1. 27 Apr, 2017 1 commit
  2. 26 Apr, 2017 6 commits
  3. 25 Apr, 2017 5 commits
  4. 24 Apr, 2017 4 commits
  5. 21 Apr, 2017 1 commit
  6. 20 Apr, 2017 1 commit
    • Restrict range for int64_t to immediate conversions · ec772a4f
      Eric Holk authored
      The included test case illustrates the problem. It subtracts (16 << 27)
      from another number. The Machine Operator Reducer would replace the
      shift computation with 0x0000000080000000, and then change the subtract
      to an add of -(0x0000000080000000), which is 0xffffffff80000000.
      The instruction selector would determine that this value could be an
      immediate, because it fits in 32 bits, so it would select the lea
      instruction. Finally, the code generator would detect that the
      immediate was less than 0, flip the sign and replace the add with a
      subtract of 0x80000000. Because the x64 subtract instruction's
      immediate field is 32 bits, the processor would interpret this as
      0xffffffff80000000 instead of an unsigned value.
      
      This change fixes the issue by making the CanBeImmediate check
      explicitly compare against INT_MIN and INT_MAX. We disallow INT_MIN
      as an immediate precisely because we cannot tell 0x0000000080000000
      from 0xffffffff80000000 when truncated to 32 bits.
      
      Bug: chromium:711203
      Change-Id: Ie371b8ea290684a6bb723bae9c693a866f961850
      Reviewed-on: https://chromium-review.googlesource.com/482448
      Commit-Queue: Eric Holk <eholk@chromium.org>
      Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#44758}
  7. 19 Apr, 2017 1 commit
  8. 18 Apr, 2017 4 commits
  9. 17 Apr, 2017 1 commit
  10. 13 Apr, 2017 2 commits
    • [d8] Fix leak in IntializeModuleEmbedderData · 484d25d4
      Sathya Gunasekaran authored
      If the current context is overwritten by doing Realm.navigate(0) we
      fail to delete the module embedder data from the correct current
      context, because we have a handle to the old context which was
      already cleaned up by calling DisposeRealm in RealmNavigate.
      
      This patch disallows navigation to the first realm.
      
      Bug: chromium:711165
      Change-Id: I6b9d3187367dae9d1fe38c0efa361d461c94c917
      Reviewed-on: https://chromium-review.googlesource.com/476970
      Reviewed-by: Adam Klein <adamk@chromium.org>
      Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#44656}
    • [turbofan] Fix lowering of JSGetSuperConstructor. · 68b047d0
      Michael Starzinger authored
      This fixes the existing lowering of {JSGetSuperConstructor} nodes to
      unconditional throws. The above operator is marked as {kNoWrite} but
      runtime calls are not marked as such. Any deoptimizing operation after
      the throw would not be able to find a valid {Checkpoint}. We remove the
      lowering case in question.
      
      R=bmeurer@chromium.org
      TEST=mjsunit/regress/regress-6248
      BUG=v8:6248
      
      Change-Id: I22c922947336254502f698b02f944cf35dd8688a
      Reviewed-on: https://chromium-review.googlesource.com/476570
      Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
      Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#44632}
  11. 12 Apr, 2017 3 commits
    • [turbofan] Properly represent the float64 hole. · 8c0c5e81
      bmeurer authored
      The hole NaN should also have proper Type::Hole, and not silently hide
      in the Type::Number. This way we can remove all the special casing for
      the hole NaN, and we also finally get the CheckNumber right.
      
      This also allows us to remove some duct tape from the Deoptimizer, as for
      escape analyzed FixedDoubleArrays we always pass the hole value now to
      represent the actual holes.
      
      Also-By: jarin@chromium.org
      BUG=chromium:684208,chromium:709753,v8:5267
      R=jarin@chromium.org
      
      Review-Url: https://codereview.chromium.org/2814013003
      Cr-Commit-Position: refs/heads/master@{#44603}
    • [regexp] Consider surrogate pairs when optimizing disjunctions · 46355724
      jgruber authored
      RationalizeConsecutiveAtoms optimizes ab|ac|az to a(?:b|c|d).
      Ensure that this optimization does not split surrogate pairs in unicode
      mode.
      
      BUG=chromium:641091
      
      Review-Url: https://codereview.chromium.org/2813893002
      Cr-Commit-Position: refs/heads/master@{#44599}
    • [turbofan] Fix typing rule for CheckBounds. · 483812d4
      bmeurer authored
      As of crrev.com/2760213003, the CheckBounds operator passes a truncation
      that identifies zero and minus zero. However that was not reflected in
      the typing rule, and as such the type of CheckBounds(-0,length) was
      always Type::None. That confused the typed alias analysis in the
      LoadElimination and led to ignoring StoreElement nodes.
      
      BUG=chromium:708050
      R=jarin@chromium.org
      
      Review-Url: https://codereview.chromium.org/2812013006
      Cr-Commit-Position: refs/heads/master@{#44598}
  12. 11 Apr, 2017 1 commit
  13. 10 Apr, 2017 5 commits
  14. 07 Apr, 2017 1 commit
    • [wasm] Implement extensible name section · 1a73f73b
      Clemens Hammacher authored
      The format of the name section changed recently. It now contains
      subsections of different type (currently for function names or local
      variable names).
      This CL changes our internal wasm module builders (in JS and C++) to
      emit this new format, and changes the decoder to understand it.
      We currently only parse the function name section, and ignore names of
      local variables. I will later extend this to parse local variable names
      when needed for debugging.
      
      R=ahaas@chromium.org, rossberg@chromium.org
      BUG=v8:6222
      
      Change-Id: I2627160c25c9209a3f09abe0b88941ec48b24434
      Reviewed-on: https://chromium-review.googlesource.com/470247
      Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
      Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#44492}
  15. 06 Apr, 2017 3 commits
  16. 05 Apr, 2017 1 commit