Translates code of the form 'if (x === undefined)' into the JumpIfUndefined
bytecode, and similarly for comparisons with null. Also adds bytecodes for
JumpIfNotUndefined / Null.
Moves the peephole optimization for CompareUndefined out of the peephole
optimizer and into the BytecodeGenerator, having the side-effect of enabling
it for comparisons with undefined on both side of the compare operation.
BUG=v8:6107
Review-Url: https://codereview.chromium.org/2793923002
Cr-Commit-Position: refs/heads/master@{#44341}
With --harmony-function-tostring enabled (now enabled by --harmony),
CompileFunctionInContext would produce incorrect results whenever called
with 1 or more argument parameters, due to specifying an incorrect end
position for the parameters.
BUG=v8:6190, v8:4958
R=littledan@chromium.org, adamk@chromium.org, jwolfe@igalia.com
Change-Id: Ied2bcba44116311ebcae3967963472b4e1058fd3
Reviewed-on: https://chromium-review.googlesource.com/465515
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44340}
This CL adds support to parse a PushStackTraceAndDie dump on a windows
minidump:
Stack Message:
magic1: 00000000bbbbbbbb
magic2: 00000000bbbbbbbb
ptr1: 00000015f9ca78d1 T
ptr2: 0000000000000000
message start: 00000000002c58f0 S
stack_start: 00000000002cd8f0 S
All addresses within the message are annotated with the address marker to
make it easier to spot objects that are contained in the minidump.
Currently this doesn't work on OSX yet as we do not correctly push the two
magic markers on the stack.
Change-Id: I8385bb66a76bd253c4014bc7e25971d03830dd4d
Reviewed-on: https://chromium-review.googlesource.com/466007
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44339}
The byte_length field of the TypedArray is not set to 0 on neutering,
but JSArrayBufferView::byte_length() returns 0 if WasNeutered() is
true. We should use the length property here instead.
We can just short-circuit if the length is 0. Added checks to the
memcpy path that assert length and neutered status are sane.
Bug:chromium:707472,chromium:707595,chromium:707364,chromium:707410
Change-Id: Ia1dec53f175357673012cbbc5e2fc40207e03623
Reviewed-on: https://chromium-review.googlesource.com/465987
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44336}
This adds support for tracking token positions in the asm.js scanner and
uses these positions to emit a mapping from WASM to asm.js positions.
Note that the mapping is still incomplete (some call sites are not yet
covered).
R=clemensh@chromium.org
TEST=debugger/debug/wasm/asm-debug
BUG=v8:6127
Change-Id: Ic8aad1a85e7d9e19da2eec523fcc73d4984afcc8
Reviewed-on: https://chromium-review.googlesource.com/466046
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44335}
A DCHECK was failing if we unwind an activation which is not the
bottom-most. This CL fixes this and adds a test for this.
R=ahaas@chromium.org
BUG=v8:5822
Change-Id: Ib69116b4c45a7b2a0d6cab97ad984dfdcda55918
Reviewed-on: https://chromium-review.googlesource.com/464788
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44332}
For speculative number comparisons with SignedSmall feedback, we always
enforce either TaggedSigned or Word32 comparisons. But this is not
really beneficial if one of the inputs is already in Float64
representation; in that case it's cheaper to just convert the other
input to a Float64.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2790833004
Cr-Commit-Position: refs/heads/master@{#44327}
The "perf inject" command will place the generated function into a .text
section, placed directly after the ELF header. As a result, source position
addresses need to be adjusted according to the size of the ELF header, which is
0x40 for 64 bit architectures and 0x34 on 32 bit architectures.
We would previously adjust the addresses with 0x40 regardless of the
architecture.
BUG=
Review-Url: https://codereview.chromium.org/2783203005
Cr-Commit-Position: refs/heads/master@{#44325}
Previously, named captures (and related functionality) were restricted to
unicode-mode regexps.
This CL extends that support to non-unicode patterns. Named groups are
supported regardless of the mode, and named back-references are supported if
the regexp is in unicode mode or if it contains a named capture (otherwise '\k'
is treated as an identity escape).
BUG=v8:5437,v8:6192
Review-Url: https://codereview.chromium.org/2788873002
Cr-Commit-Position: refs/heads/master@{#44324}
This was missed when Latin-1 encoding replaced UTF-8 encoding when one-byte
strings (like most keys) are serialized.
BUG=chromium:686159
Review-Url: https://codereview.chromium.org/2784423002
Cr-Commit-Position: refs/heads/master@{#44320}
Records histogram of ArrayBuffer/SharedArrayBuffer new allocations
that failed because it couldn't allocate space for the
buffer. Histogram is based on the buffer size requested.
This counter is intended to give some clue as to how often, and what sizes are being requested. Unfortunately, the how often can't be answered with the current counter. The problem is that V8 doesn't currently support this possibility yet. Hence, for now, introducing a counter that at least counts the number/size of failing requests.
BUG=chromium:704922
R=bbudge@chromium.org,bradnelson@chromium.org,mtrofin@chromium.org
Review-Url: https://codereview.chromium.org/2786913004
Cr-Commit-Position: refs/heads/master@{#44318}
Adds a counter for large array buffers. Used to give an indication of
how common large array buffers are allocated in V8.
For the moment, we assume a 1Mb cutoff for the notion of large array
buffers. We also use log2(length) to cleanly bucket sizes into a
histogram.
BUG=chromium:704922
R=bbudge@chromium.org,bradnelson@chromium.org,mtrofin@chromium.org
Review-Url: https://codereview.chromium.org/2792623002
Cr-Commit-Position: refs/heads/master@{#44317}
Currently x instanceof RegExp checks cannot take the fast path, since
the RegExp constructor has dictionary properties. To avoid that, just
forcibly migrate the RegExp constructor to fast properties again once
it's fully setup in the bootstrapper. This yields a 10x improvement for
x instanceof RegExp checks.
R=yangguo@chromium.org
BUG=v8:5902
Review-Url: https://codereview.chromium.org/2786143004
Cr-Commit-Position: refs/heads/master@{#44316}
Looking at UMA results, we are getting a fair number of modules with
more than 10,000 functions (5.2%) that are being lumped into the
maximal entry. To get more visibility into what values are being
lumped, this CL lifts the maximum to 100,000.
BUG=chromium:704922
R=bbudge@chromium.org,bradnelson@chromium.org
Review-Url: https://codereview.chromium.org/2787163002
Cr-Commit-Position: refs/heads/master@{#44314}
Looking at UMA results, we are geting a number of instantiations (4%)
that are being lumped into the 1 second (plus) maximum entry. To get
more visibility into the values in this bucket, this CL lift the
maximun to 10 seconds.
BUG=chromium:704922
R=bbudge@chromium.org,bradnelson@chromium.org
Review-Url: https://codereview.chromium.org/2780353004
Cr-Commit-Position: refs/heads/master@{#44313}
Looking at UMA results, we are getting a lot of compilations (over 5%)
that are being lumped into the 1 second (plus) maximum entry. To get
more visibility into this, this CL lifts the maxiumum to 10 seconds.
BUG=chromium:704922
R=bbudge@chromium.org,bradnelson@chromium.org
Review-Url: https://codereview.chromium.org/2785313002
Cr-Commit-Position: refs/heads/master@{#44312}
Fixes a crash found by clusterfuzz caused by a call to
std::vector::reserve with a huge capacity, and reverts to ZoneList
handling as a tentative fix for performance regressions on the slow
@@replace path.
BUG=chromium:707187,chromium:706748,v8:5437
Review-Url: https://codereview.chromium.org/2787343002
Cr-Commit-Position: refs/heads/master@{#44311}
some arch like s390 has native instr can benefit from this.
see ~10% improvement on MathAbs on s390
Review-Url: https://codereview.chromium.org/2785773002
Cr-Commit-Position: refs/heads/master@{#44310}
Check that a register used as a local is within the bytecode array's
local count.
BUG=chromium:706234
Change-Id: I51f6a0a8be065b93b9a4e1dca623e98c51685b51
Reviewed-on: https://chromium-review.googlesource.com/464768
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44308}
This reverts commit 4506382dce.
We don't allow DEPS'ing things outside googlesource. This requires a
mirror. Also .gitignore entry is missing.
NOTRY=true
NOTREECHECKS=true
NOPRESUBMIT=true
TBR=bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2785183005
Cr-Commit-Position: refs/heads/master@{#44307}
Add assembler, disassembler and simulator support for NEON in the ARM64 backend.
BUG=
Review-Url: https://codereview.chromium.org/2622643005
Cr-Commit-Position: refs/heads/master@{#44306}
This CL uses the same logic as spread calls to check whether the
iteration over an array would produce different results to simply
accessing the backing store directly. Skipping the full iteration
protocol for normal arrays gives us a ~10x speedup on the
construct-typedarray benchmark.
BUG=v8:5977,v8:5699,v8:4782,chromium:698173
Change-Id: Ib878d39691e99b739afef0dd05a6a6efc5b6b5d4
Reviewed-on: https://chromium-review.googlesource.com/463367
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44304}
Numbered back-references that occur before the referenced capture
trigger an internal mini-parser that looks ahead in the pattern and
counts capturing groups.
This updates the mini-parser to correctly handle named captures.
BUG=v8:5437
Review-Url: https://codereview.chromium.org/2792523002
Cr-Commit-Position: refs/heads/master@{#44303}
Reason for revert:
This results in a deadlock when the scavenger decides to perform sweeping and re-grabs the same mutex.
Original issue's description:
> [heap] Take page lock when scavenging old to new references in Scavenger.
>
> BUG=v8:5807
>
> Review-Url: https://codereview.chromium.org/2781363002
> Cr-Commit-Position: refs/heads/master@{#44268}
> Committed: 4024e6a1bbTBR=ulan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5807
Review-Url: https://codereview.chromium.org/2786313003
Cr-Commit-Position: refs/heads/master@{#44302}
The last CL https://chromium-review.googlesource.com/c/456707/ caused
some pretty heavy performance regressions. After experimenting, it
seems the easiest and most straight-forward way to copy the elements
into the new typed array is to do it in JS.
Adds a fast path for typed arrays, where the source typed array has
the same elements kind, in which case we can just copy the backing
store using memcpy.
This CL also removes regression test 319120 which is from a pwn2own
vulnerability. The old code path enforced a maximum byte_length
that was too low, which this change removes. The length property of
the typed array must be a Smi, but the byte_length, which can be up
to 8x larger than length for a Float64Array, can be a heap number.
We can also re-use some of the logic from ConstructByLength when
deciding whether to allocate the buffer on- or off-heap, so that
is factored out into InitializeBasedOnLength. We can also re-use
the DoInitialize helper instead of calling into the runtime,
meaning we can remove InitializeFromArrayLike.
BUG=v8:5977,chromium:705503,chromium:705394
Change-Id: I63372652091d4bdf3a9491acef9b4e3ac793a755
Reviewed-on: https://chromium-review.googlesource.com/459621
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44301}
The original CL was reverted because regression test used i18n stuff,
which was not available in the no-i18n bot.
The regression test turned out to be flaky, because I cannot even
reproduce the crash now without the fix. I think the reason is that for
the crash to happen a stack check has to fail within the rejection of
a promise. Small changes can cause the stack check to fail somewhere
else. Investigations showed though that the crash should still be
possible. I propose therefore to land the fix now without the
regression test.
Original message:
We check that if we do not get a result, or if we get a negative result,
then there has to be a scheduled exception.
R=clemensh@chromium.org
BUG=chromium:704127
Change-Id: Iaf355249686412a636074a476687413b621aac68
Reviewed-on: https://chromium-review.googlesource.com/464846
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44300}
Add the source position to variables if they are parameters.
Collect type information for parameters and return values.
Index the types by their corresponding source position. For the
types of return values, use the function end as source position.
Sample output for a function with 2 parameters (at source
position 252 and 258, and function end at 443)
*************
Function: testFunction
252:
Object
number
string
number
258:
undefined
boolean
undefined
undefined
443:
Object
number
string
number
*************
BUG=v8:5933
Change-Id: I3b8749afcac706c1834146abf1b5b4a3fd130fb6
Reviewed-on: https://chromium-review.googlesource.com/461919
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44299}
This fixes printing of {CallRuntime} nodes that are backed by JavaScript
functions. Issues with the printing that was in place:
- Crash because it was accessing {context} instead of {native_context}
- Printout was not comparable, raw heap pointer different between runs
R=bmeurer@chromium.org
Change-Id: I941944b46550bd908ec14a324bc255d6c8f96fbe
Reviewed-on: https://chromium-review.googlesource.com/464766
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44298}
grow_memory was working from test cases, but not in combination with
compiled code. This CL makes the effect of grow_memory executed either
in the interpreter or compiled code always be reflected in both
execution environments.
It also adds a %RedirectToWasmInterpreter runtime function for testing
this interaction.
R=ahaas@chromium.orgCC=gdeepti@chromium.org
BUG=v8:5822
Change-Id: I3e7c184c42ef655d1c30d2e0dddad7fb783455fc
Reviewed-on: https://chromium-review.googlesource.com/463506
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44297}
Add a limit to the number of nested call frames in the C++ wasm
interpreter.
Both the size of the value stack as well as the size of the block stack
are limited per call frame. Thus, a limit on only the call frame stack
is enough to limit the overall memory consumption of one interpreter
instance.
R=ahaas@chromium.org
BUG=v8:5822
Change-Id: If9f7e547cd1d003bc2ae3c7586ece6b3cf3be587
Reviewed-on: https://chromium-review.googlesource.com/463486
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44296}
The dotAll flag changes behavior of the dot '.' character to match every
possible single character instead of excluding certain line terminators.
The implementation is staged behind --harmony-regexp-dotall.
Spec proposal: https://github.com/mathiasbynens/es-regexp-dotall-flag
BUG=v8:6172
Review-Url: https://codereview.chromium.org/2780173002
Cr-Commit-Position: refs/heads/master@{#44295}
This CL cleans up a few things:
- It removes two dead declarations: WasmMemoryObject::Grow and
wasm::GrowInstanceMemory.
- It removes the unneeded wasm::GetInstanceMemory function (use
instance->memory_buffer() directly).
- It moves wasm::GetInstanceMemorySize to
WasmInstanceObject::GetMemorySize.
- It moves wasm::GrowInstanceMemory to WasmInstanceObject::GrowMemory.
- It moves wasm::GrowWebAssemblyMemory to WasmMemoryObject::Grow.
R=ahaas@chromium.orgCC=gdeepti@chromium.org
Change-Id: I19781ca9784f1a8e7b60955bef82e341c4f75550
Reviewed-on: https://chromium-review.googlesource.com/463167
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44293}
