Commit Graph

3491 Commits

Author SHA1 Message Date
Mythri A
d11292fcff [ic] Use slow stub when storing non-existent properties to global object
In strict mode stores to non-existent properties throw. We should not
install a handler with the property cell for such stores. These handlers
would expect that the value exists when they see a property cell. If
this property cell gets invalidated later, it appears as if it is a
valid property cell with undefined value. This leads to an incorrect
behaviour. This cl checks if we are in strict mode and uses a slow
stub in such cases.

Bug: chromium:1067757
Change-Id: I543c6a6931530bfb13cc9a33d1dabaa756489fd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2142255
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67151}
2020-04-15 15:00:29 +00:00
Andreas Haas
401190baf0 [wasm] Fix return value of concurrent memory.grow
When memory.grow was executed concurrently on multiple threads a data
race could happen such that two memory.grow operations result in the
same return value. With this CL the return value of memory.grow is
unique, given that memory.grow actually grows the memory.

As a concrete example, assume a shared WebAssembly memory initially has
a size of 100. Assume two threads call memory.grow concurrently with a
parameter `10`. Then with the existing code, memory would grow correctly
to a size of 120, but the data race may cause both memory.grow
operations to return 100. With the change in this CL one memory.grow
operation would return 100, the other would return 110.

R=gdeepti@chromium.org
CC=rreverser@google.com

Bug: chromium:1067621
Change-Id: Ib22b5135714a56799e0818ccb39e5dce327e5f8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2144113
Reviewed-by: Ben Smith <binji@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67135}
2020-04-14 21:37:32 +00:00
Georg Neis
aff70262f1 [test] Crash on invalid intrinsic use unless --fuzzing is on
For example, when --fuzzing is off, %OptimizeFunctionOnNextCall now
crashes when given a non-function argument.

The following behaviors remain unchanged for now:
- %DeoptimizeFunction continues to do nothing if the function is not
  optimized.
- %DeoptimizeNow continues to do nothing if the top-most JS function
  is not optimized.
- %OptimizeOSR continues to do nothing if the function already has
  optimized code.

Bug: v8:10249
Change-Id: I35d2f3d50ce3f94c8ffccabe50fb4df2b70ce028
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2137406
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67121}
2020-04-14 15:01:49 +00:00
Ng Zhi An
44d3ae7032 Reland "[wasm-simd][x64][ia32] Do not overwrite input register"
This relands commit 7d955faa76.

Changed the test case to use i16x8 splat instead of i8x16 splat,
the latter was causing issues when doing scalar lowering. This
change still causes the regression test to fail without the fix.

Original change's description:
> [wasm-simd][x64][ia32] Do not overwrite input register
>
> We are ovewriting input register (contains the shift) when we are
> masking it, instead, move to a temporary,then mask it.
>
> Bug: chromium:1065599
> Change-Id: Iab72b94581239447e444746681387350b576e24a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2125941
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#66997}

Bug: chromium:1065599
Change-Id: I0dc78ddb013652ef88c07d065c3f6877937c5300
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2136220
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67026}
2020-04-06 19:54:05 +00:00
Jakob Gruber
30658b6b1b [regexp] Reserve space for all registers in interpreter
This is a minimal version of https://crrev.com/c/2135642 intended for
backmerges.

Ensure that the interpreter has space for all required registers.

Bug: chromium:1067270
Change-Id: Iefd016b4845fb8698d1e0ef5f6a03df0e66aa576
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2137403
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67013}
2020-04-06 14:34:34 +00:00
Zhi An Ng
2808167b6f Revert "[wasm-simd][x64][ia32] Do not overwrite input register"
This reverts commit 7d955faa76.

Reason for revert: Bad change, modified wrong test file https://ci.chromium.org/p/v8/builders/ci/V8%20Linux/36416

Original change's description:
> [wasm-simd][x64][ia32] Do not overwrite input register
> 
> We are ovewriting input register (contains the shift) when we are
> masking it, instead, move to a temporary,then mask it.
> 
> Bug: chromium:1065599
> Change-Id: Iab72b94581239447e444746681387350b576e24a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2125941
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#66997}

TBR=gdeepti@chromium.org,zhin@chromium.org

Change-Id: I50c57906d6eb49758584b477c971179ea3c6e5d3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1065599
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2134655
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67000}
2020-04-03 19:23:31 +00:00
Ng Zhi An
7d955faa76 [wasm-simd][x64][ia32] Do not overwrite input register
We are ovewriting input register (contains the shift) when we are
masking it, instead, move to a temporary,then mask it.

Bug: chromium:1065599
Change-Id: Iab72b94581239447e444746681387350b576e24a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2125941
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66997}
2020-04-03 17:57:31 +00:00
Toon Verwaest
4561500ee4 [parser] Already break the expression scope chain for function parameters
Otherwise we'll invalidly propagate information from default function parameters outwards to outer arrow scopes.

Bug: chromium:1060023
Change-Id: Id43ecb5e1d354d5250a80c2a4f7e3129759041d5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2134006
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66964}
2020-04-02 13:16:55 +00:00
Mythri A
800c294cf1 [ic] Use the existing prototype validity cell when recomputing handlers
For keyed stores we recompute handlers based on the receiver maps
we have seen. This is done so that we can transition to the most generic
elements kind we have seen so far. When we recompute this handlers we
get a new prototype validity cell and ignore the existing cell. This
leads to incorrect behaviour if the cell was invalid. Recomputing the
handler may be extra work which is not worth doing at this point. So
we just reuse the existing validity cell and let the IC recompute the
handler if we see the map again.

Bug: chromium:1053939
Change-Id: Ifc891d70f5a4b8b774238e12fb40e29b4d174e37
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2122032
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66963}
2020-04-02 12:36:45 +00:00
Clemens Backes
7bb686a976 [asm] Fix double literals without dots
Double literals without dots should still be parsed as double constants,
not unsigned constants. The static_cast would remove the fractional
part, making constants like "1e-15" come out as "0" unsigned constants.

The precise semantics is not spec'ed, so we still consider literals like
"1e1" to be unsigned, and only switch to double if there is a fractional
part.

R=ecmziegler@chromium.org

Bug: chromium:1065635
Change-Id: I0aac018058a149632e0849572d19fdcc7b2af7aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2126922
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66949}
2020-04-01 13:59:24 +00:00
Maya Lekova
6ee457bf05 [turbofan] Add a type check to String.prototype.startsWith
The ReduceStringPrototypeStartsWith implementation in TurboFan
was doing the CheckString too late, after returning "false" in
case there are no arguments.

Fixed: chromium:1065741
Change-Id: I1016383d65120d3b050e76d6ac41986497af0b8d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2129639
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66948}
2020-04-01 13:57:44 +00:00
Clemens Backes
ee498c1c16 [asm] Avoid instantiation as resumable function
If "use asm" is used inside a "function*" or async function, it should
bail out.

Drive-by: Minor cleanup in {Runtime_InstantiateAsmJs}.

R=ecmziegler@chromium.org

Bug: chromium:1065852
Change-Id: Ice48126b803a30c4b4ff7b5ae22df85a3f36198a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2126920
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66939}
2020-04-01 09:50:34 +00:00
Z Nguyen-Huu
073c5d2dd6 [wasm] WAT-compatible naming for exported function
For exported functions that do not have a name yet, we use the field
name (see <name> of WasmExport) of the first export entry.

Doc: https://docs.google.com/document/d/1XoXWONLBgZWQ9dhtoMpQPvD0fnnWA50OorsuSXfME3g/edit#heading=h.6yuhg1v2w3q4
Bug: v8:10242
Change-Id: Icfa55fd50e5d1c4cf10581b7d322112e9f113388
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2112684
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66877}
2020-03-26 17:29:49 +00:00
Camillo Bruni
855b4945d3 [mjsunit] Use smaller test array
This might help reduce flaky test results caused by too high memory
consumption due to the large Float32Array in regress-crbug-1057653.js.

Bug: v8:10333
Change-Id: Id99ebb67ebe5a7a730e44cd8967ebbea905ccdc5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2108547
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66836}
2020-03-23 23:06:06 +00:00
Jakob Kummerow
ea468d5318 Fix one more LookupIterator
to properly choose named or indexed mode

Bug: chromium:1059738
Change-Id: Icd086fee31079f52770742afa54fc946acb1fd81
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2101005
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66702}
2020-03-13 13:39:54 +00:00
Deepti Gandluri
37ef629a87 [wasm-simd] Add regression test to validate results on Arm64 HW
Bug: v8:10309
Change-Id: Ib0ad8f936d0229129315e8e48e54fa500fd40cd5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2101701
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66691}
2020-03-13 00:58:01 +00:00
Camillo Bruni
22afaacd47 [keys] Handle RangeError in GetKeysWithPrototypeInfoCache
Drive-by-fix: Add V8_WARN_UNUSED_RESULT to MaybeHandle::ToHandle

Bug: chromium:1057653
Change-Id: I2834806ca498a2fa43a64f5391606cdbfb4af4fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2084814
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66582}
2020-03-04 13:38:10 +00:00
Jakob Kummerow
27538aa361 [wasm] Fix memory limit check with custom flags
Move the recently introduced extra check for 32-bit platforms so
that it covers all code paths that would be hit by custom/future
memory limit settings.

Bug: chromium:1057094
Change-Id: I5e2217a24578ee82c7bfa753b7d5dcd3d00e1b7c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2083300
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66568}
2020-03-03 16:17:24 +00:00
Camillo Bruni
cb67be1a38 [mjsunit] Move all regress-*.js tests to mjsunit/regress/
Change-Id: I213587414aaa4d159dc0c6fd9b5986d7bfcaa3ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2082562
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66559}
2020-03-03 11:35:13 +00:00
Camillo Bruni
09d14728ca [intl] Fix Intl.NumberFormat constructor
Call the @@hasInstance trap only when required by the spec.

Bug: chromium:1052647
Change-Id: I7a0a3133c7b6280c6a3215e379bf02e9c22ffe55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2082560
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66558}
2020-03-03 11:33:53 +00:00
Francis McCabe
b66e24f0b3 Revert "[runtime] Improve handling of enumeration index on global dictionary"
This reverts commit 25d16574f8.

Reason for revert: breaks tree with new flakes. See, for example:

https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/31169
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim/21895
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20isolates/8490


Original change's description:
> [runtime] Improve handling of enumeration index on global dictionary
> 
> Bug: chromium:1056054
> Change-Id: Ie1f2da98bc54a2ad5189cbe2ee1686fe1ef7019a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2079035
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/master@{#66504}

TBR=jkummerow@chromium.org,verwaest@chromium.org,seth.brenith@microsoft.com,victorgomes@chromium.org

Change-Id: I2baa48f6ed2b0b3e23b0d705b6a805d76ee4bb8f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1056054
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2080653
Reviewed-by: Francis McCabe <fgm@chromium.org>
Commit-Queue: Francis McCabe <fgm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66505}
2020-02-28 19:29:03 +00:00
Seth Brenith
25d16574f8 [runtime] Improve handling of enumeration index on global dictionary
Bug: chromium:1056054
Change-Id: Ie1f2da98bc54a2ad5189cbe2ee1686fe1ef7019a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2079035
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#66504}
2020-02-28 17:43:02 +00:00
Georg Neis
3aa52a22ca Revert "[builtins] stop using imprecise fdlibm pow"
This reverts commit b12ba06edf.

Reason for revert:
After further discussion we decided to stick with fdlibm.

Original change's description:
> [builtins] stop using imprecise fdlibm pow
>
> This CL reinstates the old pow implementation which calls out to the
> system implementation of pow.
>
> Bug: v8:9622
> Change-Id: I3df997888ced3fb8b5bd4b810098e967649aaa55
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1774898
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#66303}

TBR=yangguo@chromium.org,neis@chromium.org,hpayer@chromium.org,me@gus.host

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:9622
Change-Id: I941f70c7432cd2fab86e0eadcb2e1a9ec8195e91
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2072746
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66452}
2020-02-26 10:36:23 +00:00
Ng Zhi An
a67a16aae4 [wasm-simd] Fix OpcodeLength of load splat/extend ops
Move load splat and load extend ops into the list of SIMD memory
opcodes, since they similarly take an i32 and an memarg. This fixes the
OpcodeLength calculation in function-body-decoder-impl.h.

And in turn, fixes the mjsunit test code that the fuzzer generates. See
the regress-1055692.js file for the weird S8x16LoadSplat followed by 2
kExprUnreachable, where the kExprUnreachable really is a memarg
{0x0, 0x0}. This bug was caught by the fuzzer, and that was the
generated test (with small fixes to add kExprDrop), so leaving it as it
is.

Bug: chromium:1055692
Change-Id: I743b6beb82350b5fea22c8dd10b546a02741cfed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2071401
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66439}
2020-02-26 02:57:20 +00:00
Andreas Haas
7a31813024 Reland "[wasm] The name of a custom section can cause a validation error"
This is a reland of 03d5a7ba9b

Nothing changed here compared to the original test. The tests on the
blink side were invalid, I fixed them in https://crrev.com/c/2066907.

Original change's description:
> [wasm] The name of a custom section can cause a validation error
>
> The WebAssembly spec defines that the name of a custom section can cause
> a validation error. The streaming decoder, however, used a separate
> Decoder object to decode the name, and thereby avoided a validation
> error. With this CL the streaming decoder uses the main decoder to
> decode the name of the custom section.
>
> In addition this CL removes the test mjsunit/regress/wasm/regress-789952.
> This test defined an invalid WebAssembly module and expected it to
> compile. As it is a regression test, it makes no sense to fix the test.
> The module is invalid because it defines the length of the custom section
> to be '0', so there are no bytes in the custom section for its name.
>
> R=clemensb@chromium.org
> CC=thibaudm@chromium.org
>
> Bug: v8:10126
> Change-Id: I8cfc77c9a5916570d5362d5922e0179a29774da8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2041446
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#66348}

Bug: v8:10126
Change-Id: I48aaed8eb9899da1703030fb6809fe46a6e66191
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2069325
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66431}
2020-02-25 15:38:27 +00:00
Ng Zhi An
0d0d38fec0 Reland "[liftoff] Check fp_pair when looking up register for reuse"
This is a reland of 548fda4afb

regress-1054466 is modified to not use 64x2 operations, since that was
causing problems on noavx/nosse builds, which requires scalar lowering,
and scalar lowering for 64x2 ops is not implemented.

Original change's description:
> [liftoff] Check fp_pair when looking up register for reuse
>
> Given two registers that are both not gp_pair, one could be an fp_pair,
> and the other not, and we will incorrect call == on them. The current
> check needs to be expanded to check that both registers are fp_pair.
>
> Bug: chromium:1054466
> Change-Id: Ib986c002a8a5cadb9668458597a797cecfd971b1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2070006
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#66402}

Bug: chromium:1054466
Change-Id: If88f1ff2fb17aaa3727758cda5b368be1c6d9bd6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2071396
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66423}
2020-02-25 12:18:46 +00:00
Clemens Backes
37425fe968 Revert "[liftoff] Check fp_pair when looking up register for reuse"
This reverts commit 548fda4afb.

Reason for revert: Segfault on nosse bot: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux/35905?

Original change's description:
> [liftoff] Check fp_pair when looking up register for reuse
> 
> Given two registers that are both not gp_pair, one could be an fp_pair,
> and the other not, and we will incorrect call == on them. The current
> check needs to be expanded to check that both registers are fp_pair.
> 
> Bug: chromium:1054466
> Change-Id: Ib986c002a8a5cadb9668458597a797cecfd971b1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2070006
> Commit-Queue: Zhi An Ng <zhin@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#66402}

TBR=clemensb@chromium.org,zhin@chromium.org

Change-Id: I56f13406ef3cc3793c9d0e2273c4dc5fb0e3de38
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1054466
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2069327
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66405}
2020-02-24 13:18:46 +00:00
Ng Zhi An
548fda4afb [liftoff] Check fp_pair when looking up register for reuse
Given two registers that are both not gp_pair, one could be an fp_pair,
and the other not, and we will incorrect call == on them. The current
check needs to be expanded to check that both registers are fp_pair.

Bug: chromium:1054466
Change-Id: Ib986c002a8a5cadb9668458597a797cecfd971b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2070006
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66402}
2020-02-24 12:24:06 +00:00
Jakob Kummerow
a8b7d47733 [wasm] Bring memory limits up to spec
Make sure the "initial pages" memory limit is enforced correctly and
throws a CompileError when exceeded.
Bump the "maximum pages" memory limit to 65536.
The --wasm-max-mem-pages flag now controls the "initial pages" limit;
the "maximum pages" limit is always 65536 as spec'ed.

This CL depends on https://github.com/WebAssembly/spec/pull/1121.

Bug: v8:7881, v8:8633
Change-Id: I68d07cef56633b8b8ce3b3d047c14e1096daf547
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2035876
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66400}
2020-02-24 11:00:16 +00:00
Nico Hartmann
86a6ce454b [turbofan] Fixes Array constructor with single string argument
Bug: chromium:1034449
Change-Id: Id121b60af0c8c8621464f15aa754056cecb04595
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2064985
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66386}
2020-02-21 12:26:09 +00:00
Toon Verwaest
4b0916a2bc [keys] Make sure we don't leak the enum cache in slow-mode for/in
An enum cache can only be referenced together with the map that owns the
entries that are needed. Otherwise the entires can be trimmed away if
the map dies because of transitions.

Bug: chromium:1050046
Change-Id: I5bc9dd65ca092c3d5ebc08ce553f6f1dc980d41b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2066959
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66375}
2020-02-20 16:44:41 +00:00
Michael Achenbach
43accc8b7f Revert "[wasm] The name of a custom section can cause a validation error"
This reverts commit 03d5a7ba9b.

Reason for revert: Needs rebaseline:
https://ci.chromium.org/p/v8/builders/ci/V8%20Blink%20Linux/3243

Original change's description:
> [wasm] The name of a custom section can cause a validation error
> 
> The WebAssembly spec defines that the name of a custom section can cause
> a validation error. The streaming decoder, however, used a separate
> Decoder object to decode the name, and thereby avoided a validation
> error. With this CL the streaming decoder uses the main decoder to
> decode the name of the custom section.
> 
> In addition this CL removes the test mjsunit/regress/wasm/regress-789952.
> This test defined an invalid WebAssembly module and expected it to
> compile. As it is a regression test, it makes no sense to fix the test.
> The module is invalid because it defines the length of the custom section
> to be '0', so there are no bytes in the custom section for its name.
> 
> R=​clemensb@chromium.org
> CC=​thibaudm@chromium.org
> 
> Bug: v8:10126
> Change-Id: I8cfc77c9a5916570d5362d5922e0179a29774da8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2041446
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#66348}

TBR=ahaas@chromium.org,clemensb@chromium.org

Change-Id: I5a7ea265ce47b9e685a5056bb83db6dc58f774a9
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:10126
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2065168
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66356}
2020-02-19 21:38:28 +00:00
Andreas Haas
03d5a7ba9b [wasm] The name of a custom section can cause a validation error
The WebAssembly spec defines that the name of a custom section can cause
a validation error. The streaming decoder, however, used a separate
Decoder object to decode the name, and thereby avoided a validation
error. With this CL the streaming decoder uses the main decoder to
decode the name of the custom section.

In addition this CL removes the test mjsunit/regress/wasm/regress-789952.
This test defined an invalid WebAssembly module and expected it to
compile. As it is a regression test, it makes no sense to fix the test.
The module is invalid because it defines the length of the custom section
to be '0', so there are no bytes in the custom section for its name.

R=clemensb@chromium.org
CC=thibaudm@chromium.org

Bug: v8:10126
Change-Id: I8cfc77c9a5916570d5362d5922e0179a29774da8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2041446
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66348}
2020-02-19 18:39:25 +00:00
Gus Caplan
b12ba06edf [builtins] stop using imprecise fdlibm pow
This CL reinstates the old pow implementation which calls out to the
system implementation of pow.

Bug: v8:9622
Change-Id: I3df997888ced3fb8b5bd4b810098e967649aaa55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1774898
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66303}
2020-02-18 09:09:38 +00:00
Thibaud Michaud
80c7ab4d77 [wasm] Fix streaming compilation prefix hash
The previous code was relying on {compilation_unit_builder_} to check if
a section was after or before the code section. This only works for the
first section after code section, since the compilation unit builder is
then reset. Use an additional field to track this instead.

R=clemensb@chromium.org

Bug: chromium:1051912
Change-Id: Id1dfa803ecde2cf77f206ea781c007fc61168942
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2054099
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66265}
2020-02-13 20:53:17 +00:00
Jakob Gruber
04c868c1ac Add test skips for deopt_fuzzer
These tests rely on predictable opt & deopt timings. Also add the
--opt flag to tests to force optimization even in configurations that
contain the --no-opt flag.

Bug: v8:9972,chromium:1049982
Change-Id: Ic161d188ebfae9aaae6a160d365413abedfee5f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2050402
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66231}
2020-02-12 08:41:54 +00:00
Jakob Gruber
099de337fe [gasm] Fix deopt frame state in Array.p.reduce and reduceRight
This fixes a bug in lazy deopts caused by calls to the callback function
in Array.prototype.reduce and reduceRight.

The deopt continuation expects the *next* iteration's index value but
we actually passed the current iteration's value.

The user-visible effect of this bug was that sometimes, an unexpected
additional call to the callback function would occur.

It was introduced by https://crrev.com/c/1934329.

Bug: v8:9972,chromium:1049982
Change-Id: Icfd2ef076209e20602f54d4662220e1d4c5d07ee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2049850
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66226}
2020-02-11 16:38:33 +00:00
Clemens Backes
0e2e50dd5b [liftoff][ia32] Fix AtomicStore register spilling
If we need a byte register, but {src} is none, we should definitely use
another register.

R=ahaas@chromium.org

Bug: chromium:1048241
Fixed: chromium:1048241
Change-Id: I3396826986e1823250ad6855b84f4b05faaf3b90
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2036073
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66095}
2020-02-04 09:39:54 +00:00
Leszek Swirski
6abbfe2736 [ast] Flatten Wasm function names
Factory::NewFunction now requires names passed into it to be flat.
Make sure to flatten Wasm function names when creating new Wasm JS
functions.

Fixes: chromium:1047368
Change-Id: I7bd2d8bc83ae8fab901ab469872bce0f703fc3ec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2030738
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66064}
2020-01-31 11:25:45 +00:00
Clemens Backes
d8bb229df0 [Liftoff] Clean up implementation of AtomicStore
As discussed offline, the current implementation implement each
situation separately. I think we can simplify the code a lot by sharing
code between the different paths.
This CL does that by
1) implementing the kI64Store case separately, because it does not have
   all the register contraints that the others have, and
2) moving all logic to ensure that the {src} register is usable before
   the switch, such that it's shared by all the compare-exchange cases.

As a side produce, this also fixes issue 1045225, because for i64 stores
which actually only use the lower half of {src}, only that half will be
pinned.

R=ahaas@chromium.org

Bug: chromium:1045225, v8:10108
Change-Id: I0be025b9706d563835ae6337d45b88e0233eacad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2029414
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66062}
2020-01-31 08:54:44 +00:00
Andreas Haas
8ff14f5b36 [wasm] Type check brtable if it's not unreachable
There was a bug in the function body decoder where
type checking of brtable only happened if the brtable
instruction is reachable. However, type checking is
required in all cases where brtable "not unreachable".
The difference between reachable and "not unreachable"
is a state called spec-reachable where a clever
compiler can already infer that the code will be
unreachable (e.g. a memory access is out of bounds
just by the offset and therefore unconditionally
traps), but the spec can not. If an instruction is
only spec-reachable, it still has to be type checked.

R=clemensb@chromium.org
FIX=chromium:1046472

Change-Id: I7e9f1108597871615c0d443a0e94de35a0207b5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2027990
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66049}
2020-01-30 13:46:15 +00:00
Jakob Kummerow
efaa34b5e5 Fix one more LookupIterator
Copying one object's named properties is always fine, even if one of
the names could be a large index on a TypedArray. Mark the LookupIterator
as OWN_SKIP_INTERCEPTOR to avoid the DCHECK.

Bug: chromium:1044909
Change-Id: I6918186a4b50df7865de3572cb674fd7d6eadb78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2023558
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66027}
2020-01-29 16:49:50 +00:00
Igor Sheludko
68cc5c6796 [builtins] Fix FastCreateDataProperty
... which didn't check writability of array length on appending
a new element to an array.

Bug: chromium:1041251
Change-Id: I6935e505a4844e5b22abe9d4a42786619499daa6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2023551
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66023}
2020-01-29 12:25:03 +00:00
Georg Neis
e395871fdb [runtime] Don't invalidate property cell when it becomes read-only
The compiler assumes (for loads) that the property cell of a
non-configurable global property never gets invalidated.

Bug: chromium:1044919
Change-Id: I27f6ce30fb9a21e2c1e5310f25e9bb973ebbc266
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2023562
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66021}
2020-01-29 11:06:42 +00:00
Jakob Kummerow
2d10033fba Fix ArrayLengthSetter for suddenly frozen elements
Converting an object to an array length can freeze the array whose
length is being set, but SetLength for the frozen elements accessor
is supposedly unreachable. This fix extends the existing special
handling for suddenly-readonly lengths to cover this case as well.
Prior art: https://codereview.chromium.org/2543553002

Bug: chromium:1044911
Change-Id: I85d2e79446a8d9c1d22cd86ddf828328bf51a1a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2023555
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66020}
2020-01-29 10:52:52 +00:00
Andreas Haas
82b78191ef [wasm][liftoff] Zero-extend result of atomic.add
R=clemensb@chromium.org

Fix: chromium:1045737
Change-Id: I0e27b8ff6ab09078a2f63f955e6123e1003ed889
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2020768
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65998}
2020-01-27 14:02:35 +00:00
Deepti Gandluri
3390e57553 Remove "--wasm-disable-structured-cloning" flag
Bug: v8:10021
Change-Id: I23a693064c44cd620a874787bcc00cb42bc5874f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1999158
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65933}
2020-01-22 22:24:19 +00:00
Jakob Kummerow
3bff8fa5ea [64bit] Bump TypedArray max length to 2**32-1 elements
The actual allocatable size still depends on the allocator;
in particular Blink's ArrayBufferAllocator is currently limited
to 2GB.
WebAssembly memories are not affected by this change (i.e. still
capped at 2GB as well).

For 32-bit platforms, the limit remains at 2**30-1 (=max smi) elements.

Bug: v8:4153
Change-Id: If0d6047dd4061028688d85a3dc0a2684dcca8693
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2007495
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65924}
2020-01-22 17:42:26 +00:00
Bill Ticehurst
99641cb424 Fix native stacks flag for pointer compression
The interpreted-frames-native-stack flag has been broken since pointer
compression was enabled. This fixes the load of the field.

Bug: v8:10138
Change-Id: I746407a7a5680c5d3e9a3b190371af00818282b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2011206
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65878}
2020-01-21 09:40:57 +00:00
Emanuel Ziegler
18e9cece40 [asm.js] Force -0 to be double
This adjusts parsing of negative numbers in UnaryExpression and
MultiplicativeExpression to return double if the token is -0.

R=clemensb@chromium.org
TEST=mjsunit/regress/regress-6838-4
BUG=v8:6838

Change-Id: I6c2113b520c3831f4a5101f0a963f49c1eb9d7d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2007272
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65862}
2020-01-20 11:50:31 +00:00