- Throw a TypeError exception if a given target argument is not a typed
array before converting a given offset argument to an integer.
- Add a testcase
Bug: chromium:768775
Change-Id: Id132a0f154fcf930f211922fcbef6c66f9d6f285
Reviewed-on: https://chromium-review.googlesource.com/728120
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48736}
This adds BigInt support to JavaScript's abstract equality (== and !=),
implemented mainly via CodeStubAssembler::Equal and via Object::Equals.
Bug: v8:6791
Change-Id: I53219f2f71baa760b142cc676f18931731b87226
Reviewed-on: https://chromium-review.googlesource.com/725701
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48730}
Replace GetElement and SetElement to Get and Set, and use CopyElements,
which reduces 4x-13x overheads.
Bug: chromium:768775
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I58534b30c2035195c5f4b8f2c04e7c459bdbebaa
Reviewed-on: https://chromium-review.googlesource.com/720661
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48723}
This addresses the odd performance cliff, where the CallIC tracks known
JSFunction targets, but goes MEGAMORPHIC when it sees a JSBoundFunction
target. With this fix in place the micro-benchmark on the bug goes from
arrowCall: 82 ms.
boundCall: 234 ms.
to
arrowCall: 81 ms.
boundCall: 80 ms.
so Function#bind doesn't cause any additional overhead anymore.
Bug: v8:5267, v8:6962
Change-Id: Iaceaf89fd3e99e2afe2ae45e96a6813a3ef8b1d2
Reviewed-on: https://chromium-review.googlesource.com/727879
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48722}
So far the JSCallReducer was only able to unfold constant
JSBoundFunction targets for JSCall nodes, which is not the
common case. With the introduction of JSCreateBoundFunction
operator earlier, we can now also recognize calls to bound
functions where the bind happens earlier in the function,
i.e. as the example of
a.map(f.bind(self))
in https://twitter.com/BenLesh/status/920700003974123520, which
is a handy way to use Function#bind. So this transformation
takes a node like
JSCall(JSCreateBoundFunction(bound_target_function,
bound_this,
a1,...,aN),
receiver, p1,...,pM)
and turns that into
JSCall(bound_target_function, bound_this, a1,...,aN,p1,...,pM)
allowing TurboFan to further inline the bound_target_function
at this call site if that's also inlinable (i.e. it's a known
constant JSFunction or the result of a JSCreateClosure call).
This improves the micro-benchmark from
arrowCall: 55 ms.
boundCall: 221 ms.
arrowMap: 181 ms.
boundMap: 806 ms.
to
arrowCall: 71 ms.
boundCall: 76 ms.
arrowMap: 188 ms.
boundMap: 186 ms.
so that Function#bind in this case is as fast as using closures,
which is an up to 4.3x improvement in the Array#map example.
Bug: v8:5257, v8:6961
Change-Id: Ibca650faad912bf9db1db6fbc48772e7551289a6
Reviewed-on: https://chromium-review.googlesource.com/727799
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48713}
The bug reference has been fixed, probably due to the new WasmContext
changes. We should keep a regression test for this anyway though.
Bug: v8:6931
Change-Id: Ie9d94690e764498d2153691d96414d0d26258794
Reviewed-on: https://chromium-review.googlesource.com/727022
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48712}
Support inlining of Array.prototype.filter in TurboFan.
(relanding with fix for chromium:766635, visible in the
diff between patchsets 2 and 3)
Bug: v8:1956,chromium:766635
Change-Id: Ia50be6770602513e3d91d17e2b2ca9d3b0e8b42a
Reviewed-on: https://chromium-review.googlesource.com/721119
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48697}
These tests are currently failing on TSAN bot with OOM when running
with the stress-incremental-marking flag.
Bug: v8:6924
Change-Id: I50b9a7142b2e8759f4bc327516f8c06ce1779777
Reviewed-on: https://chromium-review.googlesource.com/723427
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48693}
TurboFan expects the offset input of a Load or Store node to be a
pointer-size input, i.e. an int32 input on 32-bit platforms, and int64
on 64-bit platforms. In WebAssembly we always provided 32-bit offset
though, which caused problems when the high word of the register which
contained the offset was not empty.
With this CL we change the offset input to int64 on 64-bit platforms.
In addition we also change the type of the memory_size_ node to int64,
so that that we do not have to adjust the type of the memory size at
every memory load.
This CL will cause performance regressions but is necessary for
correctness and to avoid crashes.
R=titzer@chromium.org
Bug: chromium:766666
Change-Id: I5301e108d05e125258d2a06d500c1b75e91697b8
Reviewed-on: https://chromium-review.googlesource.com/723379
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48689}
A while ago, CharacterRange::AddCaseEquivalents used to operate on a
single range (the `this` value) and add case equivalents for that to
`ranges`.
This was changed in a2baaaac to use `ranges` as a list of incoming
operands instead. When we now determine that the current range does not
have case equivalents, we need to `continue` instead of `return` to
avoid skipping the remaining ranges in the list.
Bug: v8:6940
Change-Id: I9face88a2ef8b9408f177e503f3399a25e688e06
Reviewed-on: https://chromium-review.googlesource.com/725430
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48682}
This makes sure that the lowering of {JSCreate} operator during create
lowering is only applied to operations where both target and new.target
are known to be constructors.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-768080
BUG=chromium:774780,chromium:768080
Change-Id: I55a582a3453bba7e14655b594b7714a3940eeaae
Reviewed-on: https://chromium-review.googlesource.com/725332
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48680}
This fixes https://bugs.chromium.org/p/chromium/issues/detail?id=773954.
The issue was that in the EffectControlLinearizer, the effect input of an
{Unreachable} node was not updated, leaving a {Checkpoint} behind.
This is a reland of 4cf476458f
Original change's description:
> Reland^3 "[turbofan] eagerly prune None types and deadness from the graph"
>
> This fixes the issues
> https://bugs.chromium.org/p/chromium/issues/detail?id=772873
> and https://bugs.chromium.org/p/chromium/issues/detail?id=772872.
>
> One problem was that mutating an effect node into Unreachable confused
> the LoadElimination sidetables, so I just always create a new node now.
>
> The other problem was that UpdateBlockControl() was executed after
> UpdateEffectPhi() in the lazy case. This reverted the update to the Merge input.
> So now I make sure that UpdateEffectPhi() is always executed last.
>
> This is a reland of 6ddb5e7da7
> Original change's description:
> > Reland^2 "[turbofan] eagerly prune None types and deadness from the graph"
> >
> > Now, the EffectControlLinearizer connects all occurrences of Unreachable to the
> > graph end. This fixes issues with later phases running DeadCodeElimination and
> > introducing new DeadValue nodes when processing uses of Unreachable.
> >
> > This is a reland of 3c4bc27f13
> > Original change's description:
> > > Reland "[turbofan] eagerly prune None types and deadness from the graph"
> > >
> > > This is a reland of e1cdda2512
> > > Original change's description:
> > > > [turbofan] eagerly prune None types and deadness from the graph
> > > >
> > > > In addition to using the {Dead} node to prune dead control nodes and nodes that
> > > > depend on them, we introduce a {DeadValue} node representing an impossible value
> > > > that can occur at any position in the graph. The extended {DeadCodeElimination}
> > > > prunes {DeadValue} and its uses, inserting a crashing {Unreachable} node into
> > > > the effect chain when possible. The remaining uses of {DeadValue} are handled
> > > > in {EffectControlLinearizer}, where we always have access to the effect chain.
> > > > In addition to explicitly introduced {DeadValue} nodes, we consider any value use
> > > > of a node with type {None} as dead.
> > > >
> > > > Bug: chromium:741225
> > > > Change-Id: Icc4b636d1d018c452ba1a2fa7cd3e00e522f1655
> > > > Reviewed-on: https://chromium-review.googlesource.com/641250
> > > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> > > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> > > > Cr-Commit-Position: refs/heads/master@{#48208}
> > >
> > > Bug: chromium:741225
> > > Change-Id: I21316913dae02864f7a6d7c9269405a79f054138
> > > Reviewed-on: https://chromium-review.googlesource.com/692034
> > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#48232}
> >
> > Bug: chromium:741225
> > Change-Id: I5702ec34856c075717162153adc765774453c45f
> > Reviewed-on: https://chromium-review.googlesource.com/702264
> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#48366}
>
> Bug: chromium:741225
> Change-Id: I4054a694d2521c2e1f0c4a3ad0f3cf100b5c536f
> Reviewed-on: https://chromium-review.googlesource.com/709214
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48469}
Bug: chromium:741225
Change-Id: Id9d4f3a3ae36cb3e38f80edcdba88efa7922ca24
Reviewed-on: https://chromium-review.googlesource.com/715716
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48660}
Ensure we only lower SpeculativeNumberBinops to a pure operator for
non-string plain primitives. Previously we could lower if a value might be
the-hole, however this would fail a CHECK in ConvertInputsToNumber which
expects a plain primitive.
BUG=chromium:772420
Change-Id: I0c755d10db7afd9cabfb638eca5662d70dfc8d51
Reviewed-on: https://chromium-review.googlesource.com/715717
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48649}
OSR for functions which use arguments no longer needs to be disabled, since
TurboFan handles the case.
Bug:
Change-Id: I121f1190a142c18f113bd5f875e258812645c43f
Reviewed-on: https://chromium-review.googlesource.com/721661
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48631}
Disabling only for stress mode did not help, the test uses 10GB
in other modes too.
Bug: v8:6924
Change-Id: I0e1348f8a43e41612d3a94e75396f0a26a82ece2
Reviewed-on: https://chromium-review.googlesource.com/721662
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48626}
Inner functions which called eval, and were the kind of functions
that can use `super`, were erroneously not marked as "uses_super_property",
leading to downstream crashes when the runtime tried to load the
[[HomeObject]] from them.
This patch eliminates the public Scope::uses_super_property()
API and ensures that callers always call Scope::NeedsHomeObject()
instead.
This is a minimal fix designed for easy merging; it's likely that
in the long run we should remove most mentions of "uses super property"
and replace them with "needs home object" for clarity.
Bug: v8:5516, chromium:774994
Change-Id: Id269dd33e35bd40f6b59a3d3e19330687afa64f8
Reviewed-on: https://chromium-review.googlesource.com/721879
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48619}
This supports {valueOf() { return BigInt(...) }} objects as
operands in binary and unary operations.
Bug: v8:6791
Change-Id: I30ec9983ff611477742f9ea0bc6d04972fe21d3c
Reviewed-on: https://chromium-review.googlesource.com/716863
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48612}
Port the baseline version of Reflect.has to the CodeStubAssembler and
reuse the existing logic for HasProperty (i.e. the HasProperty builtin).
Also inline the Reflect.has builtin into TurboFan, by adding a check
on the target in front of a use of the JSHasProperty operator.
Technically this additional check is not necessary, because the
JSHasProperty operator already throws if the target is not a JSReceiver,
but the exception message is confusing then.
This improves the performance of the micro-benchmark from
reflectHasPresent: 337 ms.
reflectHasAbsent: 472 ms.
to
reflectHasPresent: 121 ms.
reflectHasAbsent: 216 ms.
which is a nice 2.8x improvement in the best case. It also improves the
chai test on the web-tooling-benchmark by around 1-2%, which is roughly
the expected win (since Reflect.has overall accounts for around 3-4%).
Bug: v8:5996, v8:6936, v8:6937
Change-Id: I856183229677a71c19936f06f2a4fc7a794a9a4a
Reviewed-on: https://chromium-review.googlesource.com/720959
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48608}
- Extract core StringPrototypeRepeat code into a TFS builtin (StringRepeat)
- Assumes arguments are a string and smi (no range checks)
- Add StringPrototypePadStart and StringPrototypePadEnd TFJ builtins
- Added StringPadAssembler to ensure common behavior
- Removed functionality from string.js
A quick benchmark shows significant performance gains for unoptimized
code (2.1x to 2.46x) and optimized code (1.03x - 1.56x).
https: //github.com/peterwmwong/v8-perf/blob/master/string-pad/README.md
Bug: v8:5049
Change-Id: I6e4fe99fb62a3edb3d6906fd4f78b3576b5b0d13
Reviewed-on: https://chromium-review.googlesource.com/720067
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48595}
When skipping inner funcs is enabled, we also track variables for top level
funcs. Thus, we also declared the function name for the function scope, even
though it was the function scope for a function whose preparsing was
aborted. This lead into declaring the function name twice.
The fix is to declare the function name only in the success case.
The code was "wrong" before too, but this was never a problem, since variable
tracking and aborting preparsing were enabled for disjoint sets of
functions (aborting preparsing only for top-level, and variable tracking for
non-top-level).
BUG=v8:5516,chromium:774475
Change-Id: Ie6c321cc834cd946e8843f73916fa7dd75e9cd09
Reviewed-on: https://chromium-review.googlesource.com/720920
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48592}
This CL removes the code specialization for WASM functions that access
globals. Previously, we were embedding the start address of the globals
memory (globals_start) as a constant in the code, which required
patching for every instance. We now put this base in to the WasmContext,
which is available as a parameter to every WasmFunction.
R=ahaas@chromium.org,
CC=mtrofin@chromium.org
Bug:
Change-Id: I04bb739e898cc5a3b7dd081cc166483022d113fd
Reviewed-on: https://chromium-review.googlesource.com/712595
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48581}
In Array.prototype.map, we have to store the map result in an output array.
If we know we are storing objects, or special objects like boolean, rather
than a number, then we can reduce the amount of checks we have to do to
transition the output array to the appropriate ElementsKind.
Likewise, if we know we've got floating point values, we can specialize
appropriately to a double array.
Bug: v8:6896
Change-Id: I375daf604562b53638ea749945c1a4c907e33547
Reviewed-on: https://chromium-review.googlesource.com/711845
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48579}
This patch introduces assertPromiseFulfills and assertPromiseFulfills as
a replacement for assertPromiseResult because it’s more JavaScript-y.
BUG=v8:6921
R=ahaas@chromium.org
Also-By: ahaas@chromium.org
Change-Id: I2f865dba3992ddf3b58987bf0b376d143edb5c31
Reviewed-on: https://chromium-review.googlesource.com/718746
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48578}
Reuses the existing logic for BigInt.parseInt, adapted slightly
to allow octal and binary radix prefixes (and to support parsing
of a raw character buffer, rather than a v8::internal::String).
Bug: v8:6791
Change-Id: I41904b2204721eac452e0765fa9ff0ab26ee343b
Reviewed-on: https://chromium-review.googlesource.com/711334
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48560}
Previously, Function("++f`...`) would not throw an exception until the
created function was called. Now, it throws an early ReferenceError.
This change matches the behaviour in JavaScriptCore and SpiderMonkey.
Ordinary calls such as Function("++f()") are still thrown at runtime,
also compatible with JavaScriptCore and SpiderMonkey.
BUG=v8:4480, v8:6910
R=marja@chromium.org, littledan@chromium.org
Change-Id: If31c6d360a0464744eff5d8dd377ebff184ae00e
Reviewed-on: https://chromium-review.googlesource.com/712794
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48553}
This adds and explicit check for the constructability of the new.target
value in the lowering of {JSCall} nodes known to call Reflect.construct.
The {JSConstruct} operator does not perform this check and relies on the
implicit validity of new.target in all other use cases.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-768080
BUG=chromium:768080
Change-Id: I7c1921e787bae64ba83de3eb08aa00fc5523e251
Reviewed-on: https://chromium-review.googlesource.com/718100
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48543}
The test uses more than 10GB memory in stress mode and causes OOM
failures on TSAN bots.
NOTRY=true
Bug: v8:6924
Change-Id: Ifaab153316432a5c59869ef312b43d84827480df
Reviewed-on: https://chromium-review.googlesource.com/718110
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48532}
These tests use too much memory on MIPS.
Bug:
Change-Id: I9ab15b04ad8cec94ab1b1c022e819a2d802e375d
Reviewed-on: https://chromium-review.googlesource.com/716497
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Cr-Commit-Position: refs/heads/master@{#48518}
This flag describes that the memory defined in a wasm module has a
maximum size. Therefore I think kHasMaximumFlag is more appropriate.
R=titzer@chromium.org
Bug: v8:6921
Change-Id: Ie794d670f74e7f1f9a42822e2f774da85aaaaa4b
Reviewed-on: https://chromium-review.googlesource.com/718198
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48517}
In preparation for adding more separate test files.
Bug: v8:6791
Change-Id: I92e2a3ab6fd35e2f902179a005ed9640851ca1b6
Reviewed-on: https://chromium-review.googlesource.com/716927
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48512}
Parser creates a FunctionState for default ctors, which affects the
next_function_is_likely_called logic. PreParser needs to match that logic, so
that Parser and PreParser agree about which functions are skippable.
BUG=v8:5515, chromium:773576
Change-Id: I96cb6f5aa68e74389a863355f70a34693a2d1329
Reviewed-on: https://chromium-review.googlesource.com/712579
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48511}
Contrary to other Absolute-bitwise operations, it is not symmetric.
Bug: v8:6791
Change-Id: Id0d57e3cf61177af0b77a3d9d4a4e17e5737ae11
Reviewed-on: https://chromium-review.googlesource.com/714301
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48507}
This propagates the existing type of a {JSAdd} node back to the newly
created {Allocate} node. There are cases where said type is {None}.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-772720
BUG=chromium:772720
Change-Id: Iab18d2108a789b51db4e405f7f335c5c0ca6f686
Reviewed-on: https://chromium-review.googlesource.com/708796
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48493}
Also add tests for Object::SameValue.
R=jkummerow@chromium.org
Bug: v8:6791
Change-Id: I0611044dcfee4c6ba836629cf82d1589135e4ab0
Reviewed-on: https://chromium-review.googlesource.com/712034
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48486}
