Commit Graph

27667 Commits

Author SHA1 Message Date
Benedikt Meurer
d0cfc9bfb8 [turbofan] Support inline receiver allocation for class constructors.
There's actually no need to restrict the inline allocation of
receivers for class constructors anymore; the relevant issues
were addressed in the compiler and runtime several weeks ago.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1532453004

Cr-Commit-Position: refs/heads/master@{#32925}
2015-12-17 05:46:37 +00:00
zhengxing.li
e0a3ff0f5c X87: [proxies] fix access issue when having proxies on the prototype-chain of global objects.
port 2c75e3d2ab (r32903)

  original commit message:
  We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code
  without access-checks (see proxies-cross-realm-ecxeption.js).

BUG=

Review URL: https://codereview.chromium.org/1534663002

Cr-Commit-Position: refs/heads/master@{#32924}
2015-12-17 04:48:27 +00:00
v8-autoroll
23384259d5 Update V8 DEPS.
Rolling v8/third_party/android_tools to f4c36ad89b2696b37d9cd7ca7d984b691888b188

Rolling v8/tools/clang to 67c5521f1878f7929f8f0afc74b31627b3bbffb3

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review URL: https://codereview.chromium.org/1530413002

Cr-Commit-Position: refs/heads/master@{#32923}
2015-12-17 04:47:26 +00:00
zhengxing.li
da4a7325c0 X87: [Interpreter] Save bytecode offset in interpreter stack frames.
port 025d476cf5 (r32906)

  original commit message:
  Adds a slot for the bytecode offset to interpreter stack frames and
  saves it on calls, and restores after calls.

  Also fixes RawMachineAssembler::Return() to call MergeControlToEnd.

BUG=

Review URL: https://codereview.chromium.org/1535613003

Cr-Commit-Position: refs/heads/master@{#32922}
2015-12-17 04:46:26 +00:00
balazs.kilvady
bc55af3c97 MIPS: Fix [proxies] fix access issue when having proxies on the prototype-chain of global objects.
Port 2c75e3d2ab

Original commit message:
We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js).

BUG=

Review URL: https://codereview.chromium.org/1526253006

Cr-Commit-Position: refs/heads/master@{#32921}
2015-12-16 20:49:07 +00:00
mbrandy
c36a1b978c PPC: [Interpreter] Save bytecode offset in interpreter stack frames.
Port 025d476cf5

Original commit message:
    Adds a slot for the bytecode offset to interpreter stack frames and
    saves it on calls, and restores after calls.

    Also fixes RawMachineAssembler::Return() to call MergeControlToEnd.

R=rmcilroy@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1531873002

Cr-Commit-Position: refs/heads/master@{#32920}
2015-12-16 20:45:01 +00:00
mbrandy
9418a710c1 PPC: [turbofan] Change TruncateFloat32ToUint64 to TryTruncateFloat32ToUint64.
Port 97161a29ed

Original commit message:
    TryTruncateFloat32ToUint64 converts a float32 to a uint64. Additionally it
    provides an optional second return value which indicates whether the conversion
    succeeded (i.e. float32 value was within uint64 range) or not.

    Additionally I fixed a bug on x64 and mips64 in the implementation of
    TryTruncateFloat64ToUint64. Cases where the input value was between -1 and 0
    were handled incorrectly.

R=ahaas@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1533613002

Cr-Commit-Position: refs/heads/master@{#32919}
2015-12-16 20:18:33 +00:00
mbrandy
fab09bbbc5 PPC: Reland "[turbofan] Instruction scheduler for Turbofan."
Port 89bb66de85

Original commit message:
    Original CL: https://codereview.chromium.org/1375253002/

    Implement machine instruction scheduling after instruction selection.

R=baptiste.afsa@arm.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1534433004

Cr-Commit-Position: refs/heads/master@{#32918}
2015-12-16 20:12:44 +00:00
mbrandy
9fc48575a3 PPC: Fix "[fullcodegen] Add support for %_GetSuperConstructor."
Use appropriate load instruction for 32-bit mode.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:3330
LOG=n

Review URL: https://codereview.chromium.org/1532673002

Cr-Commit-Position: refs/heads/master@{#32917}
2015-12-16 20:11:49 +00:00
mbrandy
4903f82c6a PPC: [turbofan] Make MachineType a pair of enums.
Port bb2a830deb
Port 56673804e0

Original commit messages:
    MachineType is now a class with two enum fields:
    - MachineRepresentation
    - MachineSemantic

    Both enums are usable on their own, and this change switches some places
    from using MachineType to use just MachineRepresentation. Most notably:
    - register allocator now uses just the representation.
    - Phi and Select nodes only refer to representations.

    Store nodes use only MachineRepresentation, not MachineType.

R=jarin@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1523373003

Cr-Commit-Position: refs/heads/master@{#32916}
2015-12-16 20:03:39 +00:00
mbrandy
7c06eaf492 PPC: Fix "[proxies] fix access issue when having proxies on the prototype-chain of global objects."
Port 2c75e3d2ab

R=cbruni@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1530233003

Cr-Commit-Position: refs/heads/master@{#32915}
2015-12-16 19:57:14 +00:00
mbrandy
99b8e7c88d PPC: [turbofan] Change TruncateFloat32ToInt64 to TryTruncateFloat32ToInt64.
Port 28261daa47

Original commit message:
    This operator now provides a second output which indicates whether the
    conversion from float32 to int64 was successful or not. The second output
    returns 0 if the conversion fails, or something else if the conversion succeeds.

    The second output can be ignored, which means that the operator can be used the
    same as the original operator.

R=ahaas@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1530273002

Cr-Commit-Position: refs/heads/master@{#32914}
2015-12-16 19:56:00 +00:00
mythria
a4162898d8 [Interpreter] Add support for Load / Store to Lookup slots.
Adds support for loading and storing lookup variables.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1524803003

Cr-Commit-Position: refs/heads/master@{#32913}
2015-12-16 17:25:00 +00:00
oth
d0304f91ee [Interpreter] Add support for break statements in labelled blocks.
BUG=V8:4280
LOG=N

Review URL: https://codereview.chromium.org/1524893003

Cr-Commit-Position: refs/heads/master@{#32912}
2015-12-16 17:06:30 +00:00
oth
d3168202f5 [Interpreter] Local flow control in the bytecode graph builder.
This change adds support for local control flow when building graphs
from bytecode. The change ensures loops emitted from the bytecode
generator are in natural order so the only back branches are for loops.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1502243002

Cr-Commit-Position: refs/heads/master@{#32911}
2015-12-16 16:29:45 +00:00
mvstanton
6540e736f3 Bugfix: Make sure not to overwrite the empty optimized code map root.
BUG=chromium:568765
LOG=N
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1534453002

Cr-Commit-Position: refs/heads/master@{#32910}
2015-12-16 16:28:02 +00:00
akodat
aeb8073c4a Add Isolate::DiscardThreadSpecificMetadata method to embedder API.
If many threads use the same Isolate (or many Isolates) and then
terminate, their PerIsolateThreadData objects are never cleaned
up, resulting in a slow memory leak and, worse, the
PerIsolateThreadData chain getting larger and larger, adversely
affecting performance.

In this situation, embedders will now be encouraged to apply
DiscardThreadSpecificMetadata against any Isolate a thread is
done with, especially if the thread is about to terminate.

Note that it is harmless to run DiscardThreadSpecificMetadata
against an Isolate for which a thread has no thread data and
per-Isolate thread data can be reestablished if a thread starts
using an Isolate again after running DiscardThreadSpecificMetadata
against it.

It is, however, an embedder error to run
DiscardThreadSpecificMetadata against an Isolate in a thread with a
Locker for the Isolate on the stack or against an Entered Isolate.

This change cannot cause any change in behavior in existing apps
as the only added code can only be reached via the new
DiscardThreadSpecificMetadata method.

R=Jakob, jochen
BUG=

Review URL: https://codereview.chromium.org/1522703002

Cr-Commit-Position: refs/heads/master@{#32909}
2015-12-16 15:49:49 +00:00
ahaas
2358a5be4c [turbofan] Fixed a bug in TryTruncateFloatXXToInt64 with INT64_MIN.
On x64 and arm64 TryTruncateFloatXXToInt64 incorrectly failed when the
input was INT64_MIN.

R=bradnelson@chromium.org, mstarzinger@chromium.org, v8-arm-ports@googlegroups.com

Review URL: https://codereview.chromium.org/1526293002

Cr-Commit-Position: refs/heads/master@{#32908}
2015-12-16 15:34:34 +00:00
agrieve
ba1d9af8bf Map arm64 and mips64el -> x64 for mksnapshot
BUG=chromium:568883
LOG=n

Review URL: https://codereview.chromium.org/1517983002

Cr-Commit-Position: refs/heads/master@{#32907}
2015-12-16 15:17:37 +00:00
rmcilroy
025d476cf5 [Interpreter] Save bytecode offset in interpreter stack frames.
Adds a slot for the bytecode offset to interpreter stack frames and
saves it on calls, and restores after calls.

Also fixes RawMachineAssembler::Return() to call MergeControlToEnd.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1512543002

Cr-Commit-Position: refs/heads/master@{#32906}
2015-12-16 15:14:21 +00:00
adamk
c6e7d658e5 Stage destructuring assignment
BUG=v8:811
LOG=y

Review URL: https://codereview.chromium.org/1515613009

Cr-Commit-Position: refs/heads/master@{#32905}
2015-12-16 14:51:40 +00:00
bmeurer
eb61c2f3bf [turbofan] Always use the map write barrier when storing to the map field.
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1534443002

Cr-Commit-Position: refs/heads/master@{#32904}
2015-12-16 14:45:16 +00:00
cbruni
2c75e3d2ab [proxies] fix access issue when having proxies on the prototype-chain of global objects.
We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js).

Review URL: https://codereview.chromium.org/1521953002

Cr-Commit-Position: refs/heads/master@{#32903}
2015-12-16 14:31:39 +00:00
neis
f723b12336 [proxies] Recognize arraylike proxies in Object.prototype.toString.
We must print "[object Array]" for proxies that satisfy Array.isArray.

Cosmetic change on the side: move ObjectProtoToString from JSObject to Object
since it deals with arbitrary objects.

R=adamk@chromium.org, verwaest@chromium.org
BUG=v8:1543
LOG=n

Review URL: https://codereview.chromium.org/1526023002

Cr-Commit-Position: refs/heads/master@{#32902}
2015-12-16 14:27:23 +00:00
bmeurer
01662f1b1d [turbofan] Add support for CreateIterResultObject.
Introduce JSCreateIterResultObject operator, as a way to optimize the
%_CreateIterResultObject intrinsic, which is used to provide uniform,
non-polymorphic result objects for iterators (and generators). We
cannot utilize the existing JSCreate operator here, because there's no
constructor function for iterator result objects (as required by the
spec).

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1531753002

Cr-Commit-Position: refs/heads/master@{#32901}
2015-12-16 14:26:24 +00:00
neis
d0ef84b340 [proxies] Make Array.prototype.concat work correctly with proxies.
R=rossberg
BUG=v8:1543
LOG=n

Review URL: https://codereview.chromium.org/1525983002

Cr-Commit-Position: refs/heads/master@{#32900}
2015-12-16 14:17:25 +00:00
mlippautz
2bb51df9bd Reland of "[cctest] Add tests for aborting compaction of pages"
Tests for
* aborting a full page.
* partially aborting a page.
* partially aborting a page with pointers between aborted pages.
* partially aborting a page with store buffer entries.

Also introduces force_oom() which prohibits an old space from
expanding.

BUG=chromium:524425
LOG=N

CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel,v8_linux_nosnap_dbg,v8_win_nosnap_shared_rel,v8_win_nosnap_shared_compile_rel

Review URL: https://codereview.chromium.org/1518803005

Cr-Commit-Position: refs/heads/master@{#32899}
2015-12-16 14:06:51 +00:00
yangguo
65d3009e03 [regexp] clear QuickCheckDetails for backward reads.
R=erik.corry@gmail.com
BUG=chromium:570241
LOG=N

Review URL: https://codereview.chromium.org/1528333002

Cr-Commit-Position: refs/heads/master@{#32898}
2015-12-16 13:43:23 +00:00
yangguo
2bb6e197ed [debugger] simplify step over recursive function call.
The problem is this: when stepping over a recursive function call,
the recursive function is flooded with one-shot break points so that
we break after the call, but since the callee is the same function,
the callee is also flooded, resulting in a break in the callee. That
however would have been a "step in" instead of "step over".

The original solution was to recognize this by comparing FP. If we
end up in Debug::Break, we still have to check the current FP against
the remembered FP to see whether we are on the same stack height.
If we are deeper, then it's not a "step over", and we do not trigger
a debug break event. In that case, we queue up the step-over, and
temporarily step out until we hit the desired stack height. Note that
in order to step out, we flood the caller, which in our example is
the same function as the callee. So we break at every flooded break
location, and comparing with FP to make sure we stepped out prevents
us from triggering debug break events.

The new solution simply ignores breaks when the FP compare fails.
We simply carry on until we hit a break where the FP compare succeeds.
There is no need to do a step out. The number of calls to Debug::Break
that do not trigger a debug break event due to failing FP compare is
the same. But the code is a lot easier to read.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1527253002

Cr-Commit-Position: refs/heads/master@{#32897}
2015-12-16 13:33:38 +00:00
jochen
4d1906d2a7 Update DEPS entry for tracing to point at correct location
While not really fitting our directory layout, the DEPS entry needs to
be at exactly the same position as it is in chromium, otherwise either
standalone or chromium build won't work :-/

BUG=none
R=machenbach@chromium.org
LOG=y

Review URL: https://codereview.chromium.org/1526843004

Cr-Commit-Position: refs/heads/master@{#32896}
2015-12-16 12:17:06 +00:00
aseemgarg
1c8130bd89 Add for loop to asm-to-wasm
TEST=asm-wasm.js
R=titzer@chromium.org,bradnelson@google.com
BUG=

Review URL: https://codereview.chromium.org/1523843003

Cr-Commit-Position: refs/heads/master@{#32895}
2015-12-16 12:10:33 +00:00
ahaas
7ae140fe91 [wasm] Fixed FxxNeg for inputs of NaN.
The new implementation also changes the sign bit if the input is NaN.
(https://github.com/WebAssembly/v8-native-prototype/issues/99)

R=bradnelson@chromium.org

Review URL: https://codereview.chromium.org/1532513002

Cr-Commit-Position: refs/heads/master@{#32894}
2015-12-16 11:45:30 +00:00
ahaas
13412d6693 [wasm] Fixed a problem with float32 stack parameters on 32 bit machines.
The code generation for pushing call parameters on the stack does not
distinguish between float32 and float64 parameters because both are
stored in the same registers. Therefore float32 parameters require two
words on the stack. The wasm linkage, however, only considered one word
on the stack for float32 parameters, which caused the problem that
float32 parameters were not located correctly on the stack. I fixed the
problem by considering two words for float32 parameters on the stack.

R=bradnelson@chromium.org

Review URL: https://codereview.chromium.org/1529773003

Cr-Commit-Position: refs/heads/master@{#32893}
2015-12-16 11:43:52 +00:00
jkummerow
35e5b6824e [proxies] Fix bogus cast in HasOwnPropertyImplementation
BUG=v8:1543,chromium:570120
LOG=n

Review URL: https://codereview.chromium.org/1530873002

Cr-Commit-Position: refs/heads/master@{#32892}
2015-12-16 11:42:47 +00:00
cbruni
654efd0a4d [proxies] Implement Proxy.name
LOG=n
BUG=v8:1543

Review URL: https://codereview.chromium.org/1531683002

Cr-Commit-Position: refs/heads/master@{#32891}
2015-12-16 11:25:17 +00:00
bmeurer
fe88e54792 [es6] Consistently use %_GetSuperConstructor to implement super calls.
Following up on https://crrev.com/1517243002, we use the
%_GetSuperConstructor consistently for all super calls now
(inlining the intrinsic code in fullcodegen).

R=mstarzinger@chromium.org
BUG=v8:3330
LOG=n

Review URL: https://codereview.chromium.org/1529113002

Cr-Commit-Position: refs/heads/master@{#32890}
2015-12-16 11:08:09 +00:00
yangguo
0e8f233cc4 [harmony] unstage regexp lookbehind assertions.
R=hablich@chromium.org
BUG=v8:4545
LOG=Y

Review URL: https://codereview.chromium.org/1524233003

Cr-Commit-Position: refs/heads/master@{#32889}
2015-12-16 10:52:59 +00:00
caitpotter88
8f63710a3d [es6] strict eval/arguments and strong undefined in AssignmentPattern
BUG=v8:4613
LOG=N
R=adamk@chromium.org

Review URL: https://codereview.chromium.org/1522693002

Cr-Commit-Position: refs/heads/master@{#32888}
2015-12-16 10:48:00 +00:00
Miran.Karic
291219dafa Fix invalid access to layout descriptor in Map::CopyInitialMap()
Fix invalid usage of the layout_descriptor() function on 32-bit architectures,
which doesn't perform the necessary checks. The test failure is observed only on
mips32 big-endian, and on mips32 little-endian as an alignment issue,
but the problem appears to be generic for all 32-bit architectures.

TEST=test/mjsunit/es6/classes-subclass-builtins.js
BUG=

Review URL: https://codereview.chromium.org/1522203004

Cr-Commit-Position: refs/heads/master@{#32887}
2015-12-16 09:23:08 +00:00
bmeurer
0e052bb834 [turbofan] Ship TurboFan with super calls and property references.
R=hablich@chromium.org

Review URL: https://codereview.chromium.org/1531653002

Cr-Commit-Position: refs/heads/master@{#32886}
2015-12-16 08:48:01 +00:00
yangguo
8bee91a58b [debugger] remove step count parameter from prepare step.
And tons of changes to debugger tests.

R=bmeurer@chromium.org
BUG=chromium:569835
LOG=N

Review URL: https://codereview.chromium.org/1525173003

Cr-Commit-Position: refs/heads/master@{#32885}
2015-12-16 08:39:54 +00:00
yangguo
0a1e909f43 [json parser] remove dead code path.
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1529823002

Cr-Commit-Position: refs/heads/master@{#32884}
2015-12-16 08:39:00 +00:00
bmeurer
fa13da2e2b [stubs] Fix TypeOfStub to properly return "undefined" for undetectable.
The TypeOfStub didn't test the undetectable bit properly if the instance
was also callable, and therefore returned "object" for document.all
(which is both undetectable and callable).

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
R=yangguo@chromium.org
BUG=chromium:567998
LOG=n

Committed: https://crrev.com/02cc310370df7e51ac4f705038820066fdfd0cdc
Cr-Commit-Position: refs/heads/master@{#32852}

Review URL: https://codereview.chromium.org/1527863003

Cr-Commit-Position: refs/heads/master@{#32883}
2015-12-16 08:30:00 +00:00
bmeurer
b742026a22 [runtime] Remove two obsolete intrinsics.
The %HeapObjectGetMap and %MapGetInstanceType intrinsics are obsolete
because they are unsafe, so we can drop the code.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1532493002

Cr-Commit-Position: refs/heads/master@{#32882}
2015-12-16 08:26:36 +00:00
bmeurer
fe104b0dc3 [turbofan] Fix type of JSCreateClosure to be Function.
The JSCreateClosure operator always produces a function, so the type
should reflect that.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1532503002

Cr-Commit-Position: refs/heads/master@{#32881}
2015-12-16 08:13:43 +00:00
bmeurer
476296b96b [turbofan] Use correct lazy frame state for JSCreate.
If JSCreate (which corresponds to %NewObject) would ever trigger a lazy
deopt, we would deopt after the constructor call, skipping all the
initialization and what else in the constructor function, which is
wrong. Instead we can use the eager bailout point right before the
constructor function, because allocation is not observable and so we can
safely repeat the %NewObject in case of lazy bailout.

R=yangguo@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1530583004

Cr-Commit-Position: refs/heads/master@{#32880}
2015-12-16 07:52:33 +00:00
yangguo
44a8fec8a1 [regexp] break recursion in mutually recursive capture/back references.
TBR=adamk@chromium.org
R=erik.corry@gmail.com
BUG=v8:4616
LOG=N

Review URL: https://codereview.chromium.org/1522353002

Cr-Commit-Position: refs/heads/master@{#32879}
2015-12-16 06:58:58 +00:00
bmeurer
f910ed8e21 [turbofan] Flatten cons strings before embedding them into optimized code.
Flatten ConsString objects in JSGraph, to make sure we consistently
flatten all cons strings no matter which pass creates them.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1529053003

Cr-Commit-Position: refs/heads/master@{#32878}
2015-12-16 06:42:51 +00:00
yangguo
b68f7e4c33 [debugger] remove some dead code.
credits to gcov.

R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1522273003

Cr-Commit-Position: refs/heads/master@{#32877}
2015-12-16 06:33:07 +00:00
bmeurer
7b59723d68 [turbofan] Implement proper caching of heap constants in the JSGraph.
With the handle canonicalization we can now easily cache heap constant
nodes based on the location of the HeapObject handle location.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1523323005

Cr-Commit-Position: refs/heads/master@{#32876}
2015-12-16 06:24:56 +00:00