- 14 Apr, 2020 1 commit
-
-
Georg Neis authored
For example, when --fuzzing is off, %OptimizeFunctionOnNextCall now crashes when given a non-function argument. The following behaviors remain unchanged for now: - %DeoptimizeFunction continues to do nothing if the function is not optimized. - %DeoptimizeNow continues to do nothing if the top-most JS function is not optimized. - %OptimizeOSR continues to do nothing if the function already has optimized code. Bug: v8:10249 Change-Id: I35d2f3d50ce3f94c8ffccabe50fb4df2b70ce028 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2137406 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#67121}
-
- 14 May, 2019 1 commit
-
-
Z Duong Nguyen-Huu authored
Reverted CL is in https://chromium-review.googlesource.com/c/v8/v8/+/1585269 This includes fix for ThrowTypeErrorIfStrict and add regression test. Spec: https://tc39.github.io/ecma262/#sec-proxy-object-internal-methods-and-internal-slots-set-p-v-receiver Bug: v8:6664, v8:9234 Change-Id: I785df3f12f619e2e0fe7b011b72043758e4083e3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1604071Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Cr-Commit-Position: refs/heads/master@{#61497}
-
- 30 Apr, 2019 1 commit
-
-
Mythri A authored
With bytecode flushing and lazy feedback allocation, we need to call %PrepareForOptimization before we call %OptimizeFunctionOnNextCall Bug: v8:8801, v8:8394 Change-Id: I81918f174b2f97cbaa8b8ef2e459080c2581f535 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588415 Commit-Queue: Mythri Alle <mythria@chromium.org> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#61122}
-
- 18 Dec, 2018 1 commit
-
-
Mythri authored
When we call ObjectToString on JSValues we only looked at string tags on the prototype map of the JSValue's value type and do not check the tags on the JSValue's prototype chain which may be non-trivial if subclassing is involved. For ex: if we have a class Test extend Number, we only looked for tags on the Number prototype and not on the Test prototype. This cl fixes the builtin to also check for these cases. Bug: v8:7706 Change-Id: I9f0e3bb6499646bf27b92bf4fb4e9014f6efa56b Reviewed-on: https://chromium-review.googlesource.com/c/1378176Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#58338}
-
- 11 Dec, 2018 1 commit
-
-
Ben L. Titzer authored
This is purely a renaming change. The ES spec uses the term 'detach' for the process of removing the backing store of a typed array, while V8 uses the historical term 'neuter'. Update our internal implementation, including method names and flag names, to match the spec. Note that some error messages still use the term 'neuter' since error messages are asserted by some embedder tests, like layout tests. R=bmeurer@chromium.org, yangguo@chromium.org, mstarzinger@chromium.org, mlippautz@chromium.org BUG=chromium:913887 Change-Id: I62f1c3ac9ae67ba01d612a5221afa3d92deae272 Reviewed-on: https://chromium-review.googlesource.com/c/1370036 Commit-Queue: Ben Titzer <titzer@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#58149}
-
- 18 Oct, 2018 1 commit
-
-
Hai Dang authored
AllocateJSArray always allocates in new space, so we bailout of the fast path for strings if the new array does not fit in new space. Bug found by ClusterFuzz. Regression test added. This also switches to the BranchIf pattern to avoid materialize a bool. Bug: chromium:895860, v8:7980 Change-Id: Ic7c41268c394ac2796b7694252390ab50fd74838 Reviewed-on: https://chromium-review.googlesource.com/c/1286337Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Hai Dang <dhai@google.com> Cr-Commit-Position: refs/heads/master@{#56759}
-
- 02 May, 2018 1 commit
-
-
Choongwoo Han authored
Bug: chromium:837939 Change-Id: Iaca2bc5b52f47d8add13ed9b82497a53cb522933 Reviewed-on: https://chromium-review.googlesource.com/1034043Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#52913}
-
- 30 Apr, 2018 1 commit
-
-
Caitlin Potter authored
The originally checked in regression test (https://chromium-review.googlesource.com/c/v8/v8/+/1034210/3/test/mjsunit/es6/regress/regress-7706.js) didn't actually reproduce the bug. BUG=v8:7706 R=gsathya@chromium.org, bmeurer@chromium.org Change-Id: I991c91d5a7f15419e388cb5133a281cf7f51736a Reviewed-on: https://chromium-review.googlesource.com/1036108Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Commit-Queue: Caitlin Potter <caitp@igalia.com> Cr-Commit-Position: refs/heads/master@{#52894}
-
- 29 Apr, 2018 1 commit
-
-
Caitlin Potter authored
Without this change, we could disable slow paths required when symbols such as toStringTag are present on a receiver, but accessors or interceptors are not (added in 31800120) This change modifies this behaviour to not unset the previously set bit if these forced slow path conditions are not met. BUG=v8:7706 R=bmeurer@chromium.org Change-Id: Id7bceb0e749da52e2dbcde0a310a865a89f24066 Reviewed-on: https://chromium-review.googlesource.com/1034210Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Caitlin Potter <caitp@igalia.com> Cr-Commit-Position: refs/heads/master@{#52874}
-
- 14 Mar, 2018 1 commit
-
-
Caitlin Potter authored
- Add a new bytecode for the ToString operation, replacing the old intrinsic call (currently does not collect type feedback). - Add a new AST node to represent TemplateLiterals, and avoid generating unnecessary ToString operations in some simple cases. - Use a single feedback slot for each string addition, because the type feedback should always be the same for each addition This seems to produce a very slight improvement on JSTests benchmarks and bench-ruben.js from v8:7415, and it's possible that type feedback for the ToString bytecode could provide more opportunities to eliminate the runtime call in TurboFan. Doesn't touch tagged templates [esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral Fixes an error where TemplateLiteral printing in --print-ast would try to read an element beyond the length of a vector. BUG=v8:7415, chromium:820596 R=adamk@chromium.org, gsathya@chromum.org, rmcilroy@chromium.org, ishell@chromium.org, bmeurer@chromium.org Change-Id: Ie56894f73a6445550a5f95f42160c4e29ab1da42 Reviewed-on: https://chromium-review.googlesource.com/958408Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Caitlin Potter <caitp@igalia.com> Cr-Commit-Position: refs/heads/master@{#51933}
-
- 10 Mar, 2018 2 commits
-
-
Michael Achenbach authored
This reverts commit 0802e2b2. Reason for revert: For reverting https://crrev.com/c/945408 Original change's description: > [esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral > > Fixes an error where TemplateLiteral printing in --print-ast > would try to read an element beyond the length of a vector. > > BUG=v8:7415, chromium:820596 > R=adamk@chromium.org, gsathya@chromium.org > > Change-Id: Idf9e0da8c165ee62bc1a348a91c2ed5ed798404a > Reviewed-on: https://chromium-review.googlesource.com/957883 > Reviewed-by: Adam Klein <adamk@chromium.org> > Commit-Queue: Caitlin Potter <caitp@igalia.com> > Cr-Commit-Position: refs/heads/master@{#51857} TBR=adamk@chromium.org,gsathya@chromium.org,caitp@igalia.com Change-Id: I5fe950cd823ae350b5f6c09227a62aef9dc2a008 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:7415, chromium:820596 Reviewed-on: https://chromium-review.googlesource.com/957724Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#51861}
-
Caitlin Potter authored
Fixes an error where TemplateLiteral printing in --print-ast would try to read an element beyond the length of a vector. BUG=v8:7415, chromium:820596 R=adamk@chromium.org, gsathya@chromium.org Change-Id: Idf9e0da8c165ee62bc1a348a91c2ed5ed798404a Reviewed-on: https://chromium-review.googlesource.com/957883Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Caitlin Potter <caitp@igalia.com> Cr-Commit-Position: refs/heads/master@{#51857}
-
- 23 Oct, 2017 1 commit
-
-
Choongwoo Han authored
- Fix a wrong type casting triggered when a given array's length is zero - Add a regression test case Bug: chromium:777182, chromium:768775 Change-Id: I615b73e9d7bad657c872c96c7a204efe355d8289 Reviewed-on: https://chromium-review.googlesource.com/732865Reviewed-by: Peter Marshall <petermarshall@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#48821}
-
- 23 Jun, 2017 1 commit
-
-
Michael Starzinger authored
This removes the --turbo flag and solely relies on the filter pattern provided via --turbo-filter when deciding whether to use TurboFan. Note that disabling optimization wholesale can still be done with --no-opt, which should be used in favor of --no-turbo everywhere. Also note that this contains semantic changes to the TurboFan activation criteria. We respect the filter pattern more stringently and no longer activate TurboFan just because the source contains patterns forcing use of Ignition via {AstNumberingVisitor::DisableFullCodegenAndCrankshaft}. R=rmcilroy@chromium.org BUG=v8:6408 Change-Id: I0c855f6a62350eb62283a3431c8cc1baa750950e Reviewed-on: https://chromium-review.googlesource.com/528121Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#46167}
-
- 24 May, 2017 1 commit
-
-
Caitlin Potter authored
A few tests that would be good to have to verify that the known manifestations of this bug are resolved. Previously, the async generator and async function tests would crash. The other ones never did, but still resulted in the register overwite bug. BUG=v8:6322 R=adamk@chromium.org Change-Id: Ic2238227629077de5671d67d18b3bfe018dd23f4 Reviewed-on: https://chromium-review.googlesource.com/514230Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Caitlin Potter <caitp@igalia.com> Cr-Commit-Position: refs/heads/master@{#45524}
-
- 04 May, 2017 1 commit
-
-
Caitlin Potter authored
Removes the do-expression wrapping, modifies BytecodeGenerator change to enter a class literal's block scope if needed. This does not solve the actual bug in v8:6322, but helps mitigate it in simple cases. The bug is caused by BytecodeGenerator not allocating a large enough array of context registers to hold its entire stack, allowing non-context registers to be overwritten during PushContext and PopContext bytecodes. Nevertheless, I like the idea of not depending on do-expressions when possible, so I think it's worth doing anyways. BUG=v8:6322 R=rmcilroy@chromium.org, marja@chromium.org, littledan@chromium.org Change-Id: I82b7569db2a0eead1694bd04765fc4456c2f1a0a Reviewed-on: https://chromium-review.googlesource.com/491074 Commit-Queue: Caitlin Potter <caitp@igalia.com> Reviewed-by: Marja Hölttä <marja@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Daniel Ehrenberg <littledan@chromium.org> Cr-Commit-Position: refs/heads/master@{#45110}
-
- 22 Mar, 2017 1 commit
-
-
Caitlin Potter authored
The AssignmentExpressions can legally contain destructuring assignments. BUG=v8:6098 R=marja@chromium.org, adamk@chromium.org Change-Id: I99b3a0f4c8d103edfb1dda943ec3e2ab2a5969f7 Reviewed-on: https://chromium-review.googlesource.com/455221 Commit-Queue: Caitlin Potter <caitp@igalia.com> Reviewed-by: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/master@{#44049}
-
- 15 Feb, 2017 1 commit
-
-
caitp authored
- Removes shared InnerArrayCopyWithin JS builtin from src/js/array.js - Implements %TypedArray%.prototype.copyWithin as a C++ builtin, which relies on std::memmove rather than accessing individual eleements. - Fixes the case where copyWithin is invoked on a TypedArray with a detached buffer. - Add tests to ensure that +/-Infinity (for all 3 parameters) is handled correctly by the algorithm The C++ version gets through the benchmark more than 25000 times as quickly as the JS implementation. BUG=v8:5925, v8:5929, v8:4648 R=cbruni@chromium.org, adamk@chromium.org, littledan@chromium.org Review-Url: https://codereview.chromium.org/2697593002 Cr-Commit-Position: refs/heads/master@{#43213}
-
- 18 Nov, 2016 2 commits
-
-
caitp authored
BUG=666622, v8:5388 R=bmeurer@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2515683002 Cr-Commit-Position: refs/heads/master@{#41118}
-
marja authored
It originates from the era where we used to run a separate preparse step before parsing and store the function data. Now the usage of preparser is something completely different, so this flag doesn't make sense any more. In addition, this way we get more test coverage for preparser (for small scripts). BUG= Review-Url: https://codereview.chromium.org/2513563002 Cr-Commit-Position: refs/heads/master@{#41110}
-
- 16 Nov, 2016 1 commit
-
-
jgruber authored
This CL further extends the debug wrapper, migrates around 60 tests, and removes a few tests that use functionality we will not support anymore. In more detail: * Removed tests that use: * enable/disable individual breakpoints * invocationText() * the ScriptCollected event * showBreakPoints * evalFromScript (and similar) * mirror.constructedBy and mirror.referencedBy * event_data.promise() * Some frame.evaluate uses were adapted since due to differences between remote objects (inspector) and mirrors. For instance, exceptions are currently not recreated exactly, since the inspector protocol does not give us the stack and message separately. Other objects (such as 'this' in debug-evaluate-receiver-before-super) need to be explicitly converted to a string before the test works correctly. * Ensure that inspector stores the script before sending ScriptParsed and ScriptFailedToParse events in order to be able to use the script from within those events. * Better remote object reconstruction (e.g. for undefined and arrays). * New functionality in wrapper: * debuggerFlags().breakPointsActive.setValue() * scripts() * execState.setVariableValue() * execState.scopeObject().value() * execState.scopeObject().property() * execState.frame().allScopes() * eventData.exception() * eventData.script() * setBreakPointsActive() BUG=v8:5530 Review-Url: https://codereview.chromium.org/2497973002 Cr-Commit-Position: refs/heads/master@{#41019}
-
- 14 Nov, 2016 1 commit
-
-
caitp authored
Do not take the fast path for Array.prototype.keys() if the array length is not guaranteed to be an Smi. BUG=660925, v8:5388 R=bmeurer@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2496323002 Cr-Commit-Position: refs/heads/master@{#40976}
-
- 08 Nov, 2016 1 commit
-
-
jgruber authored
BUG=v8:5530 Review-Url: https://codereview.chromium.org/2487673002 Cr-Commit-Position: refs/heads/master@{#40840}
-
- 04 Nov, 2016 1 commit
-
-
caitp authored
Use a NumberConstant op rather than an Int32Constant to make assertions in v8::internal::compiler::EscapeAnalysis::ProcessAllocation() happy. BUG=v8:5598 R=bmeurer@chromium.org, franzih@chromium.org Review-Url: https://codereview.chromium.org/2478643002 Cr-Commit-Position: refs/heads/master@{#40746}
-
- 27 Sep, 2016 1 commit
-
-
caitp authored
BUG=chromium:650172 R=mstarzinger@chromium.org, bmeurer@chromium.org Review-Url: https://codereview.chromium.org/2368323002 Cr-Commit-Position: refs/heads/master@{#39760}
-
- 02 Sep, 2016 1 commit
-
-
nikolaos authored
R=adamk@chromium.org, littledan@chromium.org BUG=v8:5337 LOG=N Review-Url: https://codereview.chromium.org/2297303003 Cr-Commit-Position: refs/heads/master@{#39118}
-
- 22 Aug, 2016 1 commit
-
-
littledan authored
This flag was shipped on in 52, so it's due for removal. The patch includes removing the deprecated and unused-in-Blink API Promise::Chain, and many test updates. R=adamk@chromium.org BUG=v8:4633 Review-Url: https://codereview.chromium.org/2267033002 Cr-Commit-Position: refs/heads/master@{#38804}
-
- 11 May, 2016 1 commit
-
-
yangguo authored
R=jgruber@chromium.org BUG=chromium:609046 LOG=N Review-Url: https://codereview.chromium.org/1957303002 Cr-Commit-Position: refs/heads/master@{#36160}
-
- 22 Apr, 2016 2 commits
-
-
yangguo authored
Some scopes are introduced by the parser for desugaring and do not have any positions associated. The debugger should not make them visible. Also add some missing source positions. R=kozyatinskiy@chromium.org, rossberg@chromium.org BUG=chromium:604458 LOG=Y Review URL: https://codereview.chromium.org/1901413002 Cr-Commit-Position: refs/heads/master@{#35721}
-
adamk authored
The feature was deprecated in M49 and flagged off in M50. This patch removes it entirely from the codebase. Review URL: https://codereview.chromium.org/1909433003 Cr-Commit-Position: refs/heads/master@{#35714}
-
- 08 Apr, 2016 1 commit
-
-
adamk authored
These were all on by default in M49 without complaint. R=littledan@chromium.org Review URL: https://codereview.chromium.org/1858943002 Cr-Commit-Position: refs/heads/master@{#35342}
-
- 05 Apr, 2016 2 commits
-
-
caitpotter88 authored
The parser eagerly rewrites destructuring assignments occuring in formal parameter initializers, because not doing so would cause the BindingPattern rewriting to be confused and do the wrong thing. This change prevents this rewriting from descending into the bodies of lazily parsed functions. In general, it's a mistake to descend into the bodies of function literals anyways, since they are rewritten separately on their own time, so there is no distinction made between lazily "throw away" eagerly parsed functions in the temporary parser arena, or "real" eagerly parsed functions that will be compiled. BUG=chromium:594084, v8:811 LOG=N R=adamk@chromium.org, littledan@chromium.org Review URL: https://codereview.chromium.org/1864553002 Cr-Commit-Position: refs/heads/master@{#35277}
-
neis authored
When seeing a rest pattern, we used to get the remaining elements from the iterator by calling %concat_iterable_to_array on it. This was wrong because it caused an observable [[Get]] for @@iterator (which the iterator may not even provide). This CL gets rid of the call to %concat_iterable_to_array and does the iteration manually in a simple while-loop. It also gets rid of %concat_iterable_to_array itself because there aren't any other uses of it. BUG=v8:4759 LOG=n R=adamk@chromium.org Review URL: https://codereview.chromium.org/1852703002 Cr-Commit-Position: refs/heads/master@{#35251}
-
- 21 Mar, 2016 1 commit
-
-
adamk authored
Both of them shipped in Chrome 49 without incident. Also move relevant tests from harmony/ to es6/. Review URL: https://codereview.chromium.org/1815773002 Cr-Commit-Position: refs/heads/master@{#34964}
-
- 18 Mar, 2016 1 commit
-
-
adamk authored
- Move default parameters tests from harmony/ to es6/ and remove non-existent --harmony-default-parameters flag. - Remove some non-existent tests from mjsunit.status Review URL: https://codereview.chromium.org/1812313002 Cr-Commit-Position: refs/heads/master@{#34908}
-
- 10 Mar, 2016 1 commit
-
-
adamk authored
These flags have been on by default since version 4.9, which has been in stable Chrome for over a week now, demonstrating that they're here to stay. Also moved the tests out of harmony/ and into es6/. Review URL: https://codereview.chromium.org/1776683003 Cr-Commit-Position: refs/heads/master@{#34692}
-
- 16 Dec, 2015 1 commit
-
-
yangguo authored
And tons of changes to debugger tests. R=bmeurer@chromium.org BUG=chromium:569835 LOG=N Review URL: https://codereview.chromium.org/1525173003 Cr-Commit-Position: refs/heads/master@{#32885}
-
- 12 Dec, 2015 1 commit
-
-
adamk authored
It shipped in Chrome 47. Review URL: https://codereview.chromium.org/1519073004 Cr-Commit-Position: refs/heads/master@{#32816}
-
- 11 Dec, 2015 1 commit
-
-
cbruni authored
[proxy] fixing for-in for proxies, fixing harmony/proxy.js tests, improving error messages and some drive-by fixes BUG=v8:1543 LOG=n patch from issue 1519473002 at patchset 1 (http://crrev.com/1519473002#ps1) Review URL: https://codereview.chromium.org/1516843002 Cr-Commit-Position: refs/heads/master@{#32801}
-
- 10 Dec, 2015 1 commit
-
-
littledan authored
This patch removes Promise functions and methods which are absent from the ES2015 specification when the --es-staging flag is on. The patch is being relanded after being reverted due to an unrelated bug. This version is slightly different as promise_chain is installed on the context regardless of the flag value, so that the Promise::Chain API continues to work until it is deprecated. BUG=v8:3237 R=rossberg LOG=Y Review URL: https://codereview.chromium.org/1513873002 Cr-Commit-Position: refs/heads/master@{#32772}
-