ef06feded6.
Original change's description:
> Reland "[builtins] Add .incbin cctest"
>
> This is a reland of b012816155.
>
> Original change's description:
> > [builtins] Add .incbin cctest
> >
> > Just to ensure this is portable across all platforms.
> >
> > Credits go to https://github.com/graphitemaster/incbin, bits of the
> > .incbin code were taken from there. Thanks!
> >
> > Reland of https://crrev.com/c/881181
> >
> > Bug: v8:6666
> > Change-Id: I5c0dbf56b1c987fd88607dca69b39d65b59cdefc
> > Reviewed-on: https://chromium-review.googlesource.com/895597
> > Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> > Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#51042}
>
> Cq-Include-Trybots: luci.v8.try:v8_win64_msvc_compile_rel
> Bug: v8:6666
> Change-Id: I8fc0963e28996a84ed56c2e740d895e26611abf0
> Reviewed-on: https://chromium-review.googlesource.com/897630
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51054}
Bug: v8:6666
Change-Id: Icc6816e260dac2d8b8f6c9c4a2725b271dac4664
Cq-Include-Trybots: luci.v8.try:v8_win64_msvc_compile_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/898927
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51075}
These 2 tests have known issues
Change-Id: I4830e0af0f4f1cf7fd1189316356dd1f7dc2c6eb
Reviewed-on: https://chromium-review.googlesource.com/896721
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#51074}
Copied as-is modulo compile tweaks from Chromium's base.
Copied tests highlighting existing overflow issues with V8's impl...
TimeDelta::Max() will initially be used in V8 to flag events that
never triggered in a TimedHistogram.
Also constexpr'ed a few things while I was in there, it's harmless
at worst and helps a little at best.
Ideally would constexpr all the Time*::From*() methods like in
Chromium but that has inlining implications and I don't know the
impact that could have on V8.
Bug: chromium:807606
Change-Id: If5aa92759d985be070e12af4dd20f0159169048b
Reviewed-on: https://chromium-review.googlesource.com/899342
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Gabriel Charette <gab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51073}
This creates a uniform PerformPromiseThen builtin, which performs the
operation with the same name from the spec, except that it expects the
handlers to be either undefined or callable already, since this is only
relevant for a single callsite (namely Promise.prototype.then).
Introduce a matching operator JSPerformPromiseThen into TurboFan, which
represents this operation and removes the additional checks in case of
Promise.prototype.then based on the information we can derive from the
receiver maps.
This yields a nice 20-25% improvement on Promise.prototype.then, as
illustrated by the following micro-benchmark
```js
const N = 1e7;
function inc(x) { return x + 1; }
function chain(promise) {
  return promise.then(inc).then(value => {
    if (value < N) chain(Promise.resolve(value));
  });
}
console.time('total');
chain(Promise.resolve(0));
setTimeout(console.timeEnd.bind(console, 'total'));
```
which goes from around 1230ms to 930ms with this patch.
Bug: v8:7253
Change-Id: I5712a863acdbe7da3bb8e621887c7b952148c51a
Reviewed-on: https://chromium-review.googlesource.com/899064
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51071}
All tests are sensitive to internal state, which is incompatible with GC
fuzzing.
TBR=ulan@chromium.org
NOTRY=true
Bug: v8:7360
Change-Id: I4b28f40e099b7395e39725aaf6e9e199939ebd9f
Reviewed-on: https://chromium-review.googlesource.com/899087
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51069}
Record the various types of feedback vector slot separately, to estimate
the relative impact of e.g. load ICs vs call ICs. Also, log the unused
(i.e. uninitialized or premonomorphic) ones separately.
Bug: v8:7266
Change-Id: Ie035cf48969e39f7156dfe523fd9218749b95cfe
Reviewed-on: https://chromium-review.googlesource.com/897813
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51067}
Load mjsunit.js inside the realm as otherwise the functions are not
available in the realm's scope.
This also prints timestamps after each test to easier track down slow
tests.
We also pass --omit-quit to not stop too early.
This also adds the ability to skip certain tests for endurance
fuzzing and skips some tests with known problems.
TBR=ulan@chromium.org,hpayer@chromium.org
Bug: v8:6972, v8:7400
Change-Id: I44464c28bfb10c84f2e59972e7b86945a47ca3b3
Reviewed-on: https://chromium-review.googlesource.com/899008
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51066}
- Adds a DCHECK to AllocatePages to enforce hint address alignment.
- Adds a DCHECK to AllocatePages to make length a multiple of allocation
granularity.
- Properly aligns the hint address in MemoryAllocator::AllocateChunk
to MemoryChunk::kAlignment.
This is to conform more closely to Chromium's page allocator API.
Bug: chromium:756050
Change-Id: Ib991fa80609834107829a9559f4b5b6b0996fc72
Reviewed-on: https://chromium-review.googlesource.com/898095
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51065}
- Adds a DCHECK to FreePages that size is a multiple of allocation
granularity.
- Makes VirtualMemory::Free conform to this.
This is to conform more closely to Chromium's page allocator API.
Bug: chromium:756050
Change-Id: I673e1c225b8bd1009775de1597b575120bd06f8e
Reviewed-on: https://chromium-review.googlesource.com/898008
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51064}
This makes sure that {JSFunction} invocations always load the code start
address into the fixed {kJavaScriptCallCodeStartRegister} register. This
allows us to perform PC-relative operations more effectively. For now this
only applies to code with {kCallJSFunction} linkage.
R=jarin@chromium.org
Change-Id: I16a32184c07f5e90b05114dff7530acf46c175f1
Reviewed-on: https://chromium-review.googlesource.com/888700
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51063}
Replace hard-coded uses of `kScratchDoubleReg`, `kScratchDoubleReg2` and
`kScratchQuadReg` with the safer `UseScratchRegisterScope`. The reason for doing
this is to be able to safely use these scratch registers inside the assembler
without having to worry about the code generator using them too.
For instance, using this scope showed us that `TryInlineTruncateDoubleToI` is
using a FP scratch register while the caller, the `DoubleToI` stub, is using it
too. We are safe only because the stub passes the scratch register to
`TryInlineTruncateDoubleToI` as an input. Using the scope forces us to
explicitly use the input register instead of acquiring a new scratch.
Bug: v8:6553
Change-Id: I84c53cd851d31ea33b0e3ef398d7a858b7e3e3c4
Reviewed-on: https://chromium-review.googlesource.com/895460
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#51061}
Especially "invalid function" and "invalid type" could contain much
more information.
Drive-by: Remove unused WasmTrapInvalidIndex.
R=ahaas@chromium.org
Change-Id: I7fd72c095eaad94e3e2d9bfe6ab4a9ce0bb4798b
Reviewed-on: https://chromium-review.googlesource.com/897526
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51059}
We were generating sequences of instructions for generating i32, i64,
f32 and f64 values, but not for generating an instruction without a
result value. This CL adds that.
R=ahaas@chromium.org
Change-Id: I5c17d4182dfc6a827c7cdaa611ba7941b9c5d12f
Reviewed-on: https://chromium-review.googlesource.com/897790
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51058}
Debug info carries more information than just break points. It also carries
debugging-related flags and data for block coverage and type profiling.
In production we won't run into the situation where debug info is created with
the debugger not enabled. But this way seems a bit more robust.
Bug: v8:7396
Change-Id: I6989bbab82a3c597a43dde382a74114f945adf5f
Reviewed-on: https://chromium-review.googlesource.com/898923
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51057}
This is a reland of b012816155.
Original change's description:
> [builtins] Add .incbin cctest
>
> Just to ensure this is portable across all platforms.
>
> Credits go to https://github.com/graphitemaster/incbin, bits of the
> .incbin code were taken from there. Thanks!
>
> Reland of https://crrev.com/c/881181
>
> Bug: v8:6666
> Change-Id: I5c0dbf56b1c987fd88607dca69b39d65b59cdefc
> Reviewed-on: https://chromium-review.googlesource.com/895597
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51042}
Cq-Include-Trybots: luci.v8.try:v8_win64_msvc_compile_rel
Bug: v8:6666
Change-Id: I8fc0963e28996a84ed56c2e740d895e26611abf0
Reviewed-on: https://chromium-review.googlesource.com/897630
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51054}
For stack frame types that don't provide their own Print function, we
used to print nothing at all. Now we print at least the type and the pc.
Bug:
Change-Id: I8453d705589bc83c284ce4eb4e981f2ad32ee901
Reviewed-on: https://chromium-review.googlesource.com/897425
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51053}
This method is now dead code since we introduced PromiseReaction chains
as linked lists.
Bug: v8:7253, v8:7310
Change-Id: I505a23d9ba4de456dbeeba9e603e70218cf6e767
Reviewed-on: https://chromium-review.googlesource.com/897515
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51052}
R=adamk@chromium.org
Change-Id: Ib6b66003aaf8694c1e5eed6db7d2537322eddad8
Reviewed-on: https://chromium-review.googlesource.com/897498
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51051}
This is a preparation CL for OOL free-lists.
Bug: chromium:774108
Change-Id: Ied7853d1d625f650ced135faec4b729d880961c3
Reviewed-on: https://chromium-review.googlesource.com/897809
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51048}
Bug: v8:7387
Change-Id: I831bf8f580d4112d7e0f48d90bbe2f44eff73225
Reviewed-on: https://chromium-review.googlesource.com/897326
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51047}
The flag is enabled by default and provides a quick way to switch
between the old RetainerInfo and the new EmbedderGraph snapshotting
in local testing.
Bug: chromium:749490
Change-Id: I36406597a289090879cfa5051037c8cf35988e59
Reviewed-on: https://chromium-review.googlesource.com/897532
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51045}
This reverts commit b012816155.
Reason for revert: Still breaks the bot:
https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20msvc/builds/1217
Original change's description:
> [builtins] Add .incbin cctest
>
> Just to ensure this is portable across all platforms.
>
> Credits go to https://github.com/graphitemaster/incbin, bits of the
> .incbin code were taken from there. Thanks!
>
> Reland of https://crrev.com/c/881181
>
> Bug: v8:6666
> Change-Id: I5c0dbf56b1c987fd88607dca69b39d65b59cdefc
> Reviewed-on: https://chromium-review.googlesource.com/895597
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51042}
TBR=machenbach@chromium.org,jgruber@chromium.org
Change-Id: I41a48908b6e0ff6a28beb8b28a1a9a739302081a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6666
Reviewed-on: https://chromium-review.googlesource.com/897788
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51044}
Just to ensure this is portable across all platforms.
Credits go to https://github.com/graphitemaster/incbin, bits of the
.incbin code were taken from there. Thanks!
Reland of https://crrev.com/c/881181
Bug: v8:6666
Change-Id: I5c0dbf56b1c987fd88607dca69b39d65b59cdefc
Reviewed-on: https://chromium-review.googlesource.com/895597
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51042}