Commit Graph

45262 Commits

Author SHA1 Message Date
Michael Starzinger
bf19e60cc5 [platform] Remove {PageAllocator::kReadWriteExecute}.
Now that write-protection of code memory is enabled everywhere and V8 is
fully W^X compliant, we can remove the permission mode in question.

R=hpayer@chromium.org
BUG=v8:6792

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I80fe95ac6bb0e2d1ad6d993154ce45d492d941be
Reviewed-on: https://chromium-review.googlesource.com/866855
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50770}
2018-01-22 16:39:05 +00:00
Michael Lippautz
6f55fdc82f [object-stats] Visualizer: Show percentages in details selection
No-try: true
Bug: v8:7266
Change-Id: I778fcf6b8e1abe5eac6e2f0d2600e4c5ec9fe549
Reviewed-on: https://chromium-review.googlesource.com/878821
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50769}
2018-01-22 16:30:05 +00:00
Michal Majewski
edf82ca34d [test] Introduce flag to disable AbortJS function
During GC fuzzing we combine multiple tests and run them inside
a wrapper that needs to ignore all errors/exceptions/asserts to
keep the combined tests running. We will use this flag to ignore
%AbortJS calls.

Bug: v8:6917
Change-Id: Ib426a68228cadbea8364c5e1d29c39dd53129481
Reviewed-on: https://chromium-review.googlesource.com/857514
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michał Majewski <majeski@google.com>
Cr-Commit-Position: refs/heads/master@{#50768}
2018-01-22 15:52:35 +00:00
Michal Majewski
b5e6a1517e [test] Add stress deopt to num fuzzer
Bug: v8:6917
Change-Id: I9f23515de0a1ae89babe41a42ab37fb2dfb67b48
Reviewed-on: https://chromium-review.googlesource.com/876324
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50767}
2018-01-22 15:45:56 +00:00
Michael Lippautz
021f02b579 [object-stats] Add virtual types
- JSObject: Record elements and properties
- JSCollection: Record table
- Record global caches

Bug: v8:7266
Change-Id: I16b2eb511bed3dc0fb6f7af0e7037c6d42f03885
Reviewed-on: https://chromium-review.googlesource.com/878326
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50766}
2018-01-22 15:37:59 +00:00
Andreas Haas
9f7fb728f8 [wasm] Abort AsyncCompileJobs when a Chrome tab refreshes
When a tab in Chrome gets refreshed, the refreshed page reuses the
isolate of the original page. This means that at the moment,
AsyncCompileJobs which were started on the original page do not get
aborted and will therefore eventually finish and resolve their promise.
With this CL I abort all running AsyncCompileJobs when V8 gets the tab
refresh signal, i.e. Isolate::ContextDisposedNotification. Note that I
cannot just call CompilationManager::TearDown because it assumes that
there are no pending tasks anymore.

R=clemensh@chromium.org, hpayer@chromium.org

Bug: chromium:803476
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I88d28fdaba6f55b7aa7379c4b5338ae62134fc8a
Reviewed-on: https://chromium-review.googlesource.com/875923
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50765}
2018-01-22 15:20:52 +00:00
Michael Achenbach
174485e9c8 [test] Add master/buildermap to prepare rollout of test processors
Bug: v8:7343
Change-Id: I673a490e04f7bae56199591db69b7f1c84022fc0
Reviewed-on: https://chromium-review.googlesource.com/878541
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50764}
2018-01-22 15:15:32 +00:00
Clemens Hammacher
d3a4d15f5e [assembler] Unify RelocInfo::NONE32 and NONE64
This reloc mode is never encoded, so there is no reason to
differentiate between 32 and 64 bit.
Both are now replaced by RelocInfo::NONE.

R=mstarzinger@chromium.org

Change-Id: I054d99c7dc41f99729fa33617a6f47301b4a31e7
Reviewed-on: https://chromium-review.googlesource.com/878401
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50763}
2018-01-22 15:09:32 +00:00
Sigurd Schneider
efc3f5ff5a [turbofan] Refactor fast-path of String.p.charAt/charCodeAt/codePointAt
Bug: chromium:800594, v8:7092, v8:7270, v8:7270
Change-Id: I30b69b51f793030c6f8a031a88d2dbb26a79d2bf
Reviewed-on: https://chromium-review.googlesource.com/859780
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50762}
2018-01-22 14:49:42 +00:00
Peter Marshall
2cfacb743d [typedarray] Use native context in elements accessor.
A check will fail if the context passed in is not a native context.
Change the code to get the native context from the passed context.

Bug: chromium:804288
Change-Id: Iad314a3dd170355cf524b9230a692a6329564f8a
Reviewed-on: https://chromium-review.googlesource.com/878324
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50761}
2018-01-22 14:27:22 +00:00
Clemens Hammacher
1827b842b9 [assembler][ia32] Fix redundant condition
Immediate::is_zero already checks the reloc info to be none, so the
additional check is redundant.

R=tebbi@chromium.org

Change-Id: I3ec91fe60e8c659b2f38fda0123784a69e4bcbe9
Reviewed-on: https://chromium-review.googlesource.com/878321
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50760}
2018-01-22 14:20:27 +00:00
Michael Starzinger
25ecc45f81 [heap] Remove --write-protect-code-memory feature flag.
R=hpayer@chromium.org
BUG=v8:6792

Change-Id: Id3413994de603dac1b7501c6fe376cdac1f9d7ce
Reviewed-on: https://chromium-review.googlesource.com/866851
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50759}
2018-01-22 14:19:22 +00:00
Clemens Hammacher
d414d80d25 [wasm] Fix printing of reloc info on the native heap
Tag RelocInfo which belongs to native wasm code, and fix printing to
not try to access the Code object for CODE_TARGET, but rather just
print "(wasm trampoline)".

Bug: chromium:801785

R=mstarzinger@chromium.org

Change-Id: I84a37f0c48ed7397cccf677b4d0f0352e5aceb9d
Reviewed-on: https://chromium-review.googlesource.com/875271
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50758}
2018-01-22 13:49:21 +00:00
Leszek Swirski
41b80eeffd [compiler] Propagate liveness across suspends
Suspend points (inside generators and async functions) have slightly
funky semantics when it comes to liveness, as they save and restore a
chunk of the register file as-is. In particular, this means that
granular liveness information is lost, as it is assumed that all
registers in that chunk of the register file are live in a suspend.

Rather than marking that entire chunk of registers as live/dead in
suspend/restore, we can instead pattern-match the set of bytecodes in a
suspend point, and propagate liveness across them. This tightens
liveness estimates, and could be used to optimize which values TurboFan
actually saves when suspending.

Bug: chromium:798137
Change-Id: I5840cdbfc2c6edb1d3a48cf025f52615b629cdfc
Reviewed-on: https://chromium-review.googlesource.com/848895
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50757}
2018-01-22 13:15:21 +00:00
Clemens Hammacher
e40a968dd2 [Liftoff] Implement indirect calls
This CL adds support for indirect calls.

R=titzer@chromium.org

Bug: v8:6600
Change-Id: Ia29b87fa1f7be873cd722f934b8007c38794dceb
Reviewed-on: https://chromium-review.googlesource.com/877884
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50756}
2018-01-22 13:13:01 +00:00
Michael Starzinger
f30a86c8d3 [wasm] Fix lazy compilation with native-heap code.
This fixes a corner-case with lazy compilation in WebAssembly where
native-heap code did not expect to see WASM-to-JS wrappers in tables.

R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-803788
BUG=chromium:803788

Change-Id: Ie44b5c9efe2b171e1915295bb95d6cb61dfab3dc
Reviewed-on: https://chromium-review.googlesource.com/878262
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50755}
2018-01-22 13:11:11 +00:00
Michael Achenbach
4224421622 [test] Add swarming option to numfuzz
This is added only to uniformly call all tools by the infra side.

NOTRY=true
TBR=sergiyb@chromium.org

Bug: v8:6917
Change-Id: I85a14ea51abfe1bfc775fd73d2fee02bfb2fb31e
Reviewed-on: https://chromium-review.googlesource.com/878361
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50754}
2018-01-22 12:48:11 +00:00
Michael Achenbach
7497fa1ab6 [test] Add rerun and json output to numfuzz
This adds flags to numfuzz for rerunning flaky tests and for storing
json test results. With those flags added, the infra-side can call
numfuzz with the same API as the standard test-runner.

TBR=sergiyb@chromium.org

Bug: v8:6917
Change-Id: I02d1cd02d90677c83f10e072383f3650c041cab1
Reviewed-on: https://chromium-review.googlesource.com/877890
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50753}
2018-01-22 12:26:36 +00:00
Sigurd Schneider
9e47513ae2 [turbofan] Fix deoptimization framestate in A.p.reduce[Right]
Array.prototype.reduce[Right] used a lazy deoptimization frame
state for an eager deopt point.

Bug: v8:7336, chromium:804096
Change-Id: I720f9e049bd6b396e025fa59192fdbc6b4f18647
Reviewed-on: https://chromium-review.googlesource.com/878120
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50752}
2018-01-22 12:14:06 +00:00
Michael Starzinger
afb42cb35e [liftoff] Fix std::array initializer list.
R=clemensh@chromium.org

Change-Id: I545b1826be1566f7ce1ed6ad920fac0746a0dca9
Reviewed-on: https://chromium-review.googlesource.com/878161
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50751}
2018-01-22 11:36:04 +00:00
Sigurd Schneider
58881f1144 [turbofan] Widen fast-path in Array.p.pop/shift
Allow mixing smi/object packed/unpacked maps in A.p.pop/shift.
Beforehand, mixing smi and object maps caused a deopt.

Bug: v8:7205, v8:7340
Change-Id: Ifec021791e98589be4a56fe97d3cc003f0fb6393
Reviewed-on: https://chromium-review.googlesource.com/878121
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50750}
2018-01-22 10:54:33 +00:00
Andreas Haas
56fe24372c [wasm][streaming] Do not reject promise upon abort without reason
This is the V8 side change of crrev.com/c/876103.

Message:
It can happen that WebAssembly.compileStreaming gets aborted when we
are not allowed to execute JavaScript code, and therefore are also not
allowed to reject the promise returned by WebAssembly.compileStreaming.
This can happen e.g. when the Chrome tab gets refreshed, which aborts
all downloads.

With this CL we do not pass a reason to Abort if we are not allowed to
execute JavaScript code. On the V8 side we can check the reason passed
to Abort and do not reject the promise if there is no reason passed.

CC=mtrofin@chromium.org
R=titzer@chromium.org

Bug: chromium:803838
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ie5cc85c72b60383e9221318c18a4e1812d230692
Reviewed-on: https://chromium-review.googlesource.com/876091
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50749}
2018-01-22 10:47:23 +00:00
Leszek Swirski
5cef3ddd5f [ignition] Make SuspendGenerator return
Instead of requiring the pattern that a SuspendGenerator must be
followed by a Return, make SuspendGenerator return directly. This can,
in the future, simplify some of the reasoning around generator suspends.

Change-Id: I94c0156a89dc0e1c0bc306bc57acf766f3b4deb5
Reviewed-on: https://chromium-review.googlesource.com/857463
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50748}
2018-01-22 10:42:49 +00:00
Michael Achenbach
9d7c40ea76 [test] Fail when no tests are run
TBR=sergiyb@chromium.org

Bug: v8:7337
Change-Id: I1732f6e587305ce4ab41a65f73e943c7eb9e1d15
Reviewed-on: https://chromium-review.googlesource.com/877760
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50747}
2018-01-22 09:57:53 +00:00
Jakob Gruber
e5ecb24859 Revert "Reland: Reimplement Object.entries/values as CSA to optimize performance."
This reverts commit 03e9d415c2.

Reason for revert: Correctness issues, see https://crbug.com/804159.

Bug: chromium:804159

Original change's description:
> Reland: Reimplement Object.entries/values as CSA to optimize performance.
> 
> Add Object.entries/values builtins to debug-evaluate.cc whitelist macro.
> This fix revert commit of https://chromium-review.googlesource.com/c/v8/v8/+/859937
> Original is https://chromium-review.googlesource.com/c/v8/v8/+/810504
> >> Reimplements Object.entries/values as CSA to optimize performance. See more detail about https://bugs.chromium.org/p/v8/issues/ Issue 6804.
> 
> This reverts commit 1b49f725ac.
> 
> Bug: v8:6804
> Change-Id: I57e8b66e1c4ece2abb52e1630a97fbfd4070d810
> Reviewed-on: https://chromium-review.googlesource.com/860679
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50492}

TBR=yangguo@chromium.org,cbruni@chromium.org,jgruber@chromium.org,ishell@chromium.org,brn@b6n.ch

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:6804
Change-Id: I39b1854ca7c2f57819ba377f84560356d3756bfb
Reviewed-on: https://chromium-review.googlesource.com/877886
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50746}
2018-01-22 09:47:43 +00:00
Michael Lippautz
8889faec94 [object-stats] Add overall counter to viewer
No-try: true
Bug: v8:7266
Change-Id: If1f67688e46e443f8e9e38f5481ce591213d2228
Reviewed-on: https://chromium-review.googlesource.com/877883
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50745}
2018-01-22 09:28:33 +00:00
Peter Marshall
096db4f06b [typedarray] Port the TypedArray constructor dispatcher to CSA.
Bug: v8:7102
Change-Id: Id37799cdf989558ca4f771d451f4b45cbf7123bf
Reviewed-on: https://chromium-review.googlesource.com/787434
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50744}
2018-01-22 09:20:14 +00:00
Mostyn Bramley-Moore
b0ac8a1afe [jumbo] avoid RejectPromise and ResolvePromise symbol clashes
These functions are duplicated in module-compiler.cc and therefore
cause jumbo build failures. It looks like this is planned to be
refactored later by titzer.  So let's just give them new names for
now, to unbreak jumbo builds.

Bug: v8:7316
Change-Id: I4ba0c8dcc8474a4b02a47c16f2da77650861cfe4
Reviewed-on: https://chromium-review.googlesource.com/877279
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Mostyn Bramley-Moore <mostynb@vewd.com>
Cr-Commit-Position: refs/heads/master@{#50743}
2018-01-22 09:14:14 +00:00
Clemens Hammacher
6b145575d6 [wasm][cleanup] Fix field names in CodeSpecialization
The fields are private, so prepend them with "_".
Drive-by: Replace std::map by std::unordered_map and avoid one
redundant lookup in this map.

R=titzer@chromium.org

Change-Id: Id4aad9bb36ec84daf581a79852d56895fc05429d
Reviewed-on: https://chromium-review.googlesource.com/877882
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50742}
2018-01-22 09:10:48 +00:00
Clemens Hammacher
f921f749c4 [Liftoff][cleanup] Fix naming of private fields
The fields in StackTransferRecipe were public some time ago. Now they
are private, so prepend them with "_".

R=titzer@chromium.org

Bug: v8:6600
Change-Id: Ibb94841871fce4c8eca02cb3c369465183bfa5e0
Reviewed-on: https://chromium-review.googlesource.com/877881
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50741}
2018-01-22 09:09:43 +00:00
Michael Achenbach
954daef6d2 [test] Run benchmarks in more variants
TBR=sergiyb@chromium.org

Bug: v8:7337
Change-Id: Ie2f8f9082d2de65b77d1da11ff3569052bf2aed4
Reviewed-on: https://chromium-review.googlesource.com/877880
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50740}
2018-01-22 08:42:03 +00:00
Michaël Zasso
5592d036a1 [gyp] Port [Liftoff] Introduce LiftoffRegister type
Some header files were removed from the source but the change was not
reflected to v8.gyp.

Bug: v8:6600
Change-Id: I9f952835ea9de36bbc889efb50d63482c10f893f
Reviewed-on: https://chromium-review.googlesource.com/877879
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50739}
2018-01-21 11:47:14 +00:00
v8-autoroll
66b7a269ce Update V8 DEPS.
Rolling v8/build: ec59932..5d0c607

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: I7bcebf5758a5993e3612c779a80f515030e54971
Reviewed-on: https://chromium-review.googlesource.com/877564
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50738}
2018-01-21 04:52:24 +00:00
Michal Majewski
df1b44b63f [test] Fix infinite loop and fail result in the num fuzzer
1. Fix infinite loop caused by time based fuzzing
2. Shallow copy of the result to avoid dropping output
by a different processor.

Bug: v8:6917
Change-Id: Icf823e853be9d3cc8dfd46ed2fb954979bf02d2f
Reviewed-on: https://chromium-review.googlesource.com/877761
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50737}
2018-01-20 20:47:14 +00:00
v8-autoroll
69abb960c9 Update V8 DEPS.
Rolling v8/build: 972ab23..ec59932

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/b4706e7..c4b36e2

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: Idb247907b6f3c1d9f67e8021344a66df57cec969
Reviewed-on: https://chromium-review.googlesource.com/877560
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50736}
2018-01-20 04:58:23 +00:00
Anna Henningsen
55b48798eb [heap-profiler] remove bogus DCHECK
A map’s `constructor_or_backpointer` can be any kind of value,
because `fn.prototype = foo` sets that field to `foo` if the
latter is not a `JSReceiver`; so the `DCHECK` that is being
removed here was invalid.

Refs: https://github.com/nodejs/node/issues/18223
Bug: node:18223
Change-Id: Ia6449c07bb724e515d73b162369ab36ab1d89c6b
Reviewed-on: https://chromium-review.googlesource.com/874472
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50735}
2018-01-19 23:46:51 +00:00
Michal Majewski
fb9e22123d [test] Running num fuzzer for specific time
Bug: v8:6917
Change-Id: I7576a3b8a7fb95244b241532f50759e1c88f6a5a
Reviewed-on: https://chromium-review.googlesource.com/876427
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50734}
2018-01-19 20:05:19 +00:00
Michael Lippautz
e5266c24c3 [gm.py] Use autoninja instead of ninja
Avoids detecting local cores and guessing remote jobs.

No-try: true
Change-Id: I4a825b8dd922802c5f539419313888fd3b21b870
Reviewed-on: https://chromium-review.googlesource.com/876009
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50733}
2018-01-19 19:31:58 +00:00
Mike Stanton
cedc81de4c [Sampling Heap Profiler] Tolerate unmaterialized closure during deopt
Samples taken during deoptimization require care in the stack walk
used to gather frames. The top N stack frames may not have JSFunction
objects in place, because those frames represent inlined functions
which may not have closures yet.

Bug: v8:7314
Change-Id: Ib6488aee46a47d5341cab1b1c9c3851592ba6509
Reviewed-on: https://chromium-review.googlesource.com/870036
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#50732}
2018-01-19 18:55:28 +00:00
Michal Majewski
50a91fe9ee [test] Fix subtest creation
Update flags before recalculating outcomes.

Bug: v8:6917
Change-Id: I5f54f7d14fd60f7e35a976e5200d3f7f0e74a5b7
Cq-Include-Trybots: luci.v8.try:v8_linux64_fyi_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/876364
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michał Majewski <majeski@google.com>
Cr-Commit-Position: refs/heads/master@{#50731}
2018-01-19 18:37:08 +00:00
Michael Achenbach
ab4b237e48 [test] Skip slow tests on gc fuzzer
TBR=sergiyb@chromium.org
NOTRY=true

Bug: v8:6972
Change-Id: I011302ff740dc65ab6a50545ad6e51a2ee32c1bc
Reviewed-on: https://chromium-review.googlesource.com/876094
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50730}
2018-01-19 18:34:38 +00:00
peterwmwong
c1b89d9f37 [builtins] Re-enable Map and WeakMap constructor fast path.
If an entry may have side effects (non-fast JS Array), restart and add all entries in slow path.

- Move allocating and setting table into AddConstructorEntries.
- Move handling non-object map entries into LoadKeyValue.
- AddConstructorEntry and LoadKeyValue go to a label when adding a map entry may have side effects.

Bug: chromium:798026, chromium:799364
Change-Id: I3c28594fc4a8379a106413e19e6df9e83eeb5278
Reviewed-on: https://chromium-review.googlesource.com/874786
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Cr-Commit-Position: refs/heads/master@{#50729}
2018-01-19 18:10:48 +00:00
Michal Majewski
61c562b026 [test] Implement gc fuzzer with test processors
Bug: v8:6917
Change-Id: I2a7ecc6897c8ccd6ed862cf2b0b484673ee359f6
Reviewed-on: https://chromium-review.googlesource.com/871310
Commit-Queue: Michał Majewski <majeski@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50728}
2018-01-19 16:58:49 +00:00
Michael Achenbach
eda125998b [test] Temporarily remove benchmarks from deopt fuzzer
The tests currently time out due to too many deopt points and hence too many
tests generated.

TBR=sergiyb@chromium.org

Bug: v8:6900
Change-Id: I0998097024a4ed9c087728bb5ef288ab17d3371e
Reviewed-on: https://chromium-review.googlesource.com/876322
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50727}
2018-01-19 16:12:58 +00:00
Dan Elphick
08b0ff26c5 Fix Array.of crashing when called with lots of parameters
When the array created would exceed the maximum size for a regular heap
object, instead create it using Runtime::kNewArray directly rather than
via AllocateJSArray.

Bug: chromium:803750
Change-Id: I78cd82edf5a813a2ed69272361e0ca07f864c5ba
Reviewed-on: https://chromium-review.googlesource.com/876011
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50726}
2018-01-19 16:11:18 +00:00
Sigurd Schneider
c509d025c7 [turbofan] Inline StringCharCodeAt like Crankshaft did.
This avoids the call to the StringCharCodeAt builtin from
within TurboFan optimized code and instead emits a loop
that does the character load. This (together with previously
reverted CL to the JSCallReducer) almost completely recovers
the performance regression caused when we shipped TurboFan.

Without untrusted code mitigations the benchmark goes from
580ms to roughly 490ms, and with the patch to the JSCallReducer
the time goes down to 280ms, which is very close to what we
had with Crankshaft.

This also renames the LoadFromString helper method in the
EffectControlLinearizer to LoadFromSeqString to make it
clear what it does.

Bug: v8:7326
Change-Id: I6c77209ae01a3eacbd1e8fd40e4ad842eaf1999a
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/876102
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50725}
2018-01-19 15:16:47 +00:00
Michael Lippautz
7015675a44 [object-stats] Allow zooming in histograms
No-try: true
Tbr: cbruni@chromium.org
Bug: v8:7266
Change-Id: I65ad82a8ae7b2b499ba3f2bf9fbec178edf7616a
Reviewed-on: https://chromium-review.googlesource.com/876202
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50724}
2018-01-19 14:37:27 +00:00
Peter Marshall
d84fc353da Reland "[typedarray] Port ConstructByTypedArray to CSA."
This is a reland of a7c91c778c.

Original change's description:
> [typedarray] Port ConstructByTypedArray to CSA.
> 
> This is needed to easily port the constructor dispatcher to CSA.
> 
> Bug: v8:7102
> Change-Id: I9672416495940ca12088a2980a9ecc61364aef9d
> Reviewed-on: https://chromium-review.googlesource.com/785630
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Peter Marshall <petermarshall@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50671}

Bug: v8:7102
Change-Id: I9d839343d9b95f288f806953455c2c26ca8cab06
Reviewed-on: https://chromium-review.googlesource.com/875031
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50723}
2018-01-19 14:14:56 +00:00
Sigurd Schneider
932dc50fbb [turbofan] Enable Array.p.reduce[Right] for holey arrays
Change-Id: If1a3d08c1fca73234d94db6b527f5d11d10aa6cc
Reviewed-on: https://chromium-review.googlesource.com/867032
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50722}
2018-01-19 13:55:56 +00:00
Michael Achenbach
517221dafd [test] Skip slow test for gc fuzzing
TBR=sergiyb@chromium.org
NOTRY=true

Bug: v8:6972
Change-Id: Iada267047a023cf32e49866dbf46f62311a3445c
Reviewed-on: https://chromium-review.googlesource.com/876123
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50721}
2018-01-19 13:49:26 +00:00