Commit Graph

6460 Commits

Author SHA1 Message Date
neis
9606a938a6 [modules] Extend a namespace test.
Extend a test of namespace imports such that it accesses the object inside a
with statement (inside a sloppy function).

Drive-by-fix: remove duplicate initialization of embedder data (probably due to
bad merge).

R=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2405603003
Cr-Commit-Position: refs/heads/master@{#40129}
2016-10-10 16:56:36 +00:00
petermarshall
8b48aa1cda [builtins] Move StringIncludes to a builtin.
Also add a test for when the first argument is null or undefined, as there are no tests that cover this currently.

BUG=v8:5364

Review-Url: https://codereview.chromium.org/2399423003
Cr-Commit-Position: refs/heads/master@{#40127}
2016-10-10 15:01:32 +00:00
mtrofin
b75a0c4a55 [wasm] Fix wasm instantiation flakes
The spurious failures were caused by the compiled module
template and its corresponding owning object getting out of
sync due to memory allocations (which may trigger GC)
between the points each were fetched.

Specifically, the {original} was first obtained; then a GC
may happen when cloning the {code_table}. At this point,
the {original}'s owner may have been collected, getting us
down the path of not cloning. When time comes to patch up
globals, we incorrectly try to patch them assuming the
global start is at 0 (nullptr), which in fact it isn't.

This change roots early, in a GC-free area, both objects.
Additionally, it avoids publishing to the instances chain
the new instance until the very end. This way:
- the objects used to create the new instance offer a
consistent view
- the instances chain does not see the object we try to
form. If something fails, we can safely retry.
- since the owner is rooted, the state of the front of the
instances chain stays unchanged - with the same compiled
module we started from. So the early belief that we needed
to clone is not invalidated by any interspersed GC.

This situation suffers from a sub-optimality discussed in
the design document, in that, in a memory constrained
system, the following snippet may surprisingly fail:

var m = new WebAssembly.Module(...);
var i1 = new WebAssembly.Instance(m);
i1 = null;
var i2 = new WebAssembly.Instance(m); //may fail.

This will be addressed subsequently.

BUG=v8:5451

Review-Url: https://codereview.chromium.org/2395063002
Cr-Commit-Position: refs/heads/master@{#40126}
2016-10-10 14:53:58 +00:00
titzer
d20dabb090 [wasm] Base address for data segments can also be the value of a global variable.
R=rossberg@chromium.org
BUG=chromium:575167
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux64_msan_rel

Committed: https://crrev.com/640ae3f9d20dcae915dbfa978bf48944cd4d0dc3
Review-Url: https://codereview.chromium.org/2403823002
Cr-Original-Commit-Position: refs/heads/master@{#40121}
Cr-Commit-Position: refs/heads/master@{#40125}
2016-10-10 14:42:10 +00:00
machenbach
a6fb296a78 Revert of [wasm] Base address for data segments can also be the value of a global variable. (patchset #1 id:1 of https://codereview.chromium.org/2403823002/ )
Reason for revert:
msan not happy:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/11332

Original issue's description:
> [wasm] Base address for data segments can also be the value of a global variable.
>
> R=rossberg@chromium.org
> BUG=chromium:575167
>
> Committed: https://crrev.com/640ae3f9d20dcae915dbfa978bf48944cd4d0dc3
> Cr-Commit-Position: refs/heads/master@{#40121}

TBR=rossberg@chromium.org,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:575167

Review-Url: https://codereview.chromium.org/2402373002
Cr-Commit-Position: refs/heads/master@{#40123}
2016-10-10 14:12:52 +00:00
titzer
640ae3f9d2 [wasm] Base address for data segments can also be the value of a global variable.
R=rossberg@chromium.org
BUG=chromium:575167

Review-Url: https://codereview.chromium.org/2403823002
Cr-Commit-Position: refs/heads/master@{#40121}
2016-10-10 13:26:26 +00:00
marja
e474e5ffc8 PreParsing inner functions: Fix declaration-only variables, part 2.
If an inner function only declares a variable but doesn't use it, Parser
and PreParser produced different unresolved variables, and that confused
the pessimistic context allocation.

This is continuation to https://codereview.chromium.org/2388183003/

This CL fixes more complicated declarations (which are not just one
identifier). For this, PreParser needs to accumulate identifiers used
in expressions.

In addition, this CL manifests FLAG_lazy_inner_functions in tests, so that
we get clusterfuzz coverage for it.

BUG=chromium:650969, v8:5501

Review-Url: https://codereview.chromium.org/2400613003
Cr-Commit-Position: refs/heads/master@{#40112}
2016-10-10 09:22:34 +00:00
bmeurer
f6bd23f244 [turbofan] Enforce native context specialization.
There were once plans to generate cross-context code with TurboFan,
however that doesn't fit into the model anymore, and so all of this
is essentially dead untested code (and thus most likely already broken
in subtle ways). With this mode still in place it would also be a lot
harder to make inlining based on SharedFunctionInfo work.

BUG=v8:2206,v8:5499
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2406803002
Cr-Commit-Position: refs/heads/master@{#40109}
2016-10-10 05:53:51 +00:00
neis
57ba0ae10e [modules] Implement namespace imports.
This implements namespace imports (import * as foo from "bar"), except for the
@@iterator property on namespace objects (to be done later).

R=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2388153003
Cr-Commit-Position: refs/heads/master@{#40096}
2016-10-07 19:37:28 +00:00
machenbach
b072d014d8 [test] Skip more flaky wasm tests for gc stress
BUG=v8:5451,v8:5496
TBR=mtrofin@chromium.org, titzer@chromium.org, ahaas@chromium.org
NOTRY=true
NOTREECHECKS=true

Review-Url: https://codereview.chromium.org/2399343003
Cr-Commit-Position: refs/heads/master@{#40091}
2016-10-07 16:36:57 +00:00
titzer
e3ff4cf8c9 [wasm] Implement importing of WebAssembly.Memory.
R=mtrofin@chromium.org,gdeepti@chromium.org
BUG=chromium:575167

Review-Url: https://codereview.chromium.org/2392943006
Cr-Commit-Position: refs/heads/master@{#40076}
2016-10-07 09:34:27 +00:00
gdeepti
19dab886a4 [wasm] Simd128 types should not be available in asmjs modules.
- Added gating code in the module-decoder to allow SIMD code only when
 it can be decoded correctly
 - SIMD128 values should not be exported to JS
 - Try/Catch should not be available in asmjs modules
 - Trivial fixes for S128  values

BUG=chromium:648079

R=ahaas@chromium.org, titzer@chromium.org, bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2400863003
Cr-Commit-Position: refs/heads/master@{#40067}
2016-10-07 07:52:19 +00:00
adamk
3aeaf49781 [modules] Add basic path normalization to d8's module loader
d8 now elides './' when constructing absolute paths.
'../' is still not normalized.

R=neis@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2393243002
Cr-Commit-Position: refs/heads/master@{#40057}
2016-10-06 19:32:37 +00:00
gsathya
9d836ec64a [promises] fix deferred object leak
This patch sets `this` to be undefined when calling resolve and reject
functions attached to the deferred.

BUG=v8:5476

Review-Url: https://codereview.chromium.org/2399053003
Cr-Commit-Position: refs/heads/master@{#40056}
2016-10-06 18:29:35 +00:00
titzer
e97ca6ec47 [wasm] Refactor import handling for 0xC.
Imports and exports in 0xC can be much more than functions, including
tables, memories, and globals. This CL refactors the underlying
organization of imports and exports to support these new import types.

BUG=

Committed: https://crrev.com/599f8a83420346d9cba5ff97bd2a7520468207b6
Review-Url: https://codereview.chromium.org/2390113003
Cr-Original-Commit-Position: refs/heads/master@{#40033}
Cr-Commit-Position: refs/heads/master@{#40050}
2016-10-06 15:43:22 +00:00
hablich
3b1b544c20 Revert of [wasm] Refactor import handling for 0xC. (patchset #10 id:180001 of https://codereview.chromium.org/2390113003/ )
Reason for revert:
Failes a few GC stress tests.https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/6253

Original issue's description:
> [wasm] Refactor import handling for 0xC.
>
> Imports and exports in 0xC can be much more than functions, including
> tables, memories, and globals. This CL refactors the underlying
> organization of imports and exports to support these new import types.
>
> BUG=
>
> Committed: https://crrev.com/599f8a83420346d9cba5ff97bd2a7520468207b6
> Cr-Commit-Position: refs/heads/master@{#40033}

TBR=mtrofin@chromium.org,ahaas@chromium.org,bradnelson@chromium.org,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2395133002
Cr-Commit-Position: refs/heads/master@{#40038}
2016-10-06 13:43:23 +00:00
titzer
599f8a8342 [wasm] Refactor import handling for 0xC.
Imports and exports in 0xC can be much more than functions, including
tables, memories, and globals. This CL refactors the underlying
organization of imports and exports to support these new import types.

BUG=

Review-Url: https://codereview.chromium.org/2390113003
Cr-Commit-Position: refs/heads/master@{#40033}
2016-10-06 12:30:50 +00:00
jarin
5d6b514192 Reland of "[turbofan] Osr value typing + dynamic type checks on entry. (patchset #5 id:80001 of https://codereview.chromium.org/2384113002/ )"
Fixes:

- Remove OsrGuards on frame specialization (for asm.js).
- Handle the rename in the walk for native context.
- Fix LoadContext effect wiring for Osr context chains.

Review-Url: https://codereview.chromium.org/2388303006
Cr-Commit-Position: refs/heads/master@{#40021}
2016-10-06 06:42:29 +00:00
bradnelson
e901ccdd18 [wasm] [asm.js] Fix asm.js issues around floating point globals.
Allow fround to take values without dots for globals (the spec allows this
subtly).

Drop over-restrictive assert preventing floating point globals from working.

BUG=v8:4203
R=jpp@chromium.org,aseemgarg@chromium.org

Review-Url: https://codereview.chromium.org/2397823003
Cr-Commit-Position: refs/heads/master@{#40013}
2016-10-05 19:46:25 +00:00
mstarzinger
c22e4278ec [interpreter] Module tests in all Ignition variants.
This makes sure we run the module tests against all variants using
Ignition as the first compilation tier. It will henceforth extend the
test coverage to the BytecodeGraphBuilder as well.

R=neis@chromium.org

Review-Url: https://codereview.chromium.org/2397733002
Cr-Commit-Position: refs/heads/master@{#39992}
2016-10-05 13:06:09 +00:00
machenbach
9fc7bbb13e [test] Skip asm-wasm for gc_stress and ignition
BUG=v8:5451
NOTRY=true
TBR=titzer@chromium.org, ahaas@chromium.org, rmcilroy@chromium.org

Review-Url: https://codereview.chromium.org/2389703006
Cr-Commit-Position: refs/heads/master@{#39989}
2016-10-05 12:12:02 +00:00
jarin
ff81734cb9 Revert of [turbofan] Osr value typing + dynamic type checks on entry. (patchset #5 id:80001 of https://codereview.chromium.org/2384113002/ )
Reason for revert:
Tanks the world.

Original issue's description:
> [turbofan] Osr value typing + dynamic type checks on entry.
>
> This introduces a new OsrGuard node that is inserted during graph building
> to guard the inferred type of the OSR value.
>
> The type of the OSR value is inferred by running the typer before OSR
> deconstruction, and then taking the type from the phi that takes the
> OSR value. After the deconstruction, we throw the types away.
>
> At the moment we only support the SignedSmall OSR type and we always
> pick the tagged representation. Later, we might want to support more
> types (such as Number) and pick better representations (int32/float64).
>
> This CL also removes the OSR deconstruction tests because they build
> unrealistic graph (no effect chain, no loop termination). I considered
> adding the effect chains to the tests, but this would make the tests
> even more brittle.
>
> Committed: https://crrev.com/1f5dc90a900d222da44bee3eff171a2ba1e3c076
> Cr-Commit-Position: refs/heads/master@{#39971}

TBR=bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2395783002
Cr-Commit-Position: refs/heads/master@{#39985}
2016-10-05 10:34:33 +00:00
ahaas
aa93e6ca95 [wasm] Call a runtime function for a MemorySize instruction.
The implementation of MemorySize with RelocatableInt32Constants is
problematic if MemorySize is placed close to a GrowMemory instruction in
the code. The use of a runtime function guarantees that the order in
which MemorySize and GrowMemory is executed is correct.

R=titzer@chromium.org
BUG=chromium:651961
TEST=mjsunit/regress/wasm/regression-651961

Committed: https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689
Review-Url: https://codereview.chromium.org/2386183004
Cr-Original-Commit-Position: refs/heads/master@{#39972}
Cr-Commit-Position: refs/heads/master@{#39980}
2016-10-05 09:12:08 +00:00
ahaas
9701e79127 Revert of [wasm] Call a runtime function for a MemorySize instruction. (patchset #2 id:20001 of https://codereview.chromium.org/2386183004/ )
Reason for revert:
Patch problem

Original issue's description:
> [wasm] Call a runtime function for a MemorySize instruction.
>
> The implementation of MemorySize with RelocatableInt32Constants is
> problematic if MemorySize is placed close to a GrowMemory instruction in
> the code. The use of a runtime function guarantees that the order in
> which MemorySize and GrowMemory is executed is correct.
>
> R=titzer@chromium.org
> BUG=chromium:651961
> TEST=mjsunit/regress/wasm/regression-651961
>
> Committed: https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689
> Cr-Commit-Position: refs/heads/master@{#39972}

TBR=titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:651961

Review-Url: https://codereview.chromium.org/2391223002
Cr-Commit-Position: refs/heads/master@{#39973}
2016-10-05 06:12:18 +00:00
ahaas
2c12a9a42d [wasm] Call a runtime function for a MemorySize instruction.
The implementation of MemorySize with RelocatableInt32Constants is
problematic if MemorySize is placed close to a GrowMemory instruction in
the code. The use of a runtime function guarantees that the order in
which MemorySize and GrowMemory is executed is correct.

R=titzer@chromium.org
BUG=chromium:651961
TEST=mjsunit/regress/wasm/regression-651961

Review-Url: https://codereview.chromium.org/2386183004
Cr-Commit-Position: refs/heads/master@{#39972}
2016-10-05 06:06:58 +00:00
jarin
1f5dc90a90 [turbofan] Osr value typing + dynamic type checks on entry.
This introduces a new OsrGuard node that is inserted during graph building
to guard the inferred type of the OSR value.

The type of the OSR value is inferred by running the typer before OSR
deconstruction, and then taking the type from the phi that takes the
OSR value. After the deconstruction, we throw the types away.

At the moment we only support the SignedSmall OSR type and we always
pick the tagged representation. Later, we might want to support more
types (such as Number) and pick better representations (int32/float64).

This CL also removes the OSR deconstruction tests because they build
unrealistic graph (no effect chain, no loop termination). I considered
adding the effect chains to the tests, but this would make the tests
even more brittle.

Review-Url: https://codereview.chromium.org/2384113002
Cr-Commit-Position: refs/heads/master@{#39971}
2016-10-05 05:56:54 +00:00
jarin
a974970cff [turbofan] Check instruction input/output count limits in instruction selector.
BUG=chromium:625966

Review-Url: https://codereview.chromium.org/2390303002
Cr-Commit-Position: refs/heads/master@{#39970}
2016-10-05 05:43:35 +00:00
mtrofin
c938f0df22 [wasm] explicitly mark off unlinked wasm module instances
This fixes a gc stress bug. We cannot rely on an ordering of
clearing of the weak cells, so we explicitly reset the weak
link to the owning instance, when finalizing a compiled
module. In turn, this serves as a reliable signal when GCs
happen while instantiating, allowing us to correctly link the
new instance.

BUG=chromium:652425

Review-Url: https://codereview.chromium.org/2393443003
Cr-Commit-Position: refs/heads/master@{#39964}
2016-10-04 21:23:24 +00:00
adamk
3c39bac440 Don't skip hole checks inside patterns in parameter lists
Previously, b6e9f625c1 fixed self-assignment
in parameters to throw. But it failed to deal with the case of
destructuring with defaults. This patch extends that previous approach
to always treat the end of a parameter as its initializer position,
whether it has an initializer or not.

This is the minimal change to make it easy to merge; a follow-up
will rename the field of Parameter from "initializer_end_position"
to "end_position".

BUG=v8:5454

Review-Url: https://codereview.chromium.org/2390943002
Cr-Commit-Position: refs/heads/master@{#39962}
2016-10-04 17:04:19 +00:00
jgruber
7d26871d2d [stubs] Port String.prototype.substr to TurboFan
BUG=v8:5415

Review-Url: https://codereview.chromium.org/2373493002
Cr-Commit-Position: refs/heads/master@{#39951}
2016-10-04 12:00:28 +00:00
leszeks
4ad3579119 [ignition] Fix building lookup graph when search depth is 0
In some (rare) cases, the context depth passed to a dynamic variable lookup can
be zero. In these cases, the fast path for the lookup (i.e. load from context or
global) can always be taken, as there is no need to search the current context.

However, with no slow path checks, the bytecode graph builder had a null
environment for the slow path, causing segfaults when this graph was built.

This patch adds a null check for the slow path environment, and skips building
the slow path if the environment is null.

BUG=chromium:652186

Review-Url: https://codereview.chromium.org/2385123002
Cr-Commit-Position: refs/heads/master@{#39949}
2016-10-04 11:08:11 +00:00
marja
22ff09e06a PreParsing inner functions: Fix declaration-only variables.
If an inner function only declares a variable but doesn't use it, Parser
and PreParser produced different unresolved variables, and that confused
the pessimistic context allocation.

BUG=chromium:650969

Review-Url: https://codereview.chromium.org/2388183003
Cr-Commit-Position: refs/heads/master@{#39947}
2016-10-04 09:38:46 +00:00
verwaest
9feab2d208 Mark param as used when we force context allocation due to implement access through arguments
Currently the parameter is first parsed as a reference, and then translated into a parameter. The reference stays around though, and gets resolved to the parameter. That automatically creates a use. Now that I drop all unresolved references when we abort preparsing, that also drops the unresolved reference.

Instead, mark the variable as used when its marked as forced context allocation. That's what happens in almost all other cases.

This raises the question: does it really make sense to parse parameters this ways? It seems pretty generic, but neither fast nor memory-efficient ... Did I misunderstand something?

Just land if you think the CL looks good as is.

BUG=chromium:651613

Review-Url: https://codereview.chromium.org/2386623002
Cr-Commit-Position: refs/heads/master@{#39935}
2016-10-03 17:21:20 +00:00
jpp
7ed565b6a5 [WASM] Implements catch for the wasm low level exception mechanism.
This is essentially CL/2275293002, with the difference that the effect
dependencies are now updated correctly.

BUG=

Review-Url: https://codereview.chromium.org/2378773013
Cr-Commit-Position: refs/heads/master@{#39919}
2016-09-30 16:09:32 +00:00
neis
427242326c Reland: [modules] Properly initialize declared variables.
Before evaluating a module, all variables declared at the top-level
in _any_ of the modules in the dependency graph must be initialized.
This is observable because a module A can access a variable imported
from module B (e.g. a function) at a point when module B's body hasn't
been evaluated yet.

We achieve this by implementing modules internally as generators with
two states (not initialized, initialized).

R=adamk@chromium.org
BUG=v8:1569
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_win_dbg

Committed: https://crrev.com/f4dfb6fbe1cdd9a0f287a1a9c496e1f69f6f5d20
Committed: https://crrev.com/8c52a411583e870bd5ed100864caa58f491c5d88
Review-Url: https://codereview.chromium.org/2375793002
Cr-Original-Original-Commit-Position: refs/heads/master@{#39871}
Cr-Original-Commit-Position: refs/heads/master@{#39892}
Cr-Commit-Position: refs/heads/master@{#39900}
2016-09-30 07:53:57 +00:00
bmeurer
669cb71e60 Revert of Reland: [modules] Properly initialize declared variables. (patchset #6 id:100001 of https://codereview.chromium.org/2375793002/ )
Reason for revert:
Speculative revert for christmas tree

Original issue's description:
> Reland: [modules] Properly initialize declared variables.
>
> Before evaluating a module, all variables declared at the top-level
> in _any_ of the modules in the dependency graph must be initialized.
> This is observable because a module A can access a variable imported
> from module B (e.g. a function) at a point when module B's body hasn't
> been evaluated yet.
>
> We achieve this by implementing modules internally as generators with
> two states (not initialized, initialized).
>
> R=adamk@chromium.org
> BUG=v8:1569
> CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_win_dbg
>
> Committed: https://crrev.com/f4dfb6fbe1cdd9a0f287a1a9c496e1f69f6f5d20
> Committed: https://crrev.com/8c52a411583e870bd5ed100864caa58f491c5d88
> Cr-Original-Commit-Position: refs/heads/master@{#39871}
> Cr-Commit-Position: refs/heads/master@{#39892}

TBR=adamk@chromium.org,mstarzinger@chromium.org,machenbach@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2387593002
Cr-Commit-Position: refs/heads/master@{#39896}
2016-09-30 04:22:41 +00:00
neis
8c52a41158 Reland: [modules] Properly initialize declared variables.
Before evaluating a module, all variables declared at the top-level
in _any_ of the modules in the dependency graph must be initialized.
This is observable because a module A can access a variable imported
from module B (e.g. a function) at a point when module B's body hasn't
been evaluated yet.

We achieve this by implementing modules internally as generators with
two states (not initialized, initialized).

R=adamk@chromium.org
BUG=v8:1569
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_win_dbg

Committed: https://crrev.com/f4dfb6fbe1cdd9a0f287a1a9c496e1f69f6f5d20
Review-Url: https://codereview.chromium.org/2375793002
Cr-Original-Commit-Position: refs/heads/master@{#39871}
Cr-Commit-Position: refs/heads/master@{#39892}
2016-09-29 22:24:56 +00:00
adamk
a2a9b4a7ea Revert of [wasm] Remove improper assembler check for grow memory. (patchset #2 id:20001 of https://codereview.chromium.org/2376153003/ )
Reason for revert:
grow-memory test now fails on Linux dbg, blocking the CQ:

https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/11217

Original issue's description:
> [wasm] Remove improper assembler check for grow memory.
>
> Note that the offset can still be out of bounds, even after grow memory. The calculation of the remaining size can overflow.
>
> R=gdeepti@chromium.org
> BUG=chromium:644670
>
> Committed: https://crrev.com/e6071a9c067e07304329250e040b652fb82e9b5e
> Cr-Commit-Position: refs/heads/master@{#39886}

TBR=gdeepti@chromium.org,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:644670

Review-Url: https://codereview.chromium.org/2378973003
Cr-Commit-Position: refs/heads/master@{#39889}
2016-09-29 21:54:57 +00:00
titzer
e6071a9c06 [wasm] Remove improper assembler check for grow memory.
Note that the offset can still be out of bounds, even after grow memory. The calculation of the remaining size can overflow.

R=gdeepti@chromium.org
BUG=chromium:644670

Review-Url: https://codereview.chromium.org/2376153003
Cr-Commit-Position: refs/heads/master@{#39886}
2016-09-29 18:04:00 +00:00
titzer
424cd4cf84 [wasm] Implement WebAssembly.validate()
R=bradnelson@chromium.org,mtrofin@chromium.org
BUG=chromium:575167

Review-Url: https://codereview.chromium.org/2384513002
Cr-Commit-Position: refs/heads/master@{#39885}
2016-09-29 18:02:58 +00:00
machenbach
5bb978461f Revert of [WASM] Implements catch for the wasm low level exception mechanism. (patchset #16 id:300001 of https://codereview.chromium.org/2275293002/ )
Reason for revert:
nosse4 errors:
https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/13524
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/11215

Original issue's description:
> [WASM] Implements catch for the wasm low level exception mechanism.
>
> BUG=
>
> Committed: https://crrev.com/93e5425c46453764779bd557628d61fae670027a
> Cr-Commit-Position: refs/heads/master@{#39881}

TBR=titzer@chromium.org,bradnelson@chromium.org,jpp@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2383613002
Cr-Commit-Position: refs/heads/master@{#39884}
2016-09-29 18:00:52 +00:00
jpp
93e5425c46 [WASM] Implements catch for the wasm low level exception mechanism.
BUG=

Review-Url: https://codereview.chromium.org/2275293002
Cr-Commit-Position: refs/heads/master@{#39881}
2016-09-29 15:59:29 +00:00
caitp
3c52ac79cd Reland "[builtins] migrate C++ String Iterator builtins to baseline TurboFan"
Migrate newly added C++ String Iterator builtins to TFJ builtins, per
step 4. of the String Iterator Baseline Implementation section of the design doc

BUG=v8:5388
R=bmeurer@chromium.org, mstarzinger@chromium.org, jkummerow@chromium.org

Committed: https://crrev.com/f9a2c8b1112c4e915df8bc5f7ea1fccdf7a33ff8
Cr-Commit-Position: refs/heads/master@{#39765}

patch from issue 2358263002 at patchset 260001 (http://crrev.com/2358263002#ps260001)

Review-Url: https://codereview.chromium.org/2381053002
Cr-Commit-Position: refs/heads/master@{#39879}
2016-09-29 15:49:19 +00:00
leszeks
537c855882 [ignition] BytecodeGraphBuilder: Merge correct environment in try block
Making new nodes inside of exception-handled blocks fiddles around with the
current environment to merge the exception paths. In particular, the current
environment pointer is mutated. This patch ensures that when we merge the fast
and slow paths of the LdaContextLookup, we actually merge the correct
environment and do not accidentally merge the exceptional environment.

BUG=chromium:651394

Review-Url: https://codereview.chromium.org/2379043002
Cr-Commit-Position: refs/heads/master@{#39878}
2016-09-29 15:18:06 +00:00
machenbach
7496c9de94 Revert of [modules] Properly initialize declared variables. (patchset #5 id:80001 of https://codereview.chromium.org/2375793002/ )
Reason for revert:
Suspect for causing win64 debug problems:
https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20debug/builds/12646

Original issue's description:
> [modules] Properly initialize declared variables.
>
> Before evaluating a module, all variables declared at the top-level
> in _any_ of the modules in the dependency graph must be initialized.
> This is observable because a module A can access a variable imported
> from module B (e.g. a function) at a point when module B's body hasn't
> been evaluated yet.
>
> We achieve this by implementing modules internally as generators with
> two states (not initialized, initialized).
>
> R=adamk@chromium.org
> BUG=v8:1569
>
> Committed: https://crrev.com/f4dfb6fbe1cdd9a0f287a1a9c496e1f69f6f5d20
> Cr-Commit-Position: refs/heads/master@{#39871}

TBR=adamk@chromium.org,mstarzinger@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2379063002
Cr-Commit-Position: refs/heads/master@{#39873}
2016-09-29 15:10:30 +00:00
neis
f4dfb6fbe1 [modules] Properly initialize declared variables.
Before evaluating a module, all variables declared at the top-level
in _any_ of the modules in the dependency graph must be initialized.
This is observable because a module A can access a variable imported
from module B (e.g. a function) at a point when module B's body hasn't
been evaluated yet.

We achieve this by implementing modules internally as generators with
two states (not initialized, initialized).

R=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2375793002
Cr-Commit-Position: refs/heads/master@{#39871}
2016-09-29 14:20:56 +00:00
verwaest
fecd09ce32 Readd default function variables upon scope reset for preparse abort
BUG=chromium:651327

Review-Url: https://codereview.chromium.org/2380993003
Cr-Commit-Position: refs/heads/master@{#39864}
2016-09-29 13:29:15 +00:00
mtrofin
aff5ab1132 [wasm] fix for GC during instantiation.
BUG=chromium:651070

Review-Url: https://codereview.chromium.org/2371403003
Cr-Commit-Position: refs/heads/master@{#39848}
2016-09-29 04:24:42 +00:00
mtrofin
df490c3484 [wasm] Fix for cloning module heap size value
The module size is encoded as a HeapNumber, and needs to be
explicitly cloned.

BUG=chromium:647649

Review-Url: https://codereview.chromium.org/2347333002
Cr-Commit-Position: refs/heads/master@{#39845}
2016-09-29 00:48:28 +00:00
gdeepti
64e43be959 Fix bounds check of a store instruction after a grow_memory instruction
- Store instruction with an offset bigger than GrowMemory offset should handle out of bounds correctly
 - Refactor to separate runnning from compile so arguments can be passed in to module builder tests.

BUG=chromium:644670

R=ahaas@chromium.org, titzer@chromium.org

Review-Url: https://codereview.chromium.org/2373613004
Cr-Commit-Position: refs/heads/master@{#39840}
2016-09-28 20:56:01 +00:00
bradnelson
21e46b05a2 [wasm] [asm.js] Fix various asm.js issues.
Several of the asm.js tests were disabled and wrong (mismatched number of args
on the stdlib functions).

Fixing issue around negation and float + doubles.

Renaming function for IsNegate to IsInvert (to reflect what it actually does).

Added tests for negate and invert.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
R=aseemgarg@chromium.org,jpp@chromium.org

Review-Url: https://codereview.chromium.org/2377903002
Cr-Commit-Position: refs/heads/master@{#39836}
2016-09-28 16:37:04 +00:00
ishell
8d8c134b12 [ic][mips][mips64] Ensure store handlers return value in proper register.
BUG=chromium:650973

Review-Url: https://codereview.chromium.org/2374003002
Cr-Commit-Position: refs/heads/master@{#39823}
2016-09-28 11:46:44 +00:00
bmeurer
3304ea9122 [intrinsics] Nuke the %_StringCharFromCode intrinsic.
As of https://codereview.chromium.org/2348493003 there are no users of
this intrinsic left in the code, and we don't want to have any new users
of it. The runtime function remains as it serves as a fallback for the
optimized code (Crankshaft code actually).

BUG=v8:5049
R=mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2378693002
Cr-Commit-Position: refs/heads/master@{#39822}
2016-09-28 11:24:21 +00:00
jgruber
da27e0c886 Allow empty first parts of ConsStrings
TurboFan lowering (see [0]) of ConsString creation cannot ensure that
the first part of the cons string is non-empty without introducing a phi
and negatively impacting performance.

This modifies ConsStringIterator to allow empty first parts of
ConsStrings.

BUG=v8:5440

Review-Url: https://codereview.chromium.org/2377983002
Cr-Commit-Position: refs/heads/master@{#39817}
2016-09-28 09:46:56 +00:00
ishell
632e261a3a [es8] Remove syntactic tail calls support.
BUG=v8:4915

Review-Url: https://codereview.chromium.org/2372513003
Cr-Commit-Position: refs/heads/master@{#39808}
2016-09-28 08:25:45 +00:00
bmeurer
15a449b141 [typedarray] Properly initialize JSTypedArray::length with Smi.
Even after https://codereview.chromium.org/2371963002 we still did not
always store a Smi into the JSTypedArray::length field, the runtime
function %TypedArrayInitializeFromArrayLike was still storing whatever
it got from the JavaScript code, which is highly dependent on internal
decisions of the ICs and the representation selection in the optimizing
compilers, so that's pretty fragile.

R=verwaest@chromium.org
BUG=chromium:650933

Review-Url: https://codereview.chromium.org/2377943002
Cr-Commit-Position: refs/heads/master@{#39802}
2016-09-28 05:49:37 +00:00
bradnelson
53b228239e [wasm] asm.js: Work around parser converting !0 and !1 to boolean.
!0 -> true and !1 -> false etc in the parser.
This clashes with some of the typing logic in asm.js,
and can show up in some real programs in the wild (at least in past asm.js
versions).

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
R=aseemgarg@chromium.org,jpp@chromium.org

Review-Url: https://codereview.chromium.org/2372823004
Cr-Commit-Position: refs/heads/master@{#39798}
2016-09-27 23:20:21 +00:00
titzer
28392ab196 [wasm] Master CL for Binary 0xC changes.
[0xC] Convert to stack machine semantics.
[0xC] Use section codes instead of names.
[0xC] Add elements section decoding.
[0xC] Decoding of globals section.
[0xC] Decoding of memory section.
[0xC] Decoding of imports section.
[0xC] Decoding of exports section.
[0xC] Decoding of data section.
[0xC] Remove CallImport bytecode.
[0xC] Function bodies have an implicit block.
[0xC] Remove the bottom label from loops.
[0xC] Add signatures to blocks.
[0xC] Remove arities from branches.
Add tests for init expression decoding.
Rework compilation of import wrappers and how they are patched.
Rework function indices in debugging.
Fix ASM->WASM builder for stack machine.
Reorganize asm.js foreign functions due to import indices change.

R=ahaas@chromium.org,rossberg@chromium.org,bradnelson@chromium.org
BUG=chromium:575167
LOG=Y

Committed: https://crrev.com/76eb976a67273b8c03c744f64ad850b0432554b9
Review-Url: https://codereview.chromium.org/2345593003
Cr-Original-Commit-Position: refs/heads/master@{#39678}
Cr-Commit-Position: refs/heads/master@{#39795}
2016-09-27 20:46:30 +00:00
neis
b7913f33a3 [modules] Don't throw when detecting cycle while processing star exports.
We must not throw when seeing a cycle while trying to resolve a name through
star exports.  (It may be surprising that we do have to throw when seeing an
ambiguity, but this is what the spec says.)

R=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2376563002
Cr-Commit-Position: refs/heads/master@{#39787}
2016-09-27 17:31:37 +00:00
mstarzinger
437a33efd2 [turbofan] Fix indirect escapes in escape analysis.
This makes sure we only replace load operations for fields on virtual
objects. Even though data flow information for non-virtual (escaping)
allocations is available, it might be inaccurate in certain situations
where object state hasn't been cleared.

R=jarin@chromium.org
TEST=mjsunit/compiler/regress-escape-analysis-indirect

Review-Url: https://codereview.chromium.org/2369953002
Cr-Commit-Position: refs/heads/master@{#39776}
2016-09-27 14:53:17 +00:00
jgruber
515994b8ca [regexp] Don't cache exec method in Regexp.proto[@@split]
The call to RegExpSubclassExec may refer to a different exec method
since splitter is newly constructed previously to the call.

BUG=v8:5351

Review-Url: https://codereview.chromium.org/2370733003
Cr-Commit-Position: refs/heads/master@{#39774}
2016-09-27 14:02:33 +00:00
verwaest
c0ded71713 Don't reset parameters if we aborted preparsing, rebuild them from the params_ list
BUG=

Review-Url: https://codereview.chromium.org/2372703004
Cr-Commit-Position: refs/heads/master@{#39769}
2016-09-27 13:05:32 +00:00
caitp
8fea775784 [builtins] adapt arguments for Builtins::kIteratorPrototypeIterator
BUG=chromium:650172
R=mstarzinger@chromium.org, bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2368323002
Cr-Commit-Position: refs/heads/master@{#39760}
2016-09-27 11:05:42 +00:00
cbruni
1f9863aa18 Reland of Preparse inner functions (new try) (patchset #1 id:1 of https://codereview.chromium.org/2373443003/ )
Reason for revert:
Stability thief found, relanding speculative reverts.

Original issue's description:
> Revert of Preparse inner functions (new try) (patchset #21 id:420001 of https://codereview.chromium.org/2352593002/ )
>
> Reason for revert:
> We currently have some stability issues on Canary. Let's reland this after we verified that we "fixed" Canary again.
>
> Original issue's description:
> > Preparse inner functions (new try)
> >
> > This is an overly pessimistic approach where PreParser only keeps
> > track of unresolved variables, but doesn't declare anything. This
> > will result in context-allocating variables in the outer function
> > unnecessarily, if the variable names clash with variable names
> > used by the inner function (even if the variables are not the
> > same). However, we have been unable to prove that this approach
> > wouldn't be good enough for the practical purposes.
> >
> > Fixes after the previous try ( https://codereview.chromium.org/2322243002/ ):
> > Keep the context-allocation decision stable when compiling fully eagerly.
> >
> > Tests which exercise this functionality:
> > mjsunit/fixed-context-shapes-when-recompiling.js
> >
> > Design document (chromium):
> >
> > https://docs.google.com/a/chromium.org/document/d/1rRv5JJZ0JpOZAZN2CSUwZPFJiBAdRnTiSYhazseNHFg/edit?usp=sharing
> >
> > BUG=
> >
> > Committed: https://crrev.com/7c73cf32c60484cdf37c84f1d61b4640e87068d7
> > Cr-Commit-Position: refs/heads/master@{#39719}
>
> TBR=verwaest@chromium.org,adamk@chromium.org,marja@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=
>
> Committed: https://crrev.com/1e6296b2a7cfc307fd9e722e619f42965da4a267
> Cr-Commit-Position: refs/heads/master@{#39730}

TBR=verwaest@chromium.org,adamk@chromium.org,marja@chromium.org,hablich@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2377513006
Cr-Commit-Position: refs/heads/master@{#39755}
2016-09-27 09:48:34 +00:00
mythria
245e5b323c [Ignition] Use binary operation feedback from Ignition to Crankshaft.
Ignition collects type feedback for binary and compare operations in type
feedback vector and FCG uses Binary/CompareOpICs to collect type feedback.
The feedback collected by ignition is not used by crankshaft. This hits the
performance, when trying to optimize functions that did not tier upto FCG.
This cl merges the feedback collected by ignition and FCG when passing to
crankshaft.

BUG=v8:4280

Review-Url: https://codereview.chromium.org/2361043002
Cr-Commit-Position: refs/heads/master@{#39753}
2016-09-27 08:03:40 +00:00
neis
841458036a [modules] Add tests for the name property of default-exported functions.
R=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2372873002
Cr-Commit-Position: refs/heads/master@{#39746}
2016-09-27 00:48:28 +00:00
neis
9f5ef0a453 [modules] Never do lazy parsing in modules.
If we want to allow this in the future, we must force context-allocation for all
variables that are declared at the module level but not MODULE-allocated.

R=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2373573003
Cr-Commit-Position: refs/heads/master@{#39745}
2016-09-26 23:19:57 +00:00
jkummerow
142f9dfcad [crankshaft] TypedArrayInitialize: force length to be a Smi
BUG=chromium:650404

Review-Url: https://codereview.chromium.org/2371963002
Cr-Commit-Position: refs/heads/master@{#39744}
2016-09-26 23:00:45 +00:00
adamk
b48eb56905 [modules] Detect and throw exceptions for cyclic dependencies
Use an unordered_map<Module, unordered_set<String>> to keep track
of visited Module/ExportName pairs during ResolveExport.

This required adding a Hash() method to Module, which is accomplished
by allocating a Symbol and storing it in the SharedFunctionInfo::name
slot, then delegating the hash to that Symbol.

Also added a helper method Module::shared() to easily get ahold of
the SharedFunctionInfo and call it in the appropriate places instead
of re-doing the ternary operator.

BUG=v8:1569

Review-Url: https://codereview.chromium.org/2367623004
Cr-Commit-Position: refs/heads/master@{#39743}
2016-09-26 22:42:42 +00:00
neis
0614eb5471 [modules] Add tests for empty imports.
R=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2369133002
Cr-Commit-Position: refs/heads/master@{#39739}
2016-09-26 18:56:01 +00:00
bmeurer
b9cdb630dd Revert of [compiler] Properly guard the speculative optimizations for instanceof. (patchset #3 id:40001 of https://codereview.chromium.org/2370693002/ )
Reason for revert:
Tanks EarleyBoyer.

Original issue's description:
> [compiler] Properly guard the speculative optimizations for instanceof.
>
> Add a general feedback slot for instanceof similar to what we already have
> for for-in, which basically has a fast (indicated by the uninitialized
> sentinel) and a slow (indicated by the megamorphic sentinel) mode. Now
> we can only take the fast path when the feedback slot says it hasn't
> seen any funky inputs and nothing funky appeared in the prototype chain.
> In the TurboFan code we also deoptimize whenever we see a funky object
> (i.e. a proxy or an object that requires access checks) in the prototype
> chain (similar to what Crankshaft already did).
>
> Drive-by-fix: Also make Crankshaft respect the mode and therefore
> address the deopt loop in Crankshaft around instanceof.
>
> We might want to introduce an InstanceOfIC mechanism at some point and
> track the map of the right-hand side.
>
> BUG=v8:5267
> R=mvstanton@chromium.org
>
> Committed: https://crrev.com/a0484bc6116ebc2b855de87d862945e2ae07169b
> Cr-Commit-Position: refs/heads/master@{#39718}

TBR=mvstanton@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2365223003
Cr-Commit-Position: refs/heads/master@{#39736}
2016-09-26 17:40:35 +00:00
hablich
1e6296b2a7 Revert of Preparse inner functions (new try) (patchset #21 id:420001 of https://codereview.chromium.org/2352593002/ )
Reason for revert:
We currently have some stability issues on Canary. Let's reland this after we verified that we "fixed" Canary again.

Original issue's description:
> Preparse inner functions (new try)
>
> This is an overly pessimistic approach where PreParser only keeps
> track of unresolved variables, but doesn't declare anything. This
> will result in context-allocating variables in the outer function
> unnecessarily, if the variable names clash with variable names
> used by the inner function (even if the variables are not the
> same). However, we have been unable to prove that this approach
> wouldn't be good enough for the practical purposes.
>
> Fixes after the previous try ( https://codereview.chromium.org/2322243002/ ):
> Keep the context-allocation decision stable when compiling fully eagerly.
>
> Tests which exercise this functionality:
> mjsunit/fixed-context-shapes-when-recompiling.js
>
> Design document (chromium):
>
> https://docs.google.com/a/chromium.org/document/d/1rRv5JJZ0JpOZAZN2CSUwZPFJiBAdRnTiSYhazseNHFg/edit?usp=sharing
>
> BUG=
>
> Committed: https://crrev.com/7c73cf32c60484cdf37c84f1d61b4640e87068d7
> Cr-Commit-Position: refs/heads/master@{#39719}

TBR=verwaest@chromium.org,adamk@chromium.org,marja@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2373443003
Cr-Commit-Position: refs/heads/master@{#39730}
2016-09-26 14:03:45 +00:00
ahaas
7bffaaac2c [wasm] Do a proper HasProperty() check in the memory and table setup.
The WebAssembly spec requires a HasProperty() check for the maximum
property of the descriptor object which is used to set up a
WebAssembly.Memory object or a WebAssembly.Table object.

The original implementation only approximated the HasProperty() check.
It used Get() to get the value of the maximum property of the descriptor
object and compared the resulting value to {undefined}. However, this
approximation is incorrect if the property exists but its value is
{undefined}.

R=titzer@chromium.org, franzih@chromium.org
BUG=chromium:649461
TEST=mjsunit/wasm/memory

Review-Url: https://codereview.chromium.org/2367673003
Cr-Commit-Position: refs/heads/master@{#39722}
2016-09-26 13:08:01 +00:00
marja
7c73cf32c6 Preparse inner functions (new try)
This is an overly pessimistic approach where PreParser only keeps
track of unresolved variables, but doesn't declare anything. This
will result in context-allocating variables in the outer function
unnecessarily, if the variable names clash with variable names
used by the inner function (even if the variables are not the
same). However, we have been unable to prove that this approach
wouldn't be good enough for the practical purposes.

Fixes after the previous try ( https://codereview.chromium.org/2322243002/ ):
Keep the context-allocation decision stable when compiling fully eagerly.

Tests which exercise this functionality:
mjsunit/fixed-context-shapes-when-recompiling.js

Design document (chromium):

https://docs.google.com/a/chromium.org/document/d/1rRv5JJZ0JpOZAZN2CSUwZPFJiBAdRnTiSYhazseNHFg/edit?usp=sharing

BUG=

Review-Url: https://codereview.chromium.org/2352593002
Cr-Commit-Position: refs/heads/master@{#39719}
2016-09-26 12:36:32 +00:00
bmeurer
a0484bc611 [compiler] Properly guard the speculative optimizations for instanceof.
Add a general feedback slot for instanceof similar to what we already have
for for-in, which basically has a fast (indicated by the uninitialized
sentinel) and a slow (indicated by the megamorphic sentinel) mode. Now
we can only take the fast path when the feedback slot says it hasn't
seen any funky inputs and nothing funky appeared in the prototype chain.
In the TurboFan code we also deoptimize whenever we see a funky object
(i.e. a proxy or an object that requires access checks) in the prototype
chain (similar to what Crankshaft already did).

Drive-by-fix: Also make Crankshaft respect the mode and therefore
address the deopt loop in Crankshaft around instanceof.

We might want to introduce an InstanceOfIC mechanism at some point and
track the map of the right-hand side.

BUG=v8:5267
R=mvstanton@chromium.org

Review-Url: https://codereview.chromium.org/2370693002
Cr-Commit-Position: refs/heads/master@{#39718}
2016-09-26 12:32:33 +00:00
jarin
3218ef30b8 [turbofan] Fix restriction type for modulus in representation inference.
BUG=chromium:650215

Review-Url: https://codereview.chromium.org/2373453002
Cr-Commit-Position: refs/heads/master@{#39715}
2016-09-26 11:45:07 +00:00
ahaas
10d7ad9d94 [wasm] Bound the table size by Smi::kMaxValue.
BUG=chromium:649283
R=titzer@chromium.org
TEST=mjsunit/wasm/table

Review-Url: https://codereview.chromium.org/2358923003
Cr-Commit-Position: refs/heads/master@{#39711}
2016-09-26 10:15:15 +00:00
littledan
cd049c2c76 Fix crash from turning on DevTools in the middle of catch prediction
If DevTools is turned on in the middle of doing some things with async
functions, then more items may be popped from the Promise stack than were
pushed to it. In this sort of case, it's OK to have a catch misprediction,
but a crash is unacceptable. This patch defensively handles this edge
case where the Promise stack is unexpectedly empty for that reason.

BUG=v8:5167

Review-Url: https://codereview.chromium.org/2361333003
Cr-Commit-Position: refs/heads/master@{#39705}
2016-09-24 03:31:13 +00:00
neis
6168959875 [modules] Support star exports.
R=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2362153003
Cr-Commit-Position: refs/heads/master@{#39700}
2016-09-24 01:47:01 +00:00
adamk
756f669003 [modules] Initialize requested_modules before recursing in Module::Instantiate
Also fix recursive call to avoid going back through the API.

R=neis@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2366063002
Cr-Commit-Position: refs/heads/master@{#39696}
2016-09-23 23:46:12 +00:00
littledan
f296dad962 Improve stack traces for async functions
This patch tracks the stack of async functions differently from other
Promise async stack tracking. With this patch, the stack trace of a
callstack of async functions should look similarly to the call stack
if all of the functions were synchronous. An example can be found in
the updated test expectations: https://codereview.chromium.org/2362923002 .

The new stack traces are implemented using existing mechanisms in the
inspector. The inspector has two ways to save async stack traces: recurring
and non-recurring stacks. An example of a non-recurring stack is setTimeout,
and a recurring one is saved for setInterval. Recurring stacks are deleted
only when a special "cancel" function is called, rather than being deleted
after being used the first time. Previous Promise async stack tracking always
used non-recurring stacks.

For async functions, this patch saves a recurring stack. The top frame of
the stack is duplicated, as the resuming function contains a similar frame;
the devtools frontend is responsible for removing or marking this frame,
which it can do based on seeing the [async function] line which follows it.
The second frame will instead be provided by the resuming execution
context. The recurring stack is saved when the async function is entered, and
it is deleted from a finally block. The id of the stack is saved in the outer
Promise being constructed by the async function. When an intermediate
throwaway Promise will be triggered as a reaction, it will be identified as
such based on its debugging metadata, and the corresponding async function's
recurring stack will be used.

BUG=v8:4483

Review-Url: https://codereview.chromium.org/2357423002
Cr-Commit-Position: refs/heads/master@{#39695}
2016-09-23 22:24:03 +00:00
neis
d7858e35f6 [modules] Do basic linking.
Resolve imports and indirect exports at instantiation time.

With this CL we have some basic functionality for modules working.  Not yet
supported: star exports, namespace imports, cycle detection, proper variable
initialisation in mutually recursive modules.

BUG=v8:1569

Review-Url: https://codereview.chromium.org/2362083002
Cr-Commit-Position: refs/heads/master@{#39689}
2016-09-23 19:03:01 +00:00
machenbach
e1eee748dd Revert of [wasm] Master CL for Binary 0xC changes. (patchset #26 id:490001 of https://codereview.chromium.org/2345593003/ )
Reason for revert:
Main suspect for tsan:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/11893

Also changes layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/10036

+mips builder:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Mips%20-%20builder/builds/4032

Original issue's description:
> [wasm] Master CL for Binary 0xC changes.
>
> [0xC] Convert to stack machine semantics.
> [0xC] Use section codes instead of names.
> [0xC] Add elements section decoding.
> [0xC] Decoding of globals section.
> [0xC] Decoding of memory section.
> [0xC] Decoding of imports section.
> [0xC] Decoding of exports section.
> [0xC] Decoding of data section.
> [0xC] Remove CallImport bytecode.
> [0xC] Function bodies have an implicit block.
> [0xC] Remove the bottom label from loops.
> [0xC] Add signatures to blocks.
> [0xC] Remove arities from branches.
> Add tests for init expression decoding.
> Rework compilation of import wrappers and how they are patched.
> Rework function indices in debugging.
> Fix ASM->WASM builder for stack machine.
> Reorganize asm.js foreign functions due to import indices change.
>
> R=ahaas@chromium.org,rossberg@chromium.org,bradnelson@chromium.org
> BUG=chromium:575167
> LOG=Y
>
> Committed: https://crrev.com/76eb976a67273b8c03c744f64ad850b0432554b9
> Cr-Commit-Position: refs/heads/master@{#39678}

TBR=ahaas@chromium.org,bradnelson@chromium.org,mtrofin@chromium.org,rossberg@chromium.org,bradnelson@google.com,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:575167

Review-Url: https://codereview.chromium.org/2361053004
Cr-Commit-Position: refs/heads/master@{#39685}
2016-09-23 17:58:24 +00:00
bmeurer
0702ea3000 [turbofan] Don't take into account source size for inlining heuristics.
The source size is not a real indicator for whether or not to inline a
certain function.

R=ishell@chromium.org, jarin@chromium.org
BUG=v8:3354,v8:5267

Committed: 1b33028607
Review-Url: https://codereview.chromium.org/2361813002
Cr-Commit-Position: refs/heads/master@{#39681}
2016-09-23 16:23:34 +00:00
titzer
76eb976a67 [wasm] Master CL for Binary 0xC changes.
[0xC] Convert to stack machine semantics.
[0xC] Use section codes instead of names.
[0xC] Add elements section decoding.
[0xC] Decoding of globals section.
[0xC] Decoding of memory section.
[0xC] Decoding of imports section.
[0xC] Decoding of exports section.
[0xC] Decoding of data section.
[0xC] Remove CallImport bytecode.
[0xC] Function bodies have an implicit block.
[0xC] Remove the bottom label from loops.
[0xC] Add signatures to blocks.
[0xC] Remove arities from branches.
Add tests for init expression decoding.
Rework compilation of import wrappers and how they are patched.
Rework function indices in debugging.
Fix ASM->WASM builder for stack machine.
Reorganize asm.js foreign functions due to import indices change.

R=ahaas@chromium.org,rossberg@chromium.org,bradnelson@chromium.org
BUG=chromium:575167
LOG=Y

Review-Url: https://codereview.chromium.org/2345593003
Cr-Commit-Position: refs/heads/master@{#39678}
2016-09-23 15:56:54 +00:00
verwaest
7f025eb626 Remove ARGUMENTS_VARIABLE and fix crankshaft to properly detect the arguments object and keep it alive when inlining .apply
BUG=

Review-Url: https://codereview.chromium.org/2367483003
Cr-Commit-Position: refs/heads/master@{#39670}
2016-09-23 14:27:02 +00:00
machenbach
99160dc1c1 Revert of [turbofan] Don't take into account source size for inlining heuristics. (patchset #4 id:60001 of https://codereview.chromium.org/2361813002/ )
Reason for revert:
timeouts on windows:
https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20debug/builds/12504

Original issue's description:
> [turbofan] Don't take into account source size for inlining heuristics.
>
> The source size is not a real indicator for whether or not to inline a
> certain function.
>
> R=ishell@chromium.org, jarin@chromium.org
> BUG=v8:3354,v8:5267
>
> Committed: 1b33028607

TBR=ishell@chromium.org,jarin@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3354,v8:5267

Review-Url: https://codereview.chromium.org/2362853003
Cr-Commit-Position: refs/heads/master@{#39661}
2016-09-23 12:43:45 +00:00
Benedikt Meurer
1b33028607 [turbofan] Don't take into account source size for inlining heuristics.
The source size is not a real indicator for whether or not to inline a
certain function.

R=ishell@chromium.org, jarin@chromium.org
BUG=v8:3354,v8:5267

Review URL: https://codereview.chromium.org/2361813002 .

Cr-Commit-Position: refs/heads/master@{#39659}
2016-09-23 11:47:19 +00:00
Benedikt Meurer
d2626e30d9 [interpreter] Fix word32 vs word64 bug in CodeStubAssembler::UpdateFeedback.
R=epertoso@chromium.org

Review URL: https://codereview.chromium.org/2360233004 .

Cr-Commit-Position: refs/heads/master@{#39658}
2016-09-23 11:41:11 +00:00
Michael Starzinger
4b2c6d03e4 [turbofan] Add proper type guards to escape analysis.
This makes sure the {EscapeAnalysisReducer} inserts proper {TypeGuard}
nodes if the replacement node is not a subtype of the original node.
This happens predominantly for code that has been made unreachable by
type checks.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-640497
BUG=chromium:640497

Review URL: https://codereview.chromium.org/2363573003 .

Cr-Commit-Position: refs/heads/master@{#39656}
2016-09-23 11:02:13 +00:00
lpy
68ee0a4f90 Add regression test for crbug.com/648740.
BUG=648740

Review-Url: https://codereview.chromium.org/2362563002
Cr-Commit-Position: refs/heads/master@{#39643}
2016-09-22 20:44:05 +00:00
verwaest
df7ecd1c1a Declare the arguments object before creating the function var, to make sure it masks it
BUG=chromium:649067

Review-Url: https://codereview.chromium.org/2362463003
Cr-Commit-Position: refs/heads/master@{#39642}
2016-09-22 19:16:42 +00:00
gsathya
ba41697cbd [promises] PromiseResolveThenableJob: change then to be a JSReceiver
BUG=v8:649078

Review-Url: https://codereview.chromium.org/2362503003
Cr-Commit-Position: refs/heads/master@{#39609}
2016-09-21 23:56:20 +00:00
littledan
74bf86abf5 Disable slow async function tests in gc_stress
BUG=v8:5411

Review-Url: https://codereview.chromium.org/2354333003
Cr-Commit-Position: refs/heads/master@{#39603}
2016-09-21 18:13:02 +00:00
ahaas
4c1d574b22 [wasm] FromJS throws a TypeError for I64 values.
This behavior is required by the WebAssembly spec.

TEST=mjsunit/wasm/ffi-error.js:I64ParamsInSignatureThrows

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2360653002
Cr-Commit-Position: refs/heads/master@{#39600}
2016-09-21 15:33:05 +00:00
mstarzinger
b097c6c4f1 [turbofan] Support for ConsString by escape analysis.
This add support for ConsString objects allocated inline to the escape
analysis pass. The raw hash field in such strings needs special handling
similar to existing raw fields. This also contains materialization code
within the deoptimizer as usual.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-648737
BUG=chromium:648737

Review-Url: https://codereview.chromium.org/2357153002
Cr-Commit-Position: refs/heads/master@{#39594}
2016-09-21 12:30:00 +00:00
ahaas
698bbe418a [wasm] Set up Table and Memory constructors
Set up Wasm Table and Memory constructors

This only provides skeletons so far: the constructors work, but the
types are not wired up with the import/export mechanism yet; methods are
still nops.

Also, fix errors generated from Wasm to be proper Error/TypeError
instances instead of just strings.

I took over this CL from rossberg@chromium.org. The original CL is
https://codereview.chromium.org/2342623002

R=titzer@chromium.org, rossberg@chromium.org

Review-Url: https://codereview.chromium.org/2350643003
Cr-Commit-Position: refs/heads/master@{#39588}
2016-09-21 10:40:32 +00:00
cbruni
2fd6d6093e [elements] Handlify raw parameter_map pointers for SloppyArgumentsAccessor
Handlify pointers in IncludesValueImpl and DirectCollectElementIndicesImpl.

BUG=chromium:648373

Review-Url: https://codereview.chromium.org/2354773006
Cr-Commit-Position: refs/heads/master@{#39586}
2016-09-21 10:22:53 +00:00
mstarzinger
81f4342994 [turbofan] Remove bogus constant materialization from frame.
This removes an optimization from the code generator that tries to
materialize certain constants (i.e. context and closure) from the
stackframe when possible. This does not work with Harmony tail calls
which are split into several instructions. There have already been
numerous bugs in this optimization, it is too fragile in its current
form.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-648539
BUG=chromium:648539

Review-Url: https://codereview.chromium.org/2357583003
Cr-Commit-Position: refs/heads/master@{#39583}
2016-09-21 09:31:32 +00:00
verwaest
65bae443a2 Add function-var to variables_ so LookupRecursive doesn't need to special-case it
After parsing a function, if there's no masking declaration in the function scope, DeclareFunctionVar will also bind the function name to a variable. It will either bind it to the const/const-legacy function_ variable, or to a dynamic non-local if the function calls sloppy eval.

Even if the variable is masked or sloppy eval is called, we still declare the function-var. The client immediately sets up the variable by assigning the resulting function to it.

BUG=v8:5209

Review-Url: https://codereview.chromium.org/2274133002
Cr-Commit-Position: refs/heads/master@{#39581}
2016-09-21 09:15:29 +00:00
gsathya
8c87ae9b88 [promises] Move PromiseResolveThenableJob to c++
- Add a new container object to store the data required for
PromiseResolveThenableJob.

- Create a new runtime function to enqueue the microtask event with
the required data.

This patches causes a 4% regression in the bluebird benchmark.

BUG=v8:5343

Review-Url: https://codereview.chromium.org/2314903004
Cr-Commit-Position: refs/heads/master@{#39571}
2016-09-21 03:49:50 +00:00
littledan
dcd61b9020 Filter out synthetic variables from with scopes
This patch ensures that variables like .new_target aren't overwritable
using with scopes. It does this by ensuring that scope analysis does
not consider with scopes (or eval scopes) for such 'synthetic variables',
similarly to how the 'this' variable was already handled.
The patch also adds a DCHECK for the dynamic parallel to this case,
replacing a previous unreachable path for a particular instance.

BUG=v8:5405

Review-Url: https://codereview.chromium.org/2353623002
Cr-Commit-Position: refs/heads/master@{#39567}
2016-09-20 22:14:54 +00:00
littledan
bd078193a0 Remove synthetic unresolved variables from async/await desugaring
This patch uses temporaries rather than unresolved variables for
.promise and .debug_is_active. For .promise, a new field is added
to the FunctionState, similarly to .generator_object. This change
fixes a bug where .promise was locally shadowable by with, affecting
program semantics.

BUG=v8:5405

Review-Url: https://codereview.chromium.org/2359513002
Cr-Commit-Position: refs/heads/master@{#39566}
2016-09-20 21:31:32 +00:00
littledan
377358516f Make Promise.all/Promise.race catch prediction conditional on DevTools
To improve performance, this patch makes Promise.all and Promise.race not
perform correct catch prediction when the debugger is not open. The case
may come up if Promise.race or Promise.all is called, then DevTools is
open, then a component Promise is rejected. In this case, the user would
falsely get an exception event even if the "pause on caught exceptions"
box is unchecked. There are tests which triggered this case; however, it
seems both unlikely and and acceptable to have an event in this case.
Many analogous events are already produced when DevTools is enabled
during the operation of a program.

BUG=v8:3093

Review-Url: https://codereview.chromium.org/2350363002
Cr-Commit-Position: refs/heads/master@{#39565}
2016-09-20 19:34:35 +00:00
littledan
1b414e283a Reland Async/await Promise dependency graph
This patch knits together Promises returned by async/await such that when
one async function awaits the result of another one, catch prediction works
across the boundaries, whether the exception comes synchronously or
asynchronously. Edges are added in three places:
- When a locally uncaught await happens, if the value passed into await
  is a Promise, from the awaited value to the Promise under construction
  in the broader async function
- From a "throwaway" Promise, which may be found on the Promise debug
  stack, to the Promise under construction in the async function that
  surrounds it
- When a Promise is resolved with another Promise (e.g., when returning a
  Promise from an async function)

In this reland, the caught tests are broken up into four parts to avoid
timeouts.

BUG=v8:5167

Review-Url: https://codereview.chromium.org/2346363004
Cr-Commit-Position: refs/heads/master@{#39564}
2016-09-20 19:04:26 +00:00
mstarzinger
4dab7b5a1d [turbofan] Fix loop assignment analysis on ForInStatements.
The implicit assignment to the induction variable in a ForInStatement
has been ignored by the AST loop assignment analysis. This was hidden
for cases where the parser introduced a ".for" temporary, but triggers
when the variable is declared outside the loop.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-647887
BUG=chromium:647887

Review-Url: https://codereview.chromium.org/2356733002
Cr-Commit-Position: refs/heads/master@{#39551}
2016-09-20 12:37:33 +00:00
bmeurer
29dd7fc5ed [turbofan] Lower ConsString creation in JSTypedLowering.
Extract String feedback on Add operation and utilize to lower ConsString
creation in JSTypedLowering when we know that a String addition will
definitely result in the creation of a ConsString.

Note that Crankshaft has to guard the potential length overflow of the
resulting string with an eager deoptimization exit, while we can safely
throw an exception in that case.

Also note that the bytecode pipeline does not currently provide the
String feedback for the addition, which has to be added.

BUG=v8:5267
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2354853002
Cr-Commit-Position: refs/heads/master@{#39540}
2016-09-20 11:00:39 +00:00
marja
df9d8c01f2 Add a missing test for ensuring that context shapes stay the same when recompiling.
This would've caught the "preparser tracking only unresolved variables
but no declarations is not enough" bug.

BUG=

Review-Url: https://codereview.chromium.org/2350683002
Cr-Commit-Position: refs/heads/master@{#39532}
2016-09-20 09:35:40 +00:00
bmeurer
d86038db25 [crankshaft] Protect against deopt loops from string length overflows.
Crankshaft just unconditionally deoptimizes the code when the length of
a string addition result would overflow. In order to protect against
deopt loops we insert a global protector cell.

We will use the same mechanism for inlining certain string additions
into TurboFan as well, and protecting against overflow (we will also
extend this to deal with String.prototype.concat and friends once we
get there).

BUG=v8:5404
R=jarin@chromium.org,hpayer@chromium.org
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux64_msan_rel

Committed: https://crrev.com/cb19257a926a55209a6d6858ce26d51a0447ba71
Review-Url: https://codereview.chromium.org/2348293002
Cr-Original-Commit-Position: refs/heads/master@{#39511}
Cr-Commit-Position: refs/heads/master@{#39525}
2016-09-20 05:59:35 +00:00
littledan
100336f5dc Revert of Async/await Promise dependency graph (patchset #30 id:550001 of https://codereview.chromium.org/2317383002/ )
Reason for revert:
Need to break up test into smaller tests to avoid timeouts

Original issue's description:
> Async/await Promise dependency graph
>
> This patch knits together Promises returned by async/await such that when
> one async function awaits the result of another one, catch prediction works
> across the boundaries, whether the exception comes synchronously or
> asynchronously. Edges are added in three places:
> - When a locally uncaught await happens, if the value passed into await
>   is a Promise, from the awaited value to the Promise under construction
>   in the broader async function
> - From a "throwaway" Promise, which may be found on the Promise debug
>   stack, to the Promise under construction in the async function that
>   surrounds it
> - When a Promise is resolved with another Promise (e.g., when returning a
>   Promise from an async function)
>
> BUG=v8:5167
>
> Committed: https://crrev.com/7265fdde7c76b9f875b40b0b139515936d491d64
> Cr-Commit-Position: refs/heads/master@{#39522}

TBR=adamk@chromium.org,jgruber@chromium.org,kozyatinskiy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5167

Review-Url: https://codereview.chromium.org/2351953002
Cr-Commit-Position: refs/heads/master@{#39523}
2016-09-20 01:09:51 +00:00
littledan
7265fdde7c Async/await Promise dependency graph
This patch knits together Promises returned by async/await such that when
one async function awaits the result of another one, catch prediction works
across the boundaries, whether the exception comes synchronously or
asynchronously. Edges are added in three places:
- When a locally uncaught await happens, if the value passed into await
  is a Promise, from the awaited value to the Promise under construction
  in the broader async function
- From a "throwaway" Promise, which may be found on the Promise debug
  stack, to the Promise under construction in the async function that
  surrounds it
- When a Promise is resolved with another Promise (e.g., when returning a
  Promise from an async function)

BUG=v8:5167

Review-Url: https://codereview.chromium.org/2317383002
Cr-Commit-Position: refs/heads/master@{#39522}
2016-09-19 23:59:03 +00:00
bradnelson
7e07d3f669 [wasm] asm.js: Add asm_wasm variant to test asm.js->wasm pipeline.
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5406
LOG=N
R=mstarzinger@chromium.org,machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2309833003
Cr-Commit-Position: refs/heads/master@{#39521}
2016-09-19 23:57:13 +00:00
littledan
bf43f883c1 Reland of Fix async/await memory leak (patchset #1 id:1 of https://codereview.chromium.org/2348403003/ )
This patch closes a memory leak in async/await where the desugaring
was creating a situation analagous to that described in v8:5002.
Intermediate Promises were being kept alive, so a long-running loop
would cause linear memory usage on the heap. This patch returns
undefined to the 'then' callback passed into PerformPromiseThen
in order to avoid this hazard. Test expectations are fixed to remove
expecting extraneous events which occurred on Promises that are
now not given unnecessarily complex resolution paths before being
thrown away.

This patch is a reland; originally, tests which exercised the memory
exhaustion were checked in. Although it's possible to find good parameters
for running such tests locally, it is difficult to automate the tests
between the rock of timeouts and the hard place of too-small heaps
causing memory exhaustion in some modes even when there is no leak.

BUG=v8:5390

Review-Url: https://codereview.chromium.org/2352933002
Cr-Commit-Position: refs/heads/master@{#39520}
2016-09-19 23:51:52 +00:00
machenbach
53510f6a80 Revert of [crankshaft] Protect against deopt loops from string length overflows. (patchset #1 id:1 of https://codereview.chromium.org/2348293002/ )
Reason for revert:
Mean https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/10910

Original issue's description:
> [crankshaft] Protect against deopt loops from string length overflows.
>
> Crankshaft just unconditionally deoptimizes the code when the length of
> a string addition result would overflow. In order to protect against
> deopt loops we insert a global protector cell.
>
> We will use the same mechanism for inlining certain string additions
> into TurboFan as well, and protecting against overflow (we will also
> extend this to deal with String.prototype.concat and friends once we
> get there).
>
> BUG=v8:5404
> R=jarin@chromium.org,hpayer@chromium.org
>
> Committed: https://crrev.com/cb19257a926a55209a6d6858ce26d51a0447ba71
> Cr-Commit-Position: refs/heads/master@{#39511}

TBR=hpayer@chromium.org,jarin@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5404

Review-Url: https://codereview.chromium.org/2357433002
Cr-Commit-Position: refs/heads/master@{#39518}
2016-09-19 21:50:15 +00:00
bradnelson
a4737793cb [wasm] Support asm.js modules with a single function.
Handle the case of asm.js modules that return a single function
instead of a collection of them.

R=mtrofin@chromium.org
TEST=mjsunit/asm/asm-wasm
BUG=v8:4203
BUG=v8:5356

Review-Url: https://codereview.chromium.org/2348383003
Cr-Commit-Position: refs/heads/master@{#39515}
2016-09-19 21:01:34 +00:00
littledan
3f366186e9 Revert of Fix async/await memory leak (patchset #5 id:160001 of https://codereview.chromium.org/2348403002/ )
Reason for revert:
Still causes issues on bot (sometimes!)

Original issue's description:
> Reland of Fix async/await memory leak (patchset #1 id:1 of https://codereview.chromium.org/2354473002/ )
>
> Reason for revert:
> Relanding with faster-running test
>
> Original issue's description:
> > Revert of Fix async/await memory leak (patchset #5 id:80001 of https://codereview.chromium.org/2334323006/ )
> >
> > Reason for revert:
> > newly introduced test async-await-loop times out: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/10894/steps/Ignition%20-%20turbofan%20%28flakes%29/logs/async-await-loop
> >
> > Original issue's description:
> > > Fix async/await memory leak
> > >
> > > This patch closes a memory leak in async/await where the desugaring
> > > was creating a situation analagous to that described in v8:5002.
> > > Intermediate Promises were being kept alive, so a long-running loop
> > > would cause linear memory usage on the heap. This patch returns
> > > undefined to the 'then' callback passed into PerformPromiseThen
> > > in order to avoid this hazard. Test expectations are fixed to remove
> > > expecting extraneous events which occurred on Promises that are
> > > now not given unnecessarily complex resolution paths before being
> > > thrown away.
> > >
> > > BUG=v8:5390
> > >
> > > Committed: https://crrev.com/a0ba18e9634c5e2d439033ab61a77cff54f9af35
> > > Cr-Commit-Position: refs/heads/master@{#39479}
> >
> > TBR=adamk@chromium.org,caitp@igalia.com,littledan@chromium.org
> > NOTRY=true
> > BUG=v8:5390
> >
> > Committed: https://crrev.com/196db1999da130019bbf8e3bd65977f840e8afaf
> > Cr-Commit-Position: refs/heads/master@{#39493}
>
> TBR=adamk@chromium.org,caitp@igalia.com,hablich@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> BUG=v8:5390
>
> Committed: https://crrev.com/e51482f01f26e0013e6377e85c4d2c41900e403c
> Cr-Commit-Position: refs/heads/master@{#39508}

TBR=adamk@chromium.org,caitp@igalia.com,hablich@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5390

Review-Url: https://codereview.chromium.org/2348403003
Cr-Commit-Position: refs/heads/master@{#39512}
2016-09-19 21:01:31 +00:00
bmeurer
cb19257a92 [crankshaft] Protect against deopt loops from string length overflows.
Crankshaft just unconditionally deoptimizes the code when the length of
a string addition result would overflow. In order to protect against
deopt loops we insert a global protector cell.

We will use the same mechanism for inlining certain string additions
into TurboFan as well, and protecting against overflow (we will also
extend this to deal with String.prototype.concat and friends once we
get there).

BUG=v8:5404
R=jarin@chromium.org,hpayer@chromium.org

Review-Url: https://codereview.chromium.org/2348293002
Cr-Commit-Position: refs/heads/master@{#39511}
2016-09-19 21:01:30 +00:00
littledan
e51482f01f Reland of Fix async/await memory leak (patchset #1 id:1 of https://codereview.chromium.org/2354473002/ )
Reason for revert:
Relanding with faster-running test

Original issue's description:
> Revert of Fix async/await memory leak (patchset #5 id:80001 of https://codereview.chromium.org/2334323006/ )
>
> Reason for revert:
> newly introduced test async-await-loop times out: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/10894/steps/Ignition%20-%20turbofan%20%28flakes%29/logs/async-await-loop
>
> Original issue's description:
> > Fix async/await memory leak
> >
> > This patch closes a memory leak in async/await where the desugaring
> > was creating a situation analagous to that described in v8:5002.
> > Intermediate Promises were being kept alive, so a long-running loop
> > would cause linear memory usage on the heap. This patch returns
> > undefined to the 'then' callback passed into PerformPromiseThen
> > in order to avoid this hazard. Test expectations are fixed to remove
> > expecting extraneous events which occurred on Promises that are
> > now not given unnecessarily complex resolution paths before being
> > thrown away.
> >
> > BUG=v8:5390
> >
> > Committed: https://crrev.com/a0ba18e9634c5e2d439033ab61a77cff54f9af35
> > Cr-Commit-Position: refs/heads/master@{#39479}
>
> TBR=adamk@chromium.org,caitp@igalia.com,littledan@chromium.org
> NOTRY=true
> BUG=v8:5390
>
> Committed: https://crrev.com/196db1999da130019bbf8e3bd65977f840e8afaf
> Cr-Commit-Position: refs/heads/master@{#39493}

TBR=adamk@chromium.org,caitp@igalia.com,hablich@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
BUG=v8:5390

Review-Url: https://codereview.chromium.org/2348403002
Cr-Commit-Position: refs/heads/master@{#39508}
2016-09-19 18:41:05 +00:00
nikolaos
d5dcce33bf [parser] Fix tail calls in for in/of loops
According to the ES6 specification, in "for in/of" loops like:

   for (var v of [1,2,3]) return f(...);

the call to f() should not be considered a tail call.  This was
not working properly, i.e., the case without declarations:

   var v;
   for (v of [1,2,3]) return f(...);

R=adamk@chromium.org, ishell@chromium.org
BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2343823002
Cr-Commit-Position: refs/heads/master@{#39497}
2016-09-19 09:47:56 +00:00
hablich
196db1999d Revert of Fix async/await memory leak (patchset #5 id:80001 of https://codereview.chromium.org/2334323006/ )
Reason for revert:
newly introduced test async-await-loop times out: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/10894/steps/Ignition%20-%20turbofan%20%28flakes%29/logs/async-await-loop

Original issue's description:
> Fix async/await memory leak
>
> This patch closes a memory leak in async/await where the desugaring
> was creating a situation analagous to that described in v8:5002.
> Intermediate Promises were being kept alive, so a long-running loop
> would cause linear memory usage on the heap. This patch returns
> undefined to the 'then' callback passed into PerformPromiseThen
> in order to avoid this hazard. Test expectations are fixed to remove
> expecting extraneous events which occurred on Promises that are
> now not given unnecessarily complex resolution paths before being
> thrown away.
>
> BUG=v8:5390
>
> Committed: https://crrev.com/a0ba18e9634c5e2d439033ab61a77cff54f9af35
> Cr-Commit-Position: refs/heads/master@{#39479}

TBR=adamk@chromium.org,caitp@igalia.com,littledan@chromium.org
NOTRY=true
BUG=v8:5390

Review-Url: https://codereview.chromium.org/2354473002
Cr-Commit-Position: refs/heads/master@{#39493}
2016-09-19 08:12:54 +00:00
mtrofin
7d008c0d1b [wasm] moved regression test under test/mjsunit/regression/wasm
We'd like wasm regressions to live under a subfolder of the mjsunit
regression folder.

BUG=

Review-Url: https://codereview.chromium.org/2344373002
Cr-Commit-Position: refs/heads/master@{#39483}
2016-09-17 00:29:10 +00:00
littledan
a0ba18e963 Fix async/await memory leak
This patch closes a memory leak in async/await where the desugaring
was creating a situation analagous to that described in v8:5002.
Intermediate Promises were being kept alive, so a long-running loop
would cause linear memory usage on the heap. This patch returns
undefined to the 'then' callback passed into PerformPromiseThen
in order to avoid this hazard. Test expectations are fixed to remove
expecting extraneous events which occurred on Promises that are
now not given unnecessarily complex resolution paths before being
thrown away.

BUG=v8:5390

Review-Url: https://codereview.chromium.org/2334323006
Cr-Commit-Position: refs/heads/master@{#39479}
2016-09-16 18:46:13 +00:00
mythria
7f3d15aad4 [Interpreter] Adds stackcheck in InterpreterPushArgsAndCall/Construct builtins.
In ignition, arguments to function calls and function constructors are
pushed onto the stack before calling the function. It is required to check
that stack does not overflow when pushing the arguments.

BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/2335513004
Cr-Commit-Position: refs/heads/master@{#39470}
2016-09-16 10:28:44 +00:00
nikolaos
be20666469 [parser] Fix unfinalized block scope in non-lexical for each
In release mode, statements like:

    var i;
    for (i of [0]) { let j; debugger; }

would end up with one more block scope than in the debug modes.

R=adamk@chromium.org, marja@chromium.org
BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2347633002
Cr-Commit-Position: refs/heads/master@{#39465}
2016-09-16 08:40:06 +00:00
mtrofin
d4ec15f93e [wasm] additional serialization test
Ensure we can serialize a wasm compiled module even after it was
instantiated a few times.

BUG=

Review-Url: https://codereview.chromium.org/2339933003
Cr-Commit-Position: refs/heads/master@{#39463}
2016-09-16 05:19:56 +00:00
littledan
6b7430fab1 Reland of Put RegExp js code in strict mode (patchset #2 id:20001 of https://codereview.chromium.or… (patchset #2 id:20001 of https://codereview.chromium.org/2112713003/ )
Reason for revert:
With fixes for frozen RegExps in https://codereview.chromium.org/2339443002 , it should be web-compatible to put RegExps in strict mode again, per spec.

Original issue's description:
> Revert of Put RegExp js code in strict mode (patchset #2 id:20001 of https://codereview.chromium.org/1776883005/ )
>
> Reason for revert:
> Found to break SAP Web IDE, and these semantics are not shipped in any other browser.
> Revert to legacy semantics while assessing web compatibility.
>
> BUG=chromium:624318
>
> Original issue's description:
> > Put RegExp js code in strict mode
> >
> > src/js/regexp.js was one of the few files that was left in sloppy
> > mode. The ES2017 draft specification requires that writes to
> > lastIndex throw when the property is non-writable, and test262
> > tests enforce this behavior. This patch puts that file in strict
> > mode.
> >
> > BUG=v8:4504
> > R=yangguo@chromium.org
> > LOG=Y
> >
> > Committed: https://crrev.com/80b1b2a45bbd9bf3d08e4e6516acfaaa8f438213
> > Cr-Commit-Position: refs/heads/master@{#34801}
>
> TBR=yangguo@chromium.org,adamk@chromium.org
>
> Committed: https://crrev.com/34880eb3dcf7492d44c0a3b45b6c888189f2c3c3
> Cr-Commit-Position: refs/heads/master@{#37449}

TBR=adamk@chromium.org,yangguo@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:624318

Review-Url: https://codereview.chromium.org/2344773002
Cr-Commit-Position: refs/heads/master@{#39456}
2016-09-15 19:21:12 +00:00
jpp
5855e44c1a [V8][Wasm] Wasm throws.
This CL implements the throw wasm opcode. This is a pre-requisite for
implementing try-catches in wasm.

BUG=

Review-Url: https://codereview.chromium.org/2339053003
Cr-Commit-Position: refs/heads/master@{#39449}
2016-09-15 15:04:45 +00:00
mstarzinger
c2cf8b11ed [turbofan] Handle stack overflow during inlining.
This handles the case where generating bytecode for inlining purposes
causes a stack overflow. We just abort inlining but also need to clear
pending exceptions.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-647217
BUG=chromium:647217

Review-Url: https://codereview.chromium.org/2339383002
Cr-Commit-Position: refs/heads/master@{#39448}
2016-09-15 14:05:13 +00:00
mstarzinger
b848716c98 [compiler] Fix confusion about OSR BailoutId semantics.
The semantics of the {BailoutId} representing an OSR entry point is
different between the interpreter and the full code generator. These
semantics are hard-coded in various graph builders. We need to ensure
that the correct graph builder is chosen for OSR compilations.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-5380
BUG=v8:5380

Review-Url: https://codereview.chromium.org/2341663002
Cr-Commit-Position: refs/heads/master@{#39444}
2016-09-15 11:00:42 +00:00
littledan
7776370c58 Async/await catch prediction for "the synchronous case"
Handle the "synchronous case" by marking try/catch blocks introduced for
async functions as ASYNC_AWAIT and traversing up the stack, finding successive
Promises and returning caught if any of them are predicted to be caught.

BUG=v8:5167

Review-Url: https://codereview.chromium.org/2325813002
Cr-Commit-Position: refs/heads/master@{#39433}
2016-09-15 01:16:45 +00:00
jgruber
6b3cd5804d [regexp] Fix incorrect range checks in AtSurrogatePair
R=littledan@chromium.org
BUG=v8:5339

Review-Url: https://codereview.chromium.org/2337763003
Cr-Commit-Position: refs/heads/master@{#39403}
2016-09-14 07:55:31 +00:00
jgruber
8df547d402 [regexp] Avoid unneeded accesses to lastIndex
This implements https://github.com/tc39/ecma262/pull/627/.

BUG=v8:5360

Review-Url: https://codereview.chromium.org/2339443002
Cr-Commit-Position: refs/heads/master@{#39402}
2016-09-14 07:39:44 +00:00
mstarzinger
85289749f4 [interpreter] Add regression test for bogus OSR entry.
This adds a regression test for a bug where {OsrPoll} instructions
within the bytecode stream ended up outside of actual loops. This has
been fixed already, by merging {OsrPoll} into the backwards branch.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-645888
BUG=chromium:645888

Review-Url: https://codereview.chromium.org/2337033002
Cr-Commit-Position: refs/heads/master@{#39385}
2016-09-13 13:23:21 +00:00
mvstanton
2ab3fcf42f Record call counts also for megamorphic calls.
To make better inlining decisions, it's good to have call counts for poly/mega-morphic cases. This CL makes it work for calls, and another will follow to better unify the code between constructor calls and normal calls (and thence, to record megamorphic call counts there as well).

BUG=

Review-Url: https://codereview.chromium.org/2325083003
Cr-Commit-Position: refs/heads/master@{#39377}
2016-09-13 11:04:22 +00:00
mtrofin
b4dc310aab [wasm] reuse the first compiled module.
This change avoids needing to keep around an unused compiled
module. Instead, the result of compiling the wasm bytes is
given to the first instance. The module object and that instance object
point to the same compiled module. Instances are, then, cloned from
the compiled module the module object points to. When an instance is
collected, we make sure that the module object still has a clone
available, and, if the last instance is GC-ed, we also reset the compiled
module so that it does not reference its heap, so that it (==heap) may
be collected.

This is achieved by linking the clones in a double-linked list and
registering a finalizer for each. When we create an instance, we tie it
in the front of the list, making the module object point to it (O(1)). When
the finalizer is called, we relink the list over the dying object (O(1)). The
costliest operation is finalizing the last instance, since we need to visit
all wasm functions and reset heap references.

BUG=v8:5316

Committed: https://crrev.com/01f5af515728aebe6c5246f4f7dd6c573e8748af
Review-Url: https://codereview.chromium.org/2305903002
Cr-Original-Commit-Position: refs/heads/master@{#39153}
Cr-Commit-Position: refs/heads/master@{#39361}
2016-09-12 23:13:19 +00:00
cbruni
621f4af720 [elements] Handlify SloppyArguments IndexOfValueImpl
The raw pointer to the parameter_map might get stale in case of accessors present on
the arguments object.
Drive-by-fix: use nullptr instead of the_hole with isolate access.

BUG=chromium:645680

Review-Url: https://codereview.chromium.org/2332503002
Cr-Commit-Position: refs/heads/master@{#39359}
2016-09-12 17:32:09 +00:00
jarin
e031451cd7 [turbofan] Another fix for induction variable typing monotonicity.
BUG=chromium:645851

Review-Url: https://codereview.chromium.org/2332633002
Cr-Commit-Position: refs/heads/master@{#39358}
2016-09-12 17:05:11 +00:00
adamk
58325e616d [turbofan] Switch from a whitelist to a blacklist for NeedsFrameStateInput
The whitelist is populated with those inline intrinsics that are lowered
in JSIntrinsicInlining and were not previously blacklisted. Thus the only
additional FrameStates this CL adds are those where the caller tries to
call the INLINE version of an intrinsic but ends up calling the RUNTIME
version instead.

R=bmeurer@chromium.org
BUG=chromium:644631

Review-Url: https://codereview.chromium.org/2331543002
Cr-Commit-Position: refs/heads/master@{#39357}
2016-09-12 16:12:57 +00:00
neis
21cb110547 [modules] Basic support of exports
This adds partial support of exports to the runtime system and
to the interpreter. It introduces a new HeapObject JSModule that
maps each of the module's export names to a Cell containing the
exported value.

Several aspects of this implementation are subject to change in
follow-up CLs.

BUG=v8:1569

Committed: https://crrev.com/241a0412eed919395a2e163b30b9b66071ce5c17
Review-Url: https://codereview.chromium.org/2302783002
Cr-Original-Commit-Position: refs/heads/master@{#39341}
Cr-Commit-Position: refs/heads/master@{#39352}
2016-09-12 12:55:37 +00:00
neis
429ff47e2b Revert of [modules] Basic support of exports (patchset #10 id:180001 of https://codereview.chromium.org/2302783002/ )
Reason for revert:
Failures related to deopt.

Original issue's description:
> [modules] Basic support of exports
>
> This adds partial support of exports to the runtime system and
> to the interpreter. It introduces a new HeapObject JSModule that
> maps each of the module's export names to a Cell containing the
> exported value.
>
> Several aspects of this implementation are subject to change in
> follow-up CLs.
>
> BUG=v8:1569
>
> Committed: https://crrev.com/241a0412eed919395a2e163b30b9b66071ce5c17
> Cr-Commit-Position: refs/heads/master@{#39341}

TBR=adamk@chromium.org,rmcilroy@chromium.org,ulan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2328283002
Cr-Commit-Position: refs/heads/master@{#39345}
2016-09-12 11:34:24 +00:00
neis
241a0412ee [modules] Basic support of exports
This adds partial support of exports to the runtime system and
to the interpreter. It introduces a new HeapObject JSModule that
maps each of the module's export names to a Cell containing the
exported value.

Several aspects of this implementation are subject to change in
follow-up CLs.

BUG=v8:1569

Review-Url: https://codereview.chromium.org/2302783002
Cr-Commit-Position: refs/heads/master@{#39341}
2016-09-12 10:51:27 +00:00
gdeepti
2a4b5933b8 [wasm] GrowMemory should use array_buffer_allocator instead of realloc.
- Using realloc is still unsafe as the allocator, using array_buffer_allocator
  - Fixing tests to avoid overlapping stores, adding more tests

BUG=v8:5344

R=ahaas@chromium.org, mlippautz@chromium.org

Review-Url: https://codereview.chromium.org/2319983002
Cr-Commit-Position: refs/heads/master@{#39329}
2016-09-12 07:33:03 +00:00
mstarzinger
0681deb914 [interpreter] Fix destroyed new.target register use.
This fixes a corner-case where the bytecode was using the <new.target>
register directly without going through the local variable. The value
might be clobbered because the deoptimizer doesn't properly restore the
value. The label will causes bytecode pipeline to be flushed and hence
ensure {BytecodeRegisterOptimizer} doesn't reuse <new.target> anymore.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-645103
BUG=chromium:645103

Review-Url: https://codereview.chromium.org/2325133002
Cr-Commit-Position: refs/heads/master@{#39306}
2016-09-09 12:20:20 +00:00
adamk
e4273007b6 Properly handle holes following spreads in array literals
Before this change, the spread desugaring would naively call
`%AppendElement($R, the_hole)` and in some cases $R would have
a non-holey elements kind, putting the array into the bad state
of exposing holes to author code.

This patch avoids calling %AppendElement with a hole, instead
simply incrementing $R.length when it sees a hole in the literal
(this is safe because $R is known to be an Array). The existing
logic for elements transitions takes care of giving the array a
holey ElementsKind.

BUG=chromium:644215

Review-Url: https://codereview.chromium.org/2321533003
Cr-Commit-Position: refs/heads/master@{#39294}
2016-09-08 18:50:41 +00:00
cbruni
cd86053fac [printing] Fix DCHECK failure when printing FAST_HOLEY_DOUBLE_ELEMENTS
This CL fixes %DebugPrint for FAST_HOLEY_DOUBLE_ELEMENTS and now properly
distinguishes TheHole and NaN values.

BUG=

Review-Url: https://codereview.chromium.org/2294913004
Cr-Commit-Position: refs/heads/master@{#39293}
2016-09-08 18:31:42 +00:00
caitp
646f1f0a4a [JSON] call replacer function with correct holder in JSON.stringify
BUG=v8:5363
R=adamk@chromium.org, littledan@chromium.org, cbruni@chromium.org

Review-Url: https://codereview.chromium.org/2328523002
Cr-Commit-Position: refs/heads/master@{#39291}
2016-09-08 17:57:56 +00:00
mythria
9a31162d9d [Interpreter] Collect allocation site feedback in call bytecode handler.
Adds support to collect allocation site feedback for Array function calls
to the call bytecode handler.

BUG=v8:4280, v8:4780
LOG=N

Review-Url: https://codereview.chromium.org/2307903002
Cr-Commit-Position: refs/heads/master@{#39283}
2016-09-08 14:50:09 +00:00
ahaas
853892a516 [wasm] Do not produce code for br_if if its condition does not validate.
I could not reproduce the bug in either a unittest nor a cctest. That's
why I created an mjsunit test now.

BUG=chromium:644682
R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2319213003
Cr-Commit-Position: refs/heads/master@{#39282}
2016-09-08 14:41:04 +00:00
mstarzinger
9d6872cdf1 [deoptimizer] Materialize JSFunction objects without context.
This fixes the materialization of JSFunction objects to not rely on a
context being available. The context has been cleared because it might
be de-materiallized itself.

R=bmeurer@chromium.org
TEST=mjsunit/compiler/escape-analysis-materialize
BUG=chromium:644245

Review-Url: https://codereview.chromium.org/2320983002
Cr-Commit-Position: refs/heads/master@{#39277}
2016-09-08 12:15:50 +00:00
mstarzinger
9984d6f689 [deoptimizer] Support materialization of ContextExtension.
This adds support to the deoptimizer to materialize ContextExtension
objects that have been de-materialized by escape analysis. This is
follow-up to the inline allocation of such objects during the create
lowering phase (i.e. JSCreateWithContext and JSCreateCatchContext).

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-644245
BUG=chromium:644245

Review-Url: https://codereview.chromium.org/2317353003
Cr-Commit-Position: refs/heads/master@{#39270}
2016-09-08 10:33:20 +00:00
bmeurer
4ed27fc836 [turbofan] Ensure that all prototypes are stable for push/pop.
When lowering Array.prototype.push/.pop to the fast inlined version, we
first need to ensure that all prototypes (including the Object.prototype)
are stable.

R=mvstanton@chromium.org
BUG=chromium:644689

Review-Url: https://codereview.chromium.org/2319533005
Cr-Commit-Position: refs/heads/master@{#39266}
2016-09-08 08:48:32 +00:00
bmeurer
91ed540ee6 [turbofan] Revert "Avoid overflow checks on SpeculativeNumberAdd/Subtract/Multiply."
The optimization is not correct for unsigned output types, and we the
overall complexity seems too high. We need to find a better way to
take into account the input/output type restrictions.

Also added a regression test for the unsigned output bug.

BUG=v8:5267,v8:5270,v8:5357
TBR=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2320013002
Cr-Commit-Position: refs/heads/master@{#39262}
2016-09-08 04:20:31 +00:00
jarin
b4f8a7c900 [turbofan] Ensure monotonicity for induction variable typing.
The trouble here is that the type of the induction variable might be
a bit ahead of the increment (JSAdd) operation's type. When we update
the type of the increment, we might only update the induction variable
type while the JSAdd type might be stale. If the induction variable typing
needs to fall back to normal phi typing (e.g., when the increment is not
an integer anymore), it might use the stale type.

To get around this, we fake monotonicity if we fallback to normal phi
typing. Another option would be to force re-typing of the increment
operation, but that seems to be harder to maintain.

BUG=chromium:644633

Review-Url: https://codereview.chromium.org/2320803002
Cr-Commit-Position: refs/heads/master@{#39261}
2016-09-08 03:51:11 +00:00
adamk
624bc966b3 Super property loads and stores should throw if [[Prototype]] is null
While fixing the bug, removed code duplication from super load/store
runtime calls, and inlined calls of Object::ReadAbsentProperty (left
over from strong mode).

BUG=v8:5335

Review-Url: https://codereview.chromium.org/2311413002
Cr-Commit-Position: refs/heads/master@{#39257}
2016-09-07 17:14:14 +00:00
bjaideep
b7625e70dc PPC64: disable regress/regress-353551 due to stack overflow
Testcase regress/regress-353551 fails with stack overflow error on
ppc64, increasing stack-size to 1100 resolves the issue, but will
cause other platforms to fail similar to
https://codereview.chromium.org/2072533002.
For now, disabling the testcase on ppc64.

R=machenbach@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2314343002
Cr-Commit-Position: refs/heads/master@{#39253}
2016-09-07 14:24:35 +00:00
georgia.kouveli
fdb0f07887 [arm64] Use CMN for cmp(a,sub(0,b)) only when checking equality/inequality.
We were previously incorrectly changing:
  sub r0, 0, r1
  cmp r2, r0
  b.cond <addr>
to:
  cmn r2, r1
  b.cond <addr>

for all conditions. This is incorrect for conditions involving the C (carry)
and V (overflow) flags, and in particular in the case where r1 = INT_MIN.
The optimization is still safe to perform for Equal and NotEqual since they
do not depend on the C and V flags.

BUG=

Review-Url: https://codereview.chromium.org/2318043002
Cr-Commit-Position: refs/heads/master@{#39246}
2016-09-07 12:43:00 +00:00
bmeurer
7ac19fe598 [builtins] Migrate Number predicates and make them optimizable.
Migrate the isNaN, isFinite, Number.isFinite, Number.isInteger,
Number.isSafeInteger and Number.isNaN predicates to TurboFan
builtins and make them optimizable (for certain input types) in
JavaScript callees being optimized by TurboFan. That means both
the baseline and the optimized version is now always at maximum,
consistent performance. Especially TurboFan suffered from poor
baseline (and optimized) performance because it cannot play the
same weird tricks that Crankshaft plays for %_IsSmi.

This also adds a bunch of new tests to properly cover the use
of the Harmony predicates in optimized code.

R=franzih@chromium.org
BUG=v8:5049,v8:5267

Review-Url: https://codereview.chromium.org/2313073002
Cr-Commit-Position: refs/heads/master@{#39242}
2016-09-07 10:14:40 +00:00
mythria
119f311245 [Interpreter] Enable allocation site mementos in CreateArrayLiterals.
In ignition, allocation site mementos were disabled when creating array
literals. Enabled them in this cl.

BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/2294913006
Cr-Commit-Position: refs/heads/master@{#39234}
2016-09-07 09:06:17 +00:00
marja
8ee581af4b Move sloppy block function hoisting logic from Parser to Scope.
This moves scope-related logic (such as looking up variables) to Scope
where it belongs, and enables PreParser to do more Scope-related
operations in the future.

BUG=

Review-Url: https://codereview.chromium.org/2301183003
Cr-Commit-Position: refs/heads/master@{#39233}
2016-09-07 08:48:32 +00:00
lpy
7a38b927c8 Reland - Allow lexically declared "arguments" in function scope in sloppy mode.
Lexically declared "arguments" in sloppy mode will throw redeclaration error
currently, this patch fixes it by delaying the declaration of arguments until we
fully parse parameter list and function body.

BUG=v8:4577
LOG=N

Committed: https://crrev.com/70a613dd0a5f5d205b46559b55702764464851fa
Review-Url: https://codereview.chromium.org/2290753003
Cr-Original-Commit-Position: refs/heads/master@{#39109}
Cr-Commit-Position: refs/heads/master@{#39230}
2016-09-07 06:54:54 +00:00
jarin
595be2dbe7 [turbofan] Tests for simplified lowering of unsigned min/max (it did not have code coverage).
Review-Url: https://codereview.chromium.org/2305523004
Cr-Commit-Position: refs/heads/master@{#39223}
2016-09-06 20:08:24 +00:00
bakkot
2aab10f5b3 [parser] Simplify parse-time function name inference for properties
Move the code to perform function name inference for properties into
parsing the properties themselves, instead of the containing object.

This allows us to avoid unnecessary calls when parsing shorthand
properties and methods and simplifies the logic in the remaining cases.

Also fixes an edge case bug: inferring the name of the getter in
`class { static get constructor(){} }`.

Review-Url: https://codereview.chromium.org/2313723005
Cr-Commit-Position: refs/heads/master@{#39222}
2016-09-06 18:49:49 +00:00
mstarzinger
553d504923 [turbofan] Handle ObjectIsReceiver in escape analysis.
This adds handling of {IrOpcode::kObjectIsReceiver} nodes to the escape
status analysis. Such uses are treated as escaping for now until we add
dedicated handling to the escape analysis reducer.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-631027
BUG=chromium:631027

Review-Url: https://codereview.chromium.org/2317623003
Cr-Commit-Position: refs/heads/master@{#39205}
2016-09-06 11:59:31 +00:00
rmcilroy
c950256013 [Turbofan] Fix CallSuper argument order in BytecodeGraphBuilder.
The constructor and new.target arguments were passed to CallConstruct in
the wrong order by BytecodeGraphBuilder, which caused subclassing to be
incorrect when optimizing from bytecode.

Also clean up some unecessary functions in interpreter.cc found while
figuring this out.

BUG=chromium:642409

Review-Url: https://codereview.chromium.org/2312103002
Cr-Commit-Position: refs/heads/master@{#39204}
2016-09-06 11:53:19 +00:00
mstarzinger
cc1249b779 [compiler] Bytecode preparation fails for asm.js modules.
This handles the case where preparation of bytecode might fail inside
Compiler::EnsureBytecode due to the underlying function being a fully
validated asm.js module. We simply bailout of bytecode preparation.

R=bradnelson@chromium.org
TEST=mjsunit/regress/regress-crbug-644111
BUG=chromium:644111

Review-Url: https://codereview.chromium.org/2309853002
Cr-Commit-Position: refs/heads/master@{#39187}
2016-09-05 23:03:07 +00:00
mvstanton
8af781ea82 [turbofan] Don't propagate truncations if output is tagged.
Disable the propagation of truncations through Phi, Select or TypeGuard
if the output representation is tagged, because when the truncations are
taken we don't necessarily reflect this in the types and therefore we
might end up in a situation where we produce a word32 value, the type
says Number, and now we need to change that to tagged, which is not
possible since we don't know how to interpret the bits, i.e. whether the
value is Signed32 or Unsigned32.

BUG=chromium:644048

Review-Url: https://codereview.chromium.org/2311903002
Cr-Commit-Position: refs/heads/master@{#39186}
2016-09-05 20:54:56 +00:00
jgruber
ee7f14cb54 Revert of [regexp] Port RegExp getters and setters (patchset #5 id:80001 of https://codereview.chromium.org/2305573002/ )
Reason for revert:
Performance regressions: crbug.com/644087
Clusterfuzz: crbug.com/644074

We'll reland all regexp changes at once when the port is complete and at least performance-neutral, since the partial port requires slow workarounds.

Original issue's description:
> [regexp] Port RegExp getters and setters
>
> BUG=v8:5339
>
> Committed: https://crrev.com/ac0eb5e05af40e16ae9402bb8a62600b32cc2ec9
> Committed: https://crrev.com/7711b1a16f864ed6ea56fa40274ff3f6287bbe34
> Cr-Original-Commit-Position: refs/heads/master@{#39076}
> Cr-Commit-Position: refs/heads/master@{#39088}

TBR=bmeurer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5339

Review-Url: https://codereview.chromium.org/2313713002
Cr-Commit-Position: refs/heads/master@{#39176}
2016-09-05 13:48:46 +00:00
jkummerow
685be31203 Reland of [stubs] Port KeyedLoadIC_Generic stub to TurboFan
And also handle dictionary elements loads in the dispatcher.

This is a reland with fix for negative indices into DICTIONARY_ELEMENTS.
Original review: https://codereview.chromium.org/2245683002/

Review-Url: https://codereview.chromium.org/2313683002
Cr-Commit-Position: refs/heads/master@{#39172}
2016-09-05 13:18:08 +00:00
machenbach
359a00bf6f Revert of [wasm] reuse the first compiled module (patchset #12 id:220001 of https://codereview.chromium.org/2305903002/ )
Reason for revert:
mac gc stress failures:
https://build.chromium.org/p/client.v8/builders/V8%20Mac%20GC%20Stress/builds/8341

Original issue's description:
> [wasm] reuse the first compiled module.
>
> This change avoids needing to keep around an unused compiled
> module. Instead, the result of compiling the wasm bytes is
> given to the first instance. The module object and that instance object
> point to the same compiled module. Instances are, then, cloned from
> the compiled module the module object points to. When an instance is
> collected, we make sure that the module object still has a clone
> available, and, if the last instance is GC-ed, we also reset the compiled
> module so that it does not reference its heap, so that it (==heap) may
> be collected.
>
> This is achieved by linking the clones in a double-linked list and
> registering a finalizer for each. When we create an instance, we tie it
> in the front of the list, making the module object point to it (O(1)). When
> the finalizer is called, we relink the list over the dying object (O(1)). The
> costliest operation is finalizing the last instance, since we need to visit
> all wasm functions and reset heap references.
>
> BUG=v8:5316
>
> Committed: https://crrev.com/01f5af515728aebe6c5246f4f7dd6c573e8748af
> Cr-Commit-Position: refs/heads/master@{#39153}

TBR=bradnelson@chromium.org,verwaest@chromium.org,vogelheim@chromium.org,yangguo@chromium.org,mtrofin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5316

Review-Url: https://codereview.chromium.org/2306403002
Cr-Commit-Position: refs/heads/master@{#39154}
2016-09-05 10:49:53 +00:00
mtrofin
01f5af5157 [wasm] reuse the first compiled module.
This change avoids needing to keep around an unused compiled
module. Instead, the result of compiling the wasm bytes is
given to the first instance. The module object and that instance object
point to the same compiled module. Instances are, then, cloned from
the compiled module the module object points to. When an instance is
collected, we make sure that the module object still has a clone
available, and, if the last instance is GC-ed, we also reset the compiled
module so that it does not reference its heap, so that it (==heap) may
be collected.

This is achieved by linking the clones in a double-linked list and
registering a finalizer for each. When we create an instance, we tie it
in the front of the list, making the module object point to it (O(1)). When
the finalizer is called, we relink the list over the dying object (O(1)). The
costliest operation is finalizing the last instance, since we need to visit
all wasm functions and reset heap references.

BUG=v8:5316

Review-Url: https://codereview.chromium.org/2305903002
Cr-Commit-Position: refs/heads/master@{#39153}
2016-09-05 10:08:44 +00:00
jgruber
300f4413eb Do not call into JS from WasmDebugInfo::GetFunctionScript
This disables notification of wasm script 'compilation' since
OnAfterCompile actually triggers a JS call (which is disallowed during
stack trace collection).

BUG=641065

Review-Url: https://codereview.chromium.org/2304943002
Cr-Commit-Position: refs/heads/master@{#39139}
2016-09-02 14:56:56 +00:00
jgruber
64c518d06d Do not include Error.captureStackTrace in the trace
BUG=v8:5342

Review-Url: https://codereview.chromium.org/2307783002
Cr-Commit-Position: refs/heads/master@{#39124}
2016-09-02 09:51:42 +00:00
mythria
7e5b8feed3 [Interpreter] Collect type feedback for 'new' in the bytecode handler
Collect type feedback in the bytecode handler for 'new' bytecode. The
earlier cl (https://codereview.chromium.org/2153433002/) was reverted
because that implementation did not collect allocation site feedback.
This regressed delta blue by an order of magnitude. This implementation
includes collection of allocation site feedback.

Reland of https://codereview.chromium.org/2190293003/ with a bug fix.

BUG=v8:4280, v8:4780
LOG=N

Review-Url: https://codereview.chromium.org/2225923003
Cr-Commit-Position: refs/heads/master@{#39120}
2016-09-02 08:26:57 +00:00
nikolaos
628e9e3eb8 Fix bug with nested spreads as patterns
R=adamk@chromium.org, littledan@chromium.org
BUG=v8:5337
LOG=N

Review-Url: https://codereview.chromium.org/2297303003
Cr-Commit-Position: refs/heads/master@{#39118}
2016-09-02 07:53:00 +00:00
bmeurer
86af343749 [test] Add regression test for http://crbug.com/642056.
The bug itself was already fixed in ToT as part of
http://crrev.com/2263273003.

R=machenbach@chromium.org
BUG=chromium:642056

Review-Url: https://codereview.chromium.org/2306913002
Cr-Commit-Position: refs/heads/master@{#39117}
2016-09-02 07:08:29 +00:00
machenbach
d67fedb12c Revert of Allow lexically declared "arguments" in function scope in sloppy mode. (patchset #5 id:100001 of https://codereview.chromium.org/2290753003/ )
Reason for revert:
Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/9470

Original issue's description:
> Allow lexically declared "arguments" in function scope in sloppy mode.
>
> Lexically declared "arguments" in sloppy mode will throw redeclaration error
> currently, this patch fixes it by delaying the declaration of arguments until we
> fully parse parameter list and function body.
>
> BUG=v8:4577
> LOG=N
>
> Committed: https://crrev.com/70a613dd0a5f5d205b46559b55702764464851fa
> Cr-Commit-Position: refs/heads/master@{#39109}

TBR=adamk@chromium.org,mythria@chromium.org,lpy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4577

Review-Url: https://codereview.chromium.org/2304853002
Cr-Commit-Position: refs/heads/master@{#39115}
2016-09-02 06:23:57 +00:00
gdeepti
53cb7e5ffc Populate relocation information correctly for RelocatableInt32Constants.
BUG=v8:5304
R=ahaas@chromium.org, titzer@chromium.org

Review-Url: https://codereview.chromium.org/2277443009
Cr-Commit-Position: refs/heads/master@{#39112}
2016-09-02 01:39:21 +00:00
lpy
70a613dd0a Allow lexically declared "arguments" in function scope in sloppy mode.
Lexically declared "arguments" in sloppy mode will throw redeclaration error
currently, this patch fixes it by delaying the declaration of arguments until we
fully parse parameter list and function body.

BUG=v8:4577
LOG=N

Review-Url: https://codereview.chromium.org/2290753003
Cr-Commit-Position: refs/heads/master@{#39109}
2016-09-01 22:10:34 +00:00
jarin
25504a220f [turbofan] Fix typing rule for Math.sign.
Review-Url: https://codereview.chromium.org/2306583002
Cr-Commit-Position: refs/heads/master@{#39103}
2016-09-01 20:06:27 +00:00
jgruber
7711b1a16f [regexp] Port RegExp getters and setters
BUG=v8:5339

Committed: https://crrev.com/ac0eb5e05af40e16ae9402bb8a62600b32cc2ec9
Review-Url: https://codereview.chromium.org/2305573002
Cr-Original-Commit-Position: refs/heads/master@{#39076}
Cr-Commit-Position: refs/heads/master@{#39088}
2016-09-01 13:41:28 +00:00
machenbach
6c25d789ba Revert of [regexp] Port RegExp getters and setters (patchset #4 id:60001 of https://codereview.chromium.org/2305573002/ )
Reason for revert:
Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/9437

Original issue's description:
> [regexp] Port RegExp getters and setters
>
> BUG=v8:5339
>
> Committed: https://crrev.com/ac0eb5e05af40e16ae9402bb8a62600b32cc2ec9
> Cr-Commit-Position: refs/heads/master@{#39076}

TBR=bmeurer@chromium.org,jgruber@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5339

Review-Url: https://codereview.chromium.org/2301963002
Cr-Commit-Position: refs/heads/master@{#39085}
2016-09-01 12:50:40 +00:00
jgruber
ac0eb5e05a [regexp] Port RegExp getters and setters
BUG=v8:5339

Review-Url: https://codereview.chromium.org/2305573002
Cr-Commit-Position: refs/heads/master@{#39076}
2016-09-01 11:22:21 +00:00
jarin
39d65198ed [turbofan] Fix Math.sign.
Review-Url: https://codereview.chromium.org/2294143004
Cr-Commit-Position: refs/heads/master@{#39073}
2016-09-01 10:26:12 +00:00
bmeurer
432790c92c [turbofan] Only check semantic axis for Type::None.
R=jarin@chromium.org
BUG=chromium:643073

Review-Url: https://codereview.chromium.org/2299903002
Cr-Commit-Position: refs/heads/master@{#39065}
2016-09-01 07:11:21 +00:00
bmeurer
64a7bd3877 [turbofan] Don't treat the hole NaN as constant inside the compiler.
We use a signaling NaN to represent the hole in
FAST_HOLEY_DOUBLE_ELEMENTS backing stores, but on Intel processors, the
C++ compiler may decide to (or be forced to due to calling conventions)
use X87 registers for double values. However transfering to X87
registers automatically quietens the NaNs and there's no way to disable
this. Therefore we should just always load the hole NaN from the canonical
place identified by the address_of_hole_nan external reference instead,
which might even be more efficient in some cases.

R=jarin@chromium.org, jkummerow@chromium.org
BUG=v8:5332

Review-Url: https://codereview.chromium.org/2303643002
Cr-Commit-Position: refs/heads/master@{#39062}
2016-09-01 06:02:19 +00:00
bakkot
8d5a267b19 Refactor object/class literal property name parsing
This patch arranges that property names are parsed in a single pass,
reporting the name as well as the type of the property, instead of
parsing qualifiers like 'static' or 'get' initially as names and then
re-parsing. This change is easier to reason about, very slightly (4%)
faster in some cases (although slower in other, less common ones, though
this slowdown will be fixed in an upcoming patch), and is a prerequisite
for separating the parsing of object and class literal properties, which
will become increasingly important as ECMAScript adds more class features.

This is a reland of https://codereview.chromium.org/2278153004/,
which fixes the issue causing the revert and adds more tests.

Review-Url: https://codereview.chromium.org/2300503002
Cr-Commit-Position: refs/heads/master@{#39056}
2016-08-31 21:14:14 +00:00
jkummerow
e1cb562224 [elements] Fix GetEntryForIndexImpl to honor array length
Previously, fast holey elements accessors would detect element presence
by simply doing a hole check on any slot within the backing store's
capacity. This relied on the (mostly-true but brittle) assumption that
slots beyond the length are always correctly zapped with The Hole.

Review-Url: https://codereview.chromium.org/2297253002
Cr-Commit-Position: refs/heads/master@{#39051}
2016-08-31 17:46:34 +00:00
bmeurer
7b79224b21 [crankshaft] Disable further folding already folded allocations.
When we try to further fold previously folded allocations in Crankshaft
GVN we don't properly transform the allocations involved, which causes
the mechanism to leave holes in the new/old space (and thereby violate
the iterability property of the new/old space).

BUG=chromium:621868
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2297983003
Cr-Commit-Position: refs/heads/master@{#39040}
2016-08-31 09:48:45 +00:00
adamk
9c00c88902 Remove duplicated code from comma-separated Expression parsing
This removes two bits of duplication:
  - Parsing of each AssignmentExpression, which previously was called
    first outside the loop and then inside the loop.
  - Parsing of arrow rest parameters, which previously was handled
    separately for the one-arg and N-arg cases.

The only change in behavior is in a few error messages.

Review-Url: https://codereview.chromium.org/2279363002
Cr-Commit-Position: refs/heads/master@{#39030}
2016-08-31 01:24:19 +00:00
mtrofin
03f3da45e1 [wasm] mjsunit support for I32 globals and test
Test ensuring globals are isolated between instances. Also
added support for globals section to mjsunit's
WebModuleBuilder as a prerequisite.

BUG=

Review-Url: https://codereview.chromium.org/2296993002
Cr-Commit-Position: refs/heads/master@{#39028}
2016-08-31 00:36:18 +00:00
ahaas
9f747be5a7 [wasm] Check the input of grow-memory before calling the runtime.
If the input of grow-memory was not representable as a SMI, then the
input was not passed correctly to the runtime, which caused a crash.
With this CL the input of grow-memory is checked before the runtime is
called.

R=titzer@chromium.org, gdeepti@chromium.org
TEST=mjsunit/wasm/grow-memory.js:testGrowMemoryTrapsWithNonSmiInput()

Review-Url: https://codereview.chromium.org/2288773002
Cr-Commit-Position: refs/heads/master@{#39022}
2016-08-30 17:00:24 +00:00
epertoso
bdf5566281 [turbofan] Treat the INT32 state of a truncating binary op IC as number or oddball on 32-bit machines.
This was causing a few unexpected deopt loops.

BUG=v8:5320

Review-Url: https://codereview.chromium.org/2292873002
Cr-Commit-Position: refs/heads/master@{#39019}
2016-08-30 14:13:34 +00:00
ahaas
510246f6e2 [wasm] Use the native_context for the TypeError in ToJS()
With this CL we use isolate->native_context() to provide a context for
the CEntryStub of the runtime call. The native_context() is sufficient
here because Runtime::kWasmThrowTypeError does not use the context.

R=titzer@chromium.org
TEST=mjsunit/wasm/ffi-error.js
BUG=chromium:639492

Review-Url: https://codereview.chromium.org/2291043002
Cr-Commit-Position: refs/heads/master@{#39014}
2016-08-30 12:46:02 +00:00
bmeurer
864cdc124c [test] Speed-up regression test for growing stores.
TBR=machenbach@chromium.org
BUG=chromium:635798,chromium:638295

Review-Url: https://codereview.chromium.org/2288813003
Cr-Commit-Position: refs/heads/master@{#38991}
2016-08-30 04:04:32 +00:00
littledan
5af4cd9840 Disallow tail calls from async functions and generators
Tail calls don't make sense from async functions and generators, as
each activation of these functions needs to make a new, distnict,
non-reused generator object. These tail calls are not required per
spec. This patch disables both syntactic and implicit tail calls
in async functions and generators.

R=neis
BUG=v8:5301,chromium:639270

Review-Url: https://codereview.chromium.org/2278413003
Cr-Commit-Position: refs/heads/master@{#38986}
2016-08-29 18:31:35 +00:00
bgeron
791118fca5 [turbofan] Also inline into try blocks.
This removes test/webkit/fast/js/stack-overflow-arrity-catch.js, which tests that the stack overflows in a very particular way. It doesn't seem to test anything important, and only used to work because we didn't inline into try-blocks.

BUG=
R=jarin

Review-Url: https://codereview.chromium.org/2216353002
Cr-Commit-Position: refs/heads/master@{#38976}
2016-08-29 11:27:06 +00:00
bgeron
d90d76bdb5 [turbofan] Improve inline-exception tests.
- Make constants more interesting.
- Add an addition to be done after the inlined call in the try-block.
- On command line, have a bit more output.
- New alternative that deopts from unoptimized code.

BUG=
R=jarin

Review-Url: https://codereview.chromium.org/2285743002
Cr-Commit-Position: refs/heads/master@{#38974}
2016-08-29 11:17:16 +00:00
verwaest
5558a50878 Merge DeclarationScope::temps_ and Scope::ordered_variables_ into Scope::locals_
BUG=v8:5209

Review-Url: https://codereview.chromium.org/2272083003
Cr-Commit-Position: refs/heads/master@{#38920}
2016-08-25 19:12:00 +00:00
jarin
2a97b1bcb1 Reland of [turbofan] Insert dummy values when changing from None type.
This reverts commit a55fdb1e7c, relands
https://codereview.chromium.org/2266823002/.

BUG=chromium:638132

Review-Url: https://codereview.chromium.org/2277283002
Cr-Commit-Position: refs/heads/master@{#38917}
2016-08-25 16:58:13 +00:00
bgeron
244d9ccd40 [turbofan] Tests for inlining calls, constructors, property access inside try..catch..finally.
These tests were spliced out of changelist 2216353002 and extended.

BUG=

Review-Url: https://codereview.chromium.org/2245263003
Cr-Commit-Position: refs/heads/master@{#38906}
2016-08-25 12:50:48 +00:00
bmeurer
a55fdb1e7c Revert of [turbofan] Insert dummy values when changing from None type. (patchset #5 id:80001 of https://codereview.chromium.org/2266823002/ )
Reason for revert:
Octane/Mandreel aborts with an exception now:

TypeError: __FUNCTION_TABLE__[(r2 >> 2)] is not a function

Original issue's description:
> [turbofan] Insert dummy values when changing from None type.
>
> Currently we choose the MachineRepresentation::kNone representation for
> values of Type::None, and when converting values from the kNone representation
> we use "impossible" conversions that will crash at runtime. This
> assumes that the impossible conversions should never be hit (the only
> way to produce the impossible values is to perform an always-failing
> runtime check on a value, such as Smi-checking a string). Note that
> this assumes that the runtime check is executed before the impossible
> convesrion.
>
> Introducing BitwiseOr type feedback broke this in two ways:
>
> - we always pick Word32 representation for bitwise-or, so the
>   impossible conversion does not trigger (it only triggers with
>   None representation), and we could end up with unsupported
>   conversions from Word32.
>
> - even if we inserted impossible conversions, they are pure conversions.
>   Since untagging, bitwise-or operations are also pure, we could hoist
>   all these before the smi check of the inputs and we could hit the
>   impossible conversions before we get to the smi check.
>
> This CL addresses this by just providing dummy values for conversions
> from the Type::None type. It also removes the impossible-to-* conversions.
>
> BUG=chromium:638132
>
> Committed: https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe
> Cr-Commit-Position: refs/heads/master@{#38883}

TBR=mstarzinger@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:638132

Review-Url: https://codereview.chromium.org/2280613002
Cr-Commit-Position: refs/heads/master@{#38893}
2016-08-25 08:50:23 +00:00
bmeurer
b471d4ab5c [turbofan] Disable LoadElimination completely for asm.js.
There's no point in running the LoadElimination on asm.js functions and
it would take serious amount of effort to actually make it correct for
the deprecated parts of the pipeline.

R=jarin@chromium.org
BUG=v8:5308

Review-Url: https://codereview.chromium.org/2276273002
Cr-Commit-Position: refs/heads/master@{#38884}
2016-08-25 06:14:59 +00:00
jarin
c83b21ab75 [turbofan] Insert dummy values when changing from None type.
Currently we choose the MachineRepresentation::kNone representation for
values of Type::None, and when converting values from the kNone representation
we use "impossible" conversions that will crash at runtime. This
assumes that the impossible conversions should never be hit (the only
way to produce the impossible values is to perform an always-failing
runtime check on a value, such as Smi-checking a string). Note that
this assumes that the runtime check is executed before the impossible
convesrion.

Introducing BitwiseOr type feedback broke this in two ways:

- we always pick Word32 representation for bitwise-or, so the
  impossible conversion does not trigger (it only triggers with
  None representation), and we could end up with unsupported
  conversions from Word32.

- even if we inserted impossible conversions, they are pure conversions.
  Since untagging, bitwise-or operations are also pure, we could hoist
  all these before the smi check of the inputs and we could hit the
  impossible conversions before we get to the smi check.

This CL addresses this by just providing dummy values for conversions
from the Type::None type. It also removes the impossible-to-* conversions.

BUG=chromium:638132

Review-Url: https://codereview.chromium.org/2266823002
Cr-Commit-Position: refs/heads/master@{#38883}
2016-08-25 06:06:58 +00:00
littledan
aae17eb31b Do not trigger ExceptionEvents for another forwarding case
This patch fixes up one last case of redundant ExceptionEvents being
triggered in the debugger for Promises--it makes the default reject
handler for Promises (e.g., if the second argument for
Promise.prototype.then is missing) appear to the debugger as a
rethrow.

R=adamk@chromium.org,jgruber@chromium.org
BUG=v8:5167

Review-Url: https://codereview.chromium.org/2278643002
Cr-Commit-Position: refs/heads/master@{#38876}
2016-08-24 20:38:13 +00:00
jarin
dc330f2bd3 [turbofan] Fix merging of empty and non-empty state in load elimination.
Unfortunately, I was unable to produce a repro without asm.js. In normal
JavaScript, the bounds check renaming saves us.

I have not done anything about the index variable aliasing and handling
of differently sized elements yet!

BUG=chromium:639210, v8:5266

Review-Url: https://codereview.chromium.org/2270793004
Cr-Commit-Position: refs/heads/master@{#38874}
2016-08-24 17:14:24 +00:00
mstarzinger
b52aecac7e [compiler] Make Compiler::EnsureBytecode not switch tiers.
This preserves the original shared code of the underlying function when
bytecode is provided. The method in question should only ensure bytecode
is present, but should avoid switching compilation tiers of the given
function. It might be that the function was fast-tracked to baseline by
inlining without going through the interpreted tier first.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-635923
BUG=chromium:635923

Review-Url: https://codereview.chromium.org/2278543002
Cr-Commit-Position: refs/heads/master@{#38866}
2016-08-24 14:09:59 +00:00
bmeurer
6646d73b6f [turbofan] Use ObjectIsReceiver directly for inlining.
Don't bother using %_IsJSReceiver, which immediately gets lowered to
ObjectIsReceiver anyways (by the JSIntrinsicLowering), but requires
some complicated rewiring of effect/control chains.

R=mstarzinger@chromium.org
BUG=chromium:640369

Review-Url: https://codereview.chromium.org/2271973003
Cr-Commit-Position: refs/heads/master@{#38864}
2016-08-24 11:09:32 +00:00
littledan
013e49f73c Change which ExceptionEvents are triggered by Promises
To make async/await catch prediction work well, this patch regularizes
the exception events sent to DevTools from various places in the Promise
lifecycle. The core is that there should be an exception event when the
rejection first starts, rather than when it is propagated.

- Several cases within Promise code which propagate errors are
  modified to not trigger a new ExceptionEvent in that case, such
  as .then on a rejected Promise and returning a rejected Promise
  from .then, as well as Promise.race and Promise.all.
- Make Promise.reject() create an ExceptionEvent, subject to catch
  prediction based on the Promise stack. This is important
  so that, e.g., if "await Promise.reject()" will trigger a new
  throw (rather than a silent rethrow of something that never
  triggered an event in the first place).

BUG=v8:5167

Review-Url: https://codereview.chromium.org/2244003003
Cr-Commit-Position: refs/heads/master@{#38847}
2016-08-24 00:20:50 +00:00
mstarzinger
09a7ac5fca [deoptimizer] Potentially deopt into debug bytecode.
This makes sure the deoptimizer picks bytecode prepared for debugging
when materializing an interpreted frame if one is available. This is
normally done by the interpreter entry trampoline and hence needs to be
replicated by the deoptimizer.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2271443003
Cr-Commit-Position: refs/heads/master@{#38815}
2016-08-23 11:55:47 +00:00
bradnelson
e5f5ac7d2b [wasm] asm.js - Remove Wasm.instantiateModuleFromAsm, use asm.js directly.
Make use of %IsAsmWasmCode in place of Wasm.instantiateModuleFromAsm,
in order to reduce the surface area of the Wasm object,
and to focus on testing asm.js coming in via the parser.

Ignore extra CONST_LEGACY assignment introduced by the parser
when modules have the form:
(function Foo(a, b, c) {..});
This requires both a validator and AsmWasmBuilder change.

Move stdlib use collection to import time,
to reject modules that import a function, even if not used.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org

Review-Url: https://codereview.chromium.org/2264913002
Cr-Commit-Position: refs/heads/master@{#38806}
2016-08-23 04:07:23 +00:00
littledan
b2a257f9ff Remove --promise-extra flag
This flag was shipped on in 52, so it's due for removal. The patch includes
removing the deprecated and unused-in-Blink API Promise::Chain, and many
test updates.

R=adamk@chromium.org
BUG=v8:4633

Review-Url: https://codereview.chromium.org/2267033002
Cr-Commit-Position: refs/heads/master@{#38804}
2016-08-22 21:35:06 +00:00
mattloring
da5d713d73 [builtins] Array indexOf in TurboFan/Runtime
Includes fast paths in the runtime for
DictionaryElementsAccessor, FastSmiOrObjectElementsAccessor,
FastDoubleElementsAccessor, TypedElementsAccessor, and
SloppyArgumentsElementsAccessor.

BUG=

Review-Url: https://codereview.chromium.org/2232063002
Cr-Commit-Position: refs/heads/master@{#38800}
2016-08-22 18:37:08 +00:00
bradnelson
2d46ef23b1 [wasm] asm.js - Check stdlib functions are valid.
Check remaining asm.js stdlib functions for validitity at instatiation.

Fail when a member is referenced, even if not used.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org

Review-Url: https://codereview.chromium.org/2267633002
Cr-Commit-Position: refs/heads/master@{#38796}
2016-08-22 17:17:57 +00:00
franzih
6e665b094e [turbofan] Induction variable bound analysis for decrements.
This detects loops with integer decrements.

Drive-by fix: Add lower bounds to lower_bounds
zone vector instead of upper_bounds.

BUG=

Review-Url: https://codereview.chromium.org/2260153002
Cr-Commit-Position: refs/heads/master@{#38772}
2016-08-22 09:21:42 +00:00
bradnelson
561bfcb70d [wasm] asm.js - Check stdlib.NaN is valid, prepare for the rest.
Record which asm.js stdlib members are used and add a check that NaN is actually correctly set. Other stdlib members to be added in a later change.

Also add a stdlib argument to Wasm.instantiateModuleFromAsm, in preparation for that function to be replaced by normal asm.js instantiation.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org

Review-Url: https://codereview.chromium.org/2251433002
Cr-Commit-Position: refs/heads/master@{#38760}
2016-08-19 18:26:24 +00:00
verwaest
10c72887b5 Move asm_module_ and asm_function_ down to DeclarationScope
BUG=v8:5209

Review-Url: https://codereview.chromium.org/2253913002
Cr-Commit-Position: refs/heads/master@{#38753}
2016-08-19 13:29:34 +00:00
bmeurer
99edc1b8e7 [turbofan] Unify Int32Add/Sub representation selection rules.
Unify the representation selection rules for NumberAdd/Subtract and
SpeculativeNumberAdd/Subtract wrt. Int32Add/Sub selection. We can
safely use Int32Add/Sub as long as the inputs are in the safe additive
integer range and the output is either truncated to Word32 or provably
in Signed32 or Unsigned32 range.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2253293005
Cr-Commit-Position: refs/heads/master@{#38746}
2016-08-19 09:50:22 +00:00
ahaas
bb187a106e [wasm] Add stack checks at the beginning of each function.
TEST=mjsunit/wasm/stack.js:testStackOverflow

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2256603002
Cr-Commit-Position: refs/heads/master@{#38742}
2016-08-19 08:54:39 +00:00
mtrofin
d64bd5f506 [wasm] removed redundant load line from mjsunit test
BUG=

Review-Url: https://codereview.chromium.org/2261643002
Cr-Commit-Position: refs/heads/master@{#38735}
2016-08-19 06:13:12 +00:00
ahaas
92b7c728e2 [wasm] Throw a type error if an I64 is exported to JS.
As required by the spec, ToJS now throws a TypeError fit I64 values
instead of truncating the I64 value to I32. To throw a TypeError I
introduced a new runtime function because the existing
Runtime::kThrowWasmError does not throw a TypeError. Since we have calls
to two runtime functions now, and an additional one is needed for stack
checks, I extracted the call to runtime functions into a helper function.

R=titzer@chromium.org

TEST=mjsunit/wasm/ffi-error.js:I64InSignatureThrows

Review-Url: https://codereview.chromium.org/2254803002
Cr-Commit-Position: refs/heads/master@{#38718}
2016-08-18 14:33:08 +00:00
mstarzinger
8ab555cc15 [interpreter] Fix canonicalization when preserving bytecode.
This fixes canonicalization of {SharedFunctionInfo} objects in the
{Compiler::GetSharedFunctionInfo} method when bytecode is preserved.
Eager compilation is only triggered when no code is present.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-638551
BUG=chromium:638551

Review-Url: https://codereview.chromium.org/2245263006
Cr-Commit-Position: refs/heads/master@{#38709}
2016-08-18 10:42:40 +00:00
neis
074aa90ca5 [test] Fix copy&paste error in bug link.
TBR=littledan@chromium.org
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2259793002
Cr-Commit-Position: refs/heads/master@{#38701}
2016-08-18 08:44:32 +00:00
rmcilroy
477495c886 [Parser] Track ContainsDot for SMI values.
Ensures SMI values have SMI type even if they have a dot (e.g., 1.0).
Adds SMI_WITH_DOT type to maintain this.

BUG=chromium:638134

Review-Url: https://codereview.chromium.org/2248693005
Cr-Commit-Position: refs/heads/master@{#38698}
2016-08-18 08:15:43 +00:00
mstarzinger
f9763eb275 [wasm] Fix asm.js module instantiation on retry.
This fixes the case where a module is instantiated twice via the same
closure when in the meantime another closure has destroyed and removed
the WASM data attached to the SharedFunctionInfo.

R=bradnelson@chromium.org
TEST=mjsunit/asm/asm-validation
BUG=v8:4203

Review-Url: https://codereview.chromium.org/2253613004
Cr-Commit-Position: refs/heads/master@{#38696}
2016-08-18 07:44:30 +00:00
mtrofin
93b7251f74 [wasm] binary and test for hosts' integration tests
Ensure wasm binaries intended to be used in hosts of v8, such as
chromium, are up to date.

See https://codereview.chromium.org/2255673003/

BUG=v8:5072

Review-Url: https://codereview.chromium.org/2259693002
Cr-Commit-Position: refs/heads/master@{#38694}
2016-08-18 03:18:14 +00:00
bakkot
95e0ba65ec Reland of Amends the TypedArray constructor to use the path for primitives for all (patchset #1 id:1 of https://codereview.chromium.org/2120763002/ )
Reason for revert:
WebGL tests have been updated and rolled (at https://codereview.chromium.org/2227023002), so this should no longer fail outdated tests.

Original issue's description:
> Revert of Amends the TypedArray constructor to use the path for primitives for all (patchset #4 id:60001 of https://codereview.chromium.org/2096873002/ )
>
> Reason for revert:
> Speculative revert to unblock roll https://codereview.chromium.org/2114113002/
>
> Original issue's description:
> > Amends the TypedArray constructor to use the path for primitives for all
> > types of primitives, not just undefined, booleans, numbers, and strings.
> > (The missing cases were null and Symbol.) This is required by the
> > specification, and there are test262 tests which we were failing due to
> > this bug.
> >
> > BUG=v8:5124
> >
> > Committed: https://crrev.com/f788bd9cce19815cba746e47bb65abfe25c16208
> > Committed: https://crrev.com/f772c22cd1c492aa0235a8e6012d0386146d2eb2
> > Cr-Original-Commit-Position: refs/heads/master@{#37234}
> > Cr-Commit-Position: refs/heads/master@{#37407}
>
> TBR=littledan@chromium.org,bakkot@google.com
> NOTREECHECKS=true
> BUG=v8:5124
>
> Committed: https://crrev.com/9c0aef52fa672db856ebfac7f4bdcd7d7b103663
> Cr-Commit-Position: refs/heads/master@{#37487}

TBR=littledan@chromium.org,hablich@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5124

Review-Url: https://codereview.chromium.org/2255543002
Cr-Commit-Position: refs/heads/master@{#38691}
2016-08-17 17:44:11 +00:00
bakkot
a3c13435aa Reland of Amend DataView, ArrayBuffer, and TypedArray methods to use ToIndex. (patchset #2 id:170001 of https://codereview.chromium.org/2113593002/ )
Reason for revert:
WebGL tests have been updated and rolled (at https://codereview.chromium.org/2227023002), so this should no longer fail outdated tests.

Original issue's description:
> Revert of Amend DataView, ArrayBuffer, and TypedArray methods to use ToIndex. (patchset #8 id:140001 of https://codereview.chromium.org/2090353003/ )
>
> Reason for revert:
> Speculative revert to unblock roll: https://codereview.chromium.org/2107223003/
>
> Original issue's description:
> > Amend DataView, ArrayBuffer, and TypedArray methods to use ToIndex.
> >
> > The spec was modified to relax some requirements which implementors had not been
> > enforcing. Part of this process involved introducing a new abstract operation
> > ToIndex, which had partial overlap with our existing semantics as well as some
> > differences (most notably treating undefined as 0). Test262 tests were introduced to
> > check for the new semantics, some of which we were failing. This patch amends the
> > parts of our implementation corresponding to specification algorithms which use
> > ToIndex to follow its semantics precisely.
> >
> > BUG=v8:4784,v8:5120
> >
> > Committed: https://crrev.com/09720349ea058d178521ec58d0a5676443a5a132
> > Cr-Commit-Position: refs/heads/master@{#37406}
>
> TBR=littledan@chromium.org,adamk@chromium.org,bakkot@google.com
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:4784,v8:5120
>
> Committed: https://crrev.com/b1f7f1f4e41a723d5f997738a07e35a031713b8f
> Cr-Commit-Position: refs/heads/master@{#37417}

TBR=littledan@chromium.org,adamk@chromium.org,hablich@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:4784,v8:5120

Review-Url: https://codereview.chromium.org/2247073004
Cr-Commit-Position: refs/heads/master@{#38689}
2016-08-17 17:38:56 +00:00
bradnelson
d0e52555f0 [wasm] Support validation of asm.js modules with != 3 args.
Our previous per-arch instantiation thunks for asm.js
didn't support modules that had or were called with anything other
than 3 arguments. Adding support for this.

Addding a runtime test method to check if asm validation succeeded.

Adding a test of validation with different argument count combinations.

R=mstarzinger@chromium.org
TEST=mjsunit/asm/asm-validator.js
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203

Review-Url: https://codereview.chromium.org/2229723002
Cr-Commit-Position: refs/heads/master@{#38688}
2016-08-17 17:22:30 +00:00
neis
7fe4d930c9 [interpreter] Don't assume generator functions do an initial yield.
Async functions are implemented via special generator functions; special in the
sense that they generally do not immediately yield.  However, our generators
implementation still assumed that every generator function initially yields
(concretely: before doing the state dispatch in a loop header).  This CL fixes
that.

R=littledan@chromium.org, rmcilroy@chromium.org
BUG=chromium:638019

Review-Url: https://codereview.chromium.org/2253033002
Cr-Commit-Position: refs/heads/master@{#38684}
2016-08-17 15:03:43 +00:00
jarin
b190d13331 [turbofan] Only do value numbering when types are compatible.
At the moment, two NumberConstant nodes get different type even if their
value is the same because we always allocate a new heap number for
each number constant. This can lead to replacing a node with a node of
disjoint type in value numbering, which can result in incorrect code
down the line because of inconsistent types.

This fix makes sure that we only replace a node with a sub-type
node. Once we introduce a proper type for number constants, we can
move back to the intersection typing in value numbering.

Unfortunately, it is quite hard to write a repro for this because we cache NumberConstant nodes. We only throw away cached values that have too many conflicts (>5), so the test has to contain values that fall into the same bucket. That's where the magic floating point numbers in the test come from (they have the same low 8-bits of their hashes).

BUG=chromium:633497

Review-Url: https://codereview.chromium.org/2251833002
Cr-Commit-Position: refs/heads/master@{#38675}
2016-08-17 08:45:26 +00:00
verwaest
860a3ce26f Declare 'this' as DYNAMIC_GLOBAL on the script_scope
Follow-up cleanup to https://codereview.chromium.org/2231813003

BUG=

Review-Url: https://codereview.chromium.org/2237873002
Cr-Commit-Position: refs/heads/master@{#38643}
2016-08-16 07:44:10 +00:00
caitp
a9e470797b [parser] improve inferred function names for async arrow functions
No longer include the "async" keyword, or an async arrow function's single
identifier parameter as part of its inferred name.

BUG=v8:5281, v8:4483
R=adamk@chromium.org, littledan@chromium.org, marja@chromium.org

Review-Url: https://codereview.chromium.org/2235423003
Cr-Commit-Position: refs/heads/master@{#38627}
2016-08-12 22:47:11 +00:00
yangguo
f03bebc77d [debugger] add mixed-stack tests.
R=jgruber@chromium.org, mstarzinger@chromium.org
BUG=v8:5265

Review-Url: https://codereview.chromium.org/2246483002
Cr-Commit-Position: refs/heads/master@{#38621}
2016-08-12 13:51:19 +00:00
bmeurer
665f0e4020 [turbofan] Fix CheckedInt32Mod lowering for -0 case with negative left hand side.
Properly deoptimize if the left hand side of a CheckedInt32Mod is
negative and the result of the operation is zero.

R=jarin@chromium.org
BUG=v8:5286

Review-Url: https://codereview.chromium.org/2243803002
Cr-Commit-Position: refs/heads/master@{#38615}
2016-08-12 12:13:51 +00:00
jgruber
d252808011 Handle missing context when getting frame details
This bug was triggered by a very specific combination:

* A context-allocated variable at script scope.
* OSR optimization.
* A scheduled breakpoint, which triggers at stack checks.

Stack checks differ from other possible breakpoint locations in that
the context (among other things) may be in a register and not on the
stack, making it impossible to recover during deoptimization. The
frame_inspector then returns undefined when asked for the context.

In GetFrameDetails, handle this case by omitting all context-allocated
variables.

BUG=v8:5279

Review-Url: https://codereview.chromium.org/2245603002
Cr-Commit-Position: refs/heads/master@{#38611}
2016-08-12 11:20:19 +00:00
yangguo
1b43aab528 [debugger] add test for debug evaluate.
This test would have failed prior to 58524d6df3.

R=verwaest@chromium.org

Review-Url: https://codereview.chromium.org/2235323003
Cr-Commit-Position: refs/heads/master@{#38610}
2016-08-12 11:18:59 +00:00
verwaest
e77a78cd2d Cleanup scope resolution
BUG=v8:5209

Review-Url: https://codereview.chromium.org/2230323004
Cr-Commit-Position: refs/heads/master@{#38580}
2016-08-11 13:26:06 +00:00
bmeurer
b8f475045c [turbofan] Add inlined Array.prototype.pop support.
This adds a very first version of inlined Array.prototype.pop into
TurboFan optimized code. We currently limit the inlining to fast
object or smi elements, until the unclear situation around hole NaNs
is resolved and we have a clear semantics inside the compiler.

It's also probably overly defensive in when it's safe to inline
the call to Array.prototype.pop, but we can always extend that
later once we have sufficient trust in the implementation and see
an actual need to extend it.

BUG=v8:2229,v8:3952,v8:5267
R=epertoso@chromium.org

Review-Url: https://codereview.chromium.org/2239703002
Cr-Commit-Position: refs/heads/master@{#38578}
2016-08-11 13:13:21 +00:00
ahaas
8d4910893c [wasm] Allow import function to be any kind of callables.
With this CL all kinds of Callable can imported into wasm. Please take a special look at the context that is used now in the WasmToJSWrapper.

BUG=633895
TEST=mjsunit/wasm/ffi.js

Review-Url: https://codereview.chromium.org/2208703002
Cr-Commit-Position: refs/heads/master@{#38569}
2016-08-11 08:33:54 +00:00
gdeepti
fe555065ea Revert runtime lowering of wasm SIMD ops
This CL reverts the runtime lowering introduced here -
https://codereview.chromium.org/1991143002/
Additional ops to the runtime pass will cause GC issues as WASM frames may
have outgoing arguments to runtime calls that have pointers that aren't scanned.

Preserving decoding of SIMD opcodes and macros for native implementations.

R=bbudge@chromium.org, mtrofin@chromium.org, bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2235013002
Cr-Commit-Position: refs/heads/master@{#38564}
2016-08-10 21:39:21 +00:00
littledan
7ea3b09982 Destructuring/default tests for generators and async functions
This patch adds additional tests for async functions and generators, in how
they interact with destructuring, default arguments and shadow parameter
copying.

BUG=v8:5167

Review-Url: https://codereview.chromium.org/2229243002
Cr-Commit-Position: refs/heads/master@{#38560}
2016-08-10 19:32:29 +00:00
mstarzinger
685210ecb0 [interpreter] Switch profiler to use frames for OSR.
This switches the interface of the runtime profiler to use frames as
opposed to functions for performing on-stack replacement. Requests for
such replacements need to target a specific frame. This will enable us
to activate bytecode as well as baseline code for the same function.

The existing %OptimizeOsr runtime function also had to adapted and now
takes an optional stack depth to target a specific stack frame.

R=bmeurer@chromium.org
BUG=v8:4764

Review-Url: https://codereview.chromium.org/2230783004
Cr-Commit-Position: refs/heads/master@{#38548}
2016-08-10 15:59:31 +00:00
jgruber
4cff8218b8 Allow access to scopes of suspended generator objects
The scopes of suspended generators can now be accessed through GeneratorMirror
(similar to FrameMirror).

BUG=v8:5235

Review-Url: https://codereview.chromium.org/2228393002
Cr-Commit-Position: refs/heads/master@{#38530}
2016-08-10 11:14:45 +00:00
epertoso
9e14155da9 [turbofan] Fix CheckedInt32Mod lowering.
We now deopt when the lhs of a mod is negative and the rhs is 1 too (previously, we erroneusly returned 0 instead of -0).

BUG=v8:5278
R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2233713002
Cr-Commit-Position: refs/heads/master@{#38525}
2016-08-10 09:24:59 +00:00
bmeurer
7060bab81c [turbofan] Properly guard keyed stores wrt. setters in the prototype chain.
For holey/growing keyed stores, we need to check that there are no
setters in the prototype chain and protect against changes to that
via code dependencies.

R=verwaest@chromium.org
BUG=v8:5275,v8:5276

Review-Url: https://codereview.chromium.org/2231683002
Cr-Commit-Position: refs/heads/master@{#38514}
2016-08-10 06:30:22 +00:00
mtrofin
c001a9ecc1 [wasm] Serialization/Deserialization of compiled module
Implementation of serialization/deserialization for compiled wasm
module.

BUG=v8:5072

Review-Url: https://codereview.chromium.org/2205973003
Cr-Commit-Position: refs/heads/master@{#38498}
2016-08-09 15:19:38 +00:00
bmeurer
78727d4362 [runtime] %GrowArrayElements doesn't have a native context in TurboFan.
When we compile a growing store in TurboFan, we don't pass a (native)
context to the %GrowArrayElements fallback function, as the whole logic
is actually context independent. However, that means that we need to
bailout early in case the object is a prototype, which requires context
dependent checks in the array protector code.

R=cbruni@chromium.org
BUG=chromium:635798

Review-Url: https://codereview.chromium.org/2224253003
Cr-Commit-Position: refs/heads/master@{#38491}
2016-08-09 13:03:07 +00:00
mstarzinger
20e34ace72 [test] Mark flaky tests after variant split.
R=machenbach@chromium.org
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2227703002
Cr-Commit-Position: refs/heads/master@{#38486}
2016-08-09 12:05:06 +00:00
mstarzinger
b531266da1 [test] Split Ignition mjsunit expectations for variants.
R=rmcilroy@chromium.org

Review-Url: https://codereview.chromium.org/2227663002
Cr-Commit-Position: refs/heads/master@{#38483}
2016-08-09 11:06:38 +00:00
rmcilroy
c1ae15d930 [Interpreter] Don't try to create bytecode array if HasStackOverflow().
BUG=chromium:635429

Review-Url: https://codereview.chromium.org/2228503004
Cr-Commit-Position: refs/heads/master@{#38474}
2016-08-09 07:24:13 +00:00