We use signed comparison when we compare the difference
between SP and stack limit to the size we are going to push,
but need to use unsigned comparison when we compare SP and
stack limit directly.
R=mvstanton@chromium.org
Bug: chromium:876210
Change-Id: I3ca5233677c42aebadb78920592a7c6d8e33a825
Reviewed-on: https://chromium-review.googlesource.com/1206870
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55675}
Currently, neither IsSharedCrossOrigin nor IsOpaque is set for an empty
script. Hence an exception thrown from it (e.g., an exception thrown
from native promise implementation) is treated as an error with
blink::kNotSharableCrossOrigin. On the other hand, as the script is
empty, there is no meaningful URL attached, which means the
ExecutionContext's URL is used as the script's name in
blink::SourceLocation::FromMessage. In other words, it works virtually
as same as blink::kSharableCrossOrigin corresponding to
ScriptOriginOptions with IsSharedCrossOrigin set and IsOpaque unset.
With this CL, a ScriptOriginOptions with IsSharedCrossOrigin is set
and IsOpaque is not set is attached to the empty script, as a
preliminary step to deprecate kNotSharableCrossOrigin.
Bug: chromium:875153,chromium:876248
Change-Id: I39279a43994337329b8bd9d28b6ca29f0ac30d9c
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1201689
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55673}
This CL implements a generic baseline version of Array.p.unshift
in Torque, enabling us to remove the JS fall-back.
The elements-accessor fast-path is still used, but the check whether
to use it is also moved to Torque.
Support for sparse JSArrays is removed.
Drive-by change: Small refactoring in builtins-array that will
get extended to other array builtins in a follow-up CL.
R=cbruni@chromium.org, jgruber@chromium.org
Bug: v8:7624
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I7b23ce15e7b922eb333f61a408050dedec77c95a
Reviewed-on: https://chromium-review.googlesource.com/1189902
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55670}
Previously in the JS implementation, this would throw (on property
access) but this new behavior is more in line with how all the other
intl objects work.
Bug: v8:5751, chromium:880697
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I0bd073b2a0a6fc1eacd686083d8f1a72252cea53
Reviewed-on: https://chromium-review.googlesource.com/1207579
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55664}
Use pc relative code on poisoning to allow
relocation of bytecode handler. This is allow
v8_enable_embedded_bytecode_handlers on ppc.
Bug: v8:8068
Change-Id: I6e0a1e961e7e903f0935131cfc190c89c404cf67
Reviewed-on: https://chromium-review.googlesource.com/1205610
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Muntasir Mallick <mmallick@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#55660}
The Math.expm1() function can actually return -0, for example in the
case that -0 is passed to it.
Bug: chromium:880207
Change-Id: If3a7a3a1fb6a18075ba0d7816687dfd831ebe293
Reviewed-on: https://chromium-review.googlesource.com/1205072
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55657}
Allow mocking the limits for ArrayBuffer allocation to simulate operating
system OOM.
Fixes:
- Ensure OS limit > hard limit for external memory. This is necessary as
any processing below the hard limit is opportunistic. E.g. a running
sweeper may stall the current marking (GC) round.
- Immediately process AB allocations when under memory pressure. Otherwise,
the allocations may be stuck in a stalled task. Freeing them upon
adding them to the collector still enables parallelism if possible.
This reverts commit f3ad6cdb9c.
Bug: chromium:845409
Change-Id: Ic3e458f2af231bae3d53afcfd6002a0347d3f12b
Reviewed-on: https://chromium-review.googlesource.com/1206872
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55656}
This switches on a restricted register allocation for all
CSA-generated builtins on ia32, which treats the kRootRegister (=ebx)
as unallocatable.
A few builtins are explicitly excluded. These still need to be fixed
in follow-up CLs. But I'd like to bake this in now to ensure we don't
add more code that cannot handle restricted allocation.
All of this is still behind the (disabled-by-default on ia32)
v8_embedded_builtins configuration.
Bug: v8:6666
Change-Id: If5268aa00439406e1f4e0f7ee18496715a95fdd2
Reviewed-on: https://chromium-review.googlesource.com/1206874
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55654}
An unnecessary call to ToString() on the array index caused trips to
the runtime. The fix also includes performance micro-benchmarks so
we'll have a harder time regressing this case in future.
Bug: v8:8112
Change-Id: Iada5bd2e3c6d2246fb1225e7094f3d9c66ddafbd
Reviewed-on: https://chromium-review.googlesource.com/1206355
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55653}
This mostly pushes code around (from the two specialized public ctors
to the ConfigureFlags method), but does include one behavioral change
in that all builtins/stubs/handlers now disables switch jump tables.
Bug: v8:6666
Change-Id: I801d5bdc7a9c4bcc3bc5eb467a7c049404ffaff0
Reviewed-on: https://chromium-review.googlesource.com/1201785
Reviewed-by: Stephan Herhut <herhut@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55652}
This CL adds static assertions (in Liftoff) and DCHECKs (in wasm
compiler) to validate that the size of loaded fields from the wasm
instance object matches the expected size. This is to avoid future bugs
where we change the size of integer fields and forget to update all
code that uses these fields.
R=titzer@chromium.org
Bug: v8:8130, v8:6600
Change-Id: Ib7273800029135b851c0f0b1ca52886783b61fb0
Reviewed-on: https://chromium-review.googlesource.com/1203836
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55651}
The two bool parameters are used for DCHECks in most places. By
introducing more specialized enumes kAccessorGetterProperty and
kAccessorSetterProperty we can simplify the checks.
Bug: v8:7926
Change-Id: I61023f2da0d96ca5a4fba65c6ead309567144786
Reviewed-on: https://chromium-review.googlesource.com/1202822
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55648}
The main goal is to untangle Liftoff from the TF-based wasm compiler,
but since the AccessBuilder does not simplify anything but rather adds
complexity I also removed it from the wasm compiler.
Instead, we now bottleneck all offset computations through the new
ObjectAccess helper.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: I362b7b889d68e89da8c30d3fad7b5bab07bee5c8
Reviewed-on: https://chromium-review.googlesource.com/1204090
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55646}
Shrink embedded.cc by writing out octa words instead of bytes. This
halves the size of the generated file from 28MB to 14MB in a debug build
and reduces compile times for the file from ~2s to ~0.6s.
Bug: v8:8129
Change-Id: I90893c7732d83f4eeedee964cd81958201e3b05c
Reviewed-on: https://chromium-review.googlesource.com/1204111
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55645}
V8 does not require the embedder to open a HandleScope before executing
a v8::Task. However, d8 does open such a HandleScope. Because of that
HandleScope we repeatedly found missing HandleScopes only in Chrome
tests and not in d8 tests. The same is true for the context, which is
not set when Chrome calls a v8::Task.
With this CL we create a SealHandleScope around the execution of a
v8::Task, and we set the context to nullptr, so that d8 matches Chrome
better.
Ideally d8 would not open a HandleScope in the first place, and would
not set a context. Both make d8 behave different than Chrome and thereby
may hide bugs from our testing infrastructure. However, the
implementation of the InspectorClient requires them. I think the
SealHandleScope and resetting the context is a good workaround at the
moment. Yang, do you know if we can get rid of the context there in the
long run?
R=yangguo@chromium.org
Change-Id: I8df0fabde7dfdcdc630d20af4c68f141ac3a454c
Reviewed-on: https://chromium-review.googlesource.com/1177742
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55644}
Path names in import/export statements are relative to the file they are in.
This fixes the logic and unblocks using the messages test suite on Android,
which has cases importing files from mjsunit, which import more files from
there.
Bug: chromium:866862
Change-Id: I8d2ff645f69b67fbdaf4a622d06308e55298b0ce
Reviewed-on: https://chromium-review.googlesource.com/1206570
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55643}
This CL changes the call-site of SmiLexicographicCompare to a fast
c call instead of a runtime call. The runtime function is not deleted
as it is still used in InnerArraySort.
The test is also moved from mjsunit to cctest, to make removal of the
runtime function easier in the future.
R=cbruni@chromium.org, jgruber@chromium.org
Bug: v8:7382
Change-Id: Ie961eeb094c13018e9ec28b68f7c444d7f889036
Reviewed-on: https://chromium-review.googlesource.com/1201587
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55642}
This CL exposes IteratorBuiltinsAssembler::IterableToList as a builtin
to reduce generated code duplication. This follows up on CL 1201882.
Change-Id: I848e17bd1b6756de9e898e9d2f8c93d99699df07
Reviewed-on: https://chromium-review.googlesource.com/1206470
Commit-Queue: Hai Dang <dhai@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55641}
This is a reland of 1c48d52bb1.
It turned out that IterableToList doesn't always behave according to
the ES operation with the same name. Specifically, it allows holey arrays
to take its fast path, which produces an output array with holes where
actually "undefined" elements should appear.
This CL changes the version of IterableToList that is used for spreads
(IterableToListWithSymbolLookup) such that holey arrays take the slow path.
It also includes tests for such situations.
Original change's description:
> [interpreter] Add bytecode for leading array spreads.
>
> This CL improves the performance of creating [...a, b] or [...a].
> If the array literal has a leading spread, this CL emits the bytecode
> [CreateArrayFromIterable] to create the literal. CreateArrayFromIterable
> is implemented by [IterableToListDefault] builtin to create the initial
> array for the leading spread. IterableToListDefault has a fast path to
> clone efficiently if the spread is an actual array.
>
> The bytecode generated is now shorter. Bytecode generation is refactored
> into to BuildCreateArrayLiteral, which allows VisitCallSuper to benefit
> from this optimization also.
> For now, turbofan also lowers the bytecode to the builtin.
>
> The idiomatic use of [...a] to clone the array a now performs better
> than a simple for-loop, but still does not match the performance of slice.
>
> Bug: v8:7980
>
> Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: Ibde659c82d3c7aa1b1777a3d2f6426ac8cc15e35
> Reviewed-on: https://chromium-review.googlesource.com/1181024
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Commit-Queue: Hai Dang <dhai@google.com>
> Cr-Commit-Position: refs/heads/master@{#55520}
Bug: v8:7980
Change-Id: I0b5603a12d2b588327658bf0a9b214bd0f22e237
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1201882
Commit-Queue: Hai Dang <dhai@google.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55639}
GCC may be buggy in how it handles visibility in this case. The
previous nested implementation resulted in a 'lambda1 declared with
greater visibility than the type of its field lambda2' error.
Unnesting the inner lambda works around the error.
Bug: v8:8126
Change-Id: Id822ca80fec9af27c4adc7ff53be3b6d9478f0d7
Reviewed-on: https://chromium-review.googlesource.com/1206310
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55638}
Corrected register calling syntax in assembler-s390.cc and
test-platform.cc.
Generate_CEntry in builtins-s390.cc expects return buffer to be
preserved in r2, but when built with clang r2 isn't preserved, which breaks
300+ tests. It is fixed by writing r2's value into r8 (preserved)
and loading the value back to r2 after the operation.
Change-Id: I184f0111944b6ad8c0ccc8b97407d702dd97d9d8
Reviewed-on: https://chromium-review.googlesource.com/1204530
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55631}
Since there is no `Value::IsInteger` method in the API, we in the
Node.js project are going to rely on what looks like an implementation
detail of the Integer class. It is currently possible to to call
`Integer::Value` on any Number and the value is cast to an integer.
This commit adds tests for this behavior.
Change-Id: I4de09e7c6e0beac7909e5477f7bfe2ed4c9415b9
Reviewed-on: https://chromium-review.googlesource.com/1200983
Commit-Queue: Michaël Zasso <mic.besace@gmail.com>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55629}
Port CreateBreakIterator and BreakIterator.prototype.resolvedOptions to
C++, refactoring the entire class into another one called
JSV8BreakIterator that would be a subclass of JSObject.
TBR: benedikt@chromium.org
Bug: v8:8111
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I9bd1d82ec34b210c8ed59ea6576548d45a34b8d5
Reviewed-on: https://chromium-review.googlesource.com/1198946
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55627}