Commit Graph

57488 Commits

Author SHA1 Message Date
Thibaud Michaud
6cb6f8ee04 [wasm] Load undefined value from the wasm instance
In the generated code for export wrappers, load the undefined value from the
wasm instance rather than from the isolate. With asynchronous
compilation, the isolate may not be available.

R=mstarzinger@chromium.org

Bug: v8:9554
Change-Id: Ic448bda82c2125fc9c9f8715bce26870308715d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722556
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62946}
2019-07-29 08:15:32 +00:00
Ng Zhi An
9f3f2d5b8c [wasm-simd] Implement I64x2 Neg for arm64
Bug: v8:8460
Change-Id: Ia9ffb214738fca17fc36a4323d5e6c4d82a36f2a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719036
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62945}
2019-07-27 00:28:12 +00:00
Ng Zhi An
66c6f68be3 Skip opt-elements-kind test on gc_fuzzer
Bug: v8:9557
Change-Id: Iff790b82a362b3919a63485011745dcb7d2061c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1721203
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62944}
2019-07-26 22:48:42 +00:00
Andrew Comminos
8f97640136 [cpu-profiler] Enable logging for the lifetime of each CpuProfiler
Implements ProfilerCodeObserver, a class to track the generation and
movement of code on the heap for the lifetime of each CpuProfiler. When
sampling is inactive, logged code is committed directly to the CodeMap.
During profiling, ProfilerCodeObserver redirects these events onto the
profiling thread for later dispatch.

Bug: v8:9151
Change-Id: Ib5b152446d2a3838e1b00a80253fc4fbd2f6e8c3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1604143
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Andrew Comminos <acomminos@fb.com>
Cr-Commit-Position: refs/heads/master@{#62943}
2019-07-26 19:57:02 +00:00
Seth Brenith
5ce023df29 [regexp] Stricter bounds checks in interpreter
This change updates the RegExp bytecode generator to emit checks for
larger eats_at_least values when they are available, so we can fail to
match earlier in some cases.

Bug: v8:9305
Change-Id: I96740531e142ff8dced41c49b774845b07df6ae6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709768
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62942}
2019-07-26 15:38:12 +00:00
Santiago Aboy Solanes
0e8215eaee [ptr-compr][turbofan] Remove unneeded CheckedTaggedToTaggedPointer conversion
In some cases, we end up with a ChangeCompressedPointerToTaggedPointer next
to a CheckedTaggedToTaggedPointer. In this case, the checked one is not
needed since we are sure we are dealing with a pointer (and not a Smi).

This doesn't get resolved in the simplified lowering phase due to having a
Phi[Tagged] in the middle of those two nodes.

Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:7703
Change-Id: Ia4a44b36423c2242d5c663f9b93b09924190fe8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709426
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62941}
2019-07-26 14:55:21 +00:00
Santiago Aboy Solanes
dc76a4da20 [ptr-compr] Add method that checks sminess in 32 bits
If we are sure that we are dealing with a Compressed value, we can check
for sminess in 32 bits.

Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:7703
Change-Id: Icf77d8bcd1decfd392b4887241a9b559f11814c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1718146
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62940}
2019-07-26 14:53:41 +00:00
Georg Schmid
35a613555c [torque] Replace ReferenceType by generic Torque struct Reference<T>
This CL removes the built-in reference type in favor of a Torque-implemented generic struct, i.e., internal::Reference<T>. It also adds various infrastructure for getting and creating new generic struct instances, as well as matching against them.

R=tebbi@chromium.org

Change-Id: I1e3d6afe355a0603fa9c3ad789c6b8a97d1b3c26
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1718148
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62939}
2019-07-26 14:26:51 +00:00
Santiago Aboy Solanes
0a424ac1a5 [ptr-compr][gc] Propagate tenuring in StoreField with Compress nodes.
The propagation of tenuring from outer allocations to inner allocations
was blocked in pointer compression since we now had Compress nodes between
AllocateRaw and StoreField.

This was causing issues in GC. It popped up in the Octane2.1/Splay
benchmark, where we had big regressions.

This CL updates the memory optimizer so that it can use the Compress nodes
as bridges and can perform the optimization successfully. Note that the
Compress nodes only appear on the value input of the StoreField.

Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:7703, v8:9519
Change-Id: I6b0cc67955c6cc696e8c426b85c87a1794098ed0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714650
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62938}
2019-07-26 12:52:01 +00:00
Maya Lekova
e25fcd26b2 Revert "[d8] Remove maximum workers limitation"
This reverts commit a0728e869b.

Reason for revert: Times out on Windows & debug builds - https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20nosnap%20-%20shared/34484

Original change's description:
> [d8] Remove maximum workers limitation
> 
> This CL refactors the lifetime management of the v8::Worker C++ object
> and in the process lifts the 100 maximum worker limitation. To do this,
> it uses a Managed<v8::Worker> heap object and attaches the managed to
> the API worker object.
> 
> R=mstarzinger@chromium.org
> BUG=v8:9524
> 
> Change-Id: I279b7aeb6645a87f9108ee6f572105739721cef4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715453
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62932}

TBR=mstarzinger@chromium.org,titzer@chromium.org,clemensh@chromium.org

Change-Id: I3a27937cba13b5413390f49268a107c184515153
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9524
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1720590
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62937}
2019-07-26 12:38:26 +00:00
Dan Elphick
f47cbb28ab [parsing] Improve elision of hole checks for default parameters
Use the position of commas in arrow expressions to mark the initializer
position of any parameters that might have been set in the preceding
parameter.

To enable this, this makes variable_list_ in ExpressionParsingScope a
ScopedList<pair<VariableProxy*, int>> and changes ScopedList::at to
return references so its elements can be modified in place.

This fixes a source of bytecode mismatches when collecting source
positions lazily and is a second attempt at fixing this after
https://chromium-review.googlesource.com/c/v8/v8/+/1683267 introduced
problems due to destructuring.

Bug: chromium:980422, chromium:981701, v8:8510
Change-Id: I948f89f34fb75d7463a13183e363f7f96ad09d13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710671
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62936}
2019-07-26 12:15:31 +00:00
Ulan Degenbaev
5c95dbda9e Revert "[snapshot] Fix clearing of feedback vector in serializer (follow-up 2)"
This reverts commit 1320c917dd.

Reason for revert: The code in SFI is also flushed by the serializer with FunctionCodeHandling::kClear, so this fix does not work with --no_flush_bytecode.

Original change's description:
> [snapshot] Fix clearing of feedback vector in serializer (follow-up 2)
> 
> Bug: v8:7857
> Change-Id: I3940ae2830adb6c572e079551b7bba7d84462afd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715444
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62881}

TBR=ulan@chromium.org,rmcilroy@chromium.org,yangguo@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:7857
Change-Id: If85fe29b2cdf6523ee53895628da38d942d45c2b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719190
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62935}
2019-07-26 12:14:01 +00:00
Mythri A
b62a7166c7 Fix flaky failure in mjsunit/regress/regress-unlink-closures-on-deopt
This is short-term fix for flaky failures on GC fuzzer. The closures
g1 and g2 have the same SFI and the pending optimized table treats them as
a single entry. This CL adds %PrepareFunctionForOptimize after one of
them is optimized.

Bug: v8:9556
Change-Id: I1fd72da1baa5de2f7650e080f9b6d04b69dd6a16
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719188
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62934}
2019-07-26 12:00:11 +00:00
David Carlier
c09aff1721 random number generator seeding update for macOS
using a file-descriptor-free approach instead.

Change-Id: I9baa3d471b4ed6f624985a5b6325648ef7875596
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710665
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62933}
2019-07-26 11:55:01 +00:00
Ben L. Titzer
a0728e869b [d8] Remove maximum workers limitation
This CL refactors the lifetime management of the v8::Worker C++ object
and in the process lifts the 100 maximum worker limitation. To do this,
it uses a Managed<v8::Worker> heap object and attaches the managed to
the API worker object.

R=mstarzinger@chromium.org
BUG=v8:9524

Change-Id: I279b7aeb6645a87f9108ee6f572105739721cef4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715453
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62932}
2019-07-26 11:50:51 +00:00
Michael Achenbach
26447401f9 [build] Update mac toolchain via deps
TBR=tmrts@chromium.org

Bug: chromium:986701
Change-Id: I86cf6c73dfdb4c76eaad530bd22da385a834655b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714653
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62931}
2019-07-26 11:10:29 +00:00
Georg Neis
0a47bc63f3 [turbofan] Eliminate more non-const reference arguments
... mostly by turning them into pointer arguments.

After this CL, all remaining non-const reference arguments in
the compiler directory are in the backend.

Bug: v8:9429
Change-Id: I6a546da0fe93179e1a0b12296632591cbf209808
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719185
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62930}
2019-07-26 09:33:08 +00:00
Ng Zhi An
0cedd8649b [wasm-simd] Implement I64x2 Shl ShrS ShrU for arm64
Bug: v8:8460
Change-Id: I70bdd71909fd103f3cc537d3184d2f7225cf8cfa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719034
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62929}
2019-07-25 23:51:18 +00:00
Ng Zhi An
1a1138f57a [wasm-simd] Implement I64x2 splat extract_lane replace_lane for arm64
Bug: v8:8460
Change-Id: Ic92efbcb7c64184c237d0fb00c3c7aa75323a3e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1717662
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62928}
2019-07-25 23:19:48 +00:00
Zhi An Ng
11e27b5e6a Revert "Reland "[wasm] Compile JS to WASM wrappers asynchronously""
This reverts commit 801930f5f5.

Reason for revert: blink layout tests failure https://bugs.chromium.org/p/v8/issues/detail?id=9554

Original change's description:
> Reland "[wasm] Compile JS to WASM wrappers asynchronously"
> 
> Original CL had an issue with builtins being accessed through the
> isolate after the isolate died. See:
> https://ci.chromium.org/p/v8/builders/try.triggered/v8_win64_rel_ng_triggered/b8907837534672203296
> 
> Initial upload is the original CL and the following patch sets will
> attempt to fix it.
> 
> Original CL:
> 
> > [wasm] Compile JS to WASM wrappers asynchronously
> >
> > R=mstarzinger@chromium.org, ahaas@chromium.org
> >
> > Bug: v8:9231
> > Change-Id: I9e18073bbe25bf8c9c5f9ace102316e6209d0459
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1669699
> > Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Reviewed-by: Andreas Haas <ahaas@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#62672}
> 
> R=mstarzinger@chromium.org, ahaas@chromium.org
> 
> Bug: v8:9231
> Change-Id: I1b01d5d2b9f728d6f6a90fe9b642f5ba3bf686eb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708485
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62918}

TBR=mstarzinger@chromium.org,thibaudm@chromium.org

Change-Id: I3a6829692614c44bacb764ef02723e61a3d61763
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9231
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719231
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62927}
2019-07-25 22:48:13 +00:00
Zhi An Ng
bf7284b90c Revert "[wasm] Simplify module creation"
This reverts commit 425fa3ae15.

Reason for revert: test failure https://bugs.chromium.org/p/v8/issues/detail?id=9554; reverting the root cause has merge conflicts due to changes in the same file

Original change's description:
> [wasm] Simplify module creation
> 
> This includes WasmEngine::NewNativeModule() and WasmModuleObject::New().
> The intent is to make the various ways of creating a module (sync,
> async, deserialize, import) more similar.
> 
> After this change, a NativeModule will always be created before a
> WasmModuleObject. This will make it easier to look up a cached
> NativeModule given its wire bytes.
> 
> The following changes are made:
> 
> * Use WasmCodeManager::EstimateNativeModuleCodeSize() to find the code
>   size estimate by default. A different code size estimate is only used in
>   tests.
> * Change CompileJsToWasmWrappers() to allocate a new FixedArray instead of
>   assuming the array was created with the correct size. This simplifies
>   WasmModuleObject::New(), and matches what CompileToNativeModule()
>   does.
> * Remove the WasmModuleObject::New() constructor that creates a
>   NativeModule. This case was only used in DeserializeNativeModule() and
>   in test code.
> 
> Change-Id: I6bdfc425057f92de11abbbf702d052d40aa8267d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1717497
> Commit-Queue: Ben Smith <binji@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62925}

TBR=binji@chromium.org,ahaas@chromium.org,clemensh@chromium.org

Change-Id: I8dcad7ddcd4601f657b6263bf22009907284fce3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719230
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62926}
2019-07-25 22:47:10 +00:00
Ben Smith
425fa3ae15 [wasm] Simplify module creation
This includes WasmEngine::NewNativeModule() and WasmModuleObject::New().
The intent is to make the various ways of creating a module (sync,
async, deserialize, import) more similar.

After this change, a NativeModule will always be created before a
WasmModuleObject. This will make it easier to look up a cached
NativeModule given its wire bytes.

The following changes are made:

* Use WasmCodeManager::EstimateNativeModuleCodeSize() to find the code
  size estimate by default. A different code size estimate is only used in
  tests.
* Change CompileJsToWasmWrappers() to allocate a new FixedArray instead of
  assuming the array was created with the correct size. This simplifies
  WasmModuleObject::New(), and matches what CompileToNativeModule()
  does.
* Remove the WasmModuleObject::New() constructor that creates a
  NativeModule. This case was only used in DeserializeNativeModule() and
  in test code.

Change-Id: I6bdfc425057f92de11abbbf702d052d40aa8267d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1717497
Commit-Queue: Ben Smith <binji@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62925}
2019-07-25 21:22:46 +00:00
Ng Zhi An
8c58e0513e [wasm simd] Implement I64x2 Min and Max on x64
Bug: v8:8460
Change-Id: I913406a4079c766432a56d059a6cb9861fd469bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1703993
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62924}
2019-07-25 18:13:16 +00:00
Bill Ticehurst
84a641faa1 Fix layout of the Space class for members accessed via an offset
Bug: v8:9118
Change-Id: I2271a158226a12f69a7efdfcb6c4faccccf98d15
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715090
Commit-Queue: Bill Ticehurst <billti@microsoft.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62923}
2019-07-25 17:23:14 +00:00
Ng Zhi An
f9b2f66579 [wasm simd] Implement F64x2 Add Sub Mul on x64
Bug: v8:8460
Change-Id: Ia9b2360c414abedfd9690e97b555c4e9b19fa1b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708451
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62922}
2019-07-25 17:05:54 +00:00
Leszek Swirski
1d4079b30c [obj-stats] Fix heap-stats label order
Data in the viewer has to be in the same order as the labels.

Change-Id: I2e64fb30ebc0e3585c7b9d364553cb6a5ec1f3cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1718159
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62921}
2019-07-25 14:43:35 +00:00
Georg Neis
f95124821e [turbofan] First part of brokerization/serialization for instanceof
- Move SerializePrototype out of DependOnStablePrototypes into
  ComputePropertyAccessInfo.
- Brokerize JSNativeContextSpecialization::InferHasInPrototypeChain.
- Brokerize JSNativeContextSpecialization::ReduceJSOrdinaryHasInstance
  (modulo the call to ReduceJSInstanceOf).
- Brokerize JSNativeContextSpecialization::ReduceJSHasInPrototypeChain.
- Serialize for JSCallReducer::ReduceObjectPrototypeIsPrototypeOf.
- Serialize for JSNativeContextSpecialization::ReduceJSInstanceOf. This
  is still incomplete.

Bug: v8:7790
Change-Id: Ic56eab5ddd8d725a13d2980e5b55db53ae82e822
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709408
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62920}
2019-07-25 14:39:54 +00:00
Seth Brenith
f42b1a5d5b [regexp] Use stricter bounds check to avoid additional iteration
The motivating example is JetStream 2's UniPoker test, which tests
whether a sorted string of Unicode playing cards contains a five-card
straight using a regular expression. In the top-level generated loop for
this RegExp, we see this loop exit condition:

00000350000C2067    27  83fffe         cmpl rdi,0xfe
00000350000C206A    2a  0f8da8e40000   jge 00000350000D0518  <+0xe4d8>

Meaning if the current position is pointing at the very last (16-bit)
character, then we exit the loop. Otherwise we go on and try to find
various matches starting at the current position. However, we can see
in the original expression that any possible match is at least 10
characters (5 astral-plane Unicode values), so we're wasting a lot of
time attempting to find matches in cases where we're too close to the
end of the string for any match to succeed.

This example might be a bit contrived, but I expect that an improvement
in this bounds check would help a larger family of regular expressions,
where the minimum match length is large relative to the string being
matched and we don't meet the other necessary criteria for fast Boyer-
Moore lookahead.

To get the desired bounds check in this case, this patch does the
following:
1. Compute accurate EatsAtLeast values for every node during the
   analysis phase. This could end up doing more work than the current
   implementation, but analysis already has to touch every node, so it
   seems like a cache-friendly time to compute these values. In some
   cases, this might be less total work than the current implementation,
   because the current implementation might recompute the same node
   multiple times.
2. When emitting a quick check, use the EatsAtLeast value from the
   predecessor ChoiceNode for the bounds check.

This improves the UniPoker score on my machine by about 4%, because it
cuts the time spent checking for straights roughly in half, and checking
for straights originally accounted for about 8% of the total time.

Bug: v8:9305
Change-Id: I110b190c2578f73b2263259d5aa5750e921b01be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1702125
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62919}
2019-07-25 14:24:34 +00:00
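The bounds check the commit above describes, as an added C++ example that is not V8's code: a toy regexp AST (an assumed simplification, not V8's RegExpNode classes), a bottom-up EatsAtLeast computation over it, and a scanner that skips every start position closer to the end of the subject than EatsAtLeast. The `Search` loop with `use_bound == false` reproduces the exit check quoted from the disassembly (stop only at the last character); with `use_bound == true` it applies the stricter bound. Subjects and patterns are constructed for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <set>
#include <string>
#include <string_view>
#include <vector>

// Toy regexp AST for the illustration (assumed, not V8's RegExpNode hierarchy).
// Every kClass node consumes exactly one character.
struct Node {
  enum Kind { kClass, kSeq, kAlt, kRepeat } kind;
  std::string set;             // kClass: accepted characters
  std::vector<Node> children;  // kSeq/kAlt: parts; kRepeat: exactly one child
  int min_rep = 0;             // kRepeat: minimum repetitions
  int max_rep = -1;            // kRepeat: maximum repetitions, -1 = unbounded
};

Node Class(std::string set) { return Node{Node::kClass, std::move(set), {}, 0, -1}; }
Node Seq(std::vector<Node> parts) { return Node{Node::kSeq, "", std::move(parts), 0, -1}; }
Node Alt(std::vector<Node> branches) { return Node{Node::kAlt, "", std::move(branches), 0, -1}; }
Node Repeat(Node child, int min_rep, int max_rep) {
  return Node{Node::kRepeat, "", {std::move(child)}, min_rep, max_rep};
}

// Minimum number of characters any match of `n` must consume: the EatsAtLeast
// value the commit message computes for every node during analysis.
size_t EatsAtLeast(const Node& n) {
  switch (n.kind) {
    case Node::kClass: return 1;
    case Node::kSeq: {
      size_t total = 0;
      for (const Node& c : n.children) total += EatsAtLeast(c);
      return total;
    }
    case Node::kAlt: {  // a choice eats at least what its shortest branch eats
      size_t best = SIZE_MAX;
      for (const Node& c : n.children) best = std::min(best, EatsAtLeast(c));
      return n.children.empty() ? 0 : best;
    }
    case Node::kRepeat:
      return static_cast<size_t>(n.min_rep) * EatsAtLeast(n.children[0]);
  }
  return 0;
}

// All positions at which `n` can finish when it starts matching `s` at `pos`
// (empty set = no match). A small set-based backtracker, enough for the demo.
std::set<size_t> EndsAfter(const Node& n, std::string_view s, size_t pos) {
  std::set<size_t> out;
  auto step = [&](const Node& child, const std::set<size_t>& from) {
    std::set<size_t> to;
    for (size_t p : from) {
      std::set<size_t> e = EndsAfter(child, s, p);
      to.insert(e.begin(), e.end());
    }
    return to;
  };
  switch (n.kind) {
    case Node::kClass:
      if (pos < s.size() && n.set.find(s[pos]) != std::string::npos) out.insert(pos + 1);
      break;
    case Node::kSeq: {
      std::set<size_t> cur{pos};
      for (const Node& c : n.children) {
        cur = step(c, cur);
        if (cur.empty()) break;
      }
      out = cur;
      break;
    }
    case Node::kAlt:
      for (const Node& c : n.children) {
        std::set<size_t> e = EndsAfter(c, s, pos);
        out.insert(e.begin(), e.end());
      }
      break;
    case Node::kRepeat: {
      std::set<size_t> cur{pos};
      for (int i = 0;; ++i) {
        if (i >= n.min_rep) out.insert(cur.begin(), cur.end());
        if (n.max_rep >= 0 && i == n.max_rep) break;
        std::set<size_t> next = step(n.children[0], cur);
        if (next.empty() || (next == cur && i >= n.min_rep)) break;  // no progress
        cur = std::move(next);
      }
      break;
    }
  }
  return out;
}

struct SearchResult {
  bool found;
  size_t attempts;  // start positions tried before matching or giving up
};

// Without the bound the scan stops only at the last character, like the
// `cmpl rdi,0xfe` exit check quoted above. With it, start positions closer to
// the end than EatsAtLeast are never tried, because no match could fit there.
SearchResult Search(const Node& re, std::string_view s, bool use_bound) {
  const size_t need = use_bound ? std::max<size_t>(EatsAtLeast(re), 1) : 1;
  SearchResult r{false, 0};
  for (size_t pos = 0; pos + need <= s.size(); ++pos) {
    ++r.attempts;
    if (!EndsAfter(re, s, pos).empty()) { r.found = true; break; }
  }
  return r;
}

// Five consecutive digits: the shape of the "five-card straight" pattern.
Node FiveDigits() { return Repeat(Class("0123456789"), 5, 5); }
```

On the constructed subject `"A2B3C4D5E6F7G8H9"` (16 characters, no match) the unbounded scan tries all 16 start positions while the bounded scan tries 12, which is the saving the commit message describes for patterns whose minimum match length is large relative to the subject.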
Thibaud Michaud
801930f5f5 Reland "[wasm] Compile JS to WASM wrappers asynchronously"
Original CL had an issue with builtins being accessed through the
isolate after the isolate died. See:
https://ci.chromium.org/p/v8/builders/try.triggered/v8_win64_rel_ng_triggered/b8907837534672203296

Initial upload is the original CL and the following patch sets will
attempt to fix it.

Original CL:

> [wasm] Compile JS to WASM wrappers asynchronously
>
> R=mstarzinger@chromium.org, ahaas@chromium.org
>
> Bug: v8:9231
> Change-Id: I9e18073bbe25bf8c9c5f9ace102316e6209d0459
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1669699
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62672}

R=mstarzinger@chromium.org, ahaas@chromium.org

Bug: v8:9231
Change-Id: I1b01d5d2b9f728d6f6a90fe9b642f5ba3bf686eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708485
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62918}
2019-07-25 13:44:14 +00:00
Santiago Aboy Solanes
31518ccc0e [ptr-compr] Avoid (de)compressions in CheckSmi
Avoids unnecessary compression and decompression nodes since we
are going to be able to check for smis without needing to decompress and
re-compress.

It was doing a CheckedInt32ToTaggedSigned ->
ChangeTaggedSignedToCompressedSigned combo, where we could just do
CheckedInt32ToCompressedSigned.

Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:7703
Change-Id: I0bbbbb5bd4744c49840c84b2fcb775fe6b603de0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714878
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62917}
2019-07-25 13:36:53 +00:00
Tobias Tebbi
a6c859f9bc [torque] disallow tail calls from macros
Bug: v8:7793
Change-Id: I36daa0ef26cc7c274c64cfdba7e3a196677a7bc4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1718156
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62916}
2019-07-25 13:20:32 +00:00
Georg Neis
52dbefd66a [turbofan] Remove some obsolete serialization calls
Bug: v8:7790
Change-Id: I774601b25f4dbe104875d18c03e17244efc1a0e2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1718157
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62915}
2019-07-25 13:15:02 +00:00
Leszek Swirski
b50ee58ca7 [obj-stats] Count more field types (Smi, boxed double, string)
Distinguish between generic Tagged and Smi in-object fields, and special
case (boxed) double values and string data rather than lumping those
into generic "raw data"

Change-Id: I5d635434ab94065c077a40110948424c31ead73d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1718154
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62914}
2019-07-25 13:04:12 +00:00
Mathias Bynens
dd7190a979 [regexp] Add UseCounter for matchAll with non-g RegExp
Per the July TC39 meeting consensus, we'd like to make the
upcoming String.prototype.replaceAll proposal throw for
non-global RegExp searchValues. However,
String.prototype.matchAll currently does not throw in this
case, causing consistency concerns.

This patch adds a use counter for String.prototype.matchAll
with a non-global RegExp as the searchValue. Hopefully, this
pattern isn't too common in real-world code today, in which case
we can both a) change matchAll and b) proceed with the desired
replaceAll semantics.

https://github.com/tc39/proposal-string-replaceall/issues/16

V8 CL: https://chromium-review.googlesource.com/c/v8/v8/+/1718145
Chromium CL: https://chromium-review.googlesource.com/c/chromium/src/+/1718367

BUG=v8:9551

Change-Id: Ica660a0a6189d84c3d33398c98305d0bcb9f8c23
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1718145
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62913}
2019-07-25 12:53:02 +00:00
Leszek Swirski
61a3f827ee [ptr-compr] Fix literal field copy iteration size
When iterating over fields to copy, we should copy kTagged-sized fields,
not kPointer-sized fields, to avoid overwriting something allocated after
the last slot of an object if the end of the object isn't kPointer
aligned.

Bug: v8:8948
Change-Id: Ic3d933157ca1962a779dba6ae58facb558d75ca0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1718151
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62912}
2019-07-25 12:49:33 +00:00
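The failure mode the commit above fixes, as an added C++ example that is not V8's code: an object whose size is a multiple of the 4-byte tagged slot but not of the 8-byte pointer is copied slot by slot. Iterating in pointer-sized steps writes past the end of the object into whatever was allocated after it; iterating in tagged-sized steps does not. The slot sizes, the 12-byte literal and the neighbouring object with a marker field are constructed for the example, not taken from V8's headers.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Assumed sizes for this illustration: under pointer compression a tagged slot
// is 4 bytes while a raw pointer is 8 bytes.
constexpr size_t kTaggedSize = 4;
constexpr size_t kPointerSize = 8;

// Copies an object of `object_size` bytes in `slot_size`-byte steps, the way a
// field iteration loop would. Returns how many bytes past the end of the
// object the final step wrote (0 when the copy is exact).
size_t CopyFields(uint8_t* dst, const uint8_t* src, size_t object_size,
                  size_t slot_size) {
  size_t end = 0;
  for (size_t off = 0; off < object_size; off += slot_size) {
    std::memcpy(dst + off, src + off, slot_size);
    end = off + slot_size;
  }
  return end > object_size ? end - object_size : 0;
}

// Overrun for a given object and slot size, using scratch buffers large enough
// to absorb the overshoot so the measurement itself is safe.
size_t OverrunBytes(size_t object_size, size_t slot_size) {
  std::vector<uint8_t> dst(object_size + slot_size), src(object_size + slot_size);
  return CopyFields(dst.data(), src.data(), object_size, slot_size);
}

// Constructed heap: a 12-byte literal (three tagged fields, not 8-byte aligned)
// immediately followed by a neighbouring object whose first field is kMarker.
constexpr size_t kLiteralSize = 3 * kTaggedSize;
constexpr uint32_t kMarker = 0x41414141;

// Copies a source literal over the destination literal with the given slot
// size and returns the neighbour's first field afterwards: kMarker if intact,
// otherwise whatever bytes happened to follow the source literal.
uint32_t NeighbourFieldAfterCopy(size_t slot_size) {
  std::vector<uint8_t> heap(kLiteralSize + kPointerSize, 0x00);
  std::memcpy(heap.data() + kLiteralSize, &kMarker, sizeof kMarker);
  std::vector<uint8_t> source(kLiteralSize + kPointerSize, 0xEE);  // literal + trailing bytes
  CopyFields(heap.data(), source.data(), kLiteralSize, slot_size);
  uint32_t field;
  std::memcpy(&field, heap.data() + kLiteralSize, sizeof field);
  return field;
}

int main() {
  std::printf("tagged-sized copy:  neighbour=0x%08x overrun=%zu\n",
              NeighbourFieldAfterCopy(kTaggedSize), OverrunBytes(kLiteralSize, kTaggedSize));
  std::printf("pointer-sized copy: neighbour=0x%08x overrun=%zu\n",
              NeighbourFieldAfterCopy(kPointerSize), OverrunBytes(kLiteralSize, kPointerSize));
  return 0;
}
```

The pointer-sized loop leaves the neighbour's first field as 0xEEEEEEEE, a four-byte out-of-bounds write; the tagged-sized loop leaves it untouched.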
Maya Lekova
6c46b2031c Update V8 version to 7.8
TBR=machenbach@chromium.org
NOTRY=true

Change-Id: Ibe9b8e034ad71a45d3d5eeba70d7d07cd897dee3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1718158
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62911}
2019-07-25 12:41:32 +00:00
Clemens Hammacher
9afbef1ebe [wasm] Grow reserved code space exponentially
If a new code allocation request cannot be fulfilled, do not just
reserve enough to fulfill this one request, but request at least 20
percent of the total reserved code space so far. This ensures that
the reserved space grows exponentially instead of linearly.

R=mstarzinger@chromium.org

Bug: chromium:987560
Change-Id: I3fc4dd0f7acee2a380495a87c0425c58058551bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1718144
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62910}
2019-07-25 11:03:40 +00:00
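The growth policy from the commit above, as an added C++ simulation that is not V8's code: a linear policy reserves only what the failing request needs, while the exponential policy reserves at least 20 percent of everything reserved so far. The 64 KiB reservation granularity and the workload (1000 functions of 4 KiB each) are assumptions for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>

// Reservation granularity assumed for this simulation (not V8's real value).
constexpr size_t kReservationPage = 64 * 1024;

size_t RoundUpToPage(size_t bytes) {
  return (bytes + kReservationPage - 1) / kReservationPage * kReservationPage;
}

// Old behaviour: reserve just enough to cover the request that did not fit.
size_t LinearGrowth(size_t /*total_reserved*/, size_t shortfall) {
  return RoundUpToPage(shortfall);
}

// Policy from the commit message: reserve at least 20 percent of everything
// reserved so far, so the total grows geometrically rather than linearly.
size_t ExponentialGrowth(size_t total_reserved, size_t shortfall) {
  return RoundUpToPage(std::max(shortfall, total_reserved / 5));
}

struct CodeSpace {
  size_t reserved = 0;      // bytes reserved from the OS so far
  size_t used = 0;          // bytes handed out to generated code
  size_t reservations = 0;  // number of trips back to the OS

  // Hands out `bytes` of code space; when the request does not fit, grows the
  // reservation by policy(total_reserved, shortfall).
  void Allocate(size_t bytes, size_t (*policy)(size_t, size_t)) {
    if (used + bytes > reserved) {
      reserved += policy(reserved, used + bytes - reserved);
      ++reservations;
    }
    used += bytes;
  }
};

// Simulates compiling `count` functions of `bytes_each` bytes under one policy.
CodeSpace Simulate(size_t count, size_t bytes_each, bool exponential) {
  CodeSpace space;
  for (size_t i = 0; i < count; ++i) {
    space.Allocate(bytes_each, exponential ? ExponentialGrowth : LinearGrowth);
  }
  return space;
}

int main() {
  // 1000 functions of 4 KiB each: 63 reservations linearly, 18 exponentially.
  for (bool exponential : {false, true}) {
    CodeSpace s = Simulate(1000, 4096, exponential);
    std::printf("%-11s reservations=%zu reserved=%zu used=%zu\n",
                exponential ? "exponential" : "linear",
                s.reservations, s.reserved, s.used);
  }
  return 0;
}
```

The price of the exponential policy is over-reservation: in this run it ends with about 4.4 MiB reserved for 3.9 MiB of code, which is why the policy bounds the growth step by a fraction of the current total rather than doubling outright.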
Santiago Aboy Solanes
7f1304755b [turbofan][cleanup] Do a Word32Equal since inputs are 32 bits
The two inputs are a Word32And and an Int32Constant. There is no need to
do this in 64 bits.

Bug: v8:9396
Change-Id: Ie564ac2f43e98192bf9853855b6c766248264886
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715462
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62909}
2019-07-25 10:28:10 +00:00
Maya Lekova
60d2018f1f Reland "[turbofan] Brokerize Function.prototype.bind"
This is a reland of 49f8323f7c

Re-applied previous fix for an undefined symbol,
changing std::max to i::Max.

Original change's description:
> [turbofan] Brokerize Function.prototype.bind
>
> Bug: v8:7790
> Change-Id: I2985f5740b947445723ce0f5072a32be48d22be1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709410
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62895}

Bug: v8:7790
Change-Id: I1f141ea097054f069b94563e6140848e41c0ae1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715459
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62908}
2019-07-25 09:39:40 +00:00
Yu Yin
484c155825 [mips][wasm] Access "CEntryStub" from the root set.
Port 5564356 https://crrev.com/c/1714656

Original Commit Message:

    This removes a shortcut to a "CEntryStub" from the instance object and
    instead loads those values via the root set which is also referenced
    from the instance. It makes instance objects smaller.

Change-Id: I62d16960cb18e3cd69c2fa56da85a6bfc6064db4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1716473
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Yu Yin <xwafish@gmail.com>
Cr-Commit-Position: refs/heads/master@{#62907}
2019-07-25 08:59:18 +00:00
Andreas Haas
81efb932b5 [wasm][bulk-memory] Adjust elem and data segment to recent spec changes
R=binji@chromium.org

Change-Id: I8eeff7dbc92749c4b9ea6bedd9123b9e6635ab5c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709048
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62906}
2019-07-25 08:40:27 +00:00
v8-ci-autoroll-builder
0ed85c1d3e Update wasm-spec.
Rolling v8/test/wasm-js/data: 1a411f7..b0c936c

[interpreter] Downgrade to Ocaml 4.02 (#1044) (Andreas Rossberg)
https://chromium.googlesource.com/external/github.com/WebAssembly/spec/+/b0c936c

TBR=ahaas@chromium.org,clemensh@chromium.org

Change-Id: I9726e31b94e0ffa2e4b10f0dc447b0253f03deb5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1716001
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#62905}
2019-07-25 04:33:53 +00:00
Patrick Thier
3a0f407d26 Reland "Reland "[regexp] Call the regexp interpreter without CEntry overhead""
This is a reland of c2ee4a7999

Original change's description:
> Reland "[regexp] Call the regexp interpreter without CEntry overhead"
> 
> This is a reland of d4d28b73cb
> 
> Original change's description:
> > [regexp] Call the regexp interpreter without CEntry overhead
> > 
> > Previously all RegExp calls went through Runtime_RegExpExec when --regexp-interpret-all was set.
> > 
> > This CL avoids the runtime overhead by calling into the interpreter directly from the RegExpExec Builtin when the regular expression subject was already compiled to ByteCode (i.e. after the first call).
> > 
> > Bug: v8:8954
> > Change-Id: Iae9dfcef3370b772a05b2942305335d592f6f15a
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1698391
> > Commit-Queue: Patrick Thier <pthier@google.com>
> > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#62753}
> 
> Bug: v8:8954
> Change-Id: I1f0b6de9c6da65bcb582ddb41a37419116a5c510
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1706053
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Patrick Thier <pthier@google.com>
> Cr-Commit-Position: refs/heads/master@{#62794}

Bug: v8:8954
Change-Id: Ice77c05240f1fabd36bf97b8e789dd4c25a9718f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715451
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62904}
2019-07-24 17:20:15 +00:00
Frank Tang
5bd577834b [Intl] Adding volume units.
Add 'fluid-ounce', 'gallon', 'liter', and 'milliliter'
Also roll ICU to 682a2309

Sync with https://github.com/tc39/proposal-unified-intl-numberformat/pull/48

Bug: v8:9475
Change-Id: If45a20f17f5973b860893b0f70e724cc93c6550a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1699759
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62903}
2019-07-24 17:16:46 +00:00
Daniel Clark
61e2b67ecd Move potentially reentrant allocation out of the middle of Module::Reset
During Module::Reset(), the module is in an unstable state between the
change to SourceTextModule::code and Module::status.  Any reentrancy
between these points is problematic because the normal invariants about
the value of SourceTextModule::code in relation to Module::status do not
hold.

An allocation of the exports hash table in the middle of Module::Reset()
was causing reentrancy during this problematic time.  This change fixes
the issue by moving the allocation earlier in Reset() before any fields
are modified.

Bug: v8:9522
Change-Id: Ia941af60a0b31f05a6d8da610b9a270e7f79dac2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1712449
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Dan Clark <daniec@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#62902}
2019-07-24 17:14:18 +00:00
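The ordering hazard described in the message above, as an added example that is not V8 code: a toy Module with the two fields the commit names (code and status), a heap whose allocations can run reentrant work through an observer, and both Reset orderings side by side. The invariant, the Heap class, the ExportsTable type and the function names are assumptions made for this illustration; only the field names follow the commit message.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>

// Stand-ins for SourceTextModule::code and Module::status. The consistency
// rule below is an assumption for this example, not V8's actual invariant.
enum class Status { kUninstantiated, kInstantiated };
enum class CodeKind { kSharedFunctionInfo, kJSFunction };

using ExportsTable = std::unordered_map<std::string, int>;

struct Module {
  CodeKind code = CodeKind::kJSFunction;   // SourceTextModule::code stand-in
  Status status = Status::kInstantiated;   // Module::status stand-in
  std::unique_ptr<ExportsTable> exports;   // the "exports hash table"

  // Assumed invariant: an uninstantiated module holds the SharedFunctionInfo,
  // an instantiated one holds the JSFunction, never the other combination.
  bool ConsistentState() const {
    return (status == Status::kUninstantiated) ==
           (code == CodeKind::kSharedFunctionInfo);
  }
};

// Toy heap (hypothetical): every allocation may run reentrant work such as a
// GC callback, heap verifier or finalizer that inspects live objects.
class Heap {
 public:
  void SetReentrantObserver(std::function<void()> f) { observer_ = std::move(f); }
  template <typename T>
  std::unique_ptr<T> Allocate() {
    if (observer_) observer_();  // the reentrancy point
    return std::make_unique<T>();
  }
 private:
  std::function<void()> observer_;
};

// Ordering the commit describes as problematic: one field changed, then an
// allocation that may reenter, then the second field.
void ResetBuggy(Module& m, Heap& heap) {
  m.code = CodeKind::kSharedFunctionInfo;
  m.exports = heap.Allocate<ExportsTable>();   // observer sees a torn state here
  m.status = Status::kUninstantiated;
}

// Ordering the commit moves to: allocate first, then update both fields with
// no reentrancy point between them.
void ResetFixed(Module& m, Heap& heap) {
  auto fresh_exports = heap.Allocate<ExportsTable>();  // observer sees the old, consistent state
  m.code = CodeKind::kSharedFunctionInfo;
  m.status = Status::kUninstantiated;
  m.exports = std::move(fresh_exports);
}

// Runs one Reset variant under an observer that checks the invariant at every
// reentrancy point. Returns the number of violations observed; a final
// inconsistent state after Reset counts as 100 so it cannot be confused with
// a mid-Reset observation.
int ViolationsDuringReset(bool use_fixed_order) {
  Module m;
  Heap heap;
  int violations = 0;
  heap.SetReentrantObserver([&] {
    if (!m.ConsistentState()) ++violations;
  });
  if (use_fixed_order) ResetFixed(m, heap); else ResetBuggy(m, heap);
  if (!m.ConsistentState()) violations += 100;
  return violations;
}

int main() {
  std::printf("buggy order: %d violation(s)\n", ViolationsDuringReset(false));
  std::printf("fixed order: %d violation(s)\n", ViolationsDuringReset(true));
  return 0;
}
```

Both orderings leave the module consistent once Reset returns; the difference is only what reentrant code can observe part way through, which is exactly the window the commit closes by hoisting the allocation above the first field write.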
Georgia Kouveli
7cb9984ef9 [arm64] Add support for pointer authentication instructions
Change-Id: I29c88d9e5de34e9a940b76ab76a40376d251c25f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1373781
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62901}
2019-07-24 17:00:26 +00:00
Bill Budge
95c7148d82 [wasm simd] Fix two reversing swizzles.
- Fixes bugs in x64 and ia32 reversing swizzles.

Change-Id: Iea0beccab804fd8e68dc58bc0fa11db46ac391c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1330104
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62900}
2019-07-24 16:41:15 +00:00
Zhi An Ng
6747e3a186 Revert "Add postmortem debugging helper library"
This reverts commit 517ab73fd7.

Reason for revert: Test failures https://bugs.chromium.org/p/v8/issues/detail?id=9538

Original change's description:
> Add postmortem debugging helper library
> 
> This change begins to implement the functionality described in
> https://docs.google.com/document/d/1evHnb1uLlSbvHAAsmOXyc25x3uh1DjgNa8u1RHvwVhk/edit#
> for investigating V8 state in crash dumps.
> 
> This change adds a new library, v8_debug_helper, for providing platform-
> agnostic assistance with postmortem debugging. This library can be used
> by extensions built for debuggers such as WinDbg or lldb. Its public API
> is described by debug-helper.h; currently the only method it exposes is
> GetObjectProperties, but we'd like to add more functionality over time.
> The API surface is restricted to plain C-style structs and pointers, so
> that it's easy to link from a debugger extension built with a different
> toolchain.
> 
> This change also adds a new cctest file to exercise some basic
> interaction with the new library.
> 
> The API function GetObjectProperties takes an object pointer (which
> could be compressed, or weak, or a SMI), and returns a string
> description of the object and a list of properties the object contains.
> For now, the list of properties is entirely based on Torque object
> definitions, but we expect to add custom properties in future updates so
> that it can be easier to make sense of complex data structures such as
> dictionaries.
> 
> GetObjectProperties does several things that are intended to generate
> somewhat useful results even in cases where memory may be corrupt or
> unavailable:
> - The caller may optionally provide a type string which will be used if
>   the memory for the object's Map is inaccessible.
> - All object pointers are compared against the list of known objects
>   generated by mkgrokdump. The caller may optionally provide the
>   pointers for the first pages of various heap spaces, to avoid spurious
>   matches. If those pointers are not provided, then any matches are
>   prefixed with "maybe" in the resulting description string, such as
>   "maybe UndefinedValue (0x4288000341 <Oddball>)".
> 
> Bug: v8:9376
> 
> Change-Id: Iebf3cc2dea3133c7811bcefcdf38d9458b02fded
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1628012
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Michael Stanton <mvstanton@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62882}

TBR=yangguo@chromium.org,mvstanton@chromium.org,jgruber@chromium.org,tebbi@chromium.org,seth.brenith@microsoft.com

Change-Id: Ia078f2e8d101d2375b5db88021b2d65d28f1b075
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9376
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1716033
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62899}
2019-07-24 16:31:54 +00:00
Leszek Swirski
db37c0fb95 [parser] Templaterificate ScopedPtrList into ScopedList
This will allow us to use ScopedPtrList for other contents than just
pointers.

Change-Id: Ib16d388d5dd556f5e01593279f463ae25510f2be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715455
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62898}
2019-07-24 15:09:43 +00:00
Milad Farazmand
6cd231bc41 PPC/s390: [wasm] Access "CEntryStub" from the root set.
Port 55643564a6

Original Commit Message:

    This removes a shortcut to a "CEntryStub" from the instance object and
    instead loads those values via the root set which is also referenced
    from the instance. It makes instance objects smaller.

R=mstarzinger@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I2ad2f3479431dae71f47af7ad5c722e46fd592d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1716368
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#62897}
2019-07-24 14:09:03 +00:00