Original commit message:
Properly handle holes following spreads in array literals
Before this change, the spread desugaring would naively call
`%AppendElement($R, the_hole)` and in some cases $R would have
a non-holey elements kind, putting the array into the bad state
of exposing holes to author code.
This patch avoids calling %AppendElement with a hole, instead
simply incrementing $R.length when it sees a hole in the literal
(this is safe because $R is known to be an Array). The existing
logic for elements transitions takes care of giving the array a
holey ElementsKind.
BUG=chromium:644215
Review-Url: https://codereview.chromium.org/2321533003
Cr-Commit-Position: refs/heads/master@{#39294}
Fixes: https://github.com/nodejs/node/issues/12018
PR-URL: https://github.com/nodejs/node/pull/12037
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Original commit message:
Rewrite scopes in computed properties in destructured parameters
While we properly handled scopes of initializers in destructured
parameters, we never did the right thing for computed properties.
This patch fixes that by factoring out PatternRewriter's scope
rewriting logic and calls it for the computed property case.
BUG=chromium:620119
Review-Url: https://codereview.chromium.org/2084103002
Cr-Commit-Position: refs/heads/master@{#37228}
Fixes: https://github.com/nodejs/node/issues/10347
PR-URL: https://github.com/nodejs/node/pull/10386
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Original commit message:
For global object property cells, we did not check that the map on the
previous object is still the same for which we actually optimized. So
the optimized code was not in sync with the actual state of the property
cell. When loading from such a global object property cell, Crankshaft
optimizes away any map checks (based on the stable map assumption),
leading to arbitrary memory access in the worst case.
TurboFan has the same bug for stores, but is safe on loads because we
do appropriate map checks there. However mixing TurboFan and Crankshaft
still exposes the bug.
R=yangguo@chromium.org
BUG=chromium:659475
Review-Url: https://codereview.chromium.org/2444233004
Cr-Commit-Position: refs/heads/master@{#40592}
PR-URL: https://github.com/nodejs/node/pull/10169
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: ofrobots - Ali Ijaz Sheikh <ofrobots@google.com>
Original Commit Message:
Previously, any expressions inside destructuring patterns in a catch
would be parsed in the surrounding scope, instead of in the catch's
scope. This change fixes that by entering not only the catch scope,
but also the block scope inside it.
R=neis@chromium.org
BUG=v8:5106, v8:5112
Review-Url: https://codereview.chromium.org/2110193002
Cr-Commit-Position: refs/heads/master@{#37415}
PR-URL: https://github.com/nodejs/node/pull/9173
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Reviewed-By: ofrobots - Ali Ijaz Sheikh <ofrobots@google.com>
Original commit message:
Don't skip hole checks inside patterns in parameter lists
Previously, b6e9f625c17f3a688139426771e2cb34fbdcb46e fixed self-assignment
in parameters to throw. But it failed to deal with the case of
destructuring with defaults. This patch extends that previous approach
to always treat the end of a parameter as its initializer position,
whether it has an initializer or not.
This is the minimal change to make it easy to merge; a follow-up
will rename the field of Parameter from "initializer_end_position"
to "end_position".
BUG=v8:5454
Review-Url: https://codereview.chromium.org/2390943002
Cr-Commit-Position: refs/heads/master@{#39962}
PR-URL: https://github.com/nodejs/node/pull/9138
Reviewed-By: targos - Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Original commit message:
Rewrite scopes of non-simple default arguments
Default parameters have additional declaration block scopes inserted
around them when something in the function scope calls eval. This
patch sets the parent scope of the expressions introduced due to
those defaults to the new block scope.
R=adamk
BUG=chromium:616386
Review-Url: https://codereview.chromium.org/2077283004
Cr-Commit-Position: refs/heads/master@{#37198}
PR-URL: https://github.com/nodejs/node-private/pull/80
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Original commit message:
Revert of Put RegExp js code in strict mode (patchset #2 id:20001
of https://codereview.chromium.org/1776883005/ )
Reason for revert:
Found to break SAP Web IDE, and these semantics are not shipped
in any other browser.
Revert to legacy semantics while assessing web compatibility.
BUG=chromium:624318
Original issue's description:
> Put RegExp js code in strict mode
>
> src/js/regexp.js was one of the few files that was left in sloppy
> mode. The ES2017 draft specification requires that writes to
> lastIndex throw when the property is non-writable, and test262
> tests enforce this behavior. This patch puts that file in strict
> mode.
>
> BUG=v8:4504
> R=yangguo@chromium.org
> LOG=Y
>
> Committed: https://crrev.com/80b1b2a45bbd9bf3d08e4e6516acfaaa8f438213
> Cr-Commit-Position: refs/heads/master@{#34801}
TBR=yangguo@chromium.org,adamk@chromium.org
Review-Url: https://codereview.chromium.org/2112713003
Cr-Commit-Position: refs/heads/master@{#37449}
PR-URL: https://github.com/nodejs/node/pull/8673
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Original commit message:
[regexp] Fix case-insensitive matching for one-byte subjects.
The bug occurs because we do not canonicalize character class ranges
before adding case equivalents. While adding case equivalents, we abort
early for one-byte subject strings, assuming that the ranges are sorted.
Which they are not.
R=marja@chromium.org
BUG=v8:5199
Review-Url: https://codereview.chromium.org/2159683002
Cr-Commit-Position: refs/heads/master@{#37833}
Fixes: https://github.com/nodejs/node/issues/7708
PR-URL: https://github.com/nodejs/node/pull/7833
Reviewed-By: targos - Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: ofrobots - Ali Ijaz Sheikh <ofrobots@google.com>
regress/regress-crbug-514081 allocates a 2G block of memory
and if there are multiple variants running at the
same time this can lead to crashes, OOM kills or
the OS failing to allocate memory. This patch
limits us to running a single variant of the test.
Fixes: https://github.com/nodejs/node/issues/6340
PR-URL: https://github.com/nodejs/node/pull/6678
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Original commit message:
[regexp] Fix case-insensitive matching for one-byte subjects.
The bug occurs because we do not canonicalize character class ranges
before adding case equivalents. While adding case equivalents, we abort
early for one-byte subject strings, assuming that the ranges are sorted.
Which they are not.
R=marja@chromium.org
BUG=v8:5199
Review-Url: https://codereview.chromium.org/2159683002
Cr-Commit-Position: refs/heads/master@{#37833}
Fixes: https://github.com/nodejs/node/issues/7708
PR-URL: https://github.com/nodejs/node/pull/7834
Ref: https://github.com/nodejs/node/pull/7833
Reviewed-By: targos - Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Reviewed-By: ofrobots - Ali Ijaz Sheikh <ofrobots@google.com>
Original commit message:
InstanceOfStub incorrectly interprets the hole as a prototype.
Repair this to match what the runtime correctly does, by first
checking if the function is a constructor before we access the
prototype.
R=verwaest@chromium.org
BUG=
Committed: https://crrev.com/2aa070be4fd2960df98905b254f12ed801ef26cd
Cr-Commit-Position: refs/heads/master@{#34863}
This fixes the behavior of instanceof when the second parameter is not a
constructor.
Fixes: https://github.com/nodejs/node/issues/7592
PR-URL: https://github.com/nodejs/node/pull/7638
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
This commit backports a fix to a JIT bug in V8.
After 100 or so comparisons `typeof null === "undefined"` is returning
`true` instead of `false`.
Original commit message:
Fix 'typeof null' canonicalization in crankshaft
BUG=
Review URL: https://codereview.chromium.org/1912553002
Cr-Commit-Position: refs/heads/master@{#35699}
Ref: https://bugs.chromium.org/p/chromium/issues/detail?id=604033
PR-URL: https://github.com/nodejs/node/pull/7348
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
There were 2 issues which either the v8 team was reluctant to
backport the fix because the fix was for a disabled feature (wasm) or
that we did not have time to investigate before 5.0 was cut
which resulted in v8 test failures for PPC in 5.0. These are test
issues and are already resolved in v8 master. This PR
excludes these tests so that our v8 tests in the CI will
be green so that we can detect any real regressions.
PR-URL: https://github.com/nodejs/node/pull/6267
Fixes: https://github.com/nodejs/node/issues/6236
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Ported by exinfinitum from a PR by jasnell:
see https://github.com/nodejs/node-v0.x-archive/pull/14185
Allows the running of v8 tests on node's packaged v8 source code.
Note that the limited win32 support added by jasnell has NOT been ported,
and so these tests are currently UNIX ONLY.
Note that gclient depot tools
(see https://commondatastorage.googleapis.com/chrome-infra-docs/flat/depot_tools/docs/html/depot_tools_tutorial.html#_setting_up)
and subversion are required to run tests.
To perform tests, run the following commands:
make v8 DESTCPU=(ARCH)
make test-v8 DESTCPU=(ARCH)
where (ARCH) is your CPU architecture, e.g. x64, ia32.
DESTCPU MUST be specified for this to work properly.
Can also do tests on debug build by using "make test-v8 DESTCPU=(ARCH)
BUILDTYPE=Debug", or perform intl or benchmark tests via make
test-v8-intl or test-v8-benchmarks respectively.
Note that by default, quickcheck and TAP output are disabled, and i18n
is enabled. To activate these options, use options "QUICKCHECK=True" and
"ENABLE_V8_TAP=True" respectively.
Use "DISABLE_V8_I18N" to disable i18n.
Use V8_BUILD_OPTIONS to allow custom user-defined flags to be
appended onto "make v8".
Any tests performed after changes to the packaged v8 file will require
recompiling of v8, which can be done using "make v8 DESTCPU=(ARCH)".
Finally, two additional files necessary for one of the v8 tests have
been added to the v8 folder.
PR-URL: https://github.com/nodejs/node/pull/4704
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: targos - Michaël Zasso <mic.besace@gmail.com>
Original commit message:
Use baseline code to compute message locations.
This switches Isolate::ComputeLocation to use baseline code when
computing message locations. This unifies locations between optimized
and non-optimized code by always going through the FrameSummary for
location computation.
R=bmeurer@chromium.org
TEST=message/regress/regress-4266
BUG=v8:4266
LOG=n
Review URL: https://codereview.chromium.org/1331603002
Cr-Commit-Position: refs/heads/master@{#30635}
Fixes: https://github.com/nodejs/node/issues/3934
PR-URL: https://github.com/nodejs/node/pull/3937
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Original commit message:
[es6] Bound function name
Instead of updating the SharedFunctionInfo set the name property on
the function directly.
BUG=v8:4278
LOG=N
R=verwaest@chromium.org, littledan@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1227523003
Cr-Commit-Position: refs/heads/master@{#29558}
Fixes: https://github.com/nodejs/node/issues/2754
PR-URL: https://github.com/nodejs/node/pull/2916
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Original commit message:
TypedArray accessor detection: consider entire prototype chain
When looking up a special accessor for known TypedArray fields
("length", "byteLength", "byteOffset"), consider the entire
prototype chain, not only the direct prototype.
This allows subclasses of TypedArrays to benefit from fast
specialized accesses.
Review URL: https://codereview.chromium.org/1313493005
Cr-Commit-Position: refs/heads/master@{#30678}
Benchmark results:
buffers/buffer-iterate.js size=16386 type=slow method=for n=1000:
./node: 71607 node: 8702.3 ............ 722.85%
Improvement depends on the code, but generally brings us back to the
performance that we had before the v8 update (if not making it
faster).
Fixes: https://github.com/nodejs/node/issues/2463
PR-URL: https://github.com/nodejs/node/pull/2801
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>