In 5742da056a, the toString property was
accidentally applied to all NativeError prototypes, when it should only
be inherited from Error.prototype.
Refs: https://github.com/tc39/ecma262/issues/1794
Bug: v8:10017
Change-Id: I2af9a31f463deb9871dd7a4a5a2e4dd7485ed38c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1933054
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65355}
Also make return and unconditional jumps kill the environment instead
of clearing it. This was still leftover from before we introduced
liveness and prevented sharing as well.
Bug: v8:7790
Change-Id: Ic79d64c9eaedf608d26e3265d4b27d21f7f3dfe1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1948710
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65345}
This fixes the operation functions (i.e. WebIDL interface member and
namespace member operations) for WebAssembly to not have 'prototype'
properties and not be marked as constructors.
R=ahaas@chromium.org
TEST=mjsunit/wasm/js-api
BUG=chromium:1027945
Change-Id: I4db753a9ca570b95c45cb033c36de65bcafafe8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1950483
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65329}
Imports can also have associated names, and in fact we generate these
names for asm.js. Thus in logging, just append this name to the
generated signature.
R=jkummerow@chromium.org
Bug: chromium:1030103
Change-Id: I3969bcf8d1d17f4256b5a0643acdf8a24766f889
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1948705
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65321}
Bug: chromium:1029576
Change-Id: If647f764da2682a0f278b9b8060d0665fab1c40c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1948711
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65312}
The following changes were introduced with the recent proposal update:
- OOB access with 0 length traps
- Double drop of segments is allowed
- Dropped segments are treated like having size 0 (OOB error)
- Active segments are dropped right after initialization
R=ahaas@chromium.org
Change-Id: I4e9fc4d9212841c7d858585c672143f99287520d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1946355
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65305}
CSA::TryLookupElement must check the upper bound for dictionary-mode
indices.
The "stable map + accessor" branch of FastGetOwnValuesOrEntries must
construct its LookupIterator such that it handles the named/indexed
distinction correctly.
Bug: chromium:1029338,chromium:1029369
Change-Id: I17e74ed24c260c5cfc20c61616e75db7d347f7a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1943164
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65301}
Add serialization of the virtual closures for Function.ptototype.apply
and Function.prototype.call. Also add tests for those.
Bug: v8:7790
Change-Id: I26374009c09958943ef36eae283a270875234e40
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1943155
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65298}
This reverts commit c509bb8c55.
Reason for revert: Breaks arm64 - sim - MSAN, see https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/30050
Original change's description:
> [wasm] Share native modules compiled from the same bytes
>
> Cache native modules in the wasm engine by their wire bytes. This is to
> prepare for sharing {Script} objects between multiple {WasmModuleObject}
> created from the same bytes. This also saves unnecessary compilation
> time and memory.
>
> R=clemensb@chromium.org
>
> Bug: v8:6847
> Change-Id: Iad5f70efbfe3f0f134dcb851edbcec50691677e0
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1916603
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#65296}
TBR=clemensb@chromium.org,thibaudm@chromium.org
Change-Id: I908b0f59bce26678d0b5d7fddc986384c40b4709
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6847
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1946334
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65297}
Cache native modules in the wasm engine by their wire bytes. This is to
prepare for sharing {Script} objects between multiple {WasmModuleObject}
created from the same bytes. This also saves unnecessary compilation
time and memory.
R=clemensb@chromium.org
Bug: v8:6847
Change-Id: Iad5f70efbfe3f0f134dcb851edbcec50691677e0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1916603
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65296}
Loop variable analysis doesn't recognize that the initial type of the
loop variable phi combined with the increment type may produce a NaN
result through the addition of two infinities of differing sign.
This leads to unreachable code and a SIGINT crash.
The fix is to consider this case before typing the loop variable phi,
falling back to more conservative typing if discovered.
R=neis@chromium.org
Bug: chromium:1028863
Change-Id: Ic4b5189c4c50c5bbe29e46050de630fd0673de9f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1946352
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65291}
The flag combination --gc-interval=500 --stress-compaction
--stress-flush-bytecode, combined with baking mjsunit.js into the
custom snapshot, caused type feedback for "deepEquals" to be
forgotten, leading to an unexpected soft deopt. Forcing type feedback
collection with %PrepareFunctionForOptimization() fixes that.
Change-Id: I954c7ecbe70ca5b803a5fa7cd809c118f7659f21
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1946347
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65281}
Adding a regression test for https://crrev.com/c/1930606.
This test was generated using --dump-wasm-module, which created a 6KB
module, and then running binaryen's wasm-reduce on it until it churned
this out, and removing an extra kExprUnreachable.
Bug: chromium:1027410
Change-Id: I14ba6ebe52f45e3b3ba943088807e110eebe0339
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1933592
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65276}
This fixes the accessor functions (getters and setters) for WebAssembly
accessor properties to not have 'prototype' properties and not be marked
as constructors.
R=ahaas@chromium.org
TEST=mjsunit/wasm/js-api
BUG=chromium:1027945
Change-Id: I0288f511fee1f99997031b41354ecf7b8629b783
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1943157
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65265}
Replacing a constant BigInt with a constant int64 is only valid
when the use site has truncating semantics. (For non-constant
values, the representation changer did correctly check for this.)
Bug: chromium:1028593
Change-Id: Ib58b16ece6f21ba30153fd6cfa0560cc2d78d6a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1940263
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65262}
If the inputs are Unsigned32OrMinusZeroOrNaN and we want to compile for
an Unsigned32 result, we still need to deopt if the RHS is zero (because
that must produce NaN).
Bug: chromium:1028862
Change-Id: Ib5b7cd10f8c4ec9a76b75a2b408729f1ca86ea3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1943150
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65260}
This reverts commit 5253d7bf15.
Reason for revert: Elements don't properly invalidate the cache.
Original change's description:
> [runtime] Cache prototype chain enumerable keys in PrototypeInfo
>
> This CL adds a prototype_chain_enum_cache to cache the enumeration of a
> prototype and its entire chain on the PrototypeInfo. It can improve for-in
> performance via simply merging the receiver enumeration with this cache.
>
> It improves the score of JetStream2-tagcloud-SP case by ~9% on IA Chromebook.
>
> Contributed by tao.pan@intel.com
>
> Change-Id: Ib40bfe41e772672337155584672f06fa1ba1e70d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1870844
> Commit-Queue: Shiyu Zhang <shiyu.zhang@intel.com>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#65224}
TBR=verwaest@chromium.org,shiyu.zhang@intel.com
# Not skipping CQ checks because original CL landed > 1 day ago.
Change-Id: Ic5d476bc8b334241b2accb8344749fcf7dcf5e09
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1943153
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65259}
Correctly passing the receiver depends on the Call AST node's type.
Calling a parenthesized optional chain expression is parsed as a Call of
an OptionalChain of a Property. Currently the computation of the type
does not take optional chains of property loads into consideration, so
calls of parenthesized optional chain expressions always get passed an
undefined receiver.
Bug: v8:10024
Change-Id: I904b0eeca2df30160def674fb32adf821403aef9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1938571
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65252}
A call to this intrinsic will produce true in the interpreter and false
in optimized code. This is useful for writing tests.
Change-Id: I64d06ed062027e723eca82d6f879202244f21fdf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1939750
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65240}
Reverting https://chromium-review.googlesource.com/c/v8/v8/+/1741660
This fixed one bug but caused a lot of others and on balance I think
reverting it is the lesser evil.
This also fixed generator-relocation.js because
(function*(){}).constructor is the function constructor and we try to
set a breakpoint on line 3.
Bug: chromium:109362, chromium:1028689
Fixes: v8:9721
Change-Id: I1bfe6ec57ce77ea7292df91266311f5c0194947e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1940259
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65232}
This CL adds a prototype_chain_enum_cache to cache the enumeration of a
prototype and its entire chain on the PrototypeInfo. It can improve for-in
performance via simply merging the receiver enumeration with this cache.
It improves the score of JetStream2-tagcloud-SP case by ~9% on IA Chromebook.
Contributed by tao.pan@intel.com
Change-Id: Ib40bfe41e772672337155584672f06fa1ba1e70d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1870844
Commit-Queue: Shiyu Zhang <shiyu.zhang@intel.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65224}
First this plumbs RuntimeCallStats from the OptimizingCompileDispatcher
down through to PipelineCompilationJob which stashes the
RuntimeCallStats on the PipelineData.
Adds new RCS thread-specific counters: OptimizeAssembleCode and
OptimizeBackgroundAssembleCode which are used in
PipelineImpl::AssembleCode.
Bug: v8:10006
Change-Id: Ieef6d32afddf4b0760e204010b09a85dfec92cf3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1926030
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65221}
The serializer was missing the opportunity to process calls later
constructed by JSNativeContextSpecialization::InlinePropertySetterCall
and InlinePropertyGetterCall. Added a test to ensure we're not missing
the data anymore.
This drops the "Missing data" warnings when running ARES-6 from 1044
to only 12.
Bug: v8:7790
Change-Id: Ic4b8a4cb2ac3927371b75f22de011b9957502319
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1937147
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65220}
This reverts commit 48c9ca4462.
Reason for revert: Possible clusterfuzz issues
Bug: chromium:1028952
Original change's description:
> [names] Fix some test262 name tests to conform with spec changes
>
> In order to reflect web reality, TC39 has made some slight changes to
> name descriptors, see https://github.com/tc39/ecma262/pull/1490 for
> details. V8 was mostly already in compliance with these changes, but
> ThrowTypeError and anonymous classes needed some slight changes.
>
> Bug: v8:9646
> Change-Id: I163238954938f0c005e3adbc61b90498e01436da
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1764622
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63373}
TBR=gsathya@chromium.org,joshualitt@chromium.org
Bug: v8:9646
Change-Id: I06dd5527d30052d9c9dfc45a2862be930274aba7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1939948
Reviewed-by: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65216}
After landing a few relatively simple ports in preceding work, this CL
ports the more involved Array.prototype.forEach reduction, containing
checkpoints, JS and runtime calls, loops, and exceptions. With the
mechanisms introduced in this change, I'd expect a large chunk of
js-call reductions to be trivially portable.
Newly introduced:
- IfBuilder0 for if-then-else statements (with optional else).
- ForBuilder for for-loop statements.
- MayThrow() for exceptional control flow. Exceptional edges are
automatically merged and wired into the outer graph if necessary.
Bug: v8:9972
Change-Id: I835bf90c5871fbd94a1d12721d44b500fbef75e2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1921798
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65193}
Now since we also encode KeyedAccessStoreMode information in the slow
handler for some cases, the DCheck can result in failure.The Check can
result in failures for other cases of StoreSlow. Removing the DCHECK
altogether, now verifying the correctness of the behavior using the
Kind Bits of the Handler in the method GetKeyedAccessStoreMode.
Bug: chromium:1027025, chromium:1028085
Change-Id: I59acedbb499930e67ae5999d4bfd0f040a34b46e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1929408
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Suraj Sharma <surshar@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#65185}
(1) One more place in ic.cc must guard against "lookup->name()" calls
when the LookupIterator might be in indexed mode.
(2) Rather than burdening LookupIterator users with specifying
"kGuaranteedNoTypedArray", we can do the corresponding calculation in
the LookupIterator itself, which makes it robust towards any callers
that haven't been updated (specifically, in Object.values).
Bug: chromium:1027461,chromium:1028213
Change-Id: I76b5d08e309fc2a694955b537adbeb5a30e681f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1936474
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65177}
This flag has had no effect since mid 2017 when its use-site was
accidentally removed (in https://codereview.chromium.org/2902533003).
Change-Id: I81436b064c2664deff781ad6d75ad47937e3fdc0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1934333
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65172}
This brings the number of optimization misses (with concurrent
inlining) in Octane's typescript from 179 down to 3 (the actual
score doesn't seem to change but it's already on par with the
default configuration).
Bug: v8:7790
Change-Id: Ia4ade2eafc035491d3eac9081383c72b435e8df6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924441
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65152}
This makes sure that the return type of the aforementioned heap views is
always {float?} and {double?} respectively, independent of the type of
the value passed to the store. It fixes validation failures due to bogus
(and redundant) conversion expressions being emitted.
R=clemensb@chromium.org
TEST=mjsunit/asm/regress-1027595
BUG=chromium:1027595
Change-Id: I037613afc643ac1b04ae4a943e42dc1823ad5bdf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1932374
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65151}
Subsequently LookupHolderOfExpectedType should be called only
when we have installed handler code.
Bug: chromium:1024936, v8:7790
Change-Id: I33a0a7232afaba8455a0cec1fdc56251947419d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1930905
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65148}
Allow sharing of hints and modification of shared hints such that
feedback can be propagated to the hints for the corresponding
register, AND all alias registers. Even propagation from an inlined
callee back to the caller is possible.
Bug: v8:7790
Change-Id: I96b3c5e41613efa5711ab758db1c3ef7f7ae6418
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1914560
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65139}
During conflict lookup (for lexical variables and sloppy block function
hoisting), we cache the looked-up variable on the current scope if the
lookup goes through a ScopeInfo. However, for variable lookup during
scope analysis, we use the "entry point" as the cache.
Since both lookups can create Variables, this can cause us to create
duplicate variables, e.g. a duplicate function name variable in the
attached test.
Instead, for ScopeInfo conflict lookups we can cache the result on the
function's outer scope, which shoud be equivalent to the entry point.
As a (necessary) drive-by, we can terminate the lookup early if we find
a VAR with the same name, as we can safely assume that its existence
means that it doesn't conflict, which means that our variable can't
conflict either.
Bug: chromium:1026603
Change-Id: I19f80f65597ba6573ebe0b48aa5698f55e5c3ea1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1928861
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65138}
