It was a good flag, but it's time to say goodbye. Let us take a moment
to remember the good times we've had during its short time on earth.
It shipped in Chrome 74.
BUG=v8:8523
R=adamk@chromium.org, mathias@chromium.org, gsathya@chromium.org
Change-Id: I37e58360614c0bb3582b8bbfac795d5ed3e5a149
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1641205
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Auto-Submit: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#62099}
An error object's 'stack' property is lazily formatted once the
property is first read. It is thus possible that lazy formatting
happens in a different realm than where the error object was
constructed.
In this case, we should use the origin-realm's prepareStackTrace
function to format the stack trace.
This CL implements that behavior by fetching prepareStackTrace from
the given error object's context's error function.
Bug: v8:7848
Change-Id: Ibc383cf24f2c0dab2fd8bb7bc740f1488d9954a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1113438
Commit-Queue: Simon Zünd <szuend@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62090}
This CL adds two mjsunit tests that transition an error object to
dictionary mode before and after Error.stack is formatted and verify
that the custom 'stack' property accessor works as intended.
Bug: v8:8742
Change-Id: I4beb52c75b94533c10fac007f41117ab8915fac8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1649789
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62078}
Quotes have been added around the token to make the message clearer.
Bug: chromium:943636
Change-Id: Ic38f3e6d307157af2c0146e69fb611a2cfb46564
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593307
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62074}
The path for sealed elements is handled by using the same path for SmiOrObjectElementKind, just need to extend a DCHECK in CodeStubAssembler::IsFixedArrayWithKind.
The only special case is when we write to a hole in holey sealed elements. Since we can not write in that case, just bail out.
Bug: chromium:967101
Change-Id: Ibf837ae053fe609bca83da432f298ef056f3aced
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632830
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62071}
The CloneObject bytecode was only able to handle objects, null and
undefined, and explicit bytecode had to be generated to perform the
ToObject outside the bytecode (unlike the other IC bytecodes that
just perform the ToObject implicitly). That means the simplest possible
object cloning would also generate a sequence of 5 bytecodes (at least):
```
Mov <register>, a0
JumpIfNull @1
JumpIfUndefined @1
ToObject <register>
1: CloneObject <register>
```
That is quite wasteful and unnecessary, since the core logic in the
runtime already does the ToObject properly anyways. This change
refactors the CloneObjectIC slightly to behave more like the other ICs
and do the ToObject implicitly when necessary.
Bug: v8:7611, v8:9114, v8:9183, v8:9343
Change-Id: I11973e90bf875f154a5a7739287bee17041e4a7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1649554
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62064}
The DoubleToFloat32 helper takes care of everything, so use it
consistently.
Bug: chromium:969498
Change-Id: If71e5374684b89615006548cb0329f4d4cb7fd6d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648253
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62062}
As per the new specs, when the exception is thrown by iterator's return method
while doing iterator close because it is not callable, the exception is
suppressed in the same way as if the return method is called and threw an exception.
https://github.com/tc39/ecma262/issues/1398
Bug: v8:9056
Change-Id: I21abd5fdd01d3a957c3c16d9d3aaab9091e43142
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648256
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Swapnil Gaikwad <swapnilgaikwad@google.com>
Cr-Commit-Position: refs/heads/master@{#62035}
We need to hold onto the bytecode array so it doesn't get flushed.
Bug: v8:8394
Change-Id: Ia583a0a662740e369fcbc1c94041895e463be26e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1645329
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62011}
ObjectIsExtensible is now a Torque builtin (previously CPP) and the Proxy path is implemented completely in Torque while everything else calls into runtime (and is thus a bit slower than previously).
Improvement in micro-benchmark
Before:
IsExtensibleWithoutTrap-Proxies(Score): 2228
IsExtensibleWithTrap-Proxies(Score): 917
After:
IsExtensibleWithoutTrap-Proxies(Score): 3683
IsExtensibleWithTrap-Proxies(Score): 3310
Bug: v8:6664
Change-Id: I1fbe1c51cb724a23d7a59fc8231bb3d1461a6add
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1637444
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62006}
With bytecode flushing and lazy feedback allocation, we need to call
%PrepareForOptimization before we call %OptimizeFunctionOnNextCall,
ideally after declaring the function.
Bug: v8:8801, v8:8394, v8:9183
Change-Id: I6bf119e726426df8527d97546b6ce806112c894d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1643167
Auto-Submit: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61988}
Array push / pop / shift were inlined if the elements kind of the
receiver maps is the same. This cl extends it by inlining these
builtins even when the receiver maps have different elements kinds.
It still limits it to only fast elements kinds. This is required to
prevent regressions in deltablue when lazy feedback allocation is
enabled. With lazy feedback allocation we may see polymorphic
feedback more often, since we don't have allocation site feedback
till the feedback vectors are allocated.
Bug: v8:9078
Change-Id: Id4a7b84be6305b125913b6ce0fb4f3eb3e3b15ec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632239
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61949}
Bug: v8:9247
Change-Id: Id6860e7b0f932990ac3cda39e369b0809e4f6a2b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632072
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61928}
Currently, Number.prototype.toString(radix) often fails to produce the
least significant bit for doubles near zero. For example, for the
minimum double, 5e-324, toString(2) produces "0". This means that a
user cannot reliably get the exact binary or hexdecimal value of a
double from JavaScript using toString.
This patch makes a slight amendment to the DoubleToRadixCString
function, so that doubles where the gap to the next double is 5e-324
(i.e. doubles less than 2**-1021), are represented exactly in binary and
other power-of-two bases, and close to exactly otherwise. It results
in Number.prototype.toString producing the correct binary value for all
doubles.
R=jkummerow@chromium.org, mathias@chromium.org, yangguo@chromium.org
Bug: v8:9294
Change-Id: I71506149b7c4c0eac8c38675a1ee15fb4f36f9ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631601
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61925}
According to the spec, in case where the property is non-configurable and
non-writable, the value passed to the set trap should be compared to the data.
Instead, the trap result was compared, because of the misleading name of the
CheckGetSetTrapResult parameter.
Regression was introduced in
https://chromium-review.googlesource.com/c/v8/v8/+/1604071
Bug: chromium:966450
Change-Id: I77501980475da3aeb4f6153321da39e6fc2e6bd9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632238
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61916}
This is a reland of 8092acbe41
Original change's description:
> [wasm] Store signature with {WebAssembly.Function} objects.
>
> This adds simple serialization and deserialization of the signature
> provided when a {WebAssembly.Function} object is constructed. For now
> this signature is only used by the {WebAssembly.Function.type} method,
> but will soon be used when importing such functions as well.
>
> R=jkummerow@chromium.org
> TEST=mjsunit/wasm/type-reflection
> BUG=v8:7742
>
> Change-Id: If4a687ea537d8c12f4f01a7d3ac5a795ceb999c6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632211
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61898}
Bug: v8:7742
Change-Id: I5d784165c460abd9d7b07f5cdafc746d5380ccd6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632159
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61910}
On Android libraries there are zero length entries within the ranged
symbols which break our range processing. This updates the logic to
only add entries for zero-length entries if they aren't within the range
of the previously added entry.
Change-Id: I511a6221817c535d967a50413948a29d9deb1e85
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627985
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61903}
This reverts commit 8092acbe41.
Reason for revert: Causes UBSan warnings:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20UBSan/6436
Original change's description:
> [wasm] Store signature with {WebAssembly.Function} objects.
>
> This adds simple serialization and deserialization of the signature
> provided when a {WebAssembly.Function} object is constructed. For now
> this signature is only used by the {WebAssembly.Function.type} method,
> but will soon be used when importing such functions as well.
>
> R=jkummerow@chromium.org
> TEST=mjsunit/wasm/type-reflection
> BUG=v8:7742
>
> Change-Id: If4a687ea537d8c12f4f01a7d3ac5a795ceb999c6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632211
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61898}
TBR=jkummerow@chromium.org,mstarzinger@chromium.org
Change-Id: I56ea9df5db3f95c05068186097e298cb73a3675d
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7742
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632218
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61899}
This adds simple serialization and deserialization of the signature
provided when a {WebAssembly.Function} object is constructed. For now
this signature is only used by the {WebAssembly.Function.type} method,
but will soon be used when importing such functions as well.
R=jkummerow@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742
Change-Id: If4a687ea537d8c12f4f01a7d3ac5a795ceb999c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632211
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61898}
Feedback pollution can create situations in which we statically see stores to the same field with incompatible representations; dynamically this should be impossible for a single TurboFan compilation unit. Instead of failing an assertion we produce Unreachable nodes.
R=tebbi@chromium.org
Bug: chromium:967434 chromium:967506
Change-Id: Id549ec84f28b4fed2d2e5ef05b40b48bc5b30e97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632169
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61894}
This is a quick fix for the recent bailout-on-uninitialized feature of
the serializer, which does not work with resumables. For now, simply
treat the ResumeGenerator bytecode as if it was an exception handler
entry point. I want to revisit this later because the proper fix might
be to teach the serializer about the SwitchOnGeneratorState bytecode.
Bug: chromium:966560, v8:7790
Change-Id: I48bc6ba7299faa29802159cc7c36f4629667b5d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630670
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61877}
This is a reland of 4b86fea530 with
copy&paste typo in CodeStubAssembler::AllocateByteArray() fixed
(bug led to holes in new space, which was crashing reproducibly
on the ia32 bot).
Original change's description:
> [typedarray] Move external/data pointer to JSTypedArray.
>
> As the next step in supporting huge typed arrays in V8, this moves the
> external/data pointer from the FixedTypedArrayBase backing store to the
> JSTypedArray instance itself, and replaces the special backing stores
> with a plain ByteArray (removing all the code for the FixedTypedArrayBase
> class hierarchy). By doing so, we can drastically simplify the system
> around typed arrays.
>
> Note: Several places in the code base used to check the instance type
> of the elements backing store of a JSTypedArray instead of checking the
> elements kind on the JSTypedArray map directly. Those had to be fixed,
> since the backing store is now always a ByteArray.
>
> Drive-by-fix: Move all the typed elements access related code into the
> elements.cc file to properly encapsulate the accesses.
>
> Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
> Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
> Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
> Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61855}
Tbr: petermarshall@chromium.org
Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
Change-Id: I87fcdb28532c5f08cc227332a4d59546cb423810
Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
Cq-Include-Trybots: luci.v8.try:v8_linux_shared_compile_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631592
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61864}
This adds a reflective function to retrieve the function type of an
exported or constructed WebAssembly function object. Note that this
first implementation only supports exported functions for now, the
support for constructed functions will be done as a follow-up.
R=jkummerow@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742
Change-Id: I38a16972d8437521993992ca20887c47c7c6b99b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627989
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61851}
When allocating large arrays on 32-bit systems, the length conversion
caused the work array capacity to become negative. As the sort range
is currently clamped at kSmiMaxValue anyway, the fix is to also
clamp the work capacity to that value.
R=jgruber@chromium.org
Bug: chromium:967065
Change-Id: I9ea60464c5b7f3796c5389cbaf668b990eddecf6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630672
Auto-Submit: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61845}
This is a reland of e588ff10e5
The only change over the original CL is found in JSCreateLowering::AllocateFastLiteral. We now guard against boilerplate values for unboxed double fields that *look* like legitimate initial values, but should really be kHoleNanInt64 instead.
The underlying problem certainly existed before, but an invariant added to LoadElimination in this CL caused a Chromium layout test to fail. The change in this reland is therefore a workaround, the root cause remains to be fixed. Specifically, we find that a pointer to the undefined value oddball is sometimes reinterpreted as a double and assigned as a boilerplate value. @jarin suspects that this stems from in-place map updates.
Original change's description:
> Make LoadElimination aware of const fields (Part 2; stores)
>
> Adds const information to store field accesses and uses it in load elimination
>
> Change-Id: I00765c854c95c955dabd78557463267b95f75eef
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1611543
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Georg Schmid <gsps@google.com>
> Cr-Commit-Position: refs/heads/master@{#61796}
Change-Id: Ie388754890024a3ca7d10c9d4d7391442655b426
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630676
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Georg Schmid <gsps@google.com>
Cr-Commit-Position: refs/heads/master@{#61838}
COW arrays were previously handled in the C++ pre-processing runtime
function. The Torque version forgot a "EnsureWritableFastElements".
This CL fixes that.
Bug: chromium:967254
Change-Id: Ifbf89e57cfe724e61316b8abc226f7e8a262fce2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630675
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61835}
This is a reland of 2b0ac2fb9f
The layout test that caused this revert was fixed with:
https://crrev.com/c/1627386
Original change's description:
> [array] Move Array#sort pre-processing to Torque
>
> This CL removes the "PrepareElementsForSort" runtime function, and
> replaces it with a simpler version in Torque. The biggest difference
> is that certain sparse configurations no longer have a fast-path.
>
> The Torque pre-processing step replaces the existing Torque mechanism that
> copied already pre-processed elements into the "work" FixedArray. The Torque
> compacting works as follows:
> - Iterate all elements from 0 to {length}
> - If the element is the hole: Do nothing.
> - If the element is "undefined": Increment undefined counter.
> - In all other cases, push the element into the "work" FixedArray.
>
> Then the "work" FixedArray is sorted as before. Writing the elements from
> the "work" array back into the receiver, after sorting, has three steps:
> 1. Copy the sorted elements from the "work" FixedArray to the receiver.
> 2. Add previously counted number of "undefined" to the receiver.
> 3. Depending on the backing store either delete properties or
> set them to the Hole up to {length}.
>
> Bug: v8:8714
> Change-Id: I14eccb7cfd2e4618bce2a85cba0689d7e0380ad2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619756
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61812}
TBR: jgruber@chromium.org
Bug: v8:8714
Change-Id: If7613f6e5f37c5e0d649e8192195594bc6c32100
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627977
Commit-Queue: Simon Zünd <szuend@chromium.org>
Auto-Submit: Simon Zünd <szuend@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61827}
New spec changes allow anyref tables to be initialized with function
references.
R=mstarzinger@chromium.org
Bug: v8:7581
Change-Id: I59596e1e383408114b974fa10529ae15b8cf7a15
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627348
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61823}
This reverts commit 2b0ac2fb9f.
Reason for revert: Breaks scrollingcoordinator/non-fast-scrollable-region-nested.html layout test on https://ci.chromium.org/p/v8/builders/ci/V8-Blink%20Linux%2064/32241
Original change's description:
> [array] Move Array#sort pre-processing to Torque
>
> This CL removes the "PrepareElementsForSort" runtime function, and
> replaces it with a simpler version in Torque. The biggest difference
> is that certain sparse configurations no longer have a fast-path.
>
> The Torque pre-processing step replaces the existing Torque mechanism that
> copied already pre-processed elements into the "work" FixedArray. The Torque
> compacting works as follows:
> - Iterate all elements from 0 to {length}
> - If the element is the hole: Do nothing.
> - If the element is "undefined": Increment undefined counter.
> - In all other cases, push the element into the "work" FixedArray.
>
> Then the "work" FixedArray is sorted as before. Writing the elements from
> the "work" array back into the receiver, after sorting, has three steps:
> 1. Copy the sorted elements from the "work" FixedArray to the receiver.
> 2. Add previously counted number of "undefined" to the receiver.
> 3. Depending on the backing store either delete properties or
> set them to the Hole up to {length}.
>
> Bug: v8:8714
> Change-Id: I14eccb7cfd2e4618bce2a85cba0689d7e0380ad2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619756
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61812}
TBR=peter.wm.wong@gmail.com,jgruber@chromium.org,tebbi@chromium.org,szuend@chromium.org
Change-Id: If1c1bc07f38dfbd4bf6b6ce8f9d70714e7526877
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8714
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627976
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61814}
This CL removes the "PrepareElementsForSort" runtime function, and
replaces it with a simpler version in Torque. The biggest difference
is that certain sparse configurations no longer have a fast-path.
The Torque pre-processing step replaces the existing Torque mechanism that
copied already pre-processed elements into the "work" FixedArray. The Torque
compacting works as follows:
- Iterate all elements from 0 to {length}
- If the element is the hole: Do nothing.
- If the element is "undefined": Increment undefined counter.
- In all other cases, push the element into the "work" FixedArray.
Then the "work" FixedArray is sorted as before. Writing the elements from
the "work" array back into the receiver, after sorting, has three steps:
1. Copy the sorted elements from the "work" FixedArray to the receiver.
2. Add previously counted number of "undefined" to the receiver.
3. Depending on the backing store either delete properties or
set them to the Hole up to {length}.
Bug: v8:8714
Change-Id: I14eccb7cfd2e4618bce2a85cba0689d7e0380ad2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619756
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61812}
Unfortunately, we still have to keep the field because GC mole and Torque
do not support platform specific padding well
(see http://crbug.com/v8/9287).
Bug: v8:9183
Change-Id: I2210be4b8174c97bc82145605f9b862aac3bdc37
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1624791
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61802}
Adds const information to store field accesses and uses it in load elimination
Change-Id: I00765c854c95c955dabd78557463267b95f75eef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1611543
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Georg Schmid <gsps@google.com>
Cr-Commit-Position: refs/heads/master@{#61796}
The indirect function table only exists for table 0 at the moment.
Therefore we should initialize it only for table 0.
R=mstarzinger@chromium.org
Bug: chromium:964607
Change-Id: I88a3a5cb5ebec7f0456adc2cebdf5cc499b22761
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1624804
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61794}
This makes the WebAssembly function constructor return a proper function
object. Note that the returned object is not yet callable, only the
prototype structure is in place.
R=jkummerow@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742
Change-Id: If6a3d0ae7078b5526606eef1b8fd4815353b850b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627343
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61792}
The tests need to properly hold on to the original fast-mode map,
otherwise the GC might clear that, and so the NormalizedMapCache
lookup would fail due to that.
Bug: chromium:963411, v8:9114, v8:9183, v8:9267
Change-Id: Ic41ed363959a5c182c74097767dc14c366076e17
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627333
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61772}
These instructions were renamed in the October 2, WebAssembly CG meeting. The
issue describing the change is here:
https://github.com/WebAssembly/spec/issues/884
Change-Id: Ia9e8733156b5ed5db7fc9ab1681c1a51b874dd71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1620681
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61711}
