Extend a test of namespace imports such that it accesses the object inside a
with statement (inside a sloppy function).
Drive-by-fix: remove duplicate initialization of embedder data (probably due to
bad merge).
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2405603003
Cr-Commit-Position: refs/heads/master@{#40129}
Also add a test for when the first argument is null or undefined, as there are no tests that cover this currently.
BUG=v8:5364
Review-Url: https://codereview.chromium.org/2399423003
Cr-Commit-Position: refs/heads/master@{#40127}
The spurious failures were caused by the compiled module
template and its corresponding owning object getting out of
sync due to memory allocations (which may trigger GC)
between the points each were fetched.
Specifically, the {original} was first obtained; then a GC
may happen when cloning the {code_table}. At this point,
the {original}'s owner may have been collected, getting us
down the path of not cloning. When time comes to patch up
globals, we incorrectly try to patch them assuming the
global start is at 0 (nullptr), which in fact it isn't.
This change roots early, in a GC-free area, both objects.
Additionally, it avoids publishing to the instances chain
the new instance until the very end. This way:
- the objects used to create the new instance offer a
consistent view
- the instances chain does not see the object we try to
form. If something fails, we can safely retry.
- since the owner is rooted, the state of the front of the
instances chain stays unchanged - with the same compiled
module we started from. So the early belief that we needed
to clone is not invalidated by any interspersed GC.
This situation suffers from a sub-optimality discussed in
the design document, in that, in a memory constrained
system, the following snippet may surprisingly fail:
var m = new WebAssembly.Module(...);
var i1 = new WebAssembly.Instance(m);
i1 = null;
var i2 = new WebAssembly.Instance(m); //may fail.
This will be addressed subsequently.
BUG=v8:5451
Review-Url: https://codereview.chromium.org/2395063002
Cr-Commit-Position: refs/heads/master@{#40126}
If an inner function only declares a variable but doesn't use it, Parser
and PreParser produced different unresolved variables, and that confused
the pessimistic context allocation.
This is continuation to https://codereview.chromium.org/2388183003/
This CL fixes more complicated declarations (which are not just one
identifier). For this, PreParser needs to accumulate identifiers used
in expressions.
In addition, this CL manifests FLAG_lazy_inner_functions in tests, so that
we get clusterfuzz coverage for it.
BUG=chromium:650969, v8:5501
Review-Url: https://codereview.chromium.org/2400613003
Cr-Commit-Position: refs/heads/master@{#40112}
There were once plans to generate cross-context code with TurboFan,
however that doesn't fit into the model anymore, and so all of this
is essentially dead untested code (and thus most likely already broken
in subtle ways). With this mode still in place it would also be a lot
harder to make inlining based on SharedFunctionInfo work.
BUG=v8:2206,v8:5499
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2406803002
Cr-Commit-Position: refs/heads/master@{#40109}
This implements namespace imports (import * as foo from "bar"), except for the
@@iterator property on namespace objects (to be done later).
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2388153003
Cr-Commit-Position: refs/heads/master@{#40096}
- Added gating code in the module-decoder to allow SIMD code only when
it can be decoded correctly
- SIMD128 values should not be exported to JS
- Try/Catch should not be available in asmjs modules
- Trivial fixes for S128 values
BUG=chromium:648079
R=ahaas@chromium.org, titzer@chromium.org, bradnelson@chromium.org
Review-Url: https://codereview.chromium.org/2400863003
Cr-Commit-Position: refs/heads/master@{#40067}
This patch sets `this` to be undefined when calling resolve and reject
functions attached to the deferred.
BUG=v8:5476
Review-Url: https://codereview.chromium.org/2399053003
Cr-Commit-Position: refs/heads/master@{#40056}
Imports and exports in 0xC can be much more than functions, including
tables, memories, and globals. This CL refactors the underlying
organization of imports and exports to support these new import types.
BUG=
Committed: https://crrev.com/599f8a83420346d9cba5ff97bd2a7520468207b6
Review-Url: https://codereview.chromium.org/2390113003
Cr-Original-Commit-Position: refs/heads/master@{#40033}
Cr-Commit-Position: refs/heads/master@{#40050}
Imports and exports in 0xC can be much more than functions, including
tables, memories, and globals. This CL refactors the underlying
organization of imports and exports to support these new import types.
BUG=
Review-Url: https://codereview.chromium.org/2390113003
Cr-Commit-Position: refs/heads/master@{#40033}
Fixes:
- Remove OsrGuards on frame specialization (for asm.js).
- Handle the rename in the walk for native context.
- Fix LoadContext effect wiring for Osr context chains.
Review-Url: https://codereview.chromium.org/2388303006
Cr-Commit-Position: refs/heads/master@{#40021}
Allow fround to take values without dots for globals (the spec allows this
subtly).
Drop over-restrictive assert preventing floating point globals from working.
BUG=v8:4203
R=jpp@chromium.org,aseemgarg@chromium.org
Review-Url: https://codereview.chromium.org/2397823003
Cr-Commit-Position: refs/heads/master@{#40013}
This makes sure we run the module tests against all variants using
Ignition as the first compilation tier. It will henceforth extend the
test coverage to the BytecodeGraphBuilder as well.
R=neis@chromium.org
Review-Url: https://codereview.chromium.org/2397733002
Cr-Commit-Position: refs/heads/master@{#39992}
Reason for revert:
Tanks the world.
Original issue's description:
> [turbofan] Osr value typing + dynamic type checks on entry.
>
> This introduces a new OsrGuard node that is inserted during graph building
> to guard the inferred type of the OSR value.
>
> The type of the OSR value is inferred by running the typer before OSR
> deconstruction, and then taking the type from the phi that takes the
> OSR value. After the deconstruction, we throw the types away.
>
> At the moment we only support the SignedSmall OSR type and we always
> pick the tagged representation. Later, we might want to support more
> types (such as Number) and pick better representations (int32/float64).
>
> This CL also removes the OSR deconstruction tests because they build
> unrealistic graph (no effect chain, no loop termination). I considered
> adding the effect chains to the tests, but this would make the tests
> even more brittle.
>
> Committed: https://crrev.com/1f5dc90a900d222da44bee3eff171a2ba1e3c076
> Cr-Commit-Position: refs/heads/master@{#39971}
TBR=bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2395783002
Cr-Commit-Position: refs/heads/master@{#39985}
The implementation of MemorySize with RelocatableInt32Constants is
problematic if MemorySize is placed close to a GrowMemory instruction in
the code. The use of a runtime function guarantees that the order in
which MemorySize and GrowMemory is executed is correct.
R=titzer@chromium.org
BUG=chromium:651961
TEST=mjsunit/regress/wasm/regression-651961
Committed: https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689
Review-Url: https://codereview.chromium.org/2386183004
Cr-Original-Commit-Position: refs/heads/master@{#39972}
Cr-Commit-Position: refs/heads/master@{#39980}
Reason for revert:
Patch problem
Original issue's description:
> [wasm] Call a runtime function for a MemorySize instruction.
>
> The implementation of MemorySize with RelocatableInt32Constants is
> problematic if MemorySize is placed close to a GrowMemory instruction in
> the code. The use of a runtime function guarantees that the order in
> which MemorySize and GrowMemory is executed is correct.
>
> R=titzer@chromium.org
> BUG=chromium:651961
> TEST=mjsunit/regress/wasm/regression-651961
>
> Committed: https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689
> Cr-Commit-Position: refs/heads/master@{#39972}
TBR=titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:651961
Review-Url: https://codereview.chromium.org/2391223002
Cr-Commit-Position: refs/heads/master@{#39973}
The implementation of MemorySize with RelocatableInt32Constants is
problematic if MemorySize is placed close to a GrowMemory instruction in
the code. The use of a runtime function guarantees that the order in
which MemorySize and GrowMemory is executed is correct.
R=titzer@chromium.org
BUG=chromium:651961
TEST=mjsunit/regress/wasm/regression-651961
Review-Url: https://codereview.chromium.org/2386183004
Cr-Commit-Position: refs/heads/master@{#39972}
This introduces a new OsrGuard node that is inserted during graph building
to guard the inferred type of the OSR value.
The type of the OSR value is inferred by running the typer before OSR
deconstruction, and then taking the type from the phi that takes the
OSR value. After the deconstruction, we throw the types away.
At the moment we only support the SignedSmall OSR type and we always
pick the tagged representation. Later, we might want to support more
types (such as Number) and pick better representations (int32/float64).
This CL also removes the OSR deconstruction tests because they build
unrealistic graph (no effect chain, no loop termination). I considered
adding the effect chains to the tests, but this would make the tests
even more brittle.
Review-Url: https://codereview.chromium.org/2384113002
Cr-Commit-Position: refs/heads/master@{#39971}
This fixes a gc stress bug. We cannot rely on an ordering of
clearing of the weak cells, so we explicitly reset the weak
link to the owning instance, when finalizing a compiled
module. In turn, this serves as a reliable signal when GCs
happen while instantiating, allowing us to correctly link the
new instance.
BUG=chromium:652425
Review-Url: https://codereview.chromium.org/2393443003
Cr-Commit-Position: refs/heads/master@{#39964}
Previously, b6e9f625c1 fixed self-assignment
in parameters to throw. But it failed to deal with the case of
destructuring with defaults. This patch extends that previous approach
to always treat the end of a parameter as its initializer position,
whether it has an initializer or not.
This is the minimal change to make it easy to merge; a follow-up
will rename the field of Parameter from "initializer_end_position"
to "end_position".
BUG=v8:5454
Review-Url: https://codereview.chromium.org/2390943002
Cr-Commit-Position: refs/heads/master@{#39962}
In some (rare) cases, the context depth passed to a dynamic variable lookup can
be zero. In these cases, the fast path for the lookup (i.e. load from context or
global) can always be taken, as there is no need to search the current context.
However, with no slow path checks, the bytecode graph builder had a null
environment for the slow path, causing segfaults when this graph was built.
This patch adds a null check for the slow path environment, and skips building
the slow path if the environment is null.
BUG=chromium:652186
Review-Url: https://codereview.chromium.org/2385123002
Cr-Commit-Position: refs/heads/master@{#39949}
If an inner function only declares a variable but doesn't use it, Parser
and PreParser produced different unresolved variables, and that confused
the pessimistic context allocation.
BUG=chromium:650969
Review-Url: https://codereview.chromium.org/2388183003
Cr-Commit-Position: refs/heads/master@{#39947}
Currently the parameter is first parsed as a reference, and then translated into a parameter. The reference stays around though, and gets resolved to the parameter. That automatically creates a use. Now that I drop all unresolved references when we abort preparsing, that also drops the unresolved reference.
Instead, mark the variable as used when its marked as forced context allocation. That's what happens in almost all other cases.
This raises the question: does it really make sense to parse parameters this ways? It seems pretty generic, but neither fast nor memory-efficient ... Did I misunderstand something?
Just land if you think the CL looks good as is.
BUG=chromium:651613
Review-Url: https://codereview.chromium.org/2386623002
Cr-Commit-Position: refs/heads/master@{#39935}
This is essentially CL/2275293002, with the difference that the effect
dependencies are now updated correctly.
BUG=
Review-Url: https://codereview.chromium.org/2378773013
Cr-Commit-Position: refs/heads/master@{#39919}
Before evaluating a module, all variables declared at the top-level
in _any_ of the modules in the dependency graph must be initialized.
This is observable because a module A can access a variable imported
from module B (e.g. a function) at a point when module B's body hasn't
been evaluated yet.
We achieve this by implementing modules internally as generators with
two states (not initialized, initialized).
R=adamk@chromium.org
BUG=v8:1569
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_win_dbg
Committed: https://crrev.com/f4dfb6fbe1cdd9a0f287a1a9c496e1f69f6f5d20
Committed: https://crrev.com/8c52a411583e870bd5ed100864caa58f491c5d88
Review-Url: https://codereview.chromium.org/2375793002
Cr-Original-Original-Commit-Position: refs/heads/master@{#39871}
Cr-Original-Commit-Position: refs/heads/master@{#39892}
Cr-Commit-Position: refs/heads/master@{#39900}
Reason for revert:
Speculative revert for christmas tree
Original issue's description:
> Reland: [modules] Properly initialize declared variables.
>
> Before evaluating a module, all variables declared at the top-level
> in _any_ of the modules in the dependency graph must be initialized.
> This is observable because a module A can access a variable imported
> from module B (e.g. a function) at a point when module B's body hasn't
> been evaluated yet.
>
> We achieve this by implementing modules internally as generators with
> two states (not initialized, initialized).
>
> R=adamk@chromium.org
> BUG=v8:1569
> CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_win_dbg
>
> Committed: https://crrev.com/f4dfb6fbe1cdd9a0f287a1a9c496e1f69f6f5d20
> Committed: https://crrev.com/8c52a411583e870bd5ed100864caa58f491c5d88
> Cr-Original-Commit-Position: refs/heads/master@{#39871}
> Cr-Commit-Position: refs/heads/master@{#39892}
TBR=adamk@chromium.org,mstarzinger@chromium.org,machenbach@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2387593002
Cr-Commit-Position: refs/heads/master@{#39896}
Before evaluating a module, all variables declared at the top-level
in _any_ of the modules in the dependency graph must be initialized.
This is observable because a module A can access a variable imported
from module B (e.g. a function) at a point when module B's body hasn't
been evaluated yet.
We achieve this by implementing modules internally as generators with
two states (not initialized, initialized).
R=adamk@chromium.org
BUG=v8:1569
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_win_dbg
Committed: https://crrev.com/f4dfb6fbe1cdd9a0f287a1a9c496e1f69f6f5d20
Review-Url: https://codereview.chromium.org/2375793002
Cr-Original-Commit-Position: refs/heads/master@{#39871}
Cr-Commit-Position: refs/heads/master@{#39892}
Note that the offset can still be out of bounds, even after grow memory. The calculation of the remaining size can overflow.
R=gdeepti@chromium.org
BUG=chromium:644670
Review-Url: https://codereview.chromium.org/2376153003
Cr-Commit-Position: refs/heads/master@{#39886}
Making new nodes inside of exception-handled blocks fiddles around with the
current environment to merge the exception paths. In particular, the current
environment pointer is mutated. This patch ensures that when we merge the fast
and slow paths of the LdaContextLookup, we actually merge the correct
environment and do not accidentally merge the exceptional environment.
BUG=chromium:651394
Review-Url: https://codereview.chromium.org/2379043002
Cr-Commit-Position: refs/heads/master@{#39878}
Reason for revert:
Suspect for causing win64 debug problems:
https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20debug/builds/12646
Original issue's description:
> [modules] Properly initialize declared variables.
>
> Before evaluating a module, all variables declared at the top-level
> in _any_ of the modules in the dependency graph must be initialized.
> This is observable because a module A can access a variable imported
> from module B (e.g. a function) at a point when module B's body hasn't
> been evaluated yet.
>
> We achieve this by implementing modules internally as generators with
> two states (not initialized, initialized).
>
> R=adamk@chromium.org
> BUG=v8:1569
>
> Committed: https://crrev.com/f4dfb6fbe1cdd9a0f287a1a9c496e1f69f6f5d20
> Cr-Commit-Position: refs/heads/master@{#39871}
TBR=adamk@chromium.org,mstarzinger@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2379063002
Cr-Commit-Position: refs/heads/master@{#39873}
Before evaluating a module, all variables declared at the top-level
in _any_ of the modules in the dependency graph must be initialized.
This is observable because a module A can access a variable imported
from module B (e.g. a function) at a point when module B's body hasn't
been evaluated yet.
We achieve this by implementing modules internally as generators with
two states (not initialized, initialized).
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2375793002
Cr-Commit-Position: refs/heads/master@{#39871}
The module size is encoded as a HeapNumber, and needs to be
explicitly cloned.
BUG=chromium:647649
Review-Url: https://codereview.chromium.org/2347333002
Cr-Commit-Position: refs/heads/master@{#39845}
- Store instruction with an offset bigger than GrowMemory offset should handle out of bounds correctly
- Refactor to separate runnning from compile so arguments can be passed in to module builder tests.
BUG=chromium:644670
R=ahaas@chromium.org, titzer@chromium.org
Review-Url: https://codereview.chromium.org/2373613004
Cr-Commit-Position: refs/heads/master@{#39840}
TurboFan lowering (see [0]) of ConsString creation cannot ensure that
the first part of the cons string is non-empty without introducing a phi
and negatively impacting performance.
This modifies ConsStringIterator to allow empty first parts of
ConsStrings.
BUG=v8:5440
Review-Url: https://codereview.chromium.org/2377983002
Cr-Commit-Position: refs/heads/master@{#39817}
Even after https://codereview.chromium.org/2371963002 we still did not
always store a Smi into the JSTypedArray::length field, the runtime
function %TypedArrayInitializeFromArrayLike was still storing whatever
it got from the JavaScript code, which is highly dependent on internal
decisions of the ICs and the representation selection in the optimizing
compilers, so that's pretty fragile.
R=verwaest@chromium.org
BUG=chromium:650933
Review-Url: https://codereview.chromium.org/2377943002
Cr-Commit-Position: refs/heads/master@{#39802}
[0xC] Convert to stack machine semantics.
[0xC] Use section codes instead of names.
[0xC] Add elements section decoding.
[0xC] Decoding of globals section.
[0xC] Decoding of memory section.
[0xC] Decoding of imports section.
[0xC] Decoding of exports section.
[0xC] Decoding of data section.
[0xC] Remove CallImport bytecode.
[0xC] Function bodies have an implicit block.
[0xC] Remove the bottom label from loops.
[0xC] Add signatures to blocks.
[0xC] Remove arities from branches.
Add tests for init expression decoding.
Rework compilation of import wrappers and how they are patched.
Rework function indices in debugging.
Fix ASM->WASM builder for stack machine.
Reorganize asm.js foreign functions due to import indices change.
R=ahaas@chromium.org,rossberg@chromium.org,bradnelson@chromium.org
BUG=chromium:575167
LOG=Y
Committed: https://crrev.com/76eb976a67273b8c03c744f64ad850b0432554b9
Review-Url: https://codereview.chromium.org/2345593003
Cr-Original-Commit-Position: refs/heads/master@{#39678}
Cr-Commit-Position: refs/heads/master@{#39795}
We must not throw when seeing a cycle while trying to resolve a name through
star exports. (It may be surprising that we do have to throw when seeing an
ambiguity, but this is what the spec says.)
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2376563002
Cr-Commit-Position: refs/heads/master@{#39787}
This makes sure we only replace load operations for fields on virtual
objects. Even though data flow information for non-virtual (escaping)
allocations is available, it might be inaccurate in certain situations
where object state hasn't been cleared.
R=jarin@chromium.org
TEST=mjsunit/compiler/regress-escape-analysis-indirect
Review-Url: https://codereview.chromium.org/2369953002
Cr-Commit-Position: refs/heads/master@{#39776}
The call to RegExpSubclassExec may refer to a different exec method
since splitter is newly constructed previously to the call.
BUG=v8:5351
Review-Url: https://codereview.chromium.org/2370733003
Cr-Commit-Position: refs/heads/master@{#39774}
Reason for revert:
Stability thief found, relanding speculative reverts.
Original issue's description:
> Revert of Preparse inner functions (new try) (patchset #21 id:420001 of https://codereview.chromium.org/2352593002/ )
>
> Reason for revert:
> We currently have some stability issues on Canary. Let's reland this after we verified that we "fixed" Canary again.
>
> Original issue's description:
> > Preparse inner functions (new try)
> >
> > This is an overly pessimistic approach where PreParser only keeps
> > track of unresolved variables, but doesn't declare anything. This
> > will result in context-allocating variables in the outer function
> > unnecessarily, if the variable names clash with variable names
> > used by the inner function (even if the variables are not the
> > same). However, we have been unable to prove that this approach
> > wouldn't be good enough for the practical purposes.
> >
> > Fixes after the previous try ( https://codereview.chromium.org/2322243002/ ):
> > Keep the context-allocation decision stable when compiling fully eagerly.
> >
> > Tests which exercise this functionality:
> > mjsunit/fixed-context-shapes-when-recompiling.js
> >
> > Design document (chromium):
> >
> > https://docs.google.com/a/chromium.org/document/d/1rRv5JJZ0JpOZAZN2CSUwZPFJiBAdRnTiSYhazseNHFg/edit?usp=sharing
> >
> > BUG=
> >
> > Committed: https://crrev.com/7c73cf32c60484cdf37c84f1d61b4640e87068d7
> > Cr-Commit-Position: refs/heads/master@{#39719}
>
> TBR=verwaest@chromium.org,adamk@chromium.org,marja@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=
>
> Committed: https://crrev.com/1e6296b2a7cfc307fd9e722e619f42965da4a267
> Cr-Commit-Position: refs/heads/master@{#39730}
TBR=verwaest@chromium.org,adamk@chromium.org,marja@chromium.org,hablich@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2377513006
Cr-Commit-Position: refs/heads/master@{#39755}
Ignition collects type feedback for binary and compare operations in type
feedback vector and FCG uses Binary/CompareOpICs to collect type feedback.
The feedback collected by ignition is not used by crankshaft. This hits the
performance, when trying to optimize functions that did not tier upto FCG.
This cl merges the feedback collected by ignition and FCG when passing to
crankshaft.
BUG=v8:4280
Review-Url: https://codereview.chromium.org/2361043002
Cr-Commit-Position: refs/heads/master@{#39753}
If we want to allow this in the future, we must force context-allocation for all
variables that are declared at the module level but not MODULE-allocated.
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2373573003
Cr-Commit-Position: refs/heads/master@{#39745}
Use an unordered_map<Module, unordered_set<String>> to keep track
of visited Module/ExportName pairs during ResolveExport.
This required adding a Hash() method to Module, which is accomplished
by allocating a Symbol and storing it in the SharedFunctionInfo::name
slot, then delegating the hash to that Symbol.
Also added a helper method Module::shared() to easily get ahold of
the SharedFunctionInfo and call it in the appropriate places instead
of re-doing the ternary operator.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2367623004
Cr-Commit-Position: refs/heads/master@{#39743}
Reason for revert:
Tanks EarleyBoyer.
Original issue's description:
> [compiler] Properly guard the speculative optimizations for instanceof.
>
> Add a general feedback slot for instanceof similar to what we already have
> for for-in, which basically has a fast (indicated by the uninitialized
> sentinel) and a slow (indicated by the megamorphic sentinel) mode. Now
> we can only take the fast path when the feedback slot says it hasn't
> seen any funky inputs and nothing funky appeared in the prototype chain.
> In the TurboFan code we also deoptimize whenever we see a funky object
> (i.e. a proxy or an object that requires access checks) in the prototype
> chain (similar to what Crankshaft already did).
>
> Drive-by-fix: Also make Crankshaft respect the mode and therefore
> address the deopt loop in Crankshaft around instanceof.
>
> We might want to introduce an InstanceOfIC mechanism at some point and
> track the map of the right-hand side.
>
> BUG=v8:5267
> R=mvstanton@chromium.org
>
> Committed: https://crrev.com/a0484bc6116ebc2b855de87d862945e2ae07169b
> Cr-Commit-Position: refs/heads/master@{#39718}
TBR=mvstanton@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2365223003
Cr-Commit-Position: refs/heads/master@{#39736}
Reason for revert:
We currently have some stability issues on Canary. Let's reland this after we verified that we "fixed" Canary again.
Original issue's description:
> Preparse inner functions (new try)
>
> This is an overly pessimistic approach where PreParser only keeps
> track of unresolved variables, but doesn't declare anything. This
> will result in context-allocating variables in the outer function
> unnecessarily, if the variable names clash with variable names
> used by the inner function (even if the variables are not the
> same). However, we have been unable to prove that this approach
> wouldn't be good enough for the practical purposes.
>
> Fixes after the previous try ( https://codereview.chromium.org/2322243002/ ):
> Keep the context-allocation decision stable when compiling fully eagerly.
>
> Tests which exercise this functionality:
> mjsunit/fixed-context-shapes-when-recompiling.js
>
> Design document (chromium):
>
> https://docs.google.com/a/chromium.org/document/d/1rRv5JJZ0JpOZAZN2CSUwZPFJiBAdRnTiSYhazseNHFg/edit?usp=sharing
>
> BUG=
>
> Committed: https://crrev.com/7c73cf32c60484cdf37c84f1d61b4640e87068d7
> Cr-Commit-Position: refs/heads/master@{#39719}
TBR=verwaest@chromium.org,adamk@chromium.org,marja@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2373443003
Cr-Commit-Position: refs/heads/master@{#39730}
The WebAssembly spec requires a HasProperty() check for the maximum
property of the descriptor object which is used to set up a
WebAssembly.Memory object or a WebAssembly.Table object.
The original implementation only approximated the HasProperty() check.
It used Get() to get the value of the maximum property of the descriptor
object and compared the resulting value to {undefined}. However, this
approximation is incorrect if the property exists but its value is
{undefined}.
R=titzer@chromium.org, franzih@chromium.org
BUG=chromium:649461
TEST=mjsunit/wasm/memory
Review-Url: https://codereview.chromium.org/2367673003
Cr-Commit-Position: refs/heads/master@{#39722}
This is an overly pessimistic approach where PreParser only keeps
track of unresolved variables, but doesn't declare anything. This
will result in context-allocating variables in the outer function
unnecessarily, if the variable names clash with variable names
used by the inner function (even if the variables are not the
same). However, we have been unable to prove that this approach
wouldn't be good enough for the practical purposes.
Fixes after the previous try ( https://codereview.chromium.org/2322243002/ ):
Keep the context-allocation decision stable when compiling fully eagerly.
Tests which exercise this functionality:
mjsunit/fixed-context-shapes-when-recompiling.js
Design document (chromium):
https://docs.google.com/a/chromium.org/document/d/1rRv5JJZ0JpOZAZN2CSUwZPFJiBAdRnTiSYhazseNHFg/edit?usp=sharing
BUG=
Review-Url: https://codereview.chromium.org/2352593002
Cr-Commit-Position: refs/heads/master@{#39719}
Add a general feedback slot for instanceof similar to what we already have
for for-in, which basically has a fast (indicated by the uninitialized
sentinel) and a slow (indicated by the megamorphic sentinel) mode. Now
we can only take the fast path when the feedback slot says it hasn't
seen any funky inputs and nothing funky appeared in the prototype chain.
In the TurboFan code we also deoptimize whenever we see a funky object
(i.e. a proxy or an object that requires access checks) in the prototype
chain (similar to what Crankshaft already did).
Drive-by-fix: Also make Crankshaft respect the mode and therefore
address the deopt loop in Crankshaft around instanceof.
We might want to introduce an InstanceOfIC mechanism at some point and
track the map of the right-hand side.
BUG=v8:5267
R=mvstanton@chromium.org
Review-Url: https://codereview.chromium.org/2370693002
Cr-Commit-Position: refs/heads/master@{#39718}
If DevTools is turned on in the middle of doing some things with async
functions, then more items may be popped from the Promise stack than were
pushed to it. In this sort of case, it's OK to have a catch misprediction,
but a crash is unacceptable. This patch defensively handles this edge
case where the Promise stack is unexpectedly empty for that reason.
BUG=v8:5167
Review-Url: https://codereview.chromium.org/2361333003
Cr-Commit-Position: refs/heads/master@{#39705}
This patch tracks the stack of async functions differently from other
Promise async stack tracking. With this patch, the stack trace of a
callstack of async functions should look similarly to the call stack
if all of the functions were synchronous. An example can be found in
the updated test expectations: https://codereview.chromium.org/2362923002 .
The new stack traces are implemented using existing mechanisms in the
inspector. The inspector has two ways to save async stack traces: recurring
and non-recurring stacks. An example of a non-recurring stack is setTimeout,
and a recurring one is saved for setInterval. Recurring stacks are deleted
only when a special "cancel" function is called, rather than being deleted
after being used the first time. Previous Promise async stack tracking always
used non-recurring stacks.
For async functions, this patch saves a recurring stack. The top frame of
the stack is duplicated, as the resuming function contains a similar frame;
the devtools frontend is responsible for removing or marking this frame,
which it can do based on seeing the [async function] line which follows it.
The second frame will instead be provided by the resuming execution
context. The recurring stack is saved when the async function is entered, and
it is deleted from a finally block. The id of the stack is saved in the outer
Promise being constructed by the async function. When an intermediate
throwaway Promise will be triggered as a reaction, it will be identified as
such based on its debugging metadata, and the corresponding async function's
recurring stack will be used.
BUG=v8:4483
Review-Url: https://codereview.chromium.org/2357423002
Cr-Commit-Position: refs/heads/master@{#39695}
Resolve imports and indirect exports at instantiation time.
With this CL we have some basic functionality for modules working. Not yet
supported: star exports, namespace imports, cycle detection, proper variable
initialisation in mutually recursive modules.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2362083002
Cr-Commit-Position: refs/heads/master@{#39689}
Reason for revert:
Main suspect for tsan:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/11893
Also changes layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/10036
+mips builder:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Mips%20-%20builder/builds/4032
Original issue's description:
> [wasm] Master CL for Binary 0xC changes.
>
> [0xC] Convert to stack machine semantics.
> [0xC] Use section codes instead of names.
> [0xC] Add elements section decoding.
> [0xC] Decoding of globals section.
> [0xC] Decoding of memory section.
> [0xC] Decoding of imports section.
> [0xC] Decoding of exports section.
> [0xC] Decoding of data section.
> [0xC] Remove CallImport bytecode.
> [0xC] Function bodies have an implicit block.
> [0xC] Remove the bottom label from loops.
> [0xC] Add signatures to blocks.
> [0xC] Remove arities from branches.
> Add tests for init expression decoding.
> Rework compilation of import wrappers and how they are patched.
> Rework function indices in debugging.
> Fix ASM->WASM builder for stack machine.
> Reorganize asm.js foreign functions due to import indices change.
>
> R=ahaas@chromium.org,rossberg@chromium.org,bradnelson@chromium.org
> BUG=chromium:575167
> LOG=Y
>
> Committed: https://crrev.com/76eb976a67273b8c03c744f64ad850b0432554b9
> Cr-Commit-Position: refs/heads/master@{#39678}
TBR=ahaas@chromium.org,bradnelson@chromium.org,mtrofin@chromium.org,rossberg@chromium.org,bradnelson@google.com,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:575167
Review-Url: https://codereview.chromium.org/2361053004
Cr-Commit-Position: refs/heads/master@{#39685}
[0xC] Convert to stack machine semantics.
[0xC] Use section codes instead of names.
[0xC] Add elements section decoding.
[0xC] Decoding of globals section.
[0xC] Decoding of memory section.
[0xC] Decoding of imports section.
[0xC] Decoding of exports section.
[0xC] Decoding of data section.
[0xC] Remove CallImport bytecode.
[0xC] Function bodies have an implicit block.
[0xC] Remove the bottom label from loops.
[0xC] Add signatures to blocks.
[0xC] Remove arities from branches.
Add tests for init expression decoding.
Rework compilation of import wrappers and how they are patched.
Rework function indices in debugging.
Fix ASM->WASM builder for stack machine.
Reorganize asm.js foreign functions due to import indices change.
R=ahaas@chromium.org,rossberg@chromium.org,bradnelson@chromium.org
BUG=chromium:575167
LOG=Y
Review-Url: https://codereview.chromium.org/2345593003
Cr-Commit-Position: refs/heads/master@{#39678}
This makes sure the {EscapeAnalysisReducer} inserts proper {TypeGuard}
nodes if the replacement node is not a subtype of the original node.
This happens predominantly for code that has been made unreachable by
type checks.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-640497
BUG=chromium:640497
Review URL: https://codereview.chromium.org/2363573003 .
Cr-Commit-Position: refs/heads/master@{#39656}
This add support for ConsString objects allocated inline to the escape
analysis pass. The raw hash field in such strings needs special handling
similar to existing raw fields. This also contains materialization code
within the deoptimizer as usual.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-648737
BUG=chromium:648737
Review-Url: https://codereview.chromium.org/2357153002
Cr-Commit-Position: refs/heads/master@{#39594}
This removes an optimization from the code generator that tries to
materialize certain constants (i.e. context and closure) from the
stackframe when possible. This does not work with Harmony tail calls
which are split into several instructions. There have already been
numerous bugs in this optimization, it is too fragile in its current
form.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-648539
BUG=chromium:648539
Review-Url: https://codereview.chromium.org/2357583003
Cr-Commit-Position: refs/heads/master@{#39583}
After parsing a function, if there's no masking declaration in the function scope, DeclareFunctionVar will also bind the function name to a variable. It will either bind it to the const/const-legacy function_ variable, or to a dynamic non-local if the function calls sloppy eval.
Even if the variable is masked or sloppy eval is called, we still declare the function-var. The client immediately sets up the variable by assigning the resulting function to it.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2274133002
Cr-Commit-Position: refs/heads/master@{#39581}
- Add a new container object to store the data required for
PromiseResolveThenableJob.
- Create a new runtime function to enqueue the microtask event with
the required data.
This patches causes a 4% regression in the bluebird benchmark.
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2314903004
Cr-Commit-Position: refs/heads/master@{#39571}
This patch ensures that variables like .new_target aren't overwritable
using with scopes. It does this by ensuring that scope analysis does
not consider with scopes (or eval scopes) for such 'synthetic variables',
similarly to how the 'this' variable was already handled.
The patch also adds a DCHECK for the dynamic parallel to this case,
replacing a previous unreachable path for a particular instance.
BUG=v8:5405
Review-Url: https://codereview.chromium.org/2353623002
Cr-Commit-Position: refs/heads/master@{#39567}
This patch uses temporaries rather than unresolved variables for
.promise and .debug_is_active. For .promise, a new field is added
to the FunctionState, similarly to .generator_object. This change
fixes a bug where .promise was locally shadowable by with, affecting
program semantics.
BUG=v8:5405
Review-Url: https://codereview.chromium.org/2359513002
Cr-Commit-Position: refs/heads/master@{#39566}
To improve performance, this patch makes Promise.all and Promise.race not
perform correct catch prediction when the debugger is not open. The case
may come up if Promise.race or Promise.all is called, then DevTools is
open, then a component Promise is rejected. In this case, the user would
falsely get an exception event even if the "pause on caught exceptions"
box is unchecked. There are tests which triggered this case; however, it
seems both unlikely and and acceptable to have an event in this case.
Many analogous events are already produced when DevTools is enabled
during the operation of a program.
BUG=v8:3093
Review-Url: https://codereview.chromium.org/2350363002
Cr-Commit-Position: refs/heads/master@{#39565}
This patch knits together Promises returned by async/await such that when
one async function awaits the result of another one, catch prediction works
across the boundaries, whether the exception comes synchronously or
asynchronously. Edges are added in three places:
- When a locally uncaught await happens, if the value passed into await
is a Promise, from the awaited value to the Promise under construction
in the broader async function
- From a "throwaway" Promise, which may be found on the Promise debug
stack, to the Promise under construction in the async function that
surrounds it
- When a Promise is resolved with another Promise (e.g., when returning a
Promise from an async function)
In this reland, the caught tests are broken up into four parts to avoid
timeouts.
BUG=v8:5167
Review-Url: https://codereview.chromium.org/2346363004
Cr-Commit-Position: refs/heads/master@{#39564}
The implicit assignment to the induction variable in a ForInStatement
has been ignored by the AST loop assignment analysis. This was hidden
for cases where the parser introduced a ".for" temporary, but triggers
when the variable is declared outside the loop.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-647887
BUG=chromium:647887
Review-Url: https://codereview.chromium.org/2356733002
Cr-Commit-Position: refs/heads/master@{#39551}
Extract String feedback on Add operation and utilize to lower ConsString
creation in JSTypedLowering when we know that a String addition will
definitely result in the creation of a ConsString.
Note that Crankshaft has to guard the potential length overflow of the
resulting string with an eager deoptimization exit, while we can safely
throw an exception in that case.
Also note that the bytecode pipeline does not currently provide the
String feedback for the addition, which has to be added.
BUG=v8:5267
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2354853002
Cr-Commit-Position: refs/heads/master@{#39540}
This would've caught the "preparser tracking only unresolved variables
but no declarations is not enough" bug.
BUG=
Review-Url: https://codereview.chromium.org/2350683002
Cr-Commit-Position: refs/heads/master@{#39532}
Crankshaft just unconditionally deoptimizes the code when the length of
a string addition result would overflow. In order to protect against
deopt loops we insert a global protector cell.
We will use the same mechanism for inlining certain string additions
into TurboFan as well, and protecting against overflow (we will also
extend this to deal with String.prototype.concat and friends once we
get there).
BUG=v8:5404
R=jarin@chromium.org,hpayer@chromium.org
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux64_msan_rel
Committed: https://crrev.com/cb19257a926a55209a6d6858ce26d51a0447ba71
Review-Url: https://codereview.chromium.org/2348293002
Cr-Original-Commit-Position: refs/heads/master@{#39511}
Cr-Commit-Position: refs/heads/master@{#39525}
Reason for revert:
Need to break up test into smaller tests to avoid timeouts
Original issue's description:
> Async/await Promise dependency graph
>
> This patch knits together Promises returned by async/await such that when
> one async function awaits the result of another one, catch prediction works
> across the boundaries, whether the exception comes synchronously or
> asynchronously. Edges are added in three places:
> - When a locally uncaught await happens, if the value passed into await
> is a Promise, from the awaited value to the Promise under construction
> in the broader async function
> - From a "throwaway" Promise, which may be found on the Promise debug
> stack, to the Promise under construction in the async function that
> surrounds it
> - When a Promise is resolved with another Promise (e.g., when returning a
> Promise from an async function)
>
> BUG=v8:5167
>
> Committed: https://crrev.com/7265fdde7c76b9f875b40b0b139515936d491d64
> Cr-Commit-Position: refs/heads/master@{#39522}
TBR=adamk@chromium.org,jgruber@chromium.org,kozyatinskiy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5167
Review-Url: https://codereview.chromium.org/2351953002
Cr-Commit-Position: refs/heads/master@{#39523}
This patch knits together Promises returned by async/await such that when
one async function awaits the result of another one, catch prediction works
across the boundaries, whether the exception comes synchronously or
asynchronously. Edges are added in three places:
- When a locally uncaught await happens, if the value passed into await
is a Promise, from the awaited value to the Promise under construction
in the broader async function
- From a "throwaway" Promise, which may be found on the Promise debug
stack, to the Promise under construction in the async function that
surrounds it
- When a Promise is resolved with another Promise (e.g., when returning a
Promise from an async function)
BUG=v8:5167
Review-Url: https://codereview.chromium.org/2317383002
Cr-Commit-Position: refs/heads/master@{#39522}
This patch closes a memory leak in async/await where the desugaring
was creating a situation analagous to that described in v8:5002.
Intermediate Promises were being kept alive, so a long-running loop
would cause linear memory usage on the heap. This patch returns
undefined to the 'then' callback passed into PerformPromiseThen
in order to avoid this hazard. Test expectations are fixed to remove
expecting extraneous events which occurred on Promises that are
now not given unnecessarily complex resolution paths before being
thrown away.
This patch is a reland; originally, tests which exercised the memory
exhaustion were checked in. Although it's possible to find good parameters
for running such tests locally, it is difficult to automate the tests
between the rock of timeouts and the hard place of too-small heaps
causing memory exhaustion in some modes even when there is no leak.
BUG=v8:5390
Review-Url: https://codereview.chromium.org/2352933002
Cr-Commit-Position: refs/heads/master@{#39520}
Reason for revert:
Mean https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/10910
Original issue's description:
> [crankshaft] Protect against deopt loops from string length overflows.
>
> Crankshaft just unconditionally deoptimizes the code when the length of
> a string addition result would overflow. In order to protect against
> deopt loops we insert a global protector cell.
>
> We will use the same mechanism for inlining certain string additions
> into TurboFan as well, and protecting against overflow (we will also
> extend this to deal with String.prototype.concat and friends once we
> get there).
>
> BUG=v8:5404
> R=jarin@chromium.org,hpayer@chromium.org
>
> Committed: https://crrev.com/cb19257a926a55209a6d6858ce26d51a0447ba71
> Cr-Commit-Position: refs/heads/master@{#39511}
TBR=hpayer@chromium.org,jarin@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5404
Review-Url: https://codereview.chromium.org/2357433002
Cr-Commit-Position: refs/heads/master@{#39518}
Handle the case of asm.js modules that return a single function
instead of a collection of them.
R=mtrofin@chromium.org
TEST=mjsunit/asm/asm-wasm
BUG=v8:4203
BUG=v8:5356
Review-Url: https://codereview.chromium.org/2348383003
Cr-Commit-Position: refs/heads/master@{#39515}
Reason for revert:
Still causes issues on bot (sometimes!)
Original issue's description:
> Reland of Fix async/await memory leak (patchset #1 id:1 of https://codereview.chromium.org/2354473002/ )
>
> Reason for revert:
> Relanding with faster-running test
>
> Original issue's description:
> > Revert of Fix async/await memory leak (patchset #5 id:80001 of https://codereview.chromium.org/2334323006/ )
> >
> > Reason for revert:
> > newly introduced test async-await-loop times out: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/10894/steps/Ignition%20-%20turbofan%20%28flakes%29/logs/async-await-loop
> >
> > Original issue's description:
> > > Fix async/await memory leak
> > >
> > > This patch closes a memory leak in async/await where the desugaring
> > > was creating a situation analagous to that described in v8:5002.
> > > Intermediate Promises were being kept alive, so a long-running loop
> > > would cause linear memory usage on the heap. This patch returns
> > > undefined to the 'then' callback passed into PerformPromiseThen
> > > in order to avoid this hazard. Test expectations are fixed to remove
> > > expecting extraneous events which occurred on Promises that are
> > > now not given unnecessarily complex resolution paths before being
> > > thrown away.
> > >
> > > BUG=v8:5390
> > >
> > > Committed: https://crrev.com/a0ba18e9634c5e2d439033ab61a77cff54f9af35
> > > Cr-Commit-Position: refs/heads/master@{#39479}
> >
> > TBR=adamk@chromium.org,caitp@igalia.com,littledan@chromium.org
> > NOTRY=true
> > BUG=v8:5390
> >
> > Committed: https://crrev.com/196db1999da130019bbf8e3bd65977f840e8afaf
> > Cr-Commit-Position: refs/heads/master@{#39493}
>
> TBR=adamk@chromium.org,caitp@igalia.com,hablich@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> BUG=v8:5390
>
> Committed: https://crrev.com/e51482f01f26e0013e6377e85c4d2c41900e403c
> Cr-Commit-Position: refs/heads/master@{#39508}
TBR=adamk@chromium.org,caitp@igalia.com,hablich@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5390
Review-Url: https://codereview.chromium.org/2348403003
Cr-Commit-Position: refs/heads/master@{#39512}
Crankshaft just unconditionally deoptimizes the code when the length of
a string addition result would overflow. In order to protect against
deopt loops we insert a global protector cell.
We will use the same mechanism for inlining certain string additions
into TurboFan as well, and protecting against overflow (we will also
extend this to deal with String.prototype.concat and friends once we
get there).
BUG=v8:5404
R=jarin@chromium.org,hpayer@chromium.org
Review-Url: https://codereview.chromium.org/2348293002
Cr-Commit-Position: refs/heads/master@{#39511}
Reason for revert:
Relanding with faster-running test
Original issue's description:
> Revert of Fix async/await memory leak (patchset #5 id:80001 of https://codereview.chromium.org/2334323006/ )
>
> Reason for revert:
> newly introduced test async-await-loop times out: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/10894/steps/Ignition%20-%20turbofan%20%28flakes%29/logs/async-await-loop
>
> Original issue's description:
> > Fix async/await memory leak
> >
> > This patch closes a memory leak in async/await where the desugaring
> > was creating a situation analagous to that described in v8:5002.
> > Intermediate Promises were being kept alive, so a long-running loop
> > would cause linear memory usage on the heap. This patch returns
> > undefined to the 'then' callback passed into PerformPromiseThen
> > in order to avoid this hazard. Test expectations are fixed to remove
> > expecting extraneous events which occurred on Promises that are
> > now not given unnecessarily complex resolution paths before being
> > thrown away.
> >
> > BUG=v8:5390
> >
> > Committed: https://crrev.com/a0ba18e9634c5e2d439033ab61a77cff54f9af35
> > Cr-Commit-Position: refs/heads/master@{#39479}
>
> TBR=adamk@chromium.org,caitp@igalia.com,littledan@chromium.org
> NOTRY=true
> BUG=v8:5390
>
> Committed: https://crrev.com/196db1999da130019bbf8e3bd65977f840e8afaf
> Cr-Commit-Position: refs/heads/master@{#39493}
TBR=adamk@chromium.org,caitp@igalia.com,hablich@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
BUG=v8:5390
Review-Url: https://codereview.chromium.org/2348403002
Cr-Commit-Position: refs/heads/master@{#39508}
According to the ES6 specification, in "for in/of" loops like:
for (var v of [1,2,3]) return f(...);
the call to f() should not be considered a tail call. This was
not working properly, i.e., the case without declarations:
var v;
for (v of [1,2,3]) return f(...);
R=adamk@chromium.org, ishell@chromium.org
BUG=
LOG=N
Review-Url: https://codereview.chromium.org/2343823002
Cr-Commit-Position: refs/heads/master@{#39497}
Reason for revert:
newly introduced test async-await-loop times out: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/10894/steps/Ignition%20-%20turbofan%20%28flakes%29/logs/async-await-loop
Original issue's description:
> Fix async/await memory leak
>
> This patch closes a memory leak in async/await where the desugaring
> was creating a situation analagous to that described in v8:5002.
> Intermediate Promises were being kept alive, so a long-running loop
> would cause linear memory usage on the heap. This patch returns
> undefined to the 'then' callback passed into PerformPromiseThen
> in order to avoid this hazard. Test expectations are fixed to remove
> expecting extraneous events which occurred on Promises that are
> now not given unnecessarily complex resolution paths before being
> thrown away.
>
> BUG=v8:5390
>
> Committed: https://crrev.com/a0ba18e9634c5e2d439033ab61a77cff54f9af35
> Cr-Commit-Position: refs/heads/master@{#39479}
TBR=adamk@chromium.org,caitp@igalia.com,littledan@chromium.org
NOTRY=true
BUG=v8:5390
Review-Url: https://codereview.chromium.org/2354473002
Cr-Commit-Position: refs/heads/master@{#39493}
We'd like wasm regressions to live under a subfolder of the mjsunit
regression folder.
BUG=
Review-Url: https://codereview.chromium.org/2344373002
Cr-Commit-Position: refs/heads/master@{#39483}
This patch closes a memory leak in async/await where the desugaring
was creating a situation analagous to that described in v8:5002.
Intermediate Promises were being kept alive, so a long-running loop
would cause linear memory usage on the heap. This patch returns
undefined to the 'then' callback passed into PerformPromiseThen
in order to avoid this hazard. Test expectations are fixed to remove
expecting extraneous events which occurred on Promises that are
now not given unnecessarily complex resolution paths before being
thrown away.
BUG=v8:5390
Review-Url: https://codereview.chromium.org/2334323006
Cr-Commit-Position: refs/heads/master@{#39479}
In ignition, arguments to function calls and function constructors are
pushed onto the stack before calling the function. It is required to check
that stack does not overflow when pushing the arguments.
BUG=v8:4280
LOG=N
Review-Url: https://codereview.chromium.org/2335513004
Cr-Commit-Position: refs/heads/master@{#39470}
Ensure we can serialize a wasm compiled module even after it was
instantiated a few times.
BUG=
Review-Url: https://codereview.chromium.org/2339933003
Cr-Commit-Position: refs/heads/master@{#39463}
Reason for revert:
With fixes for frozen RegExps in https://codereview.chromium.org/2339443002 , it should be web-compatible to put RegExps in strict mode again, per spec.
Original issue's description:
> Revert of Put RegExp js code in strict mode (patchset #2 id:20001 of https://codereview.chromium.org/1776883005/ )
>
> Reason for revert:
> Found to break SAP Web IDE, and these semantics are not shipped in any other browser.
> Revert to legacy semantics while assessing web compatibility.
>
> BUG=chromium:624318
>
> Original issue's description:
> > Put RegExp js code in strict mode
> >
> > src/js/regexp.js was one of the few files that was left in sloppy
> > mode. The ES2017 draft specification requires that writes to
> > lastIndex throw when the property is non-writable, and test262
> > tests enforce this behavior. This patch puts that file in strict
> > mode.
> >
> > BUG=v8:4504
> > R=yangguo@chromium.org
> > LOG=Y
> >
> > Committed: https://crrev.com/80b1b2a45bbd9bf3d08e4e6516acfaaa8f438213
> > Cr-Commit-Position: refs/heads/master@{#34801}
>
> TBR=yangguo@chromium.org,adamk@chromium.org
>
> Committed: https://crrev.com/34880eb3dcf7492d44c0a3b45b6c888189f2c3c3
> Cr-Commit-Position: refs/heads/master@{#37449}
TBR=adamk@chromium.org,yangguo@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:624318
Review-Url: https://codereview.chromium.org/2344773002
Cr-Commit-Position: refs/heads/master@{#39456}
This CL implements the throw wasm opcode. This is a pre-requisite for
implementing try-catches in wasm.
BUG=
Review-Url: https://codereview.chromium.org/2339053003
Cr-Commit-Position: refs/heads/master@{#39449}
This handles the case where generating bytecode for inlining purposes
causes a stack overflow. We just abort inlining but also need to clear
pending exceptions.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-647217
BUG=chromium:647217
Review-Url: https://codereview.chromium.org/2339383002
Cr-Commit-Position: refs/heads/master@{#39448}
The semantics of the {BailoutId} representing an OSR entry point is
different between the interpreter and the full code generator. These
semantics are hard-coded in various graph builders. We need to ensure
that the correct graph builder is chosen for OSR compilations.
R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-5380
BUG=v8:5380
Review-Url: https://codereview.chromium.org/2341663002
Cr-Commit-Position: refs/heads/master@{#39444}
Handle the "synchronous case" by marking try/catch blocks introduced for
async functions as ASYNC_AWAIT and traversing up the stack, finding successive
Promises and returning caught if any of them are predicted to be caught.
BUG=v8:5167
Review-Url: https://codereview.chromium.org/2325813002
Cr-Commit-Position: refs/heads/master@{#39433}
This adds a regression test for a bug where {OsrPoll} instructions
within the bytecode stream ended up outside of actual loops. This has
been fixed already, by merging {OsrPoll} into the backwards branch.
R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-645888
BUG=chromium:645888
Review-Url: https://codereview.chromium.org/2337033002
Cr-Commit-Position: refs/heads/master@{#39385}
To make better inlining decisions, it's good to have call counts for poly/mega-morphic cases. This CL makes it work for calls, and another will follow to better unify the code between constructor calls and normal calls (and thence, to record megamorphic call counts there as well).
BUG=
Review-Url: https://codereview.chromium.org/2325083003
Cr-Commit-Position: refs/heads/master@{#39377}
This change avoids needing to keep around an unused compiled
module. Instead, the result of compiling the wasm bytes is
given to the first instance. The module object and that instance object
point to the same compiled module. Instances are, then, cloned from
the compiled module the module object points to. When an instance is
collected, we make sure that the module object still has a clone
available, and, if the last instance is GC-ed, we also reset the compiled
module so that it does not reference its heap, so that it (==heap) may
be collected.
This is achieved by linking the clones in a double-linked list and
registering a finalizer for each. When we create an instance, we tie it
in the front of the list, making the module object point to it (O(1)). When
the finalizer is called, we relink the list over the dying object (O(1)). The
costliest operation is finalizing the last instance, since we need to visit
all wasm functions and reset heap references.
BUG=v8:5316
Committed: https://crrev.com/01f5af515728aebe6c5246f4f7dd6c573e8748af
Review-Url: https://codereview.chromium.org/2305903002
Cr-Original-Commit-Position: refs/heads/master@{#39153}
Cr-Commit-Position: refs/heads/master@{#39361}
The raw pointer to the parameter_map might get stale in case of accessors present on
the arguments object.
Drive-by-fix: use nullptr instead of the_hole with isolate access.
BUG=chromium:645680
Review-Url: https://codereview.chromium.org/2332503002
Cr-Commit-Position: refs/heads/master@{#39359}
The whitelist is populated with those inline intrinsics that are lowered
in JSIntrinsicInlining and were not previously blacklisted. Thus the only
additional FrameStates this CL adds are those where the caller tries to
call the INLINE version of an intrinsic but ends up calling the RUNTIME
version instead.
R=bmeurer@chromium.org
BUG=chromium:644631
Review-Url: https://codereview.chromium.org/2331543002
Cr-Commit-Position: refs/heads/master@{#39357}
This adds partial support of exports to the runtime system and
to the interpreter. It introduces a new HeapObject JSModule that
maps each of the module's export names to a Cell containing the
exported value.
Several aspects of this implementation are subject to change in
follow-up CLs.
BUG=v8:1569
Committed: https://crrev.com/241a0412eed919395a2e163b30b9b66071ce5c17
Review-Url: https://codereview.chromium.org/2302783002
Cr-Original-Commit-Position: refs/heads/master@{#39341}
Cr-Commit-Position: refs/heads/master@{#39352}
Reason for revert:
Failures related to deopt.
Original issue's description:
> [modules] Basic support of exports
>
> This adds partial support of exports to the runtime system and
> to the interpreter. It introduces a new HeapObject JSModule that
> maps each of the module's export names to a Cell containing the
> exported value.
>
> Several aspects of this implementation are subject to change in
> follow-up CLs.
>
> BUG=v8:1569
>
> Committed: https://crrev.com/241a0412eed919395a2e163b30b9b66071ce5c17
> Cr-Commit-Position: refs/heads/master@{#39341}
TBR=adamk@chromium.org,rmcilroy@chromium.org,ulan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2328283002
Cr-Commit-Position: refs/heads/master@{#39345}
This adds partial support of exports to the runtime system and
to the interpreter. It introduces a new HeapObject JSModule that
maps each of the module's export names to a Cell containing the
exported value.
Several aspects of this implementation are subject to change in
follow-up CLs.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2302783002
Cr-Commit-Position: refs/heads/master@{#39341}
This fixes a corner-case where the bytecode was using the <new.target>
register directly without going through the local variable. The value
might be clobbered because the deoptimizer doesn't properly restore the
value. The label will causes bytecode pipeline to be flushed and hence
ensure {BytecodeRegisterOptimizer} doesn't reuse <new.target> anymore.
R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-645103
BUG=chromium:645103
Review-Url: https://codereview.chromium.org/2325133002
Cr-Commit-Position: refs/heads/master@{#39306}
Before this change, the spread desugaring would naively call
`%AppendElement($R, the_hole)` and in some cases $R would have
a non-holey elements kind, putting the array into the bad state
of exposing holes to author code.
This patch avoids calling %AppendElement with a hole, instead
simply incrementing $R.length when it sees a hole in the literal
(this is safe because $R is known to be an Array). The existing
logic for elements transitions takes care of giving the array a
holey ElementsKind.
BUG=chromium:644215
Review-Url: https://codereview.chromium.org/2321533003
Cr-Commit-Position: refs/heads/master@{#39294}
This CL fixes %DebugPrint for FAST_HOLEY_DOUBLE_ELEMENTS and now properly
distinguishes TheHole and NaN values.
BUG=
Review-Url: https://codereview.chromium.org/2294913004
Cr-Commit-Position: refs/heads/master@{#39293}
Adds support to collect allocation site feedback for Array function calls
to the call bytecode handler.
BUG=v8:4280, v8:4780
LOG=N
Review-Url: https://codereview.chromium.org/2307903002
Cr-Commit-Position: refs/heads/master@{#39283}
This fixes the materialization of JSFunction objects to not rely on a
context being available. The context has been cleared because it might
be de-materiallized itself.
R=bmeurer@chromium.org
TEST=mjsunit/compiler/escape-analysis-materialize
BUG=chromium:644245
Review-Url: https://codereview.chromium.org/2320983002
Cr-Commit-Position: refs/heads/master@{#39277}
This adds support to the deoptimizer to materialize ContextExtension
objects that have been de-materialized by escape analysis. This is
follow-up to the inline allocation of such objects during the create
lowering phase (i.e. JSCreateWithContext and JSCreateCatchContext).
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-644245
BUG=chromium:644245
Review-Url: https://codereview.chromium.org/2317353003
Cr-Commit-Position: refs/heads/master@{#39270}
When lowering Array.prototype.push/.pop to the fast inlined version, we
first need to ensure that all prototypes (including the Object.prototype)
are stable.
R=mvstanton@chromium.org
BUG=chromium:644689
Review-Url: https://codereview.chromium.org/2319533005
Cr-Commit-Position: refs/heads/master@{#39266}
The optimization is not correct for unsigned output types, and we the
overall complexity seems too high. We need to find a better way to
take into account the input/output type restrictions.
Also added a regression test for the unsigned output bug.
BUG=v8:5267,v8:5270,v8:5357
TBR=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2320013002
Cr-Commit-Position: refs/heads/master@{#39262}
The trouble here is that the type of the induction variable might be
a bit ahead of the increment (JSAdd) operation's type. When we update
the type of the increment, we might only update the induction variable
type while the JSAdd type might be stale. If the induction variable typing
needs to fall back to normal phi typing (e.g., when the increment is not
an integer anymore), it might use the stale type.
To get around this, we fake monotonicity if we fallback to normal phi
typing. Another option would be to force re-typing of the increment
operation, but that seems to be harder to maintain.
BUG=chromium:644633
Review-Url: https://codereview.chromium.org/2320803002
Cr-Commit-Position: refs/heads/master@{#39261}
While fixing the bug, removed code duplication from super load/store
runtime calls, and inlined calls of Object::ReadAbsentProperty (left
over from strong mode).
BUG=v8:5335
Review-Url: https://codereview.chromium.org/2311413002
Cr-Commit-Position: refs/heads/master@{#39257}
We were previously incorrectly changing:
sub r0, 0, r1
cmp r2, r0
b.cond <addr>
to:
cmn r2, r1
b.cond <addr>
for all conditions. This is incorrect for conditions involving the C (carry)
and V (overflow) flags, and in particular in the case where r1 = INT_MIN.
The optimization is still safe to perform for Equal and NotEqual since they
do not depend on the C and V flags.
BUG=
Review-Url: https://codereview.chromium.org/2318043002
Cr-Commit-Position: refs/heads/master@{#39246}
Migrate the isNaN, isFinite, Number.isFinite, Number.isInteger,
Number.isSafeInteger and Number.isNaN predicates to TurboFan
builtins and make them optimizable (for certain input types) in
JavaScript callees being optimized by TurboFan. That means both
the baseline and the optimized version is now always at maximum,
consistent performance. Especially TurboFan suffered from poor
baseline (and optimized) performance because it cannot play the
same weird tricks that Crankshaft plays for %_IsSmi.
This also adds a bunch of new tests to properly cover the use
of the Harmony predicates in optimized code.
R=franzih@chromium.org
BUG=v8:5049,v8:5267
Review-Url: https://codereview.chromium.org/2313073002
Cr-Commit-Position: refs/heads/master@{#39242}
In ignition, allocation site mementos were disabled when creating array
literals. Enabled them in this cl.
BUG=v8:4280
LOG=N
Review-Url: https://codereview.chromium.org/2294913006
Cr-Commit-Position: refs/heads/master@{#39234}
This moves scope-related logic (such as looking up variables) to Scope
where it belongs, and enables PreParser to do more Scope-related
operations in the future.
BUG=
Review-Url: https://codereview.chromium.org/2301183003
Cr-Commit-Position: refs/heads/master@{#39233}
Lexically declared "arguments" in sloppy mode will throw redeclaration error
currently, this patch fixes it by delaying the declaration of arguments until we
fully parse parameter list and function body.
BUG=v8:4577
LOG=N
Committed: https://crrev.com/70a613dd0a5f5d205b46559b55702764464851fa
Review-Url: https://codereview.chromium.org/2290753003
Cr-Original-Commit-Position: refs/heads/master@{#39109}
Cr-Commit-Position: refs/heads/master@{#39230}
Move the code to perform function name inference for properties into
parsing the properties themselves, instead of the containing object.
This allows us to avoid unnecessary calls when parsing shorthand
properties and methods and simplifies the logic in the remaining cases.
Also fixes an edge case bug: inferring the name of the getter in
`class { static get constructor(){} }`.
Review-Url: https://codereview.chromium.org/2313723005
Cr-Commit-Position: refs/heads/master@{#39222}
This adds handling of {IrOpcode::kObjectIsReceiver} nodes to the escape
status analysis. Such uses are treated as escaping for now until we add
dedicated handling to the escape analysis reducer.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-631027
BUG=chromium:631027
Review-Url: https://codereview.chromium.org/2317623003
Cr-Commit-Position: refs/heads/master@{#39205}
The constructor and new.target arguments were passed to CallConstruct in
the wrong order by BytecodeGraphBuilder, which caused subclassing to be
incorrect when optimizing from bytecode.
Also clean up some unecessary functions in interpreter.cc found while
figuring this out.
BUG=chromium:642409
Review-Url: https://codereview.chromium.org/2312103002
Cr-Commit-Position: refs/heads/master@{#39204}
This handles the case where preparation of bytecode might fail inside
Compiler::EnsureBytecode due to the underlying function being a fully
validated asm.js module. We simply bailout of bytecode preparation.
R=bradnelson@chromium.org
TEST=mjsunit/regress/regress-crbug-644111
BUG=chromium:644111
Review-Url: https://codereview.chromium.org/2309853002
Cr-Commit-Position: refs/heads/master@{#39187}
Disable the propagation of truncations through Phi, Select or TypeGuard
if the output representation is tagged, because when the truncations are
taken we don't necessarily reflect this in the types and therefore we
might end up in a situation where we produce a word32 value, the type
says Number, and now we need to change that to tagged, which is not
possible since we don't know how to interpret the bits, i.e. whether the
value is Signed32 or Unsigned32.
BUG=chromium:644048
Review-Url: https://codereview.chromium.org/2311903002
Cr-Commit-Position: refs/heads/master@{#39186}
Reason for revert:
Performance regressions: crbug.com/644087
Clusterfuzz: crbug.com/644074
We'll reland all regexp changes at once when the port is complete and at least performance-neutral, since the partial port requires slow workarounds.
Original issue's description:
> [regexp] Port RegExp getters and setters
>
> BUG=v8:5339
>
> Committed: https://crrev.com/ac0eb5e05af40e16ae9402bb8a62600b32cc2ec9
> Committed: https://crrev.com/7711b1a16f864ed6ea56fa40274ff3f6287bbe34
> Cr-Original-Commit-Position: refs/heads/master@{#39076}
> Cr-Commit-Position: refs/heads/master@{#39088}
TBR=bmeurer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5339
Review-Url: https://codereview.chromium.org/2313713002
Cr-Commit-Position: refs/heads/master@{#39176}
Reason for revert:
mac gc stress failures:
https://build.chromium.org/p/client.v8/builders/V8%20Mac%20GC%20Stress/builds/8341
Original issue's description:
> [wasm] reuse the first compiled module.
>
> This change avoids needing to keep around an unused compiled
> module. Instead, the result of compiling the wasm bytes is
> given to the first instance. The module object and that instance object
> point to the same compiled module. Instances are, then, cloned from
> the compiled module the module object points to. When an instance is
> collected, we make sure that the module object still has a clone
> available, and, if the last instance is GC-ed, we also reset the compiled
> module so that it does not reference its heap, so that it (==heap) may
> be collected.
>
> This is achieved by linking the clones in a double-linked list and
> registering a finalizer for each. When we create an instance, we tie it
> in the front of the list, making the module object point to it (O(1)). When
> the finalizer is called, we relink the list over the dying object (O(1)). The
> costliest operation is finalizing the last instance, since we need to visit
> all wasm functions and reset heap references.
>
> BUG=v8:5316
>
> Committed: https://crrev.com/01f5af515728aebe6c5246f4f7dd6c573e8748af
> Cr-Commit-Position: refs/heads/master@{#39153}
TBR=bradnelson@chromium.org,verwaest@chromium.org,vogelheim@chromium.org,yangguo@chromium.org,mtrofin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5316
Review-Url: https://codereview.chromium.org/2306403002
Cr-Commit-Position: refs/heads/master@{#39154}
This change avoids needing to keep around an unused compiled
module. Instead, the result of compiling the wasm bytes is
given to the first instance. The module object and that instance object
point to the same compiled module. Instances are, then, cloned from
the compiled module the module object points to. When an instance is
collected, we make sure that the module object still has a clone
available, and, if the last instance is GC-ed, we also reset the compiled
module so that it does not reference its heap, so that it (==heap) may
be collected.
This is achieved by linking the clones in a double-linked list and
registering a finalizer for each. When we create an instance, we tie it
in the front of the list, making the module object point to it (O(1)). When
the finalizer is called, we relink the list over the dying object (O(1)). The
costliest operation is finalizing the last instance, since we need to visit
all wasm functions and reset heap references.
BUG=v8:5316
Review-Url: https://codereview.chromium.org/2305903002
Cr-Commit-Position: refs/heads/master@{#39153}
This disables notification of wasm script 'compilation' since
OnAfterCompile actually triggers a JS call (which is disallowed during
stack trace collection).
BUG=641065
Review-Url: https://codereview.chromium.org/2304943002
Cr-Commit-Position: refs/heads/master@{#39139}
Collect type feedback in the bytecode handler for 'new' bytecode. The
earlier cl (https://codereview.chromium.org/2153433002/) was reverted
because that implementation did not collect allocation site feedback.
This regressed delta blue by an order of magnitude. This implementation
includes collection of allocation site feedback.
Reland of https://codereview.chromium.org/2190293003/ with a bug fix.
BUG=v8:4280, v8:4780
LOG=N
Review-Url: https://codereview.chromium.org/2225923003
Cr-Commit-Position: refs/heads/master@{#39120}
Reason for revert:
Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/9470
Original issue's description:
> Allow lexically declared "arguments" in function scope in sloppy mode.
>
> Lexically declared "arguments" in sloppy mode will throw redeclaration error
> currently, this patch fixes it by delaying the declaration of arguments until we
> fully parse parameter list and function body.
>
> BUG=v8:4577
> LOG=N
>
> Committed: https://crrev.com/70a613dd0a5f5d205b46559b55702764464851fa
> Cr-Commit-Position: refs/heads/master@{#39109}
TBR=adamk@chromium.org,mythria@chromium.org,lpy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4577
Review-Url: https://codereview.chromium.org/2304853002
Cr-Commit-Position: refs/heads/master@{#39115}
Lexically declared "arguments" in sloppy mode will throw redeclaration error
currently, this patch fixes it by delaying the declaration of arguments until we
fully parse parameter list and function body.
BUG=v8:4577
LOG=N
Review-Url: https://codereview.chromium.org/2290753003
Cr-Commit-Position: refs/heads/master@{#39109}
We use a signaling NaN to represent the hole in
FAST_HOLEY_DOUBLE_ELEMENTS backing stores, but on Intel processors, the
C++ compiler may decide to (or be forced to due to calling conventions)
use X87 registers for double values. However transfering to X87
registers automatically quietens the NaNs and there's no way to disable
this. Therefore we should just always load the hole NaN from the canonical
place identified by the address_of_hole_nan external reference instead,
which might even be more efficient in some cases.
R=jarin@chromium.org, jkummerow@chromium.org
BUG=v8:5332
Review-Url: https://codereview.chromium.org/2303643002
Cr-Commit-Position: refs/heads/master@{#39062}
This patch arranges that property names are parsed in a single pass,
reporting the name as well as the type of the property, instead of
parsing qualifiers like 'static' or 'get' initially as names and then
re-parsing. This change is easier to reason about, very slightly (4%)
faster in some cases (although slower in other, less common ones, though
this slowdown will be fixed in an upcoming patch), and is a prerequisite
for separating the parsing of object and class literal properties, which
will become increasingly important as ECMAScript adds more class features.
This is a reland of https://codereview.chromium.org/2278153004/,
which fixes the issue causing the revert and adds more tests.
Review-Url: https://codereview.chromium.org/2300503002
Cr-Commit-Position: refs/heads/master@{#39056}
Previously, fast holey elements accessors would detect element presence
by simply doing a hole check on any slot within the backing store's
capacity. This relied on the (mostly-true but brittle) assumption that
slots beyond the length are always correctly zapped with The Hole.
Review-Url: https://codereview.chromium.org/2297253002
Cr-Commit-Position: refs/heads/master@{#39051}
When we try to further fold previously folded allocations in Crankshaft
GVN we don't properly transform the allocations involved, which causes
the mechanism to leave holes in the new/old space (and thereby violate
the iterability property of the new/old space).
BUG=chromium:621868
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2297983003
Cr-Commit-Position: refs/heads/master@{#39040}
This removes two bits of duplication:
- Parsing of each AssignmentExpression, which previously was called
first outside the loop and then inside the loop.
- Parsing of arrow rest parameters, which previously was handled
separately for the one-arg and N-arg cases.
The only change in behavior is in a few error messages.
Review-Url: https://codereview.chromium.org/2279363002
Cr-Commit-Position: refs/heads/master@{#39030}
Test ensuring globals are isolated between instances. Also
added support for globals section to mjsunit's
WebModuleBuilder as a prerequisite.
BUG=
Review-Url: https://codereview.chromium.org/2296993002
Cr-Commit-Position: refs/heads/master@{#39028}
If the input of grow-memory was not representable as a SMI, then the
input was not passed correctly to the runtime, which caused a crash.
With this CL the input of grow-memory is checked before the runtime is
called.
R=titzer@chromium.org, gdeepti@chromium.org
TEST=mjsunit/wasm/grow-memory.js:testGrowMemoryTrapsWithNonSmiInput()
Review-Url: https://codereview.chromium.org/2288773002
Cr-Commit-Position: refs/heads/master@{#39022}
With this CL we use isolate->native_context() to provide a context for
the CEntryStub of the runtime call. The native_context() is sufficient
here because Runtime::kWasmThrowTypeError does not use the context.
R=titzer@chromium.org
TEST=mjsunit/wasm/ffi-error.js
BUG=chromium:639492
Review-Url: https://codereview.chromium.org/2291043002
Cr-Commit-Position: refs/heads/master@{#39014}
Tail calls don't make sense from async functions and generators, as
each activation of these functions needs to make a new, distnict,
non-reused generator object. These tail calls are not required per
spec. This patch disables both syntactic and implicit tail calls
in async functions and generators.
R=neis
BUG=v8:5301,chromium:639270
Review-Url: https://codereview.chromium.org/2278413003
Cr-Commit-Position: refs/heads/master@{#38986}
This removes test/webkit/fast/js/stack-overflow-arrity-catch.js, which tests that the stack overflows in a very particular way. It doesn't seem to test anything important, and only used to work because we didn't inline into try-blocks.
BUG=
R=jarin
Review-Url: https://codereview.chromium.org/2216353002
Cr-Commit-Position: refs/heads/master@{#38976}
- Make constants more interesting.
- Add an addition to be done after the inlined call in the try-block.
- On command line, have a bit more output.
- New alternative that deopts from unoptimized code.
BUG=
R=jarin
Review-Url: https://codereview.chromium.org/2285743002
Cr-Commit-Position: refs/heads/master@{#38974}
These tests were spliced out of changelist 2216353002 and extended.
BUG=
Review-Url: https://codereview.chromium.org/2245263003
Cr-Commit-Position: refs/heads/master@{#38906}
Reason for revert:
Octane/Mandreel aborts with an exception now:
TypeError: __FUNCTION_TABLE__[(r2 >> 2)] is not a function
Original issue's description:
> [turbofan] Insert dummy values when changing from None type.
>
> Currently we choose the MachineRepresentation::kNone representation for
> values of Type::None, and when converting values from the kNone representation
> we use "impossible" conversions that will crash at runtime. This
> assumes that the impossible conversions should never be hit (the only
> way to produce the impossible values is to perform an always-failing
> runtime check on a value, such as Smi-checking a string). Note that
> this assumes that the runtime check is executed before the impossible
> convesrion.
>
> Introducing BitwiseOr type feedback broke this in two ways:
>
> - we always pick Word32 representation for bitwise-or, so the
> impossible conversion does not trigger (it only triggers with
> None representation), and we could end up with unsupported
> conversions from Word32.
>
> - even if we inserted impossible conversions, they are pure conversions.
> Since untagging, bitwise-or operations are also pure, we could hoist
> all these before the smi check of the inputs and we could hit the
> impossible conversions before we get to the smi check.
>
> This CL addresses this by just providing dummy values for conversions
> from the Type::None type. It also removes the impossible-to-* conversions.
>
> BUG=chromium:638132
>
> Committed: https://crrev.com/c83b21ab755f1420b6da85b3ff43d7e96ead9bbe
> Cr-Commit-Position: refs/heads/master@{#38883}
TBR=mstarzinger@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:638132
Review-Url: https://codereview.chromium.org/2280613002
Cr-Commit-Position: refs/heads/master@{#38893}
There's no point in running the LoadElimination on asm.js functions and
it would take serious amount of effort to actually make it correct for
the deprecated parts of the pipeline.
R=jarin@chromium.org
BUG=v8:5308
Review-Url: https://codereview.chromium.org/2276273002
Cr-Commit-Position: refs/heads/master@{#38884}
Currently we choose the MachineRepresentation::kNone representation for
values of Type::None, and when converting values from the kNone representation
we use "impossible" conversions that will crash at runtime. This
assumes that the impossible conversions should never be hit (the only
way to produce the impossible values is to perform an always-failing
runtime check on a value, such as Smi-checking a string). Note that
this assumes that the runtime check is executed before the impossible
convesrion.
Introducing BitwiseOr type feedback broke this in two ways:
- we always pick Word32 representation for bitwise-or, so the
impossible conversion does not trigger (it only triggers with
None representation), and we could end up with unsupported
conversions from Word32.
- even if we inserted impossible conversions, they are pure conversions.
Since untagging, bitwise-or operations are also pure, we could hoist
all these before the smi check of the inputs and we could hit the
impossible conversions before we get to the smi check.
This CL addresses this by just providing dummy values for conversions
from the Type::None type. It also removes the impossible-to-* conversions.
BUG=chromium:638132
Review-Url: https://codereview.chromium.org/2266823002
Cr-Commit-Position: refs/heads/master@{#38883}
This patch fixes up one last case of redundant ExceptionEvents being
triggered in the debugger for Promises--it makes the default reject
handler for Promises (e.g., if the second argument for
Promise.prototype.then is missing) appear to the debugger as a
rethrow.
R=adamk@chromium.org,jgruber@chromium.org
BUG=v8:5167
Review-Url: https://codereview.chromium.org/2278643002
Cr-Commit-Position: refs/heads/master@{#38876}
Unfortunately, I was unable to produce a repro without asm.js. In normal
JavaScript, the bounds check renaming saves us.
I have not done anything about the index variable aliasing and handling
of differently sized elements yet!
BUG=chromium:639210, v8:5266
Review-Url: https://codereview.chromium.org/2270793004
Cr-Commit-Position: refs/heads/master@{#38874}
This preserves the original shared code of the underlying function when
bytecode is provided. The method in question should only ensure bytecode
is present, but should avoid switching compilation tiers of the given
function. It might be that the function was fast-tracked to baseline by
inlining without going through the interpreted tier first.
R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-635923
BUG=chromium:635923
Review-Url: https://codereview.chromium.org/2278543002
Cr-Commit-Position: refs/heads/master@{#38866}
Don't bother using %_IsJSReceiver, which immediately gets lowered to
ObjectIsReceiver anyways (by the JSIntrinsicLowering), but requires
some complicated rewiring of effect/control chains.
R=mstarzinger@chromium.org
BUG=chromium:640369
Review-Url: https://codereview.chromium.org/2271973003
Cr-Commit-Position: refs/heads/master@{#38864}
To make async/await catch prediction work well, this patch regularizes
the exception events sent to DevTools from various places in the Promise
lifecycle. The core is that there should be an exception event when the
rejection first starts, rather than when it is propagated.
- Several cases within Promise code which propagate errors are
modified to not trigger a new ExceptionEvent in that case, such
as .then on a rejected Promise and returning a rejected Promise
from .then, as well as Promise.race and Promise.all.
- Make Promise.reject() create an ExceptionEvent, subject to catch
prediction based on the Promise stack. This is important
so that, e.g., if "await Promise.reject()" will trigger a new
throw (rather than a silent rethrow of something that never
triggered an event in the first place).
BUG=v8:5167
Review-Url: https://codereview.chromium.org/2244003003
Cr-Commit-Position: refs/heads/master@{#38847}
This makes sure the deoptimizer picks bytecode prepared for debugging
when materializing an interpreted frame if one is available. This is
normally done by the interpreter entry trampoline and hence needs to be
replicated by the deoptimizer.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2271443003
Cr-Commit-Position: refs/heads/master@{#38815}
Make use of %IsAsmWasmCode in place of Wasm.instantiateModuleFromAsm,
in order to reduce the surface area of the Wasm object,
and to focus on testing asm.js coming in via the parser.
Ignore extra CONST_LEGACY assignment introduced by the parser
when modules have the form:
(function Foo(a, b, c) {..});
This requires both a validator and AsmWasmBuilder change.
Move stdlib use collection to import time,
to reject modules that import a function, even if not used.
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org
Review-Url: https://codereview.chromium.org/2264913002
Cr-Commit-Position: refs/heads/master@{#38806}
This flag was shipped on in 52, so it's due for removal. The patch includes
removing the deprecated and unused-in-Blink API Promise::Chain, and many
test updates.
R=adamk@chromium.org
BUG=v8:4633
Review-Url: https://codereview.chromium.org/2267033002
Cr-Commit-Position: refs/heads/master@{#38804}
Includes fast paths in the runtime for
DictionaryElementsAccessor, FastSmiOrObjectElementsAccessor,
FastDoubleElementsAccessor, TypedElementsAccessor, and
SloppyArgumentsElementsAccessor.
BUG=
Review-Url: https://codereview.chromium.org/2232063002
Cr-Commit-Position: refs/heads/master@{#38800}
This detects loops with integer decrements.
Drive-by fix: Add lower bounds to lower_bounds
zone vector instead of upper_bounds.
BUG=
Review-Url: https://codereview.chromium.org/2260153002
Cr-Commit-Position: refs/heads/master@{#38772}
Record which asm.js stdlib members are used and add a check that NaN is actually correctly set. Other stdlib members to be added in a later change.
Also add a stdlib argument to Wasm.instantiateModuleFromAsm, in preparation for that function to be replaced by normal asm.js instantiation.
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org
Review-Url: https://codereview.chromium.org/2251433002
Cr-Commit-Position: refs/heads/master@{#38760}
Unify the representation selection rules for NumberAdd/Subtract and
SpeculativeNumberAdd/Subtract wrt. Int32Add/Sub selection. We can
safely use Int32Add/Sub as long as the inputs are in the safe additive
integer range and the output is either truncated to Word32 or provably
in Signed32 or Unsigned32 range.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2253293005
Cr-Commit-Position: refs/heads/master@{#38746}
As required by the spec, ToJS now throws a TypeError fit I64 values
instead of truncating the I64 value to I32. To throw a TypeError I
introduced a new runtime function because the existing
Runtime::kThrowWasmError does not throw a TypeError. Since we have calls
to two runtime functions now, and an additional one is needed for stack
checks, I extracted the call to runtime functions into a helper function.
R=titzer@chromium.org
TEST=mjsunit/wasm/ffi-error.js:I64InSignatureThrows
Review-Url: https://codereview.chromium.org/2254803002
Cr-Commit-Position: refs/heads/master@{#38718}
This fixes canonicalization of {SharedFunctionInfo} objects in the
{Compiler::GetSharedFunctionInfo} method when bytecode is preserved.
Eager compilation is only triggered when no code is present.
R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-638551
BUG=chromium:638551
Review-Url: https://codereview.chromium.org/2245263006
Cr-Commit-Position: refs/heads/master@{#38709}
Ensures SMI values have SMI type even if they have a dot (e.g., 1.0).
Adds SMI_WITH_DOT type to maintain this.
BUG=chromium:638134
Review-Url: https://codereview.chromium.org/2248693005
Cr-Commit-Position: refs/heads/master@{#38698}
This fixes the case where a module is instantiated twice via the same
closure when in the meantime another closure has destroyed and removed
the WASM data attached to the SharedFunctionInfo.
R=bradnelson@chromium.org
TEST=mjsunit/asm/asm-validation
BUG=v8:4203
Review-Url: https://codereview.chromium.org/2253613004
Cr-Commit-Position: refs/heads/master@{#38696}
Reason for revert:
WebGL tests have been updated and rolled (at https://codereview.chromium.org/2227023002), so this should no longer fail outdated tests.
Original issue's description:
> Revert of Amend DataView, ArrayBuffer, and TypedArray methods to use ToIndex. (patchset #8 id:140001 of https://codereview.chromium.org/2090353003/ )
>
> Reason for revert:
> Speculative revert to unblock roll: https://codereview.chromium.org/2107223003/
>
> Original issue's description:
> > Amend DataView, ArrayBuffer, and TypedArray methods to use ToIndex.
> >
> > The spec was modified to relax some requirements which implementors had not been
> > enforcing. Part of this process involved introducing a new abstract operation
> > ToIndex, which had partial overlap with our existing semantics as well as some
> > differences (most notably treating undefined as 0). Test262 tests were introduced to
> > check for the new semantics, some of which we were failing. This patch amends the
> > parts of our implementation corresponding to specification algorithms which use
> > ToIndex to follow its semantics precisely.
> >
> > BUG=v8:4784,v8:5120
> >
> > Committed: https://crrev.com/09720349ea058d178521ec58d0a5676443a5a132
> > Cr-Commit-Position: refs/heads/master@{#37406}
>
> TBR=littledan@chromium.org,adamk@chromium.org,bakkot@google.com
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:4784,v8:5120
>
> Committed: https://crrev.com/b1f7f1f4e41a723d5f997738a07e35a031713b8f
> Cr-Commit-Position: refs/heads/master@{#37417}
TBR=littledan@chromium.org,adamk@chromium.org,hablich@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:4784,v8:5120
Review-Url: https://codereview.chromium.org/2247073004
Cr-Commit-Position: refs/heads/master@{#38689}
Our previous per-arch instantiation thunks for asm.js
didn't support modules that had or were called with anything other
than 3 arguments. Adding support for this.
Addding a runtime test method to check if asm validation succeeded.
Adding a test of validation with different argument count combinations.
R=mstarzinger@chromium.org
TEST=mjsunit/asm/asm-validator.js
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
Review-Url: https://codereview.chromium.org/2229723002
Cr-Commit-Position: refs/heads/master@{#38688}
Async functions are implemented via special generator functions; special in the
sense that they generally do not immediately yield. However, our generators
implementation still assumed that every generator function initially yields
(concretely: before doing the state dispatch in a loop header). This CL fixes
that.
R=littledan@chromium.org, rmcilroy@chromium.org
BUG=chromium:638019
Review-Url: https://codereview.chromium.org/2253033002
Cr-Commit-Position: refs/heads/master@{#38684}
At the moment, two NumberConstant nodes get different type even if their
value is the same because we always allocate a new heap number for
each number constant. This can lead to replacing a node with a node of
disjoint type in value numbering, which can result in incorrect code
down the line because of inconsistent types.
This fix makes sure that we only replace a node with a sub-type
node. Once we introduce a proper type for number constants, we can
move back to the intersection typing in value numbering.
Unfortunately, it is quite hard to write a repro for this because we cache NumberConstant nodes. We only throw away cached values that have too many conflicts (>5), so the test has to contain values that fall into the same bucket. That's where the magic floating point numbers in the test come from (they have the same low 8-bits of their hashes).
BUG=chromium:633497
Review-Url: https://codereview.chromium.org/2251833002
Cr-Commit-Position: refs/heads/master@{#38675}
Properly deoptimize if the left hand side of a CheckedInt32Mod is
negative and the result of the operation is zero.
R=jarin@chromium.org
BUG=v8:5286
Review-Url: https://codereview.chromium.org/2243803002
Cr-Commit-Position: refs/heads/master@{#38615}
This bug was triggered by a very specific combination:
* A context-allocated variable at script scope.
* OSR optimization.
* A scheduled breakpoint, which triggers at stack checks.
Stack checks differ from other possible breakpoint locations in that
the context (among other things) may be in a register and not on the
stack, making it impossible to recover during deoptimization. The
frame_inspector then returns undefined when asked for the context.
In GetFrameDetails, handle this case by omitting all context-allocated
variables.
BUG=v8:5279
Review-Url: https://codereview.chromium.org/2245603002
Cr-Commit-Position: refs/heads/master@{#38611}
This adds a very first version of inlined Array.prototype.pop into
TurboFan optimized code. We currently limit the inlining to fast
object or smi elements, until the unclear situation around hole NaNs
is resolved and we have a clear semantics inside the compiler.
It's also probably overly defensive in when it's safe to inline
the call to Array.prototype.pop, but we can always extend that
later once we have sufficient trust in the implementation and see
an actual need to extend it.
BUG=v8:2229,v8:3952,v8:5267
R=epertoso@chromium.org
Review-Url: https://codereview.chromium.org/2239703002
Cr-Commit-Position: refs/heads/master@{#38578}
With this CL all kinds of Callable can imported into wasm. Please take a special look at the context that is used now in the WasmToJSWrapper.
BUG=633895
TEST=mjsunit/wasm/ffi.js
Review-Url: https://codereview.chromium.org/2208703002
Cr-Commit-Position: refs/heads/master@{#38569}
This patch adds additional tests for async functions and generators, in how
they interact with destructuring, default arguments and shadow parameter
copying.
BUG=v8:5167
Review-Url: https://codereview.chromium.org/2229243002
Cr-Commit-Position: refs/heads/master@{#38560}
This switches the interface of the runtime profiler to use frames as
opposed to functions for performing on-stack replacement. Requests for
such replacements need to target a specific frame. This will enable us
to activate bytecode as well as baseline code for the same function.
The existing %OptimizeOsr runtime function also had to adapted and now
takes an optional stack depth to target a specific stack frame.
R=bmeurer@chromium.org
BUG=v8:4764
Review-Url: https://codereview.chromium.org/2230783004
Cr-Commit-Position: refs/heads/master@{#38548}
The scopes of suspended generators can now be accessed through GeneratorMirror
(similar to FrameMirror).
BUG=v8:5235
Review-Url: https://codereview.chromium.org/2228393002
Cr-Commit-Position: refs/heads/master@{#38530}
We now deopt when the lhs of a mod is negative and the rhs is 1 too (previously, we erroneusly returned 0 instead of -0).
BUG=v8:5278
R=bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2233713002
Cr-Commit-Position: refs/heads/master@{#38525}
For holey/growing keyed stores, we need to check that there are no
setters in the prototype chain and protect against changes to that
via code dependencies.
R=verwaest@chromium.org
BUG=v8:5275,v8:5276
Review-Url: https://codereview.chromium.org/2231683002
Cr-Commit-Position: refs/heads/master@{#38514}
When we compile a growing store in TurboFan, we don't pass a (native)
context to the %GrowArrayElements fallback function, as the whole logic
is actually context independent. However, that means that we need to
bailout early in case the object is a prototype, which requires context
dependent checks in the array protector code.
R=cbruni@chromium.org
BUG=chromium:635798
Review-Url: https://codereview.chromium.org/2224253003
Cr-Commit-Position: refs/heads/master@{#38491}