My hypothesis is that the OOM crash is caused by a loop of forgetting and reallocating a VirtualObject inside of a VirtualState.
R=mstarzinger@chromium.org
BUG=chromium:691487
Review-Url: https://codereview.chromium.org/2694723002
Cr-Commit-Position: refs/heads/master@{#43184}
CQ will only allow CL authors (owners in Gerrit) and V8 committers to trigger
CQ in Gerrit codereview. Thus, CQ voting restriction to just committers
can be lifted, letting every authenticated user attempt to trigger CQ.
R=machenbach@chromium.org,agable@chromium.org
BUG=641422,685318
NOTRY=True
Change-Id: Ied310a65277d6fefa44a9945cc780cb8fe827e03
Reviewed-on: https://chromium-review.googlesource.com/442124
Commit-Queue: Andrii Shyshkalov <tandrii@chromium.org>
Reviewed-by: Aaron Gable <agable@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43183}
If the Reflect.construct receives an argument expected to be a constructor,
and the argument is not a constructor, V8 currently declares that
Reflect.construct is not a function. It should instead say that the offending
argument is not a constructor.
This is the case for all ports of builtins
(Builtins::Generate_ReflectConstruct). All of them make an
attempt to at least pass the right argument to the TypeError parametrised
message, calling out the offending Reflect.construct argument. However,
Runtime::kThrowCalledNonCallable extracts the callsite from those arguments,
discarding the precise information.
This CL adds Runtime::kNotConstructor, which reports the arguments passed
to it, and the CL also modifies the ports of builtins to make use of
Runtime::kNotConstructor
BUG=v8:5671
Review-Url: https://codereview.chromium.org/2688393003
Cr-Commit-Position: refs/heads/master@{#43182}
I identified lots of asm.js tests that are actually not valid according
to the spec, hence they execute in default-javascript-mode.
This CL fixes most of them by adding additional type annotations.
The atomic tests are totally non-spec-compliant by expecting a fourth
argument, and infinite-loops-taken expects a function-type parameter,
so I did not fix those.
I also did not fix the regression tests.
R=titzer@chromium.org, bradnelson@chromium.org
BUG=v8:4203
Review-Url: https://codereview.chromium.org/2663243002
Cr-Commit-Position: refs/heads/master@{#43179}
Within the initialization of a WasmInstanceWrapper a WeakCell is
allocated for the wrapped instance. This allocation of the WeakCell can
cause a garbage collection. The bug happened because a pointer to the
WasmInstanceWrapper was stored in the unhandlified this pointer, which
was invalidated by the garbage collection.
R=clemensh@chromium.orgCC=gdeepti@chromium.org
BUG=chromium:691538
Change-Id: I7001ab7ad3ee30f4c87a13c42e2fd16c0c86027a
Reviewed-on: https://chromium-review.googlesource.com/441766
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43177}
Port 6ee0b6cec6
Original Commit Message:
This adds support for deoptimizing into the JSConstructStub after the
receiver instantiation but before the actual constructor invocation.
Such a deoptimization point is needed for cases where instantiation
might be observed (e.g. when new.target is a proxy) and hence might
trigger a deopt.
We use this new deoptimization point for the "after" frame-state the
inliner attaches to {JSCreate} nodes being inserted when constructor
calls are being inlined.
R=mstarzinger@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:5638
LOG=N
Review-Url: https://codereview.chromium.org/2690213002
Cr-Commit-Position: refs/heads/master@{#43171}
- Renames select, swizzle, and shuffle to be consistent with the S128 and
existing S32x4 ops, and reflect that these aren't arithmetic.
e.g. I16x8Swizzle -> S16x8Swizzle.
- Implements S16x8 and S8x16 Select operations and tests.
- Implements S128And, Or, Xor, Not operations and tests.
- Implements Swizzle for 32x4 formats.
- Refactors test macros that generate SIMD code.
TEST=cctest/test-run-wasm-simd/*
LOG=N
BUG=v8:4124
Review-Url: https://codereview.chromium.org/2683713003
Cr-Commit-Position: refs/heads/master@{#43168}
Port 6c12d57ead
Original Commit Message:
This fixes the case where the index passed to {HMaybeGrowElements} used
to derive the new capacity for the elements backing store does not fit
into Smi range. Such an overflow would fail the capacity check and cause
growing to be skipped. Subsequent keyed stores would potentially go out
of bounds.
R=mstarzinger@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=chromium:686427
LOG=N
Review-Url: https://codereview.chromium.org/2697473004
Cr-Commit-Position: refs/heads/master@{#43167}
Unlike the old manually written LoadNonexistent stub, the data handler properly supports keyed loads out of the box. Simply remove the condition that disables it.
BUG=
Review-Url: https://codereview.chromium.org/2693913002
Cr-Commit-Position: refs/heads/master@{#43165}
The environment variables for swarming shards are leaking into the gtest runs, which read them as well and in turn skip some tests. Now we make sure those environment variables aren't passed to the subprocesses.
BUG=v8:5956
Change-Id: I9c93b1facc703a10a88e633074977743ccd24eb0
Reviewed-on: https://chromium-review.googlesource.com/441745
Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43161}
Test both cases where the interesting constructs occur at the
laziness boundary and cases where they occur deeper.
BUG=v8:5501
R=vogelheim@chromium.org
Change-Id: I99e32cb0c829616011bf7d1f389a8d309b54d67e
Reviewed-on: https://chromium-review.googlesource.com/441844
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43157}
The StringEqual builtin can now deal with ExternalOneByteStrings
without going to the runtime. It still needs to go to the runtime
if the external string is short, i.e. if the resource data pointer
is not cached.
R=yangguo@chromium.org
BUG=v8:4913
Review-Url: https://codereview.chromium.org/2690853004
Cr-Commit-Position: refs/heads/master@{#43152}
The constructor for TypedArray in js/typedarray.js emitted
kInvalidTypedArrayAlignment if the array offset exceeded the size of the
underlying buffer. This seems like a typo introduced in
https://codereview.chromium.org/2090353003.
The error message to be emitted instead coincides with the already existing
kInvalidDataViewOffset. The message string is independent of whether the
object in question is a DataView or a typed array, so this CL:
(1) renames kInvalidDataViewOffset to just kInvalidOffset, and
(2) uses kInvalidOffset instead of kInvalidTypedArrayAlignment for cases
when the TypedArray is constructed with an offset exceeding the buffer
size.
BUG=v8:5733
TEST=Run d8, execute "new Uint8Array(new ArrayBuffer(1),2)", see the error message mention the invalid offset 2.
Review-Url: https://codereview.chromium.org/2692753002
Cr-Commit-Position: refs/heads/master@{#43151}
This CL fixes some nits in TypeError messages, unifying the form of
kDefineDisallowed and kObjectNotExtensible to match what is used by the
majority of the other messages:
* "Cannot" vs. "Can't" -> choose "Cannot"
* "property:%" -> "property %"
* omit the full-stop at the end of the message
BUG=v8:5673
Review-Url: https://codereview.chromium.org/2686233008
Cr-Commit-Position: refs/heads/master@{#43150}
This adds support for deoptimizing into the JSConstructStub after the
receiver instantiation but before the actual constructor invocation.
Such a deoptimization point is needed for cases where instantiation
might be observed (e.g. when new.target is a proxy) and hence might
trigger a deopt.
We use this new deoptimization point for the "after" frame-state the
inliner attaches to {JSCreate} nodes being inserted when constructor
calls are being inlined.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-5638b
BUG=v8:5638
Change-Id: I7c72c807ee8fb76d12e0e9ccab86d970ab1a0efd
Reviewed-on: https://chromium-review.googlesource.com/440125
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43149}
Previously, accumulators and registers each had a single element cache,
distinct from the local register cache. This meant that
a) Dead accumulator state nodes were not re-used if the accumulator
became live.
b) Functions with only one parameter (the this object) or only one
local register could not reuse the single-valued state value node
of the accumulator.
This patch introduces heavier re-use of state-value nodes, decreasing
memory use when building the graph and decreasing the number of nodes
created overall.
Change-Id: Ie3cc6913483aab0819d99be382eb2cb42de8c3d2
Reviewed-on: https://chromium-review.googlesource.com/440926
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43148}
If exactly one byte in the upper half of the pushed 8-byte value is
set, use a smaller code sequence to push this value on the stack.
Before, we did
movq r10,<constant>
push r10
Now, we do
push 0x0
movb [rsp+<offset>],<byte>
The old sequence had 12 bytes, the new one has 7.
Pushing such values is used a lot for stack frame markers, which are
small numbers (1-17) encoded as SMIs.
Review-Url: https://codereview.chromium.org/2685213004
Cr-Commit-Position: refs/heads/master@{#43146}
Windows won't create empty .lib files, and will subsequently fail to
find the library other rules expect
R=machenbach@chromium.org
BUG=
Change-Id: I8b848834a6957c2164f0eafc853587d39ccb6ca9
Reviewed-on: https://chromium-review.googlesource.com/440244
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43141}
We cannot skip the @@hasInstance lookup in instanceof depending on a
global protector cell, as the lookup of the property is observable
via proxies or accessors. So remove the global protector and properly
implement CSA::InstanceOf via GetPropertyStub, with an appropriate
fast-path for Function.prototype[@@hasInstance] where we call the
builtin code object directly if the function matches, skipping all
the checks from the call sequence, and also avoid the redundant
ToBoolean conversion on the result.
R=yangguo@chromium.orgTBR=ulan@chromium.org
BUG=v8:5958
Review-Url: https://codereview.chromium.org/2684033012
Cr-Commit-Position: refs/heads/master@{#43137}
