Commits · 43ce9c6f101c4224addd9a54e0c39963188dc7fa · Linshizhi / V8

07 Jul, 2015 21 commits

[d8] bounds-check before getting Shell::Worker internal field · 43ce9c6f

caitpotter88 authored Jul 07, 2015

Prevents fatal error in debug builds

BUG=v8:4271
R=binji@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/1214053004

Cr-Commit-Position: refs/heads/master@{#29524}

43ce9c6f

Add debug-stepnext test for for-let loops · a1f20f09

adamk authored Jul 07, 2015

Review URL: https://codereview.chromium.org/1215383002

Cr-Commit-Position: refs/heads/master@{#29523}

a1f20f09

[turbofan] VisitSuperCallReference is not reachable · 01fe045b

arv authored Jul 07, 2015

BUG=N
LOG=N
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1226443004

Cr-Commit-Position: refs/heads/master@{#29522}

01fe045b

Delete from non-array end by trimming the backing store · 44dcc0a2

verwaest authored Jul 07, 2015

Review URL: https://codereview.chromium.org/1218663009

Cr-Commit-Position: refs/heads/master@{#29521}

44dcc0a2

Use FullCodeGenerator::EmitGlobalVariableLoad() where possible to avoid code duplication. · f043ab86
ishell authored Jul 07, 2015
```
Review URL: https://codereview.chromium.org/1222203007

Cr-Commit-Position: refs/heads/master@{#29520}
```
f043ab86

[turbofan] Move RawMachineAssembler back to src/compiler. · ea560a9b

rmcilroy authored Jul 07, 2015

The RawMachineAssembler will be used to build the interpreter, so it needs
to move back to src/compiler.

This reverts commit b5b00cc0.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1221303014

Cr-Commit-Position: refs/heads/master@{#29519}

ea560a9b

Debugger: clear ICs on activating step-in to correctly flood accessor pairs. · c1b5d174

yangguo authored Jul 07, 2015

If we compile handlers to call accessors, Debug::HandleStepIn won't get
called. Therefore we need to clear ICs each time. This has not been
necessary before because we used to patch ICs for breaking, and restored
them with cleared ICs. This is no longer the case. We do not use ICs
for breaking anymore, so they are not implicitly cleared any longer.

R=mvstanton@chromium.org
BUG=v8:4269
LOG=N

Review URL: https://codereview.chromium.org/1212253009

Cr-Commit-Position: refs/heads/master@{#29518}

c1b5d174

[test262-es6] Update to 2015-07-06 which includes the yaml harness fix · 870ea40a

arv authored Jul 07, 2015

Revert "Revert of [test262-es6] Update to 2011-06-29 (patchset #1 id:1 of https://codereview.chromium.org/1220793005/)"

This reverts commit f50fff57.

BUG=N
LOG=N
R=littledan@chromium.org, machenbach@chromium.org

Review URL: https://codereview.chromium.org/1212723004

Cr-Commit-Position: refs/heads/master@{#29517}

870ea40a

[turbofan] Unify various bailout hacks for super call. · cc149578

mstarzinger authored Jul 07, 2015

This removes various boilouts for super constructor calls from the
TurboFan pipeline and unifies them. It also disables and optimization
which breaks references to uninitialized const this variables.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1222843004

Cr-Commit-Position: refs/heads/master@{#29516}

cc149578

Start incremental marking in long idle notification for background tab · fe8c8c3b

ulan authored Jul 07, 2015

disregarding the allocation throughput.

BUG=chromium:506132
LOG=NO

Review URL: https://codereview.chromium.org/1213313004

Cr-Commit-Position: refs/heads/master@{#29515}

fe8c8c3b

Index -> Entry and Key -> Index in elements.[cc|h] · ca7feba7

verwaest authored Jul 07, 2015

BUG=v8:4137
LOG=n

Review URL: https://codereview.chromium.org/1224643004

Cr-Commit-Position: refs/heads/master@{#29514}

ca7feba7

[test] Turn off certificate verification when downloading test data on windows. · 3e966abc

machenbach authored Jul 07, 2015

BUG=v8:4254
LOG=n
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1220333004

Cr-Commit-Position: refs/heads/master@{#29513}

3e966abc

Reland "Replace reduce-memory mode in idle notification with delayed clean-up GC." · a7f62edb

ulan authored Jul 07, 2015

This reverts commit 26991892.
This reverts commit 435b3c87.

The failing test is fixing in chromium.

BUG=chromium:490559
LOG=NO
TBR=hpayer@chromium.org

Review URL: https://codereview.chromium.org/1208993009

Cr-Commit-Position: refs/heads/master@{#29512}

a7f62edb

Move compatible receiver check from CompileHandler to UpdateCaches · 8c298c79

jochen authored Jul 07, 2015

We also need to do the check before using an existing handler from the
cache

BUG=chromium:505374
R=verwaest@chromium.org
LOG=y

Review URL: https://codereview.chromium.org/1221433010

Cr-Commit-Position: refs/heads/master@{#29511}

8c298c79

[test] Fix redirect problem for downloading test data on windows. · e7330a64

machenbach authored Jul 07, 2015

BUG=v8:4254
LOG=n
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1219013007

Cr-Commit-Position: refs/heads/master@{#29510}

e7330a64

Cleanup frame description constant. · a104e7c9

mstarzinger authored Jul 07, 2015

This unifies the existing frame constants that are the same accross all
architectures. It also adds a new kOriginalConstructorOffset constant
for construct frames and uses is in full-codegen.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1220223005

Cr-Commit-Position: refs/heads/master@{#29509}

a104e7c9

X87: Debugger: use debug break slots instead of ICs (except for calls). · c935d2b9

chunyang.dai authored Jul 07, 2015

port a8a4c364 (r29487).

original commit message:

BUG=

Review URL: https://codereview.chromium.org/1227603002

Cr-Commit-Position: refs/heads/master@{#29508}

c935d2b9

[deoptimizer] Properly evict TurboFan OSR code objects on eager deopts. · c18cf2b4

bmeurer authored Jul 07, 2015

TurboFan OSR installs the CompileOptimized builtin on JSFunctions, which
means that we never evict the OSR code objects for such functions from
eager deopts.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1220813018

Cr-Commit-Position: refs/heads/master@{#29507}

c18cf2b4

Revert of Fix bug when transferring SharedArrayBuffer to multiple Workers.... · 9281d9b6

machenbach authored Jul 07, 2015

Revert of Fix bug when transferring SharedArrayBuffer to multiple Workers. (patchset #3 id:40001 of https://codereview.chromium.org/1215233004/)

Reason for revert:
[Sheriff] Test hangs sometimes and times out flakily. E.g.: http://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosse3/builds/4551/steps/Check%20%28flakes%29/logs/d8-worker-sharedarray..

Original issue's description:
> Fix bug when transferring SharedArrayBuffer to multiple Workers.
>
> Previously, the serialization code would call Externalize for every transferred
> ArrayBuffer or SharedArrayBuffer, but that function can only be called once. If
> the buffer is already externalized, we should call GetContents instead.
>
> Also fix use-after-free bug when transferring ArrayBuffers. The transferred
> ArrayBuffer must be internalized in the new isolate, or be managed by the
> Shell. The current code gives it to the isolate externalized and frees it
> immediately afterward when the SerializationData object is destroyed.
>
> BUG=chromium:497295
> R=jarin@chromium.org
> LOG=n
>
> Committed: https://crrev.com/dd7962bf7838f8379ba776ee6b7b0e4d3bec2140
> Cr-Commit-Position: refs/heads/master@{#29499}

TBR=jarin@chromium.org,jochen@chromium.org,binji@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:497295

Review URL: https://codereview.chromium.org/1224843008

Cr-Commit-Position: refs/heads/master@{#29506}

9281d9b6

Update V8 DEPS. · 3c272e19

v8-autoroll authored Jul 07, 2015

Rolling v8/third_party/icu to c81a1a3989c3b66fa323e9a6ee7418d7c08297af

TBR=machenbach@chromium.org

Review URL: https://codereview.chromium.org/1213043007

Cr-Commit-Position: refs/heads/master@{#29505}

3c272e19

X87: [turbofan] Enable tail calls for %_CallRuntime. · 19e53974

cdai2 authored Jul 07, 2015

port 1fa4285e (r29436).

original commit message:

    This involves:
    - Enabling the tail call optimization reducer in all cases.
    - Adding an addition flag to CallFunctionParameters to mark call sites
      that can be tail-called enabled.
    - Only set the tail-call flag for %_CallFunction.

BUG=
R=weiliang.lin@intel.com

Review URL: https://codereview.chromium.org/1228463003

Cr-Commit-Position: refs/heads/master@{#29504}

19e53974

06 Jul, 2015 19 commits

PPC: Debugger: use debug break slots instead of ICs (except for calls). · c59da8b9

mbrandy authored Jul 06, 2015

Port a8a4c364

R=yangguo@chromium.org, dstence@us.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1216863005

Cr-Commit-Position: refs/heads/master@{#29503}

c59da8b9

PPC: Fix "Support for global var shortcuts in script contexts." · 85ed098c

mbrandy authored Jul 06, 2015

R=ishell@chromium.org, dstence@us.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1212343007

Cr-Commit-Position: refs/heads/master@{#29502}

85ed098c

PPC: Fix "[turbofan] Add Uint64LessThanOrEqual to 64-bit TurboFan backends." · 332e1dd1

mbrandy authored Jul 06, 2015

R=titzer@chromium.org, dstence@us.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1218073008

Cr-Commit-Position: refs/heads/master@{#29501}

332e1dd1

[turbofan] Port initialization of new.target variable. · e2f0bca7

mstarzinger authored Jul 06, 2015

This implements the proper initialization of the new.target internal
variable in the AstGraphBuilder. For now this uses a runtime call that
cannot handle inlined frames correctly.

R=arv@chromium.org

Review URL: https://codereview.chromium.org/1212813008

Cr-Commit-Position: refs/heads/master@{#29500}

e2f0bca7

Fix bug when transferring SharedArrayBuffer to multiple Workers. · dd7962bf

binji authored Jul 06, 2015

Previously, the serialization code would call Externalize for every transferred
ArrayBuffer or SharedArrayBuffer, but that function can only be called once. If
the buffer is already externalized, we should call GetContents instead.

Also fix use-after-free bug when transferring ArrayBuffers. The transferred
ArrayBuffer must be internalized in the new isolate, or be managed by the
Shell. The current code gives it to the isolate externalized and frees it
immediately afterward when the SerializationData object is destroyed.

BUG=chromium:497295
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1215233004

Cr-Commit-Position: refs/heads/master@{#29499}

dd7962bf

Support for global var shortcuts in script contexts. · 8fe17a67

ishell authored Jul 06, 2015

Review URL: https://codereview.chromium.org/1218783005

Cr-Commit-Position: refs/heads/master@{#29498}

8fe17a67

Revert of Revert of [es6] Bound function names (patchset #1 id:1 of... · 8e2c2e44

arv authored Jul 06, 2015

Revert of Revert of [es6] Bound function names (patchset #1 id:1 of https://codereview.chromium.org/1225793002/)

Reason for revert:
This will prevent rolls. Fixing the root issue instead.

Original issue's description:
> Revert of [es6] Bound function names (patchset #1 id:1 of https://codereview.chromium.org/1195983002/)
>
> Reason for revert:
> Incorrect behavior
>
> Original issue's description:
> > [es6] Bound function names
> >
> > https://people.mozilla.org/~jorendorff/es6-draft.html#sec-function.prototype.bind
> >
> > Bound functions should have a name based on the function that was
> > bound.
> >
> > This reverts the revert f2747ed9. The original
> > CL was reverted because the Blink layout test broke. I have a CL that disables
> > these tests at: https://codereview.chromium.org/1196753003/
> >
> > BUG=N
> > LOG=N
> > R=adamk
> > CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
> >
> > Committed: https://crrev.com/b6d950c979f4348138de0ec54e40dcc48d833926
> > Cr-Commit-Position: refs/heads/master@{#29193}
>
> TBR=adamk@chromium.org,verwaest@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=N
>
> Committed: https://crrev.com/744e4d4fd9316674682bc6ca30ded5866494cc1c
> Cr-Commit-Position: refs/heads/master@{#29495}

TBR=adamk@chromium.org,verwaest@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=N

Review URL: https://codereview.chromium.org/1222363002

Cr-Commit-Position: refs/heads/master@{#29497}

8e2c2e44

Fix performance regression introduced in r28961 · d45803b5

jkummerow authored Jul 06, 2015

where bound functions' length was made configurable. The bootstrapper must be kept in sync to avoid polymorphism.

BUG=chromium:500686
LOG=n
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1221383003

Cr-Commit-Position: refs/heads/master@{#29496}

d45803b5

Revert of [es6] Bound function names (patchset #1 id:1 of... · 744e4d4f

arv authored Jul 06, 2015

Revert of [es6] Bound function names (patchset #1 id:1 of https://codereview.chromium.org/1195983002/)

Reason for revert:
Incorrect behavior

Original issue's description:
> [es6] Bound function names
>
> https://people.mozilla.org/~jorendorff/es6-draft.html#sec-function.prototype.bind
>
> Bound functions should have a name based on the function that was
> bound.
>
> This reverts the revert f2747ed9. The original
> CL was reverted because the Blink layout test broke. I have a CL that disables
> these tests at: https://codereview.chromium.org/1196753003/
>
> BUG=N
> LOG=N
> R=adamk
> CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
>
> Committed: https://crrev.com/b6d950c979f4348138de0ec54e40dcc48d833926
> Cr-Commit-Position: refs/heads/master@{#29193}

TBR=adamk@chromium.org,verwaest@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=N

Review URL: https://codereview.chromium.org/1225793002

Cr-Commit-Position: refs/heads/master@{#29495}

744e4d4f

Revert of Reland: Fix logic for incremental marking steps on tenured... · 0790a8c0

machenbach authored Jul 06, 2015

Revert of Reland: Fix logic for incremental marking steps on tenured allocation (patchset #4 id:60001 of https://codereview.chromium.org/1077153004/)

Reason for revert:
[Sheriff] Speculative revert, see:
https://code.google.com/p/chromium/issues/detail?id=506875

Original issue's description:
> Reland: Fix logic for incremental marking steps on tenured allocation
>
> BUG=
>
> Committed: https://crrev.com/5000650bde2ec0bc90d959b529c97aea20385043
> Cr-Commit-Position: refs/heads/master@{#29442}

TBR=hpayer@chromium.org,erikcorry@chromium.org
BUG=chromium:506875
LOG=n
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1212063005

Cr-Commit-Position: refs/heads/master@{#29494}

0790a8c0

[turbofan] Context specialization is the job of the JSContextSpecialization. · 069a47f6

bmeurer authored Jul 06, 2015

Remove the context specialization hack from the AstGraphBuilder, and
properly specialize to the function context in the context specialization.
And replace the correct context in the JSInliner.

R=mstarzinger@chromium.org
BUG=v8:4273
LOG=n

Review URL: https://codereview.chromium.org/1218873005

Cr-Commit-Position: refs/heads/master@{#29493}

069a47f6

[test] Push binaries to separate folders on Android devices. · 90d0f67f

machenbach authored Jul 06, 2015

BUG=chromium:507213
LOG=n
NOTRY=true
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1213613005

Cr-Commit-Position: refs/heads/master@{#29492}

90d0f67f

[test] Add android perf trybots. · 7d5db46e

machenbach authored Jul 06, 2015

BUG=chromium:502176
LOG=n
NOTRY=true

Review URL: https://codereview.chromium.org/1217503008

Cr-Commit-Position: refs/heads/master@{#29491}

7d5db46e

[turbofan] Fix value output count for the Start node. · 870ce53a

bmeurer authored Jul 06, 2015

The value output count for Start is currently off by 1 for code stubs,
because the CommonOperatorBuilder hardcodes the receiver parameter.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1217553005

Cr-Commit-Position: refs/heads/master@{#29490}

870ce53a

[test] Port clobber of old test262 archive files. · e595f33f

machenbach authored Jul 06, 2015

BUG=v8:4254
LOG=n
NOTRY=true
TBR=jkummerow@chromium.org
NOTREECHECKS=true

Review URL: https://codereview.chromium.org/1226803002

Cr-Commit-Position: refs/heads/master@{#29489}

e595f33f

[turbofan] Cleanup Parameter creation in AstGraphBuilder. · 422e0c4a

mstarzinger authored Jul 06, 2015

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1222833002

Cr-Commit-Position: refs/heads/master@{#29488}

422e0c4a

Debugger: use debug break slots instead of ICs (except for calls). · a8a4c364

yangguo authored Jul 06, 2015

BUG=v8:3147,v8:4269
LOG=N

Review URL: https://codereview.chromium.org/1218493005

Cr-Commit-Position: refs/heads/master@{#29487}

a8a4c364

[turbofan] Reland "Add new JSFrameSpecialization reducer." and "Perform OSR... · ef661b08

bmeurer authored Jul 06, 2015

[turbofan] Reland "Add new JSFrameSpecialization reducer." and "Perform OSR deconstruction early and remove type propagation.".

We have to reland these two commits at once, because the first breaks
some asm.js benchmarks without the second. The change was reverted
because of bogus checks in the verifier, which will not work in the
presence of OSR (and where hidden because of the type back propagation
hack in OSR so far). Original messages are below:

[turbofan] Add new JSFrameSpecialization reducer.

The JSFrameSpecialization specializes an OSR graph to the current
unoptimized frame on which we will perform the on-stack replacement.
This is used for asm.js functions, where we cannot reuse the OSR
code object anyway because of context specialization, and so we could as
well specialize to the max instead.

It works by replacing all OsrValues in the graph with their values
in the JavaScriptFrame.

The idea is that using this trick we get better performance without
doing the unsound backpropagation of types to OsrValues later. This
is the first step towards fixing OSR for TurboFan.

[turbofan] Perform OSR deconstruction early and remove type propagation.

This way we don't have to deal with dead pre-OSR code in the graph
and risk optimizing the wrong code, especially we don't make
optimistic assumptions in the dead code that leaks into the OSR code
(i.e. deopt guards are in dead code, but the types propagate to OSR
code via the OsrValue type back propagation).

BUG=v8:4273
LOG=n
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1226673005

Cr-Commit-Position: refs/heads/master@{#29486}

ef661b08

unicode-decoder: fix out-of-band write in utf16 · b199bcdd

fedor authored Jul 06, 2015

`WriteUtf16Slow` should not assume that the output buffer has enough
bytes to hold both words of surrogate pair. It should pass the number of
remaining bytes to the `Utf8::ValueOf` instead, just as we already do in
`Utf8DecoderBase::Reset`. Otherwise it will attempt to write the trail
uint16_t past the buffer boundary, leading to memory corruption and
possible crash.

Originally reported by: Kris Reeves <kris.re@bbhmedia.com>

BUG=v8:4274
R=danno
R=svenpanne
LOG=y

Review URL: https://codereview.chromium.org/1226493003

Cr-Commit-Position: refs/heads/master@{#29485}

b199bcdd