When eagerly parsing arrow functions, expressions in default
parameter initializers are parsed in the enclosing scope,
rather than in the function's scope (since that scope does not
yet exist). This leads to VariableProxies being added to the
wrong scope, and scope chains for FunctionLiterals being incorrect.
This patch addresses these problems by adding a subclass of
AstExpressionVisitor that moves VariableProxies to the proper
scope and fixes up scope chains of FunctionLiterals.
More work likely still needs to be done to make this work completely,
but it's very close to correct.
BUG=v8:4395
LOG=y
Review URL: https://codereview.chromium.org/1405313002
Cr-Commit-Position: refs/heads/master@{#31402}
This fixes the bailout point used by JSCreateScriptContext nodes for
top-level code. The bailout point differs from the Crankshaft one as
parameter slots have not been copied and the context chain was not
extended yet in TurboFan. Hence a new bailout id is required.
R=ishell@chromium.org
TEST=cctest/test-decls/CrossScript --turbo-inlining
Review URL: https://codereview.chromium.org/1413933005
Cr-Commit-Position: refs/heads/master@{#31399}
The boards on the bots do not have FPU, and therefore time out on
this test.
BUG=
NOTRY=true
Review URL: https://codereview.chromium.org/1411313003
Cr-Commit-Position: refs/heads/master@{#31395}
The debugger calls PromiseHasUserDefinedRejectHandler to recursively search the
tree of dependent promises for user-defined reject handlers. If no such reject
handler exists, rejecting the promise is considered an uncaught exception.
Promise.race and Promise.all interupt the link of promise dependency wrt the
search. This change fixes that link.
R=rossberg@chromium.org
BUG=chromium:439585
LOG=N
Review URL: https://codereview.chromium.org/1411083003
Cr-Commit-Position: refs/heads/master@{#31392}
This stages the general purpose inlining mechanism in TurboFan and also
disables the remaining tests that still fail. We do this to get test
coverage early and to avoid regressing inlining as we go along.
R=bmeurer@chromium.org
BUG=v8:4493
LOG=n
Review URL: https://codereview.chromium.org/1412703002
Cr-Commit-Position: refs/heads/master@{#31386}
During eviction of FreeSpace nodes that reside on eviction pages we iterate
throug the list node-by-node, unlinking only those that reside on eviction
pages. We failed to properly update end_ if nodes were evicted are encountering
nodes that that are left as is.
BUG=chromium:539356
LOG=N
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/1411263002
Cr-Commit-Position: refs/heads/master@{#31383}
Re-land of https://crrev.com/cf13dda1ba25e8293ea143f33c6c5f6233a39c86,
fixing the issue with vector stores.
Class methods always have the class scope on their scope chain in order
to implement strong mode checks. Previously, that scope wasn't attached
to the ClassLiteral for anonymous classes (since the scope contained
no bindings).
This patch simply puts that same scope on the ClassLiteral, anonymous
or not, which simplifies other code that needs to reason about the scope
of a class and its methods.
Review URL: https://codereview.chromium.org/1418433002
Cr-Commit-Position: refs/heads/master@{#31381}
This is exactly what it looks like. A temporary hack that ensures we
can make forward progress with the JSInliner despite other components
have a hard time picking the correct zone. This hack is a hack!
R=bmeurer@chromium.org,jarin@chromium.org
Review URL: https://codereview.chromium.org/1410963003
Cr-Commit-Position: refs/heads/master@{#31380}
Separately collect element keys from property keys to avoid slow
corner-cases. Partly deal with keys generated by Proxies.
BUG=chromium:536790
LOG=N
Review URL: https://codereview.chromium.org/1397063002
Cr-Commit-Position: refs/heads/master@{#31378}
This adds a test case that ensures calling Debug.scripts without any
listener attached fails gracefully. For now we are throwing the string
"illegal access", this might change in the future to be a dedicated
exception.
R=yangguo@chromium.org
TEST=mjsunit/debug-scripts-throw
Review URL: https://codereview.chromium.org/1411193002
Cr-Commit-Position: refs/heads/master@{#31377}
This fixes a small inconsistency when the accessor is on a prototype,
because the property access has to respect the holder (and not always go
to the receiver unconditionally).
R=jarin@chromium.org
BUG=v8:4470
LOG=n
Review URL: https://codereview.chromium.org/1409273005
Cr-Commit-Position: refs/heads/master@{#31375}
Reason for revert:
[Sheriff] Breaks vector stores:
http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20debug%20-%20vector%20stores/builds/536
Original issue's description:
> Always give class literals a block scope
>
> Class methods always have the class scope on their scope chain in order
> to implement strong mode checks. Previously, that scope wasn't attached
> to the ClassLiteral for anonymous classes (since the scope contained
> no bindings).
>
> This patch simply puts that same scope on the ClassLiteral, anonymous
> or not, which simplifies other code that needs to reason about the scope
> of a class and its methods.
>
> Committed: https://crrev.com/cf13dda1ba25e8293ea143f33c6c5f6233a39c86
> Cr-Commit-Position: refs/heads/master@{#31371}
TBR=mstarzinger@chromium.org,adamk@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1416583002
Cr-Commit-Position: refs/heads/master@{#31373}
Class methods always have the class scope on their scope chain in order
to implement strong mode checks. Previously, that scope wasn't attached
to the ClassLiteral for anonymous classes (since the scope contained
no bindings).
This patch simply puts that same scope on the ClassLiteral, anonymous
or not, which simplifies other code that needs to reason about the scope
of a class and its methods.
Review URL: https://codereview.chromium.org/1413903002
Cr-Commit-Position: refs/heads/master@{#31371}
This adds support to also optimize loads from special JSObject field
accessors, like String::length and JSArray::length.
R=jarin@chromium.org
BUG=v8:4470
LOG=n
Review URL: https://codereview.chromium.org/1417503002
Cr-Commit-Position: refs/heads/master@{#31365}
The test suite is ran in 60% of the bots anyway and the
step is very short. For swarming, it's better to run this
together in one step as each step triggers a different bot.
BUG=chromium:535160
LOG=n
NOTRY=true
Review URL: https://codereview.chromium.org/1413023002
Cr-Commit-Position: refs/heads/master@{#31360}
Use %_ToLength for TO_LENGTH, implemented via a ToLengthStub
that supports a fast path for small integers. Everything else is still
handled in the runtime.
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
BUG=v8:4494
LOG=n
Review URL: https://codereview.chromium.org/1412963002
Cr-Commit-Position: refs/heads/master@{#31358}
This removes all locally constructed SimplifiedOperatorBuilder instances
and uses the one passed along the JSGraph. It ensures that the correct
zone is used to allocate operators, no matter where the reducer is used.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1410003002
Cr-Commit-Position: refs/heads/master@{#31355}
The typer can infer true/false for ObjectIsSmi if the argument has a
fixed/known representation (i.e. is either known to be smi or heap
object).
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1412673003
Cr-Commit-Position: refs/heads/master@{#31354}
This introduces an explicit lazy bailout. It is wrapped in the call
node, mostly because the lazy deoptimization processing is married
to the call processing in the instruction selector and the code generator.
It is still a terrible hack.
R=bmeurer@chromium.org,mstarzinger@chromium.org
BUG=chromium:543994,v8:4195
LOG=n
Review URL: https://codereview.chromium.org/1412443003
Cr-Commit-Position: refs/heads/master@{#31353}
