Commit Graph

42450 Commits

Author SHA1 Message Date
Alexey Kozyatinskiy
d415be61a1 [inspector] one more array with nullified __proto__
+ little reduction of injected-script-source size.

Bug: chromium:759651
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ia5d0b31fddc9f6c6c7e547618a6a01e93564bcbc
Reviewed-on: https://chromium-review.googlesource.com/660409
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47958}
2017-09-11 22:03:38 +00:00
Ben Smith
695cc8fe9f Remove volatile from TypedArray set/get
It causes a significant regression in TypedArray benchmarks. Thinking it
through, it is actually not necessary for the JavaScript memory model
either. I originally added it to ensure that reads/writes are not elided
or duplicated, but there is no guarantee of this behavior for non-atomic
writes in the model.

BUG=chromium:763814
R=clemensh@chromium.org

Change-Id: Ib03d2e2e77a846d4b9e84eebc7f8fbf861f8fd7c
Reviewed-on: https://chromium-review.googlesource.com/661192
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47957}
2017-09-11 21:07:55 +00:00
Georg Neis
0c246c33a3 [bigint] Introduce BigInt type.
BigInt is a new primitive type of arbitrary precision integers,
proposed in https://tc39.github.io/proposal-bigint.

This CL introduces a corresponding instance type, map, and C++
class to V8 and adds BigInt support to a few operations (see the
test file). Much more is to come. Also, the concrete representation
of BigInts is not yet fixed, currently a BigInt is simply a wrapped
Smi.

Bug: v8:6791
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ia2901948efd7808f17cfc945f0d56e23e8ae0b45
Reviewed-on: https://chromium-review.googlesource.com/657022
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47956}
2017-09-11 18:55:48 +00:00
Deepti Gandluri
5afca6b14e [wasm] Flag atomics tests as slow on ARM64
Change-Id: I960bd425e5ebd4cda1c44c6a6f085b1553d01a29
Reviewed-on: https://chromium-review.googlesource.com/660404
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47955}
2017-09-11 18:25:48 +00:00
Daniel Ehrenberg
8540c10c5c [test] test262 roll
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I3f07c8c5359297c061d1cf10d1c3f7bb2919c78e
Reviewed-on: https://chromium-review.googlesource.com/660278
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47954}
2017-09-11 17:12:48 +00:00
Jungshik Shin
d9a25842d3 Enable icu-timezone-data by default
This will introduce a new behavior on POSIX(-like) platforms. Timezone
names inside parentheses after GMT offset will not be 3-4 letter
abbreviation any longer. They'll be human-readable names in the current
default locale. This matches the current Windows behavior.

new Date(2017, 5, 22).toString()
new Date(2017, 11, 22).toString()

Current:

Thu Jun 22 2017 00:00:00 GMT-0700 (PDT)
Fri Dec 22 2017 00:00:00 GMT-0800 (PST)

New in en-US locale:

Thu Jun 22 2017 00:00:00 GMT-0700 (Pacific Daylight Time)
Fri Dec 22 2017 00:00:00 GMT-0800 (Pacific Standard Time)

New in German locale:

Thu Jun 22 2017 00:00:00 GMT-0700 (Nordamerikanische Westküsten-Sommerzeit)
Fri Dec 22 2017 00:00:00 GMT-0800 (Nordamerikanische Westküsten-Normalzeit)

BUG=v8:6031, v8:2137, v8:6076
TEST=mjsunit/icu-date-lord-howe.js, mjsunit/icu-date-to-string.js

Change-Id: I4e7fd8b3ddae5c7779e220c4c101e45904fcdc01
Reviewed-on: https://chromium-review.googlesource.com/625164
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47953}
2017-09-11 16:56:16 +00:00
Jakob Gruber
ddb5255f59 Reland "[snapshot] Temporarily enable --lazy-deserialization"
This is a reland of da6aab4319
Original change's description:
> [snapshot] Temporarily enable --lazy-deserialization
> 
> Flip the flag for one day to determine impact and flush out bugs.
> Please add crashes and regressions to https://crbug.com/v8/6796.
> 
> Bug: v8:6624,v8:6796
> Change-Id: I8b0581c40d956e01f94e9098ff935fdd5af36156
> Reviewed-on: https://chromium-review.googlesource.com/651408
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Michael Hablich <hablich@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47893}

Bug: v8:6624, v8:6796
Change-Id: I7df43925ccb2e6c1d3455439690526b0e1a6a747
Reviewed-on: https://chromium-review.googlesource.com/660218
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47952}
2017-09-11 16:47:06 +00:00
Mike Stanton
8340a86a62 Remove Code::FUNCTION type and predicates.
Since we don't have a full-codegen compiler anymore, we no longer
generate Code::FUNCTION kind. Nice! Here is some cleanup.

Bug: v8:6409
Change-Id: I05634e4ca85c4037b49a4346f4e8bae8042b8762
Reviewed-on: https://chromium-review.googlesource.com/657817
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47951}
2017-09-11 14:57:57 +00:00
Andreas Haas
35be2798fb [asmjs][cleanup] DCHECK that experimental opcodes are not used
The wasm code for asm.js modules is generated by us and does not come
from the user. Therefore we do not need to check in release builds that
experimental opcodes are not used for asm.js, a DCHECK is sufficient.

R=clemensh@chromium.org

Change-Id: I0c7135bfb03eafd2a39e648d57eff8e3a4440c3f
Reviewed-on: https://chromium-review.googlesource.com/659938
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47950}
2017-09-11 14:24:17 +00:00
Peter Marshall
872d671307 [cleanup] Make Add() out-of-line in ExternalReferenceTable.
We call this ~140 times from addReferences() and AddStubCache, which
caused size to increase.

Bug: 
Change-Id: Ib08d435abb82b3e07121adf023f96f6f0b33733e
Reviewed-on: https://chromium-review.googlesource.com/660120
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47949}
2017-09-11 14:05:41 +00:00
Toon Verwaest
cba02969b8 [csa] Migrate NumberConstructor and StringConstructor from ASM to CSA
Bug: v8:5269
Change-Id: Ie649a83435f74b6dd705991c264085f28b12736c
Reviewed-on: https://chromium-review.googlesource.com/655438
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47948}
2017-09-11 14:02:12 +00:00
jgruber
f894706357 [snapshot] Flush icache and allocate with code alignment
This fixes two issues related to Code object allocation: Code objects
need to be aligned to kCodeAlignment (= 32), and the instruction cache
needs to be flushed after deserialization.

Both bugs combined manifested as a crash at a basically arbitrary point
in the code after the Runtime::kDeserializeLazy call:

0x286bc8dc:  blx     r12     // Call to Runtime::kDeserializeLazy,
                             // generated through
                             // GenerateTailCallToReturnedCode.
0x286bc8e0:  mov     r2, r0  // This seemingly innocent register move
                             // crashes hard.

Bug: v8:6624,v8:6796
Change-Id: I88c7eaf57ac851745fb7e800c92b0f5978b33466
Reviewed-on: https://chromium-review.googlesource.com/660119
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47947}
2017-09-11 13:41:54 +00:00
Andreas Haas
07f93affa7 [wasm] Simd locals are not allowed without --experimental-wasm-simd
The wasm valiation incorrectly allowed simd locals, even without the
experimental flag turned on. This was not noted in the generated code
because simd opcodes were forbidden, but the interpreter could not
handle these locals.

R=clemensh@chromium.org

Bug: chromium:763697
Change-Id: I11d924ac21e50bce81d0504c2c7b252105a89f80
Reviewed-on: https://chromium-review.googlesource.com/660117
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47946}
2017-09-11 13:09:30 +00:00
Michael Starzinger
955d7e414e [iwyu] Remove obsolete "api.h" include from "handles-inl.h".
R=clemensh@chromium.org

Change-Id: If0554f01068fb76228e85cfe120630eda86de41d
Reviewed-on: https://chromium-review.googlesource.com/659997
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47945}
2017-09-11 12:52:20 +00:00
Clemens Hammacher
b8cc63ee6d [presubmit] Add check for unbalanced #define / #undef
With jumbo builds, we get spurious errors if several .cc files define
the same preprocessor macro without undefining it. This is also
disallowed by the style guide.
This patch adds a presubmit check to check that each #define is
eventually followed by a corresponding #undef. Special care has to be
taken for conditionally defined macros. Here, the logic to check that
there are not multiple defines and that they are undefined in all
cases is not perfect; it's optimistic in order to avoid false positives.

R=mstarzinger@chromium.org, machenbach@chromium.org

Bug: v8:6811
Change-Id: I55cde499399d97a5eb02fbc5ecfa34e6a8099d06
Reviewed-on: https://chromium-review.googlesource.com/657104
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47944}
2017-09-11 12:44:40 +00:00
Clemens Hammacher
f9efb571ab [wasm] [test] [cleanup] Add missing undefs
Cleanup before enabling the presubmit check:
https://chromium-review.googlesource.com/c/v8/v8/+/657104

Bug: v8:6811
R=ahaas@chromium.org
CC=​​mstarzinger@chromium.org

Change-Id: Ifbf9210464b46dfdb5e04fbedc41d30e11536f74
Reviewed-on: https://chromium-review.googlesource.com/657422
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47943}
2017-09-11 12:09:50 +00:00
Benedikt Meurer
b8f144ec4f [turbofan] Fix type of String#indexOf and String#lastIndexOf.
The Typer put the wrong type on String#index and String#lastIndexOf
builtins, with an off by one on the upper bound.

Bug: chromium:762874
Change-Id: Ia4c29bc2e8e1c85b6a7ae0b99f8aaabf839a5932
Reviewed-on: https://chromium-review.googlesource.com/660000
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47942}
2017-09-11 12:05:29 +00:00
Andreas Haas
d2da19c780 [wasm][fuzzer] Check 'main' export to be a function before execution
In the test case the module contained a memory which got exported by the
name 'main'. The fuzzer crashed when it tried to cast the memory to a
function to execute it. This CL checks that 'main' is a function before
doint the cast.

R=clemensh@chromium.org

Bug: chromium:763349
Change-Id: I9a21413c8038a7547f8b59057afea2870b15499a
Reviewed-on: https://chromium-review.googlesource.com/659978
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47941}
2017-09-11 11:44:19 +00:00
Benedikt Meurer
68e4d86c6e [turbofan] Inline multi-parameter Array#push.
TurboFan wasn't able to inline calls to Array.prototype.push which
didn't have exactly one parameter. This was a rather artifical
limitation and was mostly due to the way the MaybeGrowFastElements
operator was implemented (which was not ideal by itself). Refactoring
this a bit, allows us to inline the operation in general, independent
of the number of values to push.

Array#push with multiple parameters is used quite a lot inside Ember (as
discovered by Apple, i.e. https://bugs.webkit.org/show_bug.cgi?id=175823)
and is also dominating the Six-Speed/SpreadLiterals/ES5 benchmark (see
https://twitter.com/SpiderMonkeyJS/status/906528938452832257 from the
SpiderMonkey folks). The micro-benchmark mentioned in the tracking bug
(v8:6808) improves from

  arrayPush0: 2422 ms.
  arrayPush1: 2567 ms.
  arrayPush2: 4092 ms.
  arrayPush3: 4308 ms.

to

  arrayPush0: 798 ms.
  arrayPush1: 2563 ms.
  arrayPush2: 2623 ms.
  arrayPush3: 2773 ms.

with this change, effectively removing the odd 50-60% performance
cliff that was associated with going from one parameter to two or
more.

Bug: v8:2229, v8:6808
Change-Id: Iffe4c1233903c04c3dc2062aad39d99769c8ab57
Reviewed-on: https://chromium-review.googlesource.com/657582
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47940}
2017-09-11 10:52:29 +00:00
Ivica Bogosavljevic
e8b6173ac6 MIPS64: Fix compilation failure in Debug mode after removal of Register::is method
Fix 408f252bfa

Bug: 
Change-Id: Ibed235d76ceb9a6adc818a5e06b1ba28fe365cba
Reviewed-on: https://chromium-review.googlesource.com/659619
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Cr-Commit-Position: refs/heads/master@{#47939}
2017-09-11 09:55:47 +00:00
Franziska Hinkelmann
50fb877eb8 [coverage] Use shared_ptr instead of raw pointer
If Coverage goes out of scope, ScriptData, FunctionData, or BlockData still rely on 
Coverage's coverage_. Make coverage_ a shared_ptr owned by all four classes. 

Bug: 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ifab5d05184cc5db0fd0a935254b967286295e63f
Reviewed-on: https://chromium-review.googlesource.com/657381
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47938}
2017-09-11 07:34:18 +00:00
Franziska Hinkelmann
0921c6c3b1 [type-profile] Move type profile to its own files
Bug: v8:5933
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: If7d69844a309285ff53edb38688c3c647217fea2
Reviewed-on: https://chromium-review.googlesource.com/657379
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47937}
2017-09-11 06:29:48 +00:00
Benedikt Meurer
f31bae0330 [builtins] Add fast-path for JSTypedArray to CreateListFromArrayLike.
It's quite common today to use Function#apply together with typed
arrays, for example to construct a String from character codes (or code
points) within a Uint8Array or Uint16Array, i.e.

  String.fromCharCode.apply(undefined, uint8array)

is seen quite often on the web. But there are other interesting cases
like

  Math.max.apply(undefined, float64array)

to compute the maximum value in a Float64Array, which is definitely not
the fastest implementation, but quite convenient and readable.
Unfortunately these cases hit the super-slow-path of the Function#apply
machinery in V8 currently, because Function#apply doesn't have any
fast-path for TypedArrays.

This CL adds a proper fast-path to CreateListFromArrayLike to the
ElementsAccessor, which can be used as long as the typed array that's
passed wasn't neutered. With this fast-path in place, the performance on
the micro-benchmark mentioned in the issue improves from

  stringFromCharCode: 6386 ms.
  stringFromCodePoint: 8752 ms.

to

  stringFromCharCode: 1932 ms.
  stringFromCodePoint: 4262 ms.

which corresponds to a 2.0x-3.3x improvement.

Bug: v8:2435
Change-Id: I4d39666e53644b11d5856982b005928e26f296fe
Reviewed-on: https://chromium-review.googlesource.com/657405
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47936}
2017-09-11 06:21:58 +00:00
Jeremy Roman
6716a7f641 Make v8::JSON::Stringify take Local<Value> instead of Local<Object>.
It is legal to stringify other kinds of values, like strings and numbers.
Since Local<Object> is convertible to Local<Value>, this is unlikely to
break callers.

Bug: v8:6810
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ie8e97c86308d62cdf0a2a17490a6e20de58fc76e
Reviewed-on: https://chromium-review.googlesource.com/657633
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jeremy Roman <jbroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47935}
2017-09-11 05:17:28 +00:00
Jaroslav Sevcik
5100a00960 [turbofan] Reland^3 "Polymorphic inlining - try merge map check dispatch with function call dispatch."
This reverts commit ae28e0cff1.

Bug: chromium:758096
Change-Id: I6541bd1ba46cd5dfb942ed3f3d382e047fb1f3e6
Reviewed-on: https://chromium-review.googlesource.com/657401
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47934}
2017-09-11 04:18:38 +00:00
Anisha Rohra
0b491c89df s390/PPC: Make Register et al. real classes
Port 9e995e12ca
Port 408f252bfa

  Up to now, each architecture defined all Register types as structs,
  with lots of redundancy. An often found comment noted that they cannot
  be classes due to initialization order problems. As these problems are
  gone with C++11 constexpr constants, I now tried making Registers
  classes again.
  All register types now inherit from RegisterBase, which provides a
  default set of methods and named constructors (like ::from_code,
  code(), bit(), is_valid(), ...).
  This design allows to guarantee an interesting property: Each register
  is either valid, or it's the no_reg register. There are no other
  invalid registers. This is guaranteed statically by the constexpr
  constructor, and dynamically by ::from_code.

  I decided to disallow the default constructor completely, so instead of
  "Register reg;" you now need "Register reg = no_reg;". This makes
  explicit how the Register is initialized.

  I did this change to the x64, ia32, arm, arm64, mips and mips64 ports.
  Overall, code got much more compact and more safe. In theory, it should
  also increase performance (since the is_valid() check is simpler), but
  this is probably not measurable.

R=bjaideep@ca.ibm.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I2e87efc8790290c64fd6c0a2d093326710b30ed3
Reviewed-on: https://chromium-review.googlesource.com/658065
Reviewed-by: Jaideep Bajwa <bjaideep@ca.ibm.com>
Commit-Queue: Jaideep Bajwa <bjaideep@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#47933}
2017-09-09 13:19:33 +00:00
Sathya Gunasekaran
4de946d96d [ESnext] Stage Promise.prototype.finally
Bug: v8:5967
Change-Id: I10388495158fe72ff06cc0f9f9a7b9522705f6e6
Reviewed-on: https://chromium-review.googlesource.com/658301
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47932}
2017-09-08 21:55:38 +00:00
Alexander Timokhin
1cd0f7e1dd Add V8_ENABLE_CHECKS define to public config
We should add this define to external_config because it is used in
public include v8.h (e.g.: https://cs.chromium.org/chromium/src/v8/include/v8.h?l=272&rcl=5cd6565d5ad06a8cb5a1d9d502d15a54e4fa5bbe)

Change-Id: Idf29830a43f348fbf658fada0036c65ab410b155
Reviewed-on: https://chromium-review.googlesource.com/657397
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47931}
2017-09-08 21:49:48 +00:00
Clemens Hammacher
3ced15cb03 [wasm] [fuzzer] Fix segfault
Even though we were generating additional arguments with default value
in the case that the caller was not providing enough, we then passed
the original pointer, leading to potential out-of-bounds accesses.

R=ahaas@chromium.org

Bug: chromium:763294,chromium:763297
Change-Id: Id18622d0d40e0408e26a5fc6f97494b5f9e18d17
Reviewed-on: https://chromium-review.googlesource.com/657699
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47930}
2017-09-08 19:12:27 +00:00
Ben Smith
181c03e9cc Add TSAN annotations for TypedArray accesses
TSAN finds data races in generated JavaScript code that use
access the SharedArrayBuffer backing store racily. These are races, but
they are OK in the sense that the JavaScript memory model allows for the
potential bad behavior they could introduce (e.g. potentially tearing
reads). Relaxed atomics could be used here instead, but that could
introduce performance regressions.

This change adds TSAN annotations to the TypedArray reads/writes to
prevent TSAN from warning about them.

Bug: chromium:722871
Change-Id: I0776475f02a352b678ade7d32ed6bd4a6be98c36
Reviewed-on: https://chromium-review.googlesource.com/656509
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47929}
2017-09-08 18:35:17 +00:00
Benedikt Meurer
62649c8e7e [cleanup] Drop obsolete %StringCharCodeAt intrinsic.
The previous %StringCharCodeAt runtime entry (and the inlined intrinsic)
are obsolete and not used anymore (except in dedicated tests for this
runtime function), so remove it. And rename the %StringCharCodeAtRT
function, which is actually used to %StringCharCodeAt instead to have
a consistent naming scheme for runtime fallbacks.

Bug: v8:5049
Change-Id: I619429ef54f6efea61fc51ab9ed1d5cfe4417f99
Reviewed-on: https://chromium-review.googlesource.com/657719
Commit-Queue: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47928}
2017-09-08 15:45:44 +00:00
Michael Starzinger
4214aa7d5a [objects] Remove obsolete Code::prologue_offset field.
R=mvstanton@chromium.org
BUG=v8:6409

Change-Id: I9252055a395287381d2646fedc59c8c376333694
Reviewed-on: https://chromium-review.googlesource.com/652469
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47927}
2017-09-08 14:42:24 +00:00
Clemens Hammacher
dca02f0c28 [wasm] [cleanup] undef all defined macros in cc files
This is a cleanup for a presubmit check that might get enabled soon:
https://chromium-review.googlesource.com/c/v8/v8/+/657104

R=ahaas@chromium.org
CC=mstarzinger@chromium.org

Change-Id: Id431f2d4e8fcbb88a777b63e3fb136fa8ceac70a
Reviewed-on: https://chromium-review.googlesource.com/657400
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47926}
2017-09-08 14:13:04 +00:00
Camillo Bruni
f162ea9249 [runtime] Remove nedless branch in ToObject builtin
Change-Id: I61d9e2555fa6063e6e047f7cadb9fbcf4cdba312
Reviewed-on: https://chromium-review.googlesource.com/654869
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47925}
2017-09-08 14:01:05 +00:00
Marja Hölttä
9f21cab8c8 Revert "Reland#2 [parser] Refactor streaming scanner streams."
This reverts commit de9269f3c3.

Something's still wrong in the encoding handling (see bug).

Bug: chromium:763106
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Icd19dd42b84b9d090e191375a2942b9941110bcf
Reviewed-on: https://chromium-review.googlesource.com/657386
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47924}
2017-09-08 13:36:04 +00:00
Anna Henningsen
9b21865822 [api] Add optional data pointer to GC callbacks
This can be useful when there may be multiple callbacks attached by
code that's not directly tied to a single isolate, e.g. working
on a per-context basis.

This also allows rephrasing the global non-isolate APIs in terms
of this new API, rather than working around it inside `src/heap`.

TBR=hpayer@chromium.org

Bug: 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I2e490ec40d1a34ea812f25f41ef9741d2116d965
Reviewed-on: https://chromium-review.googlesource.com/647548
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47923}
2017-09-08 13:07:24 +00:00
Jaroslav Sevcik
6e8c00f7df Introduce an Abort bytecode and turbofan operator.
The advantage of an explicit Abort that the interpreter and the compiler know
that aborting cannot continue or throw or deopt. As a result we generate less
code and we do not confuse the compiler if the environment is not set up for
throwing (as in the generator dispatch that fails validation in
crbug.com/762057).

Bug: chromium:762057
Change-Id: I3e88f78be32f31ac49b1845595255f802c405ed7
Reviewed-on: https://chromium-review.googlesource.com/657025
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47922}
2017-09-08 12:16:23 +00:00
Michael Starzinger
9b42967642 [iwyu] Fix cctest inline header inclusion violation.
R=clemensh@chromium.org

Change-Id: I35a69e690a0647e1e6092bf881007198b252d3e8
Reviewed-on: https://chromium-review.googlesource.com/657577
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47921}
2017-09-08 11:59:53 +00:00
Franziska Hinkelmann
335c8ad009 [type-profile] Incorporate into inspector protocol.
JavaScript is a dynamically typed language. But most code is 
written with fixed types in mind. When debugging JavaScript, 
it is helpful to know the types of variables and parameters 
at runtime. It is often hard to infer types for complex code. 
Type profiling provides this information at runtime.

Node.js uses the inspector protocol. This CL allows Node.js users 
to access and analyse type profile for via Node modules or the
in-procress api. Type Profile helps developers to analyze 
their code for correctness and performance.  

Design doc: https://docs.google.com/a/google.com/document/d/1O1uepXZXBI6IwiawTrYC3ohhiNgzkyTdjn3R8ysbYgk/edit?usp=sharing

Add `takeTypeProfile` to the inspector protocol. It returns a list
of TypeProfileForScripts, which in turn contains the type profile for
each function. We can use TypeProfile data to annotate JavaScript code. 

Sample script with data from TypeProfile:
function f(/*Object, number, undefined*/a, 
           /*Array, number, null*/b, 
           /*boolean, Object, symbol*/c) {
  return 'bye';
/*string*/};
f({}, [], true);
f(3, 2.3, {a: 42});
f(undefined, null, Symbol('hello'));/*string*/

Bug: v8:5933
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I626bfb886b752f90b9c86cc6953601558b18b60d
Reviewed-on: https://chromium-review.googlesource.com/508588
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47920}
2017-09-08 09:46:12 +00:00
Michael Starzinger
532c9052d6 [iwyu] Extend inline include checking to tests.
R=clemensh@chromium.org

Change-Id: I4e2108beee792e54d4ff54c36fd326a058272b73
Reviewed-on: https://chromium-review.googlesource.com/657179
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47919}
2017-09-08 09:31:32 +00:00
Yuki Shiino
3fcf917119 Fix the load of Map::kBitFieldOffset in lazy accessors.
Map::kBitFieldOffset should be loaded as a byte data.  This patch
fixes the loading instruction of Map::kBitFieldOffset in lazy
accessors.

Bug: v8:6795, v8:6156
Change-Id: I8fbc88ed44fb43a24335fc81f75b7199ca80212c
Reviewed-on: https://chromium-review.googlesource.com/656862
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47918}
2017-09-08 08:46:53 +00:00
Michael Starzinger
c3d93c8dff [builtins] Remove obsolete healing from {FastNewClosure}.
This removes logic related to healing of the optimized code slot within
the feedback vector from the {FastNewClosure} builtin. The underlying
code will by now self-heal making it obsolete during closure creation.
It will also simplify future inline allocation of closures.

R=jarin@chromium.org
BUG=v8:6563

Change-Id: If57fe00e3a98c2af423a833c98a465a669b8f3bc
Reviewed-on: https://chromium-review.googlesource.com/649551
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47917}
2017-09-08 08:31:58 +00:00
Georg Neis
37e9541761 [cleanup] Fix/remove some incorrect/obsolete/trivial comments.
R=petermarshall@chromium.org

Bug: 
Change-Id: I4c14032aa1bd4fad39cf3db36556d53a529a52b3
Reviewed-on: https://chromium-review.googlesource.com/654865
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47916}
2017-09-08 08:27:12 +00:00
Daniel Bevenius
c24c99e04d Fix typo on DescriptorArray class comment
Bug: 
Change-Id: I236e6efe4142741ae8dc7e4ca4acdf8a65890c16
Reviewed-on: https://chromium-review.googlesource.com/647534
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47915}
2017-09-08 08:23:52 +00:00
Michael Starzinger
bd3005cc21 [stubs] Remove {CodeStub::GetCopy} support.
This removes the ability to create a copy of a code-stub with a given
replacement pattern applied. It is in preparation of having the ability
to write-protect code objects.

R=ishell@chromium.org
BUG=v8:6409

Change-Id: Id7528b3bfc53ece73d8c58b0ac96c6e5702a9d45
Reviewed-on: https://chromium-review.googlesource.com/654605
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47914}
2017-09-08 08:05:32 +00:00
Benedikt Meurer
1f3f8f3e69 [turbofan] Optimize Object constructor subclassing.
Add support to the JSCallReducer to recognize JSConstruct nodes where
the target is the Object constructor, and reduce them to JSCreate
nodes if either

 (a) no value is passed to the Object constructor, or
 (b) the target and new.target are definitely not identical, by checking
     whether both target and new.target are different HeapConstants
     (if they are not, then the JSCreateLowering will not be able to
     do a lot with the JSCreate anyways).

This should cover the relevant cases for subclassing appropriately. It
fixes the 3-4x slowdown on the micro-benchmark mentioned in the linked
bug,

  baseNoExtends: 752 ms.
  baseExtendsObject: 752 ms.
  baseExtendsViaFactory: 751 ms.

and thus removes the performance cliff.

R=jarin@chromium.org

Bug: v8:6801
Change-Id: Id265fd1399302a67b5790a6d0156679920c58bdd
Reviewed-on: https://chromium-review.googlesource.com/657019
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47913}
2017-09-08 07:57:52 +00:00
Michael Hablich
836d530202 Revert "Add V8_ENABLE_CHECKS define to public config"
This reverts commit 9c0471b37b.

Reason for revert: blocks roll https://chromium-review.googlesource.com/c/chromium/src/+/656897

Original change's description:
> Add V8_ENABLE_CHECKS define to public config
> 
> We should add this define to external_config because it is used in
> public include v8.h (e.g.: https://cs.chromium.org/chromium/src/v8/include/v8.h?l=272&rcl=5cd6565d5ad06a8cb5a1d9d502d15a54e4fa5bbe)
> 
> Change-Id: I795a3de448029e34033cf8f83094bdea3590bbb9
> Reviewed-on: https://chromium-review.googlesource.com/654876
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47901}

TBR=gsathya@chromium.org,atimoxin@yandex-team.ru

Change-Id: I8265f78a9ab260b719226843afd649245e72434f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/657157
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47912}
2017-09-08 07:37:36 +00:00
Yang Guo
cd61390ea5 [snapshot] include fewer strings.
R=mstarzinger@chromium.org

Change-Id: I6cb9d9b7b82ce05299bb6088b187e91c4fa2ca0f
Reviewed-on: https://chromium-review.googlesource.com/649750
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47911}
2017-09-08 06:10:12 +00:00
Aseem Garg
5f3a2def82 [wasm] redirect wasm calls to js functions through a GCed table
This is revert of commit aee1e1fb8d with the fix for A1 and N6 jetstream failure.

R=bradnelson@chromium.org,mtrofin@chromium.org,clemensh@chromium.org
Bug: chromium:750828

Change-Id: Id38896af51315f76a0667ace32c77a2ba7287eec
Reviewed-on: https://chromium-review.googlesource.com/607092
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47910}
2017-09-08 04:36:12 +00:00
Mircea Trofin
de296d1466 [wasm] Weaken global handles used for indirect tables
The previous design assumed we can't possibly have a cycle involving
an instance, however, we can. For example: a script can reference
an instance, which ends up referencing the native context because
of how we generate wasm-to-js wrappers; that references the global
object, which then references the script. A global handle to the
indirect function table can then root such a cycle. That means
the instance is never collected, which never deletes the global
handle.

This change addresses that by making the handles weak.

Bug: 
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ief7263af83974bf96505a4fba65d162474fe7c7c
Reviewed-on: https://chromium-review.googlesource.com/653852
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Aseem Garg <aseemgarg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47909}
2017-09-08 00:21:52 +00:00