Commit Graph

42792 Commits

Author SHA1 Message Date
Kevin Gibbons
d0651bd108 [language] Implement optional catch binding proposal
This allows the syntax `try {} catch {}` (with no binding after the
`catch`).

See https://github.com/michaelficarra/optional-catch-binding-proposal/

Currently behind --harmony-optional-catch-binding.

As part of the implementation, this allows TryCatchStatements to not
have an associated catch scope; various paths which assumed they
would have been updated to handle this case.

Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Ic525b45199eef025eb05da562e10fbd4f3d7465f
Reviewed-on: https://chromium-review.googlesource.com/571453
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Kevin Gibbons <bakkot@gmail.com>
Cr-Commit-Position: refs/heads/master@{#48300}
2017-10-05 01:51:20 +00:00
Jakob Kummerow
f83d0e0be8 [bigint] Implement shift ops
Bug: v8:6791
Change-Id: I5e91832bcb74e895eaf7a3d6ee493c832abba7bf
Reviewed-on: https://chromium-review.googlesource.com/699635
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48299}
2017-10-05 00:56:50 +00:00
Sathya Gunasekaran
c56258849c [Promises] Fulfill promise before firing PromiseRejectCallback
Previously, we would first fire the PromiseRejectCallback before
fulfilling the promise. This patch changes the behavior to first
fulfill the promise. This behavior is more intuitive.

This patch also merges the check for PromiseHook callback with the
debug callback, since they use the same boolean bit on the isolate.

Bug: v8:6880
Change-Id: Ia04867e16423a1d6006f0f3f93a14fa6026e17ed
Reviewed-on: https://chromium-review.googlesource.com/700980
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48298}
2017-10-04 23:01:00 +00:00
Eric Holk
df5a509a2c [wasm] use ccall to set/clear thread in wasm flag
CCalls have significantly less overhead than runtime calls which will improve
runtime performance on programs that make lots of transitions between JS and
Wasm.

Bug: v8:5277
Change-Id: If09dea97f24eb43753847e2b894ebc1ba5168c23
Reviewed-on: https://chromium-review.googlesource.com/688481
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48297}
2017-10-04 22:30:09 +00:00
Michael Lippautz
6f4a86c129 Revert "[heap] Separate map space pointers updating from main bulk"
This reverts commit 0f5d3ed1cb.

Reason for revert: Needs to consider invalidated slots too. Roll flaking on GPU bots: https://chromium-review.googlesource.com/c/chromium/src/+/700721

Original change's description:
> [heap] Separate map space pointers updating from main bulk
> 
> Evacuating and compacting LayoutDescriptor is meta-circular, i.e., we
> need the descriptor to iterate the objects that are copied. Separate the
> phases to avoid requiring a publishing store for object payloads.
> 
> Bug: v8:6884
> Change-Id: Icc3bb80a938fbd9eec60c79d88ab8fdd9bda0840
> Reviewed-on: https://chromium-review.googlesource.com/700437
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48288}

TBR=ulan@chromium.org,mlippautz@chromium.org

Change-Id: I854687c5e40541c62a0bcf15ad251afe5ddaa8d1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6884
Reviewed-on: https://chromium-review.googlesource.com/701534
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48296}
2017-10-04 21:56:53 +00:00
Jakob Kummerow
e300221621 [bigint] Implement bitwise binary ops
Bug: v8:6791
Change-Id: Id889823ff2cf20cf504010ffce3283f0d75bf72f
Reviewed-on: https://chromium-review.googlesource.com/699420
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48295}
2017-10-04 17:22:25 +00:00
Eric Holk
841ca52c81 Revert "Reland "[wasm] always allocate memory when guard regions are needed""
This reverts commit 5e76ff5a4a.

Reason for revert: tsan failures - https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/17574

Original change's description:
> Reland "[wasm] always allocate memory when guard regions are needed"
> 
> This reverts commit 7cf29d8df3.
> 
> Original change's description:
> > [wasm] always allocate memory when guard regions are needed
> >
> > When using trap handlers, memory references do not get any checks inserted. This
> > means there is no check for a null memory as happens when the memory size is
> > 0. Normally this would be correctly caught as an out of bounds access, since the
> > low memory addresses are not normally mapped. However, if they were mapped for
> > some reason, we would not catch the out of bounds access.
> >
> > The fix is to ensure WebAssembly instances always have a guard region even if
> > the memory is size 0.
> >
> > Bug: chromium:769637
> 
> Change-Id: I09fdaea92b7ccb3a6cc9e28392171ec098538a00
> Reviewed-on: https://chromium-review.googlesource.com/695812
> Commit-Queue: Eric Holk <eholk@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48293}

TBR=gdeepti@chromium.org,mtrofin@chromium.org,mlippautz@chromium.org,eholk@chromium.org,eholk@google.com,clemensh@chromium.org

Change-Id: I52d5354126158a92602b08c48703d562ac95075b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/699599
Reviewed-by: Eric Holk <eholk@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48294}
2017-10-04 17:21:07 +00:00
Eric Holk (eholk)
5e76ff5a4a Reland "[wasm] always allocate memory when guard regions are needed"
This reverts commit 7cf29d8df3.

Original change's description:
> [wasm] always allocate memory when guard regions are needed
>
> When using trap handlers, memory references do not get any checks inserted. This
> means there is no check for a null memory as happens when the memory size is
> 0. Normally this would be correctly caught as an out of bounds access, since the
> low memory addresses are not normally mapped. However, if they were mapped for
> some reason, we would not catch the out of bounds access.
>
> The fix is to ensure WebAssembly instances always have a guard region even if
> the memory is size 0.
>
> Bug: chromium:769637

Change-Id: I09fdaea92b7ccb3a6cc9e28392171ec098538a00
Reviewed-on: https://chromium-review.googlesource.com/695812
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48293}
2017-10-04 16:59:25 +00:00
Michael Lippautz
56dc592516 Dispose isolate at end of UNINITIALIZED_TEST
No-try: true
Bug: v8:6886
Change-Id: I994b998e9e5006c6de183328603f3545158bd32c
Reviewed-on: https://chromium-review.googlesource.com/700536
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48292}
2017-10-04 16:21:09 +00:00
Caitlin Potter
f3fb1b7798 [esnext] initialize native_context()->initial_async_generator_prototype
Fix an error overwriting the `prototype` property of async generator
functions when FLAG_enable_slow_asserts is enabled.

Previously, the `initial_async_generator_prototype` field was never
written to the native context, and was always undefined. This caused
some incorrect runtime behaviour, and would crash when loading the field
using the Context::initial_aysnc_generator_prototype accessor when
attempting to cast the Undefined oddball to a JSObject.

BUG=chromium:771470, v8:5855
R=adamk@chromium.org, verwaest@chromium.org, gsathya@chromium.org

Change-Id: I13f2a518c59852bc77c2de1f2468a4eea457609e
Reviewed-on: https://chromium-review.googlesource.com/700261
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#48291}
2017-10-04 16:15:59 +00:00
Niklas Hambüchen
4f8a70adca [asm.js] Fix infinite loop in parser on parse error.
The code in `AsmJsScanner::Next()` checks for both
end of input and parse error:

  if (token_ == kEndOfInput || token_ == kParseError) {
    return;
  }

but until now the code in the parsing loop only checked
for `kEndOfInput`, resulting in an infinite loop on
`kParseError`.

R=bradnelson@chromium.org, mstarzinger@chromium.org

Bug: chromium:771428
Change-Id: I9170f090503590b3b9b949a0d00ab4daef85bf66
Reviewed-on: https://chromium-review.googlesource.com/699994
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48290}
2017-10-04 16:13:39 +00:00
Daniel Clifford
66d75d41ec [builtins] Enable inlining of polymorphic receivers in Array.prototype.forEach
In the process, also enable support for PACKED_DOUBLE_ELEMENTS arrays.

Change-Id: I16dd79276f1023e30b072d45216396533077f53c
Reviewed-on: https://chromium-review.googlesource.com/571006
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48289}
2017-10-04 16:08:58 +00:00
Michael Lippautz
0f5d3ed1cb [heap] Separate map space pointers updating from main bulk
Evacuating and compacting LayoutDescriptor is meta-circular, i.e., we
need the descriptor to iterate the objects that are copied. Separate the
phases to avoid requiring a publishing store for object payloads.

Bug: v8:6884
Change-Id: Icc3bb80a938fbd9eec60c79d88ab8fdd9bda0840
Reviewed-on: https://chromium-review.googlesource.com/700437
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48288}
2017-10-04 15:44:50 +00:00
Toon Verwaest
a7ecf7d4ee Inline relevant parts of MigrateToMap into AllocateStorageForMap
This speeds up the json parser by 10-20%

Bug: chromium:771227
Change-Id: Ib2392471bdd9ff9041237708cb272229b5ece410
Reviewed-on: https://chromium-review.googlesource.com/700494
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48287}
2017-10-04 15:01:29 +00:00
Ben L. Titzer
cbd03a8379 [wasm] Further reduce usage of wasm-module.h outside of src/wasm.
This CL also removes the v8::internal::wasm::testing namespace, which
had methods that were defined in wasm-module.h, moving them to be
*ForTesting methods on the corresponding WASM heap objects.

R=clemensh@chromium.org

Bug: v8:6877
Change-Id: I1b346ec64d93ee3a122b8f7e69772cfe98371754
Reviewed-on: https://chromium-review.googlesource.com/695523
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48286}
2017-10-04 14:49:19 +00:00
Georgia Kouveli
6a041da011 Remove BailoutState and pad accumulator for arm64.
Bug: v8:6644
Change-Id: I5cd713465563f2dc803b175684bf04a05559e653
Reviewed-on: https://chromium-review.googlesource.com/693239
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48285}
2017-10-04 13:58:19 +00:00
Benedikt Meurer
947101c873 [turbofan] Properly optimize polymorphic constructor call inlining.
This CL addresses a couple of minor issues that were in the way of
properly inlining polymorphic constructors calls, i.e. as found in
this common pattern using Symbol.species:

  class A {
    static get [Symbol.species]() { return this; }
    clone() { return new this.constructor[Symbol.species](); }
  }
  class B extends A {
    static get [Symbol.species]() { return this; }
  }

  function foo(o) { return o.clone(); }
  foo(new A());
  foo(new B());

Here the call to this.constructor[Symbol.species]() is the interesting
site. To get this fully inlined, we had to

  - make sure we don't introduce too many CheckHeapObject eagerly that
    block later optimizations (instead we try harder to see whether the
    receiver is already provably a HeapObject), and
  - also update the new.target of polymorphic JSConstruct nodes, when
    it refers to the same node as the target that we're specializing
    to (this way the JSCreate becomes fully inlinable later).

This seems to yield a solid 1.5% on the ARES6 ML benchmark (run via the
d8 cli runner), which confirms the previous profiled estimation. On the
micro-benchmark that specifically measures this feature in isolation we
go from

  testClone: 828 ms.

on V8 ToT as of today and

  testClone: 1439 ms.

on V8 6.1 to

  testClone: 219 ms.

which is a 3.7x improvement, on top of the previous ~2x boost that we
got from inlining the polymorphic symbol lookup.

Bug: v8:6885, v8:6278, v8:6344
Change-Id: Ida7abf683c7879978f181ba7f52a125f4f83ae6f
Reviewed-on: https://chromium-review.googlesource.com/700596
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48284}
2017-10-04 13:41:59 +00:00
Camillo Bruni
808dc8cff3 Support fast-path Function.prototype.bind for bound function
This CL speeds up a common pattern found in the React framework:

function f(a, b, c) { ... };
let f_bound = f.bind(this, 1);
let f_bound2 = f_bound(this, 2);

This CL yields roughly a 15x improvement for rebinding a bound function.

Change-Id: I4d8580a5bce422af411148bc6b3e4eb287fac9ce
Reviewed-on: https://chromium-review.googlesource.com/695206
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48283}
2017-10-04 13:06:49 +00:00
Michael Achenbach
ec489f39c1 [build] Roll isolate binaries
This ports:
https://chromium-review.googlesource.com/c/chromium/src/+/696886

Bug: chromium:692940, chromium:524758
Change-Id: I158d996ff76c354b8a672b085d476e9687205034
Reviewed-on: https://chromium-review.googlesource.com/700455
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48282}
2017-10-04 11:45:08 +00:00
Michael Lippautz
f46a92c2a8 [heap] MC: Parallel marking for the atomic pause
Reuse existing concurrent marking infrastructure for marking in the
atomic pause.

Details:
- Do not stop concurrent marking when entering the atomic pause.
- Start concurrent marking when it was off. This is required for
  non-incremental MC GCs.
- Use atomic marking state in MC.
- Transition through grey and avoid white->black.

CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux64_tsan_rel;master.tryserver.v8:v8_linux64_tsan_concurrent_marking_rel_ng;master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Bug: chromium:750084
Change-Id: I9f84661e69beac6254494907bdfe94e865b1e3ab
Reviewed-on: https://chromium-review.googlesource.com/690002
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48281}
2017-10-04 11:24:09 +00:00
Ivica Bogosavljevic
94388568f6 [wasm] Add instruction cache flush for wrapper table
Add instruction cache flish for wrapper table in module compiler
instance builder. This fixes several failures in mjsunit/wasm
and mjsunit/asm test suites on some MIPS boards.

Bug: 
Change-Id: Ia8b640ad73a078d29f458d55663606dbbe8e387c
Reviewed-on: https://chromium-review.googlesource.com/697807
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Cr-Commit-Position: refs/heads/master@{#48280}
2017-10-04 10:05:52 +00:00
Clemens Hammacher
3b20b1c803 [cleanup] Remove unused VectorIterator class
Good thing this class is actually being unused. Vector<T> is iterable,
so it should just be iterated using a foreach loop.

R=mstarzinger@chromium.org

Change-Id: Ieb6729e5b1336888989d5ec6128b0782b158b1f7
Reviewed-on: https://chromium-review.googlesource.com/695525
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48279}
2017-10-04 09:57:03 +00:00
Ilija Pavlovic
419edddad3 MIPS: Use macro-instructions in code-generator.
Port for: https://chromium-review.googlesource.com/c/v8/v8/+/608975

In code generator for MIPS32, certain instructions are substituted with
corresponding macro-instructions.

TEST=
BUG=

Change-Id: I2ac47a785f0ea14c448f727da124dc78ea6c81af
Reviewed-on: https://chromium-review.googlesource.com/699998
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Cr-Commit-Position: refs/heads/master@{#48278}
2017-10-04 09:14:42 +00:00
Daniel Clifford
51334bb841 Add JSReceiver method for detecting complex elements
Change-Id: Id34d21437b3881d829526b89058f26741bee7acc
Reviewed-on: https://chromium-review.googlesource.com/695327
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48277}
2017-10-04 09:01:31 +00:00
Marja Hölttä
fa3b73fffe [parser] Skipping inner funcs: Turn flag back on.
After closer investigation, the crashes / regressions we currently have are not
so bad that we couldn't have the flag on.

BUG=v8:5516

Change-Id: I1b70cf99de1707d659b2e0abcd3678ec71a530bf
Reviewed-on: https://chromium-review.googlesource.com/699997
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48276}
2017-10-04 08:23:11 +00:00
Benedikt Meurer
d4da17c6e3 [es2015] Optimize Object.is baseline and interesting cases.
The Object.is builtin provides an entry point to the abstract operation
SameValue, which properly distinguishes -0 and 0, and also identifies
NaNs. Most of the time you don't need these, but rather just regular
strict equality, but when you do, Object.is(o, -0) is the most readable
way to check for minus zero.

This is for example used in Node.js by formatNumber to properly print -0
for negative zero. However since the builtin thus far implemented as C++
builtin and TurboFan didn't know anything about it, Node.js considering
to go with a more performant, less readable version (which also makes
assumptions about the input value) in

  https://github.com/nodejs/node/pull/15726

until the performance of Object.is will be on par (so hopefully we can
go back to Object.is in Node 9).

This CL ports the baseline implementation of Object.is to CSA, which
is pretty straight-forward since SameValue is already available in
CodeStubAssembler, and inlines a few interesting cases into TurboFan,
i.e. comparing same SSA node, and checking for -0 and NaN explicitly.

On the micro-benchmarks we go from

  testNumberIsMinusZero: 1000 ms.
  testObjectIsMinusZero: 929 ms.
  testObjectIsNaN: 954 ms.
  testObjectIsSame: 793 ms.
  testStrictEqualSame: 104 ms.

to

  testNumberIsMinusZero: 89 ms.
  testObjectIsMinusZero: 88 ms.
  testObjectIsNaN: 88 ms.
  testObjectIsSame: 86 ms.
  testStrictEqualSame: 105 ms.

which is a nice 10x to 11x improvement and brings Object.is on par with
strict equality for most cases.

Drive-by-fix: Also refactor and optimize the SameValue check in the
CodeStubAssembler to avoid code bloat (by not inlining StrictEqual
into every user of SameValue, and also avoiding useless checks).

Bug: v8:6882
Change-Id: Ibffd8c36511f219fcce0d89ed4e1073f5d6c6344
Reviewed-on: https://chromium-review.googlesource.com/700254
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48275}
2017-10-04 06:58:36 +00:00
v8-autoroll
bfb43f8c12 Update V8 DEPS.
Rolling v8/build: 05cc4b1..7311b74

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/3f41f93..672cabd

TBR=machenbach@chromium.org,hablich@chromium.org

Change-Id: I5663213d2835b02d0ed9c953749cb722b8422a58
Reviewed-on: https://chromium-review.googlesource.com/700015
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48274}
2017-10-04 04:27:41 +00:00
Deepti Gandluri
06d1ffb5c9 [wasm] Compute opcode length for Atomic ops
When atomic operations are used in loops, return the correct opcode length
for loop assignment.

Bug=v8:6842,v8:6532

Change-Id: I306db704d8a0baa5d98c05702360e6dfae11cbfa
Reviewed-on: https://chromium-review.googlesource.com/699561
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48273}
2017-10-04 00:59:08 +00:00
Jakob Kummerow
d96463a2bf [bigint] Implement BigIntShortPrint
For an improved debugging experience.

Bug: v8:6791
Change-Id: Id4f7fea47036e4520e7b24edf34f210b664672bc
Reviewed-on: https://chromium-review.googlesource.com/699427
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48272}
2017-10-04 00:13:36 +00:00
Anisha Rohra
f701d99ba9 PPC/s390: [wasm] Allow traps in tests with many parameters in cctests
Original Commit Message:
  In the test-run-wasm and test-run-wasm-64 cctests it is not possible to
  call runtime functions. To test traps in these cctests we therefore
  replace the runtime call with a call to a c-callback, followed by a
  return. This CL fixes the problem that the return did not clean up stack
  parameters.

R=joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: Ia6b95141341635b769acf12b82b4524a56b12b94
Reviewed-on: https://chromium-review.googlesource.com/698424
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#48271}
2017-10-03 18:18:58 +00:00
Yang Guo
84b448be2c [debug] add microtask-related tests.
I'd like to make sure changes to microtask handling do not break debugging.

R=jarin@chromium.org

Change-Id: I983bd3340261e472b22b0d5b6cded60b64b19d38
Reviewed-on: https://chromium-review.googlesource.com/691715
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48270}
2017-10-03 12:56:17 +00:00
Jaroslav Sevcik
ea3d7196a4 [heap] Only verify object layout with --heap-verify on.
Change-Id: I0de0ea0798c39831765bb3c00a00d0df7471bc3b
Reviewed-on: https://chromium-review.googlesource.com/695407
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48269}
2017-10-03 09:19:07 +00:00
Benedikt Meurer
38b489186b [ic] Transition to MEGAMORPHIC when (map, handler) stays the same.
THe change in https://chromium-review.googlesource.com/695108 flushed
out an issue with the IC::UpdatePolymorphicIC logic, where we'd try to
stay MONOMORPHIC or POLYMORPHIC as long as the internalized name doesn't
change. But the calling code already does the internalization for keyed
accesses with Strings, so we need to double check that the same
combination of (map, handler) is not already in the list, and properly
go to MEGAMORPHIC state if there's such a pair already.

This seriously tanked the six-speed-object-literals-ext-es5.js benchmark
on AWFY.

Bug: v8:6367, v8:6278, v8:6344
Change-Id: I90ea88d1fe61c165990c0a10d4a8687ffe351986
Reviewed-on: https://chromium-review.googlesource.com/695307
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48268}
2017-10-03 06:30:41 +00:00
Mostyn Bramley-Moore
0c93ef357d [jumbo] arm unittests fixup
Avoid F5 symbol clash.

Bug: chromium:770684
Change-Id: I9e851c1fe5abbdc4d032b7efdd0462c96d0c8ef3
Reviewed-on: https://chromium-review.googlesource.com/696063
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Mostyn Bramley-Moore <mostynb@vewd.com>
Cr-Commit-Position: refs/heads/master@{#48267}
2017-10-03 06:24:30 +00:00
v8-autoroll
9cd2be9f2a Update V8 DEPS.
Rolling v8/build: ce6d3d8..05cc4b1

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/8ec7b14..3f41f93

TBR=machenbach@chromium.org,hablich@chromium.org

Change-Id: Ibf166d33a133519e0c4ce36b20a42aa391f48c8b
Reviewed-on: https://chromium-review.googlesource.com/696523
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48266}
2017-10-03 04:00:48 +00:00
Alexey Kozyatinskiy
f4a2b7f3e0 [inspector] should ignore asyncTask* with null
In V8Debugger code we don't expect task_id == null, e.g.
asyncTaskStartedForStepping will trigger debug break on null as task_id.
Let's filter task_id == null out.

This issue is originally filed in Node.js:
https://github.com/nodejs/node/issues/15464

R=dgozman@chromium.org

Bug: none
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Icc9f96105b3c91ee1b102d545a7817f7ee93394c
Reviewed-on: https://chromium-review.googlesource.com/695808
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48265}
2017-10-03 00:08:37 +00:00
Michael Starzinger
631489bd39 [deoptimizer] Fix TranslatedState inline frame indexing.
This makes sure that helper methods on the {TranslatedState} class stick
to the counting scheme used by {OptimizedFrame::Summarize} within the
stack-walker. Both now treat {kJavaScriptBuiltinContinuation} as real
JavaScript frames.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-770543
BUG=chromium:770543

Change-Id: Icda65a7efb487470d39ebf648767a488ebf2e5f1
Reviewed-on: https://chromium-review.googlesource.com/695123
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48264}
2017-10-02 14:14:30 +00:00
Michael Starzinger
1fa0f9ba4c [deoptimizer] Simplify {Runtime_NotifyDeoptimized} calls.
R=jarin@chromium.org

Change-Id: I6f2e70d231d2c28c77bee121e98317f3f506fce4
Reviewed-on: https://chromium-review.googlesource.com/691975
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48263}
2017-10-02 14:03:30 +00:00
Michael Starzinger
17d86d76fb [deoptimizer] Materialize objects with top-most stub frame.
This makes sure the deoptimizer properly materializes heap objects, even
when the top-most frame happens to be a stub-frame. Without this step
the {arguments_marker} would leak into user-land and most likely be
treated as an undefined value.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-769852
BUG=chromium:769852

Change-Id: I4ba17501c5d7e68d1f402b7c2cc5ccb0fb7bfb05
Reviewed-on: https://chromium-review.googlesource.com/691996
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48262}
2017-10-02 13:23:45 +00:00
Benedikt Meurer
08db4d7652 [ic] Properly handle polymorphic symbol accesses.
Until now keyed accesses to properties with string or symbol keys were
only optimized properly while the IC was monomorphic and would go
megamorphic as soon as there's another receiver map, even if the name
was still the same (i.e. the same symbol or internalized string). This
was a weird performance-cliff, that'll hurt modern code especially
because for symbols you can only access them via keyed loads and stores.

This CL fixes the state machine inside the ICs to properly transition to
POLYMORPHIC state (and stay there) as long as the new name matches the
previously recorded name. The FeedbackVector and TurboFan were already
able to deal with this and didn't need any updates.

On the micro-benchmark from the tracking bug we go from

  testStringMonomorphic: 429 ms.
  testSymbolMonomorphic: 431 ms.
  testStringPolymorphic: 429 ms.
  testSymbolPolymorphic: 5621 ms.

to

  testStringMonomorphic: 429 ms.
  testSymbolMonomorphic: 429 ms.
  testStringPolymorphic: 429 ms.
  testSymbolPolymorphic: 430 ms.

effectively eliminating the overhead for symbols completely, and
yielding a 13.5x performance boost.

This also seems to yield a 1% improvement on the ARES6 ML benchmark,
because it eliminates the KEYED_LOAD_ICs for the Symbol.species lookups.

Bug: v8:6367, v8:6278, v8:6344
Change-Id: I879fe56387b4c56203c1ad8ef8cafb6cc4c32897
Reviewed-on: https://chromium-review.googlesource.com/695108
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48261}
2017-10-02 12:35:05 +00:00
Mathias Bynens
d3c9812143 [parser] Add use counter for U+2028 & U+2029
The context is the following proposal to make JSON a subset of
JavaScript: https://github.com/tc39/proposal-json-superset

There’s interest in performing a side investigation to answer the
question of what would happen if we stopped treating U+2028 and U+2029
as `LineTerminator`s *entirely*. (Note that this is separate from the
proposal, which just changes how these characters are handled in
ECMAScript strings.) This is technically a breaking change, and IMHO it
would be wonderful if we could get away with it, but no one really has
any data on whether or not we could. Adding this use counter lets us get
that data.

BUG=v8:6827

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ia22e8db1634df4d3f965bec8e1cfa11cc7b5e9aa
Reviewed-on: https://chromium-review.googlesource.com/693155
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48260}
2017-10-02 11:46:36 +00:00
Michael Lippautz
7283b57cf8 [heap] IncrementalMarking: Enforce coding style
Bug: 
Change-Id: I2b1ae2f475e780606fa07db2cf861eb2537207d6
Reviewed-on: https://chromium-review.googlesource.com/695223
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48259}
2017-10-02 10:30:47 +00:00
Camillo Bruni
38c902de3e [tools] Increase limits to find stack messages in grokdump.py
Change-Id: I3b7e5f4fb9bc6cdad3582e19099fb97b2a0c7cb0
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/684185
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48258}
2017-10-02 10:09:05 +00:00
Benedikt Meurer
e65c0b2578 [turbofan] Don't go MEGAMORPHIC when storing oddballs to typed arrays.
The KEYED_STORE_IC was never able to deal with stores to typed arrays
where the value being stored is not already a Number (i.e. either a Smi
or a HeapNumber). By extending it to also handle Oddballs (i.e. true,
false, undefined and null) and teaching TurboFan to also perform the
appropriate check plus the truncation to Number, we can easily support
this use case as well.

On the micro-benchmark in the bug report, we go from

  typedArrayStoreBool: 2975 ms.
  typedArrayStoreInt: 44 ms.

to

  typedArrayStoreBool: 43 ms.
  typedArrayStoreInt: 44 ms.

so that's roughly a 70x performance boost.

Bug: chromium:287773
Change-Id: I227419aeabc3f5b6793aa280a95448d03ac2f2dd
Reviewed-on: https://chromium-review.googlesource.com/691731
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48257}
2017-10-02 09:21:37 +00:00
Ben L. Titzer
9debe4411c [wasm] Move memory-related methods to wasm-memory.(cc|h).
R=gdeepti@chromium.org

Bug: 
Change-Id: Ic2e519d24354b3327a92daa0d4d6e06c9ca4605e
Reviewed-on: https://chromium-review.googlesource.com/687056
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48256}
2017-10-02 09:09:06 +00:00
Clemens Hammacher
bfaacb8afb [wasm] Add flag for memory tracing
With --wasm-trace-memory, both compiled code and the interpreter will
output each memory load or store. This helps to debug miscompilations in
emscripten or in V8, like the referenced bug.

R=titzer@chromium.org

Bug: chromium:718858
Change-Id: I90704d164975b11c65677f86947ab102242d5153
Reviewed-on: https://chromium-review.googlesource.com/684316
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48255}
2017-10-02 08:26:26 +00:00
Benedikt Meurer
b8b76ebaac [es2015] Optimize TypedArray.prototype[Symbol.toStringTag].
The TypedArray.prototype[Symbol.toStringTag] getter is currently the best (and
as far as I can tell only definitely side-effect free) way to check whether an
arbitrary object is a TypedArray - either generally TypedArray or a specific
one like Uint8Array. Using the getter is thus emerging as the general pattern
to detect TypedArrays, even Node.js now adapted it starting with

  https://github.com/nodejs/node/pull/15663

for the isTypedArray and isUint8Array type checks in lib/internal/util/types.js
now.

The getter returns either the string with the TypedArray subclass name
(i.e. "Uint8Array") or undefined if the receiver is not a TypedArray.
This can be implemented with a simple elements kind dispatch, instead of
checking the instance type and then loading the class name from the
constructor, which requires a loop walking up the transition tree. This
CL ports the builtin to CSA and TurboFan, and changes the logic to a
simple elements kind check. On the micro-benchmark mentioned in the
referenced bug, the time goes from

  testIsArrayBufferView: 565 ms.
  testIsTypedArray: 2403 ms.
  testIsUint8Array: 3847 ms.

to

  testIsArrayBufferView: 566 ms.
  testIsTypedArray: 965 ms.
  testIsUint8Array: 965 ms.

which presents an up to 4x improvement.

Bug: v8:6874
Change-Id: I9c330b4529d9631df2f052acf023c6a4fae69611
Reviewed-on: https://chromium-review.googlesource.com/695021
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48254}
2017-10-02 07:12:49 +00:00
Daniel Clifford
0543782147 Introduce protector cell helper functions in CSA
Change-Id: Iac4a95a0c094472d887d89bbf5d6189988c56f7c
Reviewed-on: https://chromium-review.googlesource.com/692016
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48253}
2017-10-02 06:59:59 +00:00
Deepti Gandluri
b380525b3b [wasm] Implement I32AtomicLoad, I32AtomicStore ops
Bug: V8:6532
Change-Id: I6713e1c01ec669b7fa9a09bb75fbecff12f6cc22
Reviewed-on: https://chromium-review.googlesource.com/685949
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48252}
2017-10-02 05:40:59 +00:00
v8-autoroll
86fc2af909 Update V8 DEPS.
Rolling v8/build: b376554..ce6d3d8

TBR=machenbach@chromium.org,hablich@chromium.org

Change-Id: Idda412143f1ff00ca10e8822acb5a0754372ee29
Reviewed-on: https://chromium-review.googlesource.com/694681
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48251}
2017-10-02 03:52:21 +00:00