- 28 Aug, 2017 20 commits
Michael Lippautz authored
The deadlock can happen when we lock a page for processing old to new references as part of the scavenger while at the same time trying to lazily sweep another page for retrieving memory. If two tasks decide to sweep each other's pages they will deadlock.

Bug: v8:6754
Change-Id: Ic9fae0eafa5b5a5cb5eaa1c0aac61de24d1b9486
Reviewed-on: https://chromium-review.googlesource.com/636371
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47647}
Michael Starzinger authored
This makes sure the minimum memory size for WebAssembly modules derived from asm.js is set to zero. It allows instantiation without allocating an underlying memory, when such memory is unused. It also fixes a bug in patching of embedded memory sizes for asm.js modules.

R=ahaas@chromium.org
TEST=mjsunit/regress/regress-crbug-759327
BUG=chromium:759327

Change-Id: If5a965b96a03cbb5ba15bc41fbaf359f74961f41
Reviewed-on: https://chromium-review.googlesource.com/637912
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47646}
Michael Lippautz authored
Bug: v8:6333
Change-Id: Ic47c1f60d32b9dabfcbe85f5b6e2586dd7e1fd11
Reviewed-on: https://chromium-review.googlesource.com/637995
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47645}
Michael Lippautz authored
Bug:
Change-Id: Ied0ef1fc7fbcd9f58d793b9b2ecd87ae6c549dca
Reviewed-on: https://chromium-review.googlesource.com/635590
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47644}
Michael Starzinger authored
This removes dangerous accessor methods from the arguments object accessor classes. The shape of an arguments object might transition, turning the fields into dictionary mode, making the accessors invalid. It also fixes a bug in the reported number of embedder fields on the arguments object.

R=ishell@chromium.org
TEST=cctest/test-api/InternalFieldsOfRegularObjects

Change-Id: Ib7a73608c6236fe8864434e0cfdcb754ae012a75
Reviewed-on: https://chromium-review.googlesource.com/636368
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47643}
Georg Neis authored
This reverts commit 1169f55b.

Reason for revert: http://crbug.com/758994

Original change's description:
> Remove obsolete kNumber binop feedback.
>
> With the removal of Crankshaft, kNumber has become obsolete as
> BinaryOperationFeedback. Turbofan uses kNumberOrOddball.
>
> Bug:
> Change-Id: If577f5efcc81d7c08f43908f2764ff0ec6f8747c
> Reviewed-on: https://chromium-review.googlesource.com/628376
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47555}

TBR=jkummerow@chromium.org,jarin@chromium.org,neis@chromium.org,mythria@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Change-Id: I1b33f572f3e6865e00d2468bffcce2ea466814b3
Reviewed-on: https://chromium-review.googlesource.com/637711
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47642}
Choongwoo Han authored
Get the old table size after converting the 'delta' argument to an integer. Converting the argument to an integer can execute other JavaScript code, and that code can trigger a mismatch between the table sizes of the instance and the table object, which causes redundant memory allocation.

http://webassembly.org/docs/js/#webassemblytableprototypegrow

Bug: chromium:752423
Change-Id: If9a576d20625d0c39342ea5de114e9fc9f230125
Reviewed-on: https://chromium-review.googlesource.com/627248
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47641}
Jaroslav Sevcik authored
This is just a refactoring in preparation for typing the speculative integer operation as safe integers.

Bug: v8:5267
Change-Id: I56da91a72655a0733b2cf04afcf33cb1d2aa1415
Reviewed-on: https://chromium-review.googlesource.com/637830
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47640}
Jakob Gruber authored
This reverts commit f6d73509.

Reason for revert: Perf regressions https://crbug.com/758126

Original change's description:
> [csa] Refactor large-object handling in string allocation
>
> CSA::AllocateSeq{One,Two}ByteString used its own home-grown handling to
> allocate very large strings. This CL refactors both methods to use
> AllocationFlags::kAllowLargeObjectAllocation instead. Callers now need
> to specify explicitly if large-object allocation is possible or not.
>
> Bug: chromium:636391
> Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
> Change-Id: I0b7ffb0b083f4e977cea42c500f8f2ee1c60519f
> Reviewed-on: https://chromium-review.googlesource.com/625738
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47504}

TBR=cbruni@chromium.org,jgruber@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:636391
Change-Id: Iab88ce400f489a677df821d4053bd3678289ae2e
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/637392
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47639}
Sergei D authored
Derived projects need easy access to V8's original implementation of time to implement the Platform interface.

Bug: chromium:751993
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I97ee77929fda5930e7d75ca8609797673485cec3
Reviewed-on: https://chromium-review.googlesource.com/636884
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Sergei Datsenko <dats@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47638}
Ulan Degenbaev authored
Bug: chromium:694255
Change-Id: I58be876aa6db2e528f7d2e045e042657354575c7
Reviewed-on: https://chromium-review.googlesource.com/637393
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47637}
jgruber authored
When the range of all non-bmp characters is passed to AddUnicodeCaseEquivalents, icu::UnicodeSet::closeOver dutifully tries to case-fold every single character in that range. Since we already know this to be a nop, we can simply return instead.

This improves compilation time of /ui regexps by around 100x.

Bug: v8:6727
Change-Id: I79d73c77d6a54cbb5ad2cad0355214ed712b59b9
Reviewed-on: https://chromium-review.googlesource.com/635303
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47636}
Benedikt Meurer authored
Instead of introducing a lot of explicit branching in the JSNativeContextSpecialization for polymorphic property accesses that cannot be folded into a single LoadField/StoreField, and which are mostly invisible and not optimizable for later passes, we now have a single CompareMaps operator that takes a set of maps (like the CheckMaps operator) and produces a boolean indicating the result of the comparison.

R=jarin@chromium.org

Bug: v8:6761
Change-Id: Iee8788e915b762d542acb54feb9931346e442dc0
Reviewed-on: https://chromium-review.googlesource.com/636365
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47635}
jgruber authored
TryCatch only clears the pending exception if it has been propagated through OptionalRescheduleException. This is another tentative fix for https://crbug.com/754422.

Bug: chromium:754422
Change-Id: Ifbbeed8ef44131a0a010ac6bde3adbbf9fb4c4af
Reviewed-on: https://chromium-review.googlesource.com/637305
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47634}
Benedikt Meurer authored
There's no need to have the StringLengthProtector as a PropertyCell, since it's only used to guard against deoptimization loops. This also allows us to remove the use of the CompilationDependencies from the JSTypedLowering.

R=jarin@chromium.org

Bug: v8:6759
Change-Id: I54a37be6b8064ca3475e3b321f928b6a9903f209
Tbr: mstarzinger@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/637303
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47633}
Benedikt Meurer authored
Optimize the common pattern

  for (var i in o) {
    if (Object.prototype.hasOwnProperty.call(o, i)) {
      // do something
    }
  }

which is part of the guard-for-in style in ESLint (see the documentation at https://eslint.org/docs/rules/guard-for-in for details). This pattern also shows up in React and Ember applications quite a lot (and is tested by the appropriate Speedometer benchmarks, although not dominating those benchmarks, since they spend a lot of time in non-TurboFan'ed code).

This improves the forInHasOwnProperty and forInHasOwnPropertySafe micro-benchmarks in v8:6702, which look like this

  function forInHasOwnProperty(o) {
    var result = 0;
    for (var i in o) {
      if (o.hasOwnProperty(i)) {
        result += 1;
      }
    }
    return result;
  }

  function forInHasOwnPropertySafe(o) {
    var result = 0;
    for (var i in o) {
      if (Object.prototype.hasOwnProperty.call(o, i)) {
        result += 1;
      }
    }
    return result;
  }

by around 4x and allows for additional optimizations in the future, by also eliminating the megamorphic load when accessing the enumerated properties.

This changes the interpreter ForInNext bytecode to collect more precise feedback about the for-in state, which now consists of three individual states: UNINITIALIZED, MEGAMORPHIC and GENERIC. The MEGAMORPHIC state means that the ForInNext has only seen objects with a usable enum cache thus far, whereas GENERIC means that we have seen some slow-mode for..in objects as well.

R=jarin@chromium.org

Bug: v8:6702
Change-Id: Ibcd75ea9b58c3b4f9219f11bc37eb04a2b985604
Reviewed-on: https://chromium-review.googlesource.com/636964
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47632}
Alexei Filippov authored
This reverts commit 9b157602.

Reason for revert: Seems to be the cause of 100% crashes of runtime-call-stats layout_test on Windows.
https://build.chromium.org/p/chromium.webkit/builders/WebKit%20Win7/builds/54947

Original change's description:
> [runtime-call-stats] Fix a long standing crash in RuntimeCallStats::Leave
>
> There must be a matching Leave for each Enter. Otherwise it ends up
> with a dead stack-allocated object in the timer chain.
>
> Drive-by: There was also a bug in
> RuntimeCallTimerScope::RuntimeCallTimerScope(HeapObject* ...) did create a
> local object instead of calling an overloaded constructor.
>
> BUG=chromium:669329
>
> Change-Id: I9aa1c574a854af8beab3d8097efab3a726ad1c8d
> Reviewed-on: https://chromium-review.googlesource.com/634511
> Commit-Queue: Alexei Filippov <alph@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47613}

TBR=rmcilroy@chromium.org,alph@chromium.org,cbruni@chromium.org,rmcilroy@google.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:669329
Change-Id: I57b4fcd2e7bf92a68824d2ac5f40cc74deee0b25
Reviewed-on: https://chromium-review.googlesource.com/636762
Reviewed-by: Alexei Filippov <alph@chromium.org>
Commit-Queue: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47631}
v8-autoroll authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/8e7ce53..2887ee5

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/123b9d8..68a8df6

TBR=machenbach@chromium.org,hablich@chromium.org

Change-Id: I4cf915cd7b117abab676e263f8f4e69857ca3b55
Reviewed-on: https://chromium-review.googlesource.com/636279
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47630}
Yang Guo authored
This is so that precise coverage starts with a clean slate. The old behavior can be emulated by calling getBestEffortCoverage before starting precise coverage.

R=jgruber@chromium.org

Bug: chromium:757998
Change-Id: Ib3ee2316966f676456198159bdcf8ba8b9d3896f
Reviewed-on: https://chromium-review.googlesource.com/635084
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47629}
Sathya Gunasekaran authored
Instead of using a word to store the status of the promise, this patch uses 2 bits of the flags.

Bug: v8:5046
Change-Id: Ic651338230dbe1704c68de8652676f236a3298f0
Reviewed-on: https://chromium-review.googlesource.com/634623
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47628}
- 26 Aug, 2017 3 commits
v8-autoroll authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/a2b7113..8e7ce53

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/e37aa9d..123b9d8

TBR=machenbach@chromium.org,hablich@chromium.org

Change-Id: Ie53cd86e6b8aed971b8a67bb1ee2f4cb881c8623
Reviewed-on: https://chromium-review.googlesource.com/636266
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47627}
Alexey Kozyatinskiy authored
R=dgozman@chromium.org

Bug: chromium:752019
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I1a64a26e5e5d44757edd5b887d140b6b855cecab
Reviewed-on: https://chromium-review.googlesource.com/636300
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47626}
Jakob Kummerow authored
By adding LoadIC support for JSModuleNamespace objects. The index of the corresponding slot in the Module's "exports" dictionary is cached in the feedback vector, so the value can be loaded directly, without having to call the C++ accessor.

This speeds up the "foo" property access in code like the following snippet by about 10x:

  import * as m from "module.js"
  m.foo;

Bug: v8:1569
Change-Id: I152abedcbdc6f90b5bedd203cfdf97ed88d1137c
Reviewed-on: https://chromium-review.googlesource.com/631136
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47625}
- 25 Aug, 2017 17 commits
Andrey Lushnikov authored
This patch adds object support for Runtime.callFunctionOn arguments.

R=kozy

Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I9e9ad000482aa556f10a632b89c2f91fdc21ff1e
Reviewed-on: https://chromium-review.googlesource.com/636353
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Commit-Queue: Andrey Lushnikov <lushnikov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47624}
Alexey Kozyatinskiy authored
setupInjectedScriptEnvironment should check array getters/setters as well.

R=dgozman@chromium.org

Bug: none
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I72b03f62980e339d83bcfda55f1d35135b23da3b
Reviewed-on: https://chromium-review.googlesource.com/636469
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47623}
Erik Luo authored
Currently, injected script source adds natural object properties before internal properties. This can result in important ones such as "[[PrimitiveValue]]" being left out.

This CL
- makes sure internal properties are always added to preview
- removes unused "[[Iterator*]]" properties from preview
- boxed strings (e.g. new String("foo")) will not send unnecessary properties 0:"f", 1:"o", 2:"o" if the [[PrimitiveValue]] is sent.

Bug: chromium:567265
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Icd5c7410351f371055277ce471226cc6fb5a861f
Reviewed-on: https://chromium-review.googlesource.com/634584
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Erik Luo <luoe@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47622}
Andrey Lushnikov authored
This patch re-writes the call-function-on-async.js test according to the new style.

R=kozy

Change-Id: I0541d336fe2bba3197170b0cc22c70e96d8543aa
Reviewed-on: https://chromium-review.googlesource.com/636691
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Andrey Lushnikov <lushnikov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47621}
Deepti Gandluri authored
BUG=v8:6532
R=binji@chromium.org, bradnelson@chromium.org

Change-Id: I376dd8e4d27cac657d5a7c05a50a0477963da7b7
Reviewed-on: https://chromium-review.googlesource.com/627476
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47620}
Mircea Trofin authored
We're moving the code table off the heap, while the export wrappers are instance-specific, and, thus, won't move off the heap.

Bug:
Change-Id: I392fb537c7708a0a06f3468f714335df29bc401b
Reviewed-on: https://chromium-review.googlesource.com/636309
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47619}
Adam Klein authored
All microbenchmarks now add 20 variables together per iteration, rather than just a single variable. Also re-add a sanity check after the loop, and fix a missing variable add (a15) from the loop.

Bug: v8:1569
Change-Id: Ie54357b5cedaafd85f01c699c08b24a5ee6468c9
Reviewed-on: https://chromium-review.googlesource.com/636284
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47618}
Ross McIlroy authored
This change adapts the Call bytecode handlers such that they don't require a stack frame. It does this by modifying the call bytecode handler to tail-call the Call or InterpreterPushArgsAndCall builtins. As a result, the callee function will return to the InterpreterEntryTrampoline when it returns (since this is the return address on the interpreter frame), which is adapted to dispatch to the next bytecode handler. The return bytecode handler is modified to tail-call a new InterpreterExitTrampoline instead of returning to the InterpreterEntryTrampoline.

Overall this significantly reduces the amount of stack space required for interpreter frames, increasing the maximum depth of recursive calls from around 6000 to around 12,500 on x64.

BUG=chromium:753705

Change-Id: I23328e4cef878df3aca4db763b47d72a2cce664c
Reviewed-on: https://chromium-review.googlesource.com/634364
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47617}
Jaideep Bajwa authored
WasmGraphBuilder::StoreMem is called with the last argument as default with machine rep = kNode, which causes BuildChangeEndiannessStore(val, memtype, type) to fail.

R=gdeepti@google.com, binji@chromium.org, jyan@ca.ibm.com
BUG=v8:6752
LOG=N

Change-Id: I0633982ff4b5a93551b4765ca8df50073010f3ca
Reviewed-on: https://chromium-review.googlesource.com/633755
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Jaideep Bajwa <bjaideep@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#47616}
Caitlin Potter authored
Keep parsing the rest of the MemberExpression after `new.target`

BUG=v8:6745
R=marja@chromium.org, adamk@chromium.org

Change-Id: I53cc370766e72ed9e36c5c7aa150a3ad9a6062f8
Reviewed-on: https://chromium-review.googlesource.com/627756
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#47615}
Adam Klein authored
Change-Id: Ic3812d16a4e8449ac9619981719e997c90300ee7
Reviewed-on: https://chromium-review.googlesource.com/634254
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47614}
Alexei Filippov authored
There must be a matching Leave for each Enter. Otherwise it ends up with a dead stack-allocated object in the timer chain.

Drive-by: There was also a bug in RuntimeCallTimerScope::RuntimeCallTimerScope(HeapObject* ...), which created a local object instead of calling an overloaded constructor.

BUG=chromium:669329

Change-Id: I9aa1c574a854af8beab3d8097efab3a726ad1c8d
Reviewed-on: https://chromium-review.googlesource.com/634511
Commit-Queue: Alexei Filippov <alph@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47613}
Leszek Swirski authored
For deferred commands (such as in try-finally), some deferred commands save and restore the accumulator using a result register (e.g. return, throw, rethrow), while others don't (e.g. break, continue, fall-through). However, conditionally reading this result register that may not ever be written caused it to be considered live from the start of the function, as far as the liveness analysis could statically tell.

Now, we write the result register for all deferred commands, including the fall-through. As a micro-optimization, we re-use the Smi command token to clobber the result, rather than emitting an LdaUndefined.

Bug: chromium:758472
Change-Id: I2ea65e2249b40ee6403216e654a8bb88d50bec3b
Reviewed-on: https://chromium-review.googlesource.com/635592
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47612}
Jakob Gruber authored
We cannot assume that the receiver is a JSObject, nor can we assume ToObject() completes successfully.

TBR=yangguo@chromium.org

Bug: chromium:739954
Change-Id: Id55571131ef8755e86f15cd2acb918ff0f1b7788
Reviewed-on: https://chromium-review.googlesource.com/632376
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47611}
Michael Lippautz authored
The deadlock can happen when two scavenging tasks process two different pages for their old->new sets and at the same time try to allocate in old space which triggers sweeping of the other task's page.

Bug: v8:6754
Change-Id: I6087553631e198d5ecfb8ab37925ac41cd6995bd
Reviewed-on: https://chromium-review.googlesource.com/635843
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47610}
Jakob Gruber authored
The Uint32(limit) conversion can end up transitioning the regexp instance to slow mode. In this case we need to bail out to runtime while ensuring that ToUint32 is not observably called a second time. We do this by passing the already-converted value to runtime.

This particular path was broken and we ended up passing the original maybe_limit value to runtime instead.

TBR=yangguo@chromium.org

Bug: chromium:758763
Change-Id: If7f23b452d2e134ad9be3d4ef1d78d1c946fcef0
Reviewed-on: https://chromium-review.googlesource.com/635588
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47609}
Albert Mingkun Yang authored
Change the signature of `Construct` so that no casting is required on calling it. The casting would fire the control flow integrity check if the class contains virtual members.

Bug: chromium:758925
Change-Id: Iefc711c634b36efd051e245e2df13b28d5563f45
Reviewed-on: https://chromium-review.googlesource.com/635563
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Cr-Commit-Position: refs/heads/master@{#47608}