This is a part of synchronization protocol with the concurrent marking.
BUG=chromium:694255
Review-Url: https://codereview.chromium.org/2872323002
Cr-Commit-Position: refs/heads/master@{#45262}
std::vector can never store const types, as the stored type has to be
either copy-constructable or move-constructable.
std::vector<const X> does not compile and makes no sense if you think
about it.
Thus remove the TODO to use such a vector.
R=ahaas@chromium.org
Change-Id: Ieb00a31872f04c720d2ef90b70452c18e79f0a5d
Reviewed-on: https://chromium-review.googlesource.com/503148
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45260}
This makes sure that function variables as well as function table
variables are properly typed as immutable, hence assignments to them
should cause validation failures.
R=clemensh@chromium.org
TEST=mjsunit/asm/immutable
BUG=chromium:721271
Change-Id: Ia3f65fd0782ca571ffcf99520fdbd8fc5a359d16
Reviewed-on: https://chromium-review.googlesource.com/503209
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45256}
This removes logic tracking whether a number literal in the source
contained a "dot" character or not. The tracking was only needed for
validation of asm.js modules on the AST, it is obsolete now.
R=marja@chromium.org
Change-Id: Ib474e2281db80fe56d43e1af52221a7c66261e01
Reviewed-on: https://chromium-review.googlesource.com/503228
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45255}
The mutator can convert a pointer slot of a JSObject to an unboxed
double slot. To make it we safe for the concurrent marker, we require
synchronization using the object markbits.
The concurrent marker visits the JSObject as follows:
- save snapshot of object slot addresses and values.
- visit the snapshot only after successful transition of the object
from grey to black.
Before an unsafe layout change the mutator colors the object black
and visits it using the bailout marking deque.
BUG=chromium:694255
Review-Url: https://codereview.chromium.org/2876553002
Cr-Commit-Position: refs/heads/master@{#45254}
This CL implements a streaming decoder which takes the bytes
of a wasm module as an input, potentially split into multiple
chunks, and decodes them into segments. Each segment either
contains the payload of a whole section, or the code of a
single function. The goal is that the streaming decoder is
used for streaming compilation. That's where the interface
comes from, see
(https://cs.chromium.org/chromium/src/v8/include/v8.h?q=OnBytesReceived&sq=package:chromium&l=4060)
Error positions are not reported correctly at the moment. I
plan to do this in a separate CL.
Change-Id: I6e3df6a91945c7baec2dc4f5de2e5f47636083df
Reviewed-on: https://chromium-review.googlesource.com/471350
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45250}
The reason we need this mode is that IterateRoots for the Scavenger only
captures dependent weak nodes. This is also what we do for marking for the
minor MC.
Since the regular marking might also mark objects that are weakly
(non-dependently) pointed to by nodes we need to capture all of them during
pointers updating. The reason this works for the Scavenger is because we do one
pass at the end of the scavenger (combined with resetting) that captures all
those nodes.
BUG=chromium:651354
Review-Url: https://codereview.chromium.org/2869413002
Cr-Commit-Position: refs/heads/master@{#45248}
Clearing the pending exception is not enough - if we want to swallow an
exception while currently on top of an external handler (e.g. TryCatch),
we also need to clear external_caught_exception.
BUG=chromium:719380
Review-Url: https://codereview.chromium.org/2870423002
Cr-Commit-Position: refs/heads/master@{#45247}
This reverts commit e2890c19a7.
Reason for revert: Looks like this CL causes slowdown on multiple builders, Check tests timeout and raise exceptions on the bot. Possible it is a bot issue as well, see tracking bug - https://bugs.chromium.org/p/chromium/issues/detail?id=720606
Original change's description:
> [global-handles] Remove dead code
>
> Bug: chromium:720477
> Change-Id: I090168c575c41b7038af5dfba6cd8973d1154c51
> Reviewed-on: https://chromium-review.googlesource.com/501790
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#45241}
TBR=hpayer@chromium.org,mlippautz@chromium.org,jochen@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Bug: chromium:720477
Change-Id: I92f40d8c4dbfdb5208b3068648612e8c5b97fb20
Reviewed-on: https://chromium-review.googlesource.com/502029
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45243}
Reason for revert:
CHECK is too strict.
Original issue's description:
> [inspector] use creation stack trace as parent for async call chains
>
> Creation stack trace points to the place where callback was actually chained, scheduled points where parent promise was resolved.
> For async tasks without creation stack (e.g. setTimeout) we continue to use scheduled as creation since usually they are the same.
>
> BUG=v8:6189
> R=dgozman@chromium.org
>
> Review-Url: https://codereview.chromium.org/2868493002
> Cr-Commit-Position: refs/heads/master@{#45198}
> Committed: e118462f18TBR=dgozman@chromium.org,alexclarke@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:6189
Review-Url: https://codereview.chromium.org/2868423004
Cr-Commit-Position: refs/heads/master@{#45242}
- Currently if GrowMemory is called with pages = 0, an attempt is made to
unregister the ArrayBuffer even if it is external. Cleanup so all Detaching
of ArrayBuffer is centralized to one method, and can only be called fromJS.
- Gate creating WeakHandles to the memory on the buffer having guard pages
enabled. Currently creating a WeakHandle is gated only on if the buffer
is_external true. If a buffer is marked is_external = true to begin with,
the WeakHandle is created and the Finalizer is run causing the program to
crash.
BUG=chromium:717647
Review-Url: https://codereview.chromium.org/2867233002
Cr-Commit-Position: refs/heads/master@{#45238}
This makes sure that the checking of stdlib values during module
instantiation is non-observable. It is needed to prevent observable
double evaluation of the involved property loads in case of failures
during instantiation and also fixes some issues with exceptions
happening during property loads.
R=clemensh@chromium.org
TEST=mjsunit/asm/asm-stdlib
BUG=v8:6297
Change-Id: I1d0c371e51bee8186d14fa794fb3f9b7f67e5944
Reviewed-on: https://chromium-review.googlesource.com/501887
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45237}
Since the feedback vector is itself a native context structure, why
not store optimized code for a function in there rather than in
a map from native context to code? This allows us to get rid of
the optimized code map in the SharedFunctionInfo, saving a pointer,
and making lookup of any optimized code quicker.
Original patch by Michael Stanton <mvstanton@chromium.org>
BUG=v8:6246,chromium:718891
TBR=yangguo@chromium.org,ulan@chromium.org
Change-Id: I3bb9ec0cfff32e667cca0e1403f964f33a6958a6
Reviewed-on: https://chromium-review.googlesource.com/500134
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45234}
When black allocation is turned on at deserialization time, then
slots in deserialized objects have to be visited by the incremental
marker. For spaces with reservations, this has always been done; for
large object space with its special handling, this patch adds it.
Additionally, we must ensure that no incremental steps that might
cause incremental marking to finish are performed while there is an
AlwaysAllocateScope around.
BUG=chromium:718859
Review-Url: https://codereview.chromium.org/2868103002
Cr-Commit-Position: refs/heads/master@{#45231}
Reason for revert:
buildbot failures
Original issue's description:
> [heap] Verify remembered set for objects in the old generation.
>
> Review-Url: https://codereview.chromium.org/2868053002
> Cr-Commit-Position: refs/heads/master@{#45225}
> Committed: 755a809ee5TBR=mlippautz@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2870413002
Cr-Commit-Position: refs/heads/master@{#45227}
Added support for DINSM and DINSU bit insertion instructions. Also fixed
errors with bit extraction instructions, added disassembler tests and
adjusted the code to make it more compact.
BUG=
TEST=cctest/test-assembler-mips/Dins
cctest/test-disasm-mips/Type0
Review-Url: https://codereview.chromium.org/2871663002
Cr-Commit-Position: refs/heads/master@{#45226}
One of the serializer fuzzers passes in random data to the deserializer,
which can then be used to deserialize a JSRegExp instance with random flag
contents. This can cause issues since the JSRegExp::Flag enum statically
contains kDotAll - but it is only valid to set kDotAll iff
FLAG_harmony_regexp_dotall is set.
This CL verifies deserialized flags before constructing the JSRegExp
and bails out if they are invalid.
R=jbroman@chromium.org,yangguo@chromium.org
BUG=chromium:719280
Review-Url: https://codereview.chromium.org/2870743004
Cr-Commit-Position: refs/heads/master@{#45222}
This fixes cases where falling off the end of a non-void function was
accepted as a valid asm.js module. This led to translation failures in
the WASM code. Only void functions are allowed to fall off the end.
R=clemensh@chromium.org
TEST=mjsunit/asm/return-types
BUG=chromium:719286
Change-Id: I7b1c9ba5381b87a23cf0a2171bee5e5f5e8cd9de
Reviewed-on: https://chromium-review.googlesource.com/500312
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45221}
By C++ standard, behaviour is undedined when converting -Infinity to
integer. This patch assures correct behaviour in this case on all
platforms.
BUG=
Review-Url: https://codereview.chromium.org/2865113005
Cr-Commit-Position: refs/heads/master@{#45220}
Mechanical change to remove argument adaption from RegExp.p.split,
RegExp.p.replace when the actual arguments counts does not match
the formal parameter count (should be a tad faster this way).
BUG=v8:6369
Review-Url: https://codereview.chromium.org/2865313002
Cr-Commit-Position: refs/heads/master@{#45219}
Mechanical change to remove argument adaption from Array.p.indexOf and
Array.p.includes when the actual arguments counts does not match the formal
parameter count.
BUG=v8:6369
Review-Url: https://codereview.chromium.org/2873653002
Cr-Commit-Position: refs/heads/master@{#45218}
Isolate::ThrowException calls Debug::OnException, this method can potentially enter debugger context and on exception inspector can lazily compile injected-script-source so NO_SCRIPT_NO_EXCEPTIONS restriction looks too strict to me
R=jochen@chromium.org
BUG=v8:5830
Change-Id: Ic37aaa7bc6f2bd5922654f1a3c235d5eaacb8f85
Reviewed-on: https://chromium-review.googlesource.com/501351
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45217}
For small arrays, it's way faster to just move the elements instead of
doing the fairly complex and heavy-weight left-trimming. Crankshaft has
had this optimization for small arrays already; this CL more or less
ports this functionality to TurboFan, which yields a 4x speed-up when
using shift on small arrays (with up to 16 elements).
This should recover some of the regressions reported in the Node.js issues
https://github.com/nodejs/node/issues/12657
and discovered for the syncthrough module using
https://github.com/mcollina/syncthrough/blob/master/benchmarks/basic.js
as benchmark.
R=jarin@chromium.org
BUG=v8:6376
Review-Url: https://codereview.chromium.org/2874453002
Cr-Commit-Position: refs/heads/master@{#45216}
During i18n code reorg, a couple of changes for ICU 59 prep were
lost. Add them back.
See https://codereview.chromium.org/2738503008/ for the original CL.
BUG=v8:6062
TEST=v8 can be compiled with ICU 59 (hash: c28886684 ).
Change-Id: Ie19a40a9e54d0a8966dbe8e072f9afabf9e85e4f
Reviewed-on: https://chromium-review.googlesource.com/499609
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45213}
