The opcodes for 'cmpw r/m16, r16' and 'cmpw r16, r/m16' were swapped, causing a few issues when less than/greater than comparisons were performed.
Adds a regression test.
BUG=621926
Review-Url: https://codereview.chromium.org/2103713003
Cr-Commit-Position: refs/heads/master@{#37339}
Following the existing model where most committers are top-level OWNERS, this enables easier boilerplate changes to the V8 build environment and tests in the PST time-zone.
R=danno@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2101423002
Cr-Commit-Position: refs/heads/master@{#37337}
The serializer does not support serialization of HashTables in general because
after deserialization it might be necessary to rehash the table.
However the UnseededNumberDictionary does not require rehashing and this CL allows
them to be serialized.
This CL also changes the shape of UnseededNumberDictionary: the details field is
no longer part of the entry since no one needs it.
BUG=chromium:576312, chromium:623516
Review-Url: https://codereview.chromium.org/2102073002
Cr-Commit-Position: refs/heads/master@{#37336}
When re-scoping arrow function parameter initializers, temporaries
should be moved from the closure of the old scope to the closure of
the new scope, if necessary.
R=adamk@chromium.org, rossberg@chromium.org
BUG=chromium:622663
LOG=N
Review-Url: https://codereview.chromium.org/2083083007
Cr-Commit-Position: refs/heads/master@{#37335}
This part of the snapshot API should not be in use yet, so we can still
change this. The motivation for this change is:
- Use MaybeHandle where reasonable.
- Remove ambiguity: when we use index to create context from snapshot,
  we should not have a silent fallback if snapshot is not available.
- Symmetry: rename to Context::FromSnapshot to mirror templates.
R=jochen@chromium.org
BUG=chromium:617892
Review-Url: https://codereview.chromium.org/2100073002
Cr-Commit-Position: refs/heads/master@{#37334}
This cl fixes the long-standing bug for for-in with shadowing properties.
BUG=v8:705
Review-Url: https://codereview.chromium.org/2081733002
Cr-Commit-Position: refs/heads/master@{#37333}
This avoids forgetting to add files for either gyp or gn.
While for most executables, this is detected by compilation
errors, for test executables, it can lead to tests silently
not running.
BUG=chromium:474921
Review-Url: https://codereview.chromium.org/2098313002
Cr-Commit-Position: refs/heads/master@{#37331}
It also dereferences the inputs of StoreField, if those were
CheckTaggedPointers. Tested manually.
BUG=
Review-Url: https://codereview.chromium.org/2104893002
Cr-Commit-Position: refs/heads/master@{#37330}
We use CheckNumber to guard values as being proper numbers, i.e. if the
input value is anything but a Number, we deoptimize. This follows the
existing effect/control linearization magic that we already use for the
other checks.
R=jarin@chromium.org
BUG=v8:5141
Review-Url: https://codereview.chromium.org/2109623002
Cr-Commit-Position: refs/heads/master@{#37329}
The reason for reverting is: This breaks gc-stress bot:
https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot
Abortion of compaction could cause duplicate entries in the typed-old-to-new remembered set. These duplicates could cause a DCHECK to trigger which checks that slots recorded in the remembered set never point to to-space. This reland-CL allows duplicates in the remembered set by removing the DCHECK, and additionally clears entries in the remembered set if objects are moved.
Original issue's description:
Cells were needed originally because there was no typed remembered set to
record direct pointers from code space to new space. A previous
CL (https://codereview.chromium.org/2003553002/) already introduced
the remembered set, this CL uses it.
This CL
* stores direct pointers in code objects, even if the target is in new space,
* records the slot of the pointer in typed-old-to-new remembered set,
* adds a list which stores weak code-to-new-space references,
* adds a test to test-heap.cc for weak code-to-new-space references,
* removes prints in tail-call-megatest.js
Review-Url: https://codereview.chromium.org/2097023002
Cr-Commit-Position: refs/heads/master@{#37325}
Introduce a new machine operator Float64Pow that for now is backed by
the existing MathPowStub to start the unification of Math.pow, and at
the same time address the main performance issue that TurboFan still has
with the imaging-darkroom benchmark in Kraken.
Also migrate the Math.pow builtin itself to a TurboFan builtin and
remove a few hundred lines of hand-written platform code for special
handling of the fullcodegen Math.pow version.
BUG=v8:3599,v8:5086,v8:5157
Review-Url: https://codereview.chromium.org/2103733003
Cr-Commit-Position: refs/heads/master@{#37323}
The ARM64 instruction selector can generate code like this
  negs w0, w1
  b.vs deopt
but then reference the old value of w0 in the frame state, which will
obviously lead to wrong results.
R=jarin@chromium.org
BUG=v8:5158
Review-Url: https://codereview.chromium.org/2103793002
Cr-Commit-Position: refs/heads/master@{#37322}
port 1b4e0130faee8115fae274f1d2c46cfa8ae5f415(r37181)
original commit message:
Previously only stubs built in the snapshot were checked for having an
eager frame. This caused a regression to creep in on ia32 for
RegExpConstructResultStub. Change test to always check.
BUG=
Review-Url: https://codereview.chromium.org/2098303003
Cr-Commit-Position: refs/heads/master@{#37320}
port b5c69cbf39 (r37132)
original commit message:
With the tail call, pointers to the JS heap could be pushed on a
js-to-wasm frame. On the js-to-wasm frame, however, this pointer would
not be updated by the GC.
BUG=
Review-Url: https://codereview.chromium.org/2108543002
Cr-Commit-Position: refs/heads/master@{#37319}
With the current approach we only need to track using an unordered set as we can
still access the backing store pointer and length by the time we free the
backing store.
BUG=chromium:619491, chromium:611688
LOG=N
R=ulan@chromium.org
Review-Url: https://codereview.chromium.org/2107443002
Cr-Commit-Position: refs/heads/master@{#37318}
port cbc6adc86c (r37111)
original commit message:
Runtime_DeclareLookupSlot is used when generating code for var and function declarations
originating in an eval. Over time, it's accumulated quite a bit of cruft, which this CL removes:
- With legacy const gone, lookup slots never have any property attributes.
- There was a bit signaling that the variable was from an eval, but that was redundant since
  DeclareLookupSlot is only used for eval.
- Some Proxy-related code didn't make sense here.
Its name was also not terribly clear: while "LookupSlot" is used in several places, this
particular function is only used for declaring variables and functions inside sloppy eval.
Renamed (and split into two) to make this clear for future archeologists.
Also added various DCHECKs to check the assumptions being made.
BUG=
Review-Url: https://codereview.chromium.org/2107663002
Cr-Commit-Position: refs/heads/master@{#37317}
The main fix is to mark stack memory the SafeStackFrameIterator
accesses as initialized.
Drive-by: Make sure we bail out when the simulator is in the
process of updating FP/SP registers.
BUG=v8:5156
Review-Url: https://codereview.chromium.org/2104763002
Cr-Commit-Position: refs/heads/master@{#37315}
When calling the throw method on a generator suspended inside a yield*, yield*
in turn tries to call throw on its iterable. If the iterable does not provide a
throw method, yield* must try to call the return method instead and then throw a
TypeError. Due to a bug in our desugaring, we never threw the TypeError.
R=adamk@chromium.org
BUG=v8:5132
Review-Url: https://codereview.chromium.org/2094253002
Cr-Commit-Position: refs/heads/master@{#37314}
port c87168bc8c (r37087)
original commit message:
Import base::ieee754::tan() from fdlibm and introduce Float64Tan TurboFan
operator based on that, similar to what we do for Float64Cos and Float64Sin.
Rewrite Math.tan() as TurboFan builtin and use those operators to also
inline Math.tan() into optimized TurboFan functions.
Drive-by-fix: Kill the %_ConstructDouble intrinsics, and provide only
the %ConstructDouble runtime entry for writing tests.
BUG=
Review-Url: https://codereview.chromium.org/2101233002
Cr-Commit-Position: refs/heads/master@{#37313}
Removing a bad test case because:
- The test case makes wrong assumptions about compilation. We now
  may run bytecode with the interpreter.
- The test exposes internal implementation details such as pc offset
  of JIT code.
- The test uses a runtime function specially written to cater to, and
  used only by this test. Being unmaintained, this runtime function
  is already returning bogus results, making this test useless.
R=jgruber@chromium.org
Review-Url: https://codereview.chromium.org/2101223002
Cr-Commit-Position: refs/heads/master@{#37312}
When calling the return method on a generator suspended inside a yield*, yield*
in turn calls return on its iterable. If this results in a "done" iterator,
yield* must return immediately, thus terminating the generator. For some
reason, we didn't terminate the generator but continued right after the yield*.
R=adamk@chromium.org
BUG=v8:5131
Review-Url: https://codereview.chromium.org/2100093002
Cr-Commit-Position: refs/heads/master@{#37310}
port c1d01aea11 (r37086)
original commit message:
Compilation of wasm functions happens before instantiation. Imports are linked afterwards, at instantiation time. Globals and memory are also
allocated and then tied in via relocation at instantiation time.
This paves the way for implementing Wasm.compile, a prerequisite to
offering the compiled code serialization feature.
Currently, the WasmModule::Compile method just returns a fixed array
containing the code objects. More appropriate modeling of the compiled module to come.
Opportunistically centralized the logic on how to update memory
references, size, and globals, since that logic is the exact same on each
architecture, except for the actual storing of values back in the
instruction stream.
BUG=
Review-Url: https://codereview.chromium.org/2100393003
Cr-Commit-Position: refs/heads/master@{#37307}
Add NumberAbs operator to implement an inline version of Math.abs, that
can be optimized and eliminated. We don't use any speculation here, but
for now stick to the information we can infer (this way we avoid the
inherent deopt loops that Crankshaft has around Math.abs).
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
R=jarin@chromium.org
BUG=v8:5086
Review-Url: https://codereview.chromium.org/2096403002
Cr-Commit-Position: refs/heads/master@{#37306}
Rolling v8/build to 87e063014aa0f343b15f5de495a28e5f8572bf8d
Rolling v8/tools/clang to 2ad431ac7823581e1f39c5b770704e1e1ca6cb32
TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org
Review-Url: https://codereview.chromium.org/2101893002
Cr-Commit-Position: refs/heads/master@{#37305}
port c781e83194 (r37072)
original commit message:
Import base::ieee754::cos() and base::ieee754::sin() from fdlibm and
introduce Float64Cos and Float64Sin TurboFan operator based on that,
similar to what we do for Float64Log. Rewrite Math.cos() and Math.sin()
as TurboFan builtins and use those operators to also inline Math.cos()
and Math.sin() into optimized TurboFan functions.
BUG=
Review-Url: https://codereview.chromium.org/2105613002
Cr-Commit-Position: refs/heads/master@{#37304}
Reason for revert:
Ready to test fix and reland.
Original issue's description:
> Revert of Include file names in trace_turbo output (patchset #3 id:40001 of https://codereview.chromium.org/2083863004/ )
>
> Reason for revert:
> Many build bots are failing with a message of the form:
>
> Missing or invalid v8 JSON file: /tmp/tmp2qcEUy_swarming/0/output.json
>
> Can be relanded once we understand why these failures are occurring.
>
> Original issue's description:
> > Include file names in trace_turbo output
> >
> > The trace turbo output will overwrite itself when functions in different
> > files share the same name. Output files now have the form
> > `turbo-<function_name>:<opt_file_name>-<opt_phase>.suffix`.
> >
> > R=ofrobots@google.com
> > BUG=
> >
> > Committed: https://crrev.com/a53b9bf02f31e5647c37e0392afa19f74df1a3ba
> > Cr-Commit-Position: refs/heads/master@{#37199}
>
> TBR=ofrobots@google.com,bmeurer@chromium.org,danno@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=
>
> Committed: https://crrev.com/97c2bc362f234bd58515a0faf6af23b4f8ad183a
> Cr-Commit-Position: refs/heads/master@{#37204}
TBR=ofrobots@google.com,bmeurer@chromium.org,danno@chromium.org,machenbach@google.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2081323007
Cr-Commit-Position: refs/heads/master@{#37303}
When reading malformed input, the length of variable-length types can be very large. Computing operand length with this and adding it to PC will overflow and screw up decode.
This patch switches to unsigned int for arity and lengths, terminates loop analysis on error, adds overflow checking to BranchTableOperand, and adds a unit test.
Review-Url: https://codereview.chromium.org/2052623003
Cr-Commit-Position: refs/heads/master@{#37301}
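The length overflow described in the commit message above, as an added example that is not V8's code: a wrapping 32-bit length computation beside a check against the bytes actually remaining. The function names, the operand layout (a LEB128 entry count followed by 4-byte entries) and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed inputs. Assumed layout: LEB128 u32 entry count, then count 4-byte entries. */
static const uint8_t kValid[]     = {0x02, 1, 0, 0, 0, 2, 0, 0, 0};
/* Count 0x40000001 followed by only one entry's worth of bytes. */
static const uint8_t kMalformed[] = {0x81, 0x80, 0x80, 0x80, 0x04, 0, 0, 0, 0};

/* Decode an unsigned 32-bit LEB128 from [p, end); returns bytes used, 0 on error. */
static size_t read_u32v(const uint8_t *p, const uint8_t *end, uint32_t *out) {
    uint32_t result = 0;
    for (size_t i = 0; i < 5 && p + i < end; i++) {
        uint8_t b = p[i];
        if (i == 4 && (b & 0xF0)) return 0;   /* would not fit in 32 bits */
        result |= (uint32_t)(b & 0x7F) << (7 * i);
        if (!(b & 0x80)) { *out = result; return i + 1; }
    }
    return 0;                                  /* truncated */
}

/* Wrapping form: 32-bit arithmetic on the untrusted count. */
uint32_t table_length_wrapping(uint32_t prefix, uint32_t count) {
    return prefix + count * 4u;                /* reduced modulo 2^32 */
}

/* Checked form: operand length in bytes, or 0 if it does not fit in [pc, end). */
size_t table_length_checked(const uint8_t *pc, const uint8_t *end) {
    uint32_t count;
    size_t n = read_u32v(pc, end, &count);
    if (n == 0) return 0;
    size_t remaining = (size_t)(end - pc) - n;
    if (count > remaining / 4) return 0;       /* divide: nothing can wrap */
    return n + (size_t)count * 4;
}

int main(void) {
    printf("wrapping: %u\n", (unsigned)table_length_wrapping(5, 0x40000001u));
    printf("checked valid: %zu\n", table_length_checked(kValid, kValid + sizeof kValid));
    printf("checked malformed: %zu\n",
           table_length_checked(kMalformed, kMalformed + sizeof kMalformed));
    return 0;
}
```

With the constructed count 0x40000001 the wrapping form reports a 9-byte operand that looks plausible, while the checked form rejects the same input because the declared table exceeds the remaining bytes.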
the .eh_frame format as part of the jitdump generated when
FLAG_perf_prof is enabled. The final goal is allowing precise unwinding
of callchains that include JITted code when profiling V8 using perf.
Unwinding information is stored in the body of code objects after the
code itself, prefixed with its length and aligned to an 8-byte boundary.
A boolean flag in the header signals its presence, resulting in zero
memory overhead when the generation of unwinding info is disabled or
no such information was attached to the code object.
A new jitdump record type (with id 4) is introduced for specifying
optional unwinding information for code load records. The EhFrameHdr
struct is also introduced, together with a constructor to initialise it
from the associated code object.
At this stage no unwinding information is written to the jitdump, but
the infrastructure for doing so is ready in place.
BUG=v8:4899
LOG=N
Review-Url: https://codereview.chromium.org/1993653003
Cr-Commit-Position: refs/heads/master@{#37296}
This adds a missing lazy bailout point when defining data properties
with computed property names in object literals. The runtime call to
Runtime::kDefineDataPropertyInLiteral can trigger deopts. The necessary
bailout ID already exists and is now properly used.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-621816
BUG=chromium:621816
Review-Url: https://codereview.chromium.org/2099133003
Cr-Commit-Position: refs/heads/master@{#37294}
Instead of a JS implementation that calls C++ runtime functions, migrate String.fromCodePoint() to C++.
BUG=v8:5049
Review-Url: https://codereview.chromium.org/2038563003
Cr-Commit-Position: refs/heads/master@{#37293}
This is a building block for GetPropertyStub. It supports querying fast,
slow and global objects without native accessors and interceptors.
BUG=v8:4911
LOG=Y
Review-Url: https://codereview.chromium.org/2079823002
Cr-Commit-Position: refs/heads/master@{#37291}