BUG=chromium:702460

R=mtrofin@chromium.org, bbudge@chromium.org

Review-Url: https://codereview.chromium.org/2794693002
Cr-Commit-Position: refs/heads/master@{#44319}

The test was out-dated. The wasm bytes still had the version 0xd, and
no END instruction at the end of the function. In addition, the test
used asynchronous compilation but did not wait for the promise to
resolve.

R=clemensh@chromium.org

Change-Id: Ib01f47ac8f668401ed14470af7100e990e5bbd94
Reviewed-on: https://chromium-review.googlesource.com/463286Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44276}

The int64-lowering lowers return nodes which return one int64 value into
a return node which returns two int32 values. For this lowering it has
to adjust the input count of the return operator.

The existing code assumed that if the signature of a function said that
the return type is int64, then all return nodes have int64 inputs.
However, with a recent CL we also introduced void returns. With this CL
I check if the number of inputs of a return node changes with the
DefaultLowering, and only if the number of inputs changes, then I check
if I also have to change the operator of the return node.

R=mstarzinger@chromium.org
TEST=mjsunit/regress/wasm/regression-6164
BUG=v8:6164

Change-Id: I004ab1b4be942cc045719f306705d95b48707a1c
Reviewed-on: https://chromium-review.googlesource.com/461941Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44232}

BUG=chromium:699485

R=ahaas@chromium.org, bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2772973002
Cr-Commit-Position: refs/heads/master@{#44166}

This reverts commit 6ad5ca59.

Reason for revert: Breaks on noi18n bot, needs fix in the new regression test

Original change's description:
> [wasm] Check the result of Promise::Resolver
> 
> We check that if we do not get a result, or if we get a negative result,
> then there has to be a scheduled exception.
> 
> R=​clemensh@chromium.org
> TEST=mjsunit/regress/wasm/regression-704127
> BUG=chromium:704127
> 
> Change-Id: I3fef3cc02f685a9cbc3f10203e2a59b61b3702d5
> Reviewed-on: https://chromium-review.googlesource.com/458282
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44144}

TBR=ahaas@chromium.org,clemensh@chromium.org,v8-reviews@googlegroups.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:704127

Change-Id: Ibf6d27929c88064bc2755688358998640092e31a
Reviewed-on: https://chromium-review.googlesource.com/459512Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44145}

We check that if we do not get a result, or if we get a negative result,
then there has to be a scheduled exception.

R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regression-704127
BUG=chromium:704127

Change-Id: I3fef3cc02f685a9cbc3f10203e2a59b61b3702d5
Reviewed-on: https://chromium-review.googlesource.com/458282Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44144}

The stack check at the beginning of each function maps to the wasm byte
offset 0. For asm.js functions, this byte offset is mapped further to an
asm.js source position. For most functions, we explicitly add an entry
to this side table for offset 0. This was missing for the start
function.

R=ahaas@chromium.org
BUG=v8:4203,chromium:703568

Change-Id: I05bc4a8cfa666864bb7a0b23f75186abe0be9bee
Reviewed-on: https://chromium-review.googlesource.com/458437
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44037}

This fixes a bug where an exported function is being specialized, but
the callsite inside the JS_TO_WASM function was patched to call an
interpreter entry instead. We would not identify the call site as the
one to be patched during specialization, and would thus fail a DCHECK.

R=ahaas@chromium.org
BUG=v8:5822, chromium:702839

Change-Id: I148d98333051c399a4cb11bd9620b396f4eb261d
Reviewed-on: https://chromium-review.googlesource.com/456282
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43942}

Without the check it happened that the builtin call in the trap code
was too far away from the constant pool and therefore crashed.

BUG=v8:6054
R=bmeurer@chromium.org, v8-arm-ports@googlegroups.com

Review-Url: https://codereview.chromium.org/2738683003
Cr-Commit-Position: refs/heads/master@{#43928}

From asm.js code we might get an empty ArrayBuffer as heap memory. In
this case, both the old memory start and the new memory start will be
nullptr. The size however has to be patched from default_size to 0.

This CL changes code specialization to be able to either patch memory
references, or patch memory sizes or both.

R=titzer@chromium.org, ahaas@chromium.org
BUG=chromium:698587

Change-Id: I4d9d811d75cb83842f23df317e8e7fc02aeb5146
Reviewed-on: https://chromium-review.googlesource.com/450257
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43613}

The limit needs to be checked before casting the length to int in
ModuleWireBytes.

R=titzer@chromium.org
BUG=694433

Review-Url: https://codereview.chromium.org/2705233002
Cr-Commit-Position: refs/heads/master@{#43352}

One optimization in the machine-operator-reducer did not consider that
that word32 shift left instructions only consider the last 5 bits of
the shift input.

The issue only occurs for WebAssembly because in JavaScript we always
add a "& 0xf" on the shift value to the TurboFan graph.

For additional background: The JavaScript and WebAssembly spec both
say that only the last 5 bits of the shift value are used in the
word32-shift-left operation. This means that an "x << 0x29", in the
code is actually executed as "x << 0x09". Therefore the changes in
this CL are okay because they mask the last 5 bit of the shift value.

BUG=chromium:689450

Change-Id: Id92f298ed6d7f1714b109b3f4fbcecd5ac6d30f7
Reviewed-on: https://chromium-review.googlesource.com/439312Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43245}

The testb instruction requires the REX prefix when either of its
operands uses a register with the high bit set. The existing code only
considered the register operand. In the test case the REX prefix was not
emitted because the testb instruction had the register operand RAX which
does not have the high bit set. The REX prefix was necessary though
because the memory operand used R8, which has the high bit set.

R=bmeurer@chromium.org
BUG=chromium:688876

Change-Id: Ib214bebbe75965664f2aea530e29afa95a54f44f
Reviewed-on: https://chromium-review.googlesource.com/439145
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43030}

This CL adds --crankshaft and --no-always-opt flags to the tests that use
assertOptimized() and assertUnoptimized() respectively.

This CL also adds presubmit checks that ensure that tests have the proper
flags set.

BUG=v8:5890

Review-Url: https://codereview.chromium.org/2653753007
Cr-Commit-Position: refs/heads/master@{#42709}

First issue I found with my local fuzzing.

R=titzer@chromium.org
BUG=v8:5884

Review-Url: https://codereview.chromium.org/2656563003
Cr-Commit-Position: refs/heads/master@{#42683}

After decoding an invalid function name (e.g. OOB), we stored the parsed
offset and length into the WasmFunction anyway, resulting in a runtime
CHECK failure later on.
This CL fixes this, and adds a regression test.

R=titzer@chromium.org
CC=mtrofin@chromium.org, bradnelson@chromium.org
BUG=chromium:684858

Review-Url: https://codereview.chromium.org/2656713003
Cr-Commit-Position: refs/heads/master@{#42654}

BUG=v8:5860
R=rossberg@chromium.org

Review-Url: https://codereview.chromium.org/2653533003
Cr-Commit-Position: refs/heads/master@{#42622}

The IA32AddPair and IA32SubPair instructions were using an input register as a
temporary value, which led to registers sometimes being clobbered when they
shouldn't have been. This led to problems, for example, in calling printf to
format doubles:

printf("%f", 1.2345) => 0.61725 (on x86)

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5800

Review-Url: https://codereview.chromium.org/2637583002
Cr-Commit-Position: refs/heads/master@{#42486}

R=rossberg@chromium.org,clemensh@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2640013003
Cr-Commit-Position: refs/heads/master@{#42473}

Makes us pass the spec's memory.wast test.

R=titzer@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2640453003
Cr-Commit-Position: refs/heads/master@{#42452}

 - Currently WebAssembly.Memory.grow() assumes that it always has an instance associated with it,
 fix to grow and reflect new size when no instance is associated with memory object.
 - Correctness fixes for the js api, throw range errors instead of generic errors

BUG=chromium:680938

R=bradnelson@chromium.org, titzer@chromium.org

Review-Url: https://codereview.chromium.org/2638243002
Cr-Commit-Position: refs/heads/master@{#42432}

R=clemensh@chromium.org
BUG=chromium:663994

Review-Url: https://codereview.chromium.org/2622563002
Cr-Commit-Position: refs/heads/master@{#42163}

R=clemensh@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2595733003
Cr-Commit-Position: refs/heads/master@{#42141}

The scenario here: the asm function fails asm validation,
so we emit a message. In doing so, we create a JSValue wrapper for
the script object that we cache on the script object. This wrapper
is context-dependent and causes the code serializer to choke.

R=mtrofin@chromium.org, titzer@chromium.org
BUG=chromium:674446,chromium:673321

Review-Url: https://codereview.chromium.org/2586943003
Cr-Commit-Position: refs/heads/master@{#41794}

Determine if the scope of the function to be serialized includes asm-
wasm, and if so, bypass serialization, since we do not support it in
that scenario.

In this change, we do so regardless of whether the asm-wasm path was
successful. This is so we keep the design simple, since the guidance
to developers, moving forward, is to use wasm.

BUG=643595

Review-Url: https://codereview.chromium.org/2573193002
Cr-Commit-Position: refs/heads/master@{#41704}

BUG=chromium:670683

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2548223002
Cr-Commit-Position: refs/heads/master@{#41603}

Previous fuzzer fix broke the case when the pending assessment came from the same
block. In that case, the assessments table does not have an entry yet for the block,
because we register only when we're done processing a block.

BUG=667745

Review-Url: https://codereview.chromium.org/2519973004
Cr-Commit-Position: refs/heads/master@{#41193}

The verifier needs to use the block and assessments in that block corresponding to
a predecessor of a "pending" assessment. Not doing that causes incorrect
assessments when 2 locations are swapped.

BUG=665402

Review-Url: https://codereview.chromium.org/2515803002
Cr-Commit-Position: refs/heads/master@{#41159}

This fixes a bug found by the fuzzer where we would attempt to
dereference a null handle if memory allocation failed. In this case,
the failure was because the amount of memory requested was above V8's
hardcoded limit.

BUG= https://bugs.chromium.org/p/chromium/issues/detail?id=666741

Review-Url: https://codereview.chromium.org/2514983002
Cr-Commit-Position: refs/heads/master@{#41158}

 - When module bytes have a memory maximum defined, compiled module object should set maximum memory
 - Exported memory objects should set maximum value on the memory objects
 - Update tests to use declared maximum values.

R=ahaas@chromium.org

Review-Url: https://codereview.chromium.org/2474333003
Cr-Commit-Position: refs/heads/master@{#40820}

R=ahaas@chromium.org,rossberg@chromium.org,binji@chromium.org,bradnelson@chromium.org
BUG=chromium:575167, chromium:659591

Review-Url: https://codereview.chromium.org/2440953002
Cr-Commit-Position: refs/heads/master@{#40600}

This CL refactors the handling of metadata associated with WebAssembly
modules to reduce the duplicate marshalling of data from the C++ world
to the JavaScript world. It does this by wrapping the C++ WasmModule*
object in a Foreign that is rooted from the on-heap WasmCompiledModule
(which is itself just a FixedArray). Upon serialization, the C++ object
is ignored and the original WASM wire bytes are serialized. Upon
deserialization, the C++ object is reconstituted by reparsing the bytes.

This is motivated by increasing complications in implementing the JS
API, in particular WebAssembly.Table, which must perform signature
canonicalization across instances.

Additionally, this CL implements the proper base + offset initialization
behavior for tables.

R=rossberg@chromium.org,bradnelson@chromium.org,mtrofin@chromium.org,yangguo@chromium.org
BUG=v8:5507, chromium:575167, chromium:657316

Review-Url: https://chromiumcodereview.appspot.com/2424623002
Cr-Commit-Position: refs/heads/master@{#40434}

Using uint32 to store the the number of control outputs allows WebAssembly switches to have more than 2^16 case.

BUG=v8:5531
TEST=mjsunit/regress/wasm/regression-5531
R=titzer@chromium.org

Review-Url: https://chromiumcodereview.appspot.com/2425983002
Cr-Commit-Position: refs/heads/master@{#40420}

A decoder error sets builder_ to null, which causes builder_->StackCheck
to segfault.

R=titzer@chromium.org

TEST=mjsunit/regress/wasm/loop-stack-check

Review-Url: https://codereview.chromium.org/2416873002
Cr-Commit-Position: refs/heads/master@{#40271}

BUG=chromium:654377
TEST=mjsunit/regress/wasm/regression-654377
R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2403013002
Cr-Commit-Position: refs/heads/master@{#40246}

 - Added gating code in the module-decoder to allow SIMD code only when
 it can be decoded correctly
 - SIMD128 values should not be exported to JS
 - Try/Catch should not be available in asmjs modules
 - Trivial fixes for S128  values

BUG=chromium:648079

R=ahaas@chromium.org, titzer@chromium.org, bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2400863003
Cr-Commit-Position: refs/heads/master@{#40067}

The implementation of MemorySize with RelocatableInt32Constants is
problematic if MemorySize is placed close to a GrowMemory instruction in
the code. The use of a runtime function guarantees that the order in
which MemorySize and GrowMemory is executed is correct.

R=titzer@chromium.org
BUG=chromium:651961
TEST=mjsunit/regress/wasm/regression-651961

Committed: https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689
Review-Url: https://codereview.chromium.org/2386183004
Cr-Original-Commit-Position: refs/heads/master@{#39972}
Cr-Commit-Position: refs/heads/master@{#39980}

Revert of [wasm] Call a runtime function for a MemorySize instruction. (patchset #2 id:20001 of https://codereview.chromium.org/2386183004/ )

Reason for revert:
Patch problem

Original issue's description:
> [wasm] Call a runtime function for a MemorySize instruction.
>
> The implementation of MemorySize with RelocatableInt32Constants is
> problematic if MemorySize is placed close to a GrowMemory instruction in
> the code. The use of a runtime function guarantees that the order in
> which MemorySize and GrowMemory is executed is correct.
>
> R=titzer@chromium.org
> BUG=chromium:651961
> TEST=mjsunit/regress/wasm/regression-651961
>
> Committed: https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689
> Cr-Commit-Position: refs/heads/master@{#39972}

TBR=titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:651961

Review-Url: https://codereview.chromium.org/2391223002
Cr-Commit-Position: refs/heads/master@{#39973}

The implementation of MemorySize with RelocatableInt32Constants is
problematic if MemorySize is placed close to a GrowMemory instruction in
the code. The use of a runtime function guarantees that the order in
which MemorySize and GrowMemory is executed is correct.

R=titzer@chromium.org
BUG=chromium:651961
TEST=mjsunit/regress/wasm/regression-651961

Review-Url: https://codereview.chromium.org/2386183004
Cr-Commit-Position: refs/heads/master@{#39972}

This fixes a gc stress bug. We cannot rely on an ordering of
clearing of the weak cells, so we explicitly reset the weak
link to the owning instance, when finalizing a compiled
module. In turn, this serves as a reliable signal when GCs
happen while instantiating, allowing us to correctly link the
new instance.

BUG=chromium:652425

Review-Url: https://codereview.chromium.org/2393443003
Cr-Commit-Position: refs/heads/master@{#39964}