Skip to content

Commit

Permalink
deps: update V8 to 5.4.500.36
Browse files Browse the repository at this point in the history
PR-URL: #9253
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: James M Snell <[email protected]>
  • Loading branch information
targos authored and jasnell committed Oct 24, 2016
1 parent 3238f15 commit 6bbdd66
Show file tree
Hide file tree
Showing 14 changed files with 152 additions and 25 deletions.
2 changes: 1 addition & 1 deletion deps/v8/include/v8-version.h
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 5
#define V8_MINOR_VERSION 4
#define V8_BUILD_NUMBER 500
#define V8_PATCH_LEVEL 31
#define V8_PATCH_LEVEL 36

// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
Expand Down
11 changes: 10 additions & 1 deletion deps/v8/src/compiler/js-builtin-reducer.cc
Original file line number Diff line number Diff line change
Expand Up @@ -145,11 +145,16 @@ bool CanInlineArrayResizeOperation(Handle<Map> receiver_map) {
if (!receiver_map->prototype()->IsJSArray()) return false;
Handle<JSArray> receiver_prototype(JSArray::cast(receiver_map->prototype()),
isolate);
// Ensure that all prototypes of the {receiver} are stable.
for (PrototypeIterator it(isolate, receiver_prototype, kStartAtReceiver);
!it.IsAtEnd(); it.Advance()) {
Handle<JSReceiver> current = PrototypeIterator::GetCurrent<JSReceiver>(it);
if (!current->map()->is_stable()) return false;
}
return receiver_map->instance_type() == JS_ARRAY_TYPE &&
IsFastElementsKind(receiver_map->elements_kind()) &&
!receiver_map->is_dictionary_map() && receiver_map->is_extensible() &&
(!receiver_map->is_prototype_map() || receiver_map->is_stable()) &&
receiver_prototype->map()->is_stable() &&
isolate->IsFastArrayConstructorPrototypeChainIntact() &&
isolate->IsAnyInitialArrayPrototype(receiver_prototype) &&
!IsReadOnlyLengthDescriptor(receiver_map);
Expand Down Expand Up @@ -308,6 +313,10 @@ Reduction JSBuiltinReducer::ReduceArrayPush(Node* node) {
AccessBuilder::ForFixedArrayElement(receiver_map->elements_kind())),
elements, length, value, effect, control);

// Return the new length of the {receiver}.
value = graph()->NewNode(simplified()->NumberAdd(), length,
jsgraph()->OneConstant());

ReplaceWithValue(node, value, effect, control);
return Replace(value);
}
Expand Down
2 changes: 1 addition & 1 deletion deps/v8/src/compiler/js-native-context-specialization.cc
Original file line number Diff line number Diff line change
Expand Up @@ -614,7 +614,7 @@ Reduction JSNativeContextSpecialization::ReduceElementAccess(
fallthrough_control);
this_controls.push_back(
graph()->NewNode(common()->IfTrue(), branch));
this_effects.push_back(effect);
this_effects.push_back(this_effect);
fallthrough_control =
graph()->NewNode(common()->IfFalse(), branch);
}
Expand Down
2 changes: 2 additions & 0 deletions deps/v8/src/compiler/typer.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1352,6 +1352,8 @@ Type* Typer::Visitor::JSCallFunctionTyper(Type* fun, Typer* t) {
case kArrayIndexOf:
case kArrayLastIndexOf:
return Type::Range(-1, kMaxSafeInteger, t->zone());
case kArrayPush:
return t->cache_.kPositiveSafeInteger;
// Object functions.
case kObjectHasOwnProperty:
return Type::Boolean();
Expand Down
44 changes: 29 additions & 15 deletions deps/v8/src/crankshaft/hydrogen-instructions.cc
Original file line number Diff line number Diff line change
Expand Up @@ -259,7 +259,11 @@ bool Range::AddAndCheckOverflow(const Representation& r, Range* other) {
bool may_overflow = false;
lower_ = AddWithoutOverflow(r, lower_, other->lower(), &may_overflow);
upper_ = AddWithoutOverflow(r, upper_, other->upper(), &may_overflow);
KeepOrder();
if (may_overflow) {
Clear();
} else {
KeepOrder();
}
#ifdef DEBUG
Verify();
#endif
Expand All @@ -271,13 +275,21 @@ bool Range::SubAndCheckOverflow(const Representation& r, Range* other) {
bool may_overflow = false;
lower_ = SubWithoutOverflow(r, lower_, other->upper(), &may_overflow);
upper_ = SubWithoutOverflow(r, upper_, other->lower(), &may_overflow);
KeepOrder();
if (may_overflow) {
Clear();
} else {
KeepOrder();
}
#ifdef DEBUG
Verify();
#endif
return may_overflow;
}

void Range::Clear() {
lower_ = kMinInt;
upper_ = kMaxInt;
}

void Range::KeepOrder() {
if (lower_ > upper_) {
Expand All @@ -301,8 +313,12 @@ bool Range::MulAndCheckOverflow(const Representation& r, Range* other) {
int v2 = MulWithoutOverflow(r, lower_, other->upper(), &may_overflow);
int v3 = MulWithoutOverflow(r, upper_, other->lower(), &may_overflow);
int v4 = MulWithoutOverflow(r, upper_, other->upper(), &may_overflow);
lower_ = Min(Min(v1, v2), Min(v3, v4));
upper_ = Max(Max(v1, v2), Max(v3, v4));
if (may_overflow) {
Clear();
} else {
lower_ = Min(Min(v1, v2), Min(v3, v4));
upper_ = Max(Max(v1, v2), Max(v3, v4));
}
#ifdef DEBUG
Verify();
#endif
Expand Down Expand Up @@ -3184,6 +3200,13 @@ bool HAllocate::HandleSideEffectDominator(GVNFlag side_effect,
return false;
}

if (IsAllocationFoldingDominator()) {
if (FLAG_trace_allocation_folding) {
PrintF("#%d (%s) cannot fold into #%d (%s), already dominator\n", id(),
Mnemonic(), dominator->id(), dominator->Mnemonic());
}
return false;
}

if (!IsFoldable(dominator_allocate)) {
if (FLAG_trace_allocation_folding) {
Expand Down Expand Up @@ -3235,17 +3258,6 @@ bool HAllocate::HandleSideEffectDominator(GVNFlag side_effect,
}
}

if (IsAllocationFoldingDominator()) {
DeleteAndReplaceWith(dominator_allocate);
if (FLAG_trace_allocation_folding) {
PrintF(
"#%d (%s) folded dominator into #%d (%s), new dominator size: %d\n",
id(), Mnemonic(), dominator_allocate->id(),
dominator_allocate->Mnemonic(), new_dominator_size);
}
return true;
}

if (!dominator_allocate->IsAllocationFoldingDominator()) {
HAllocate* first_alloc =
HAllocate::New(isolate, zone, dominator_allocate->context(),
Expand Down Expand Up @@ -3280,6 +3292,8 @@ std::ostream& HAllocate::PrintDataTo(std::ostream& os) const { // NOLINT
if (IsOldSpaceAllocation()) os << "P";
if (MustAllocateDoubleAligned()) os << "A";
if (MustPrefillWithFiller()) os << "F";
if (IsAllocationFoldingDominator()) os << "d";
if (IsAllocationFolded()) os << "f";
return os << ")";
}

Expand Down
5 changes: 3 additions & 2 deletions deps/v8/src/crankshaft/hydrogen-instructions.h
Original file line number Diff line number Diff line change
Expand Up @@ -237,6 +237,7 @@ class Range final : public ZoneObject {
lower_ = Max(lower_, Smi::kMinValue);
upper_ = Min(upper_, Smi::kMaxValue);
}
void Clear();
void KeepOrder();
#ifdef DEBUG
void Verify() const;
Expand Down Expand Up @@ -4935,7 +4936,7 @@ class HAllocate final : public HTemplateInstruction<3> {
static_cast<HAllocate::Flags>(flags_ | ALLOCATION_FOLDING_DOMINATOR);
}

bool IsAllocationFoldingDominator() {
bool IsAllocationFoldingDominator() const {
return (flags_ & ALLOCATION_FOLDING_DOMINATOR) != 0;
}

Expand All @@ -4946,7 +4947,7 @@ class HAllocate final : public HTemplateInstruction<3> {
SetOperandAt(2, dominator);
}

bool IsAllocationFolded() { return (flags_ & ALLOCATION_FOLDED) != 0; }
bool IsAllocationFolded() const { return (flags_ & ALLOCATION_FOLDED) != 0; }

bool HandleSideEffectDominator(GVNFlag side_effect,
HValue* dominator) override;
Expand Down
6 changes: 1 addition & 5 deletions deps/v8/src/parsing/parser.cc
Original file line number Diff line number Diff line change
Expand Up @@ -4506,9 +4506,6 @@ Block* Parser::BuildParameterInitializationBlock(
// TODO(adamk): Should this be kNoSourcePosition, since
// it's just copying from a temp var to the real param var?
descriptor.initialization_pos = parameter.pattern->position();
// The initializer position which will end up in,
// Variable::initializer_position(), used for hole check elimination.
int initializer_position = parameter.pattern->position();
Expression* initial_value =
factory()->NewVariableProxy(parameters.scope->parameter(i));
if (parameter.initializer != nullptr) {
Expand All @@ -4524,7 +4521,6 @@ Block* Parser::BuildParameterInitializationBlock(
initial_value = factory()->NewConditional(
condition, parameter.initializer, initial_value, kNoSourcePosition);
descriptor.initialization_pos = parameter.initializer->position();
initializer_position = parameter.initializer_end_position;
}

Scope* param_scope = scope();
Expand All @@ -4547,7 +4543,7 @@ Block* Parser::BuildParameterInitializationBlock(

BlockState block_state(&scope_state_, param_scope);
DeclarationParsingResult::Declaration decl(
parameter.pattern, initializer_position, initial_value);
parameter.pattern, parameter.initializer_end_position, initial_value);
PatternRewriter::DeclareAndInitializeVariables(param_block, &descriptor,
&decl, nullptr, CHECK_OK);

Expand Down
11 changes: 11 additions & 0 deletions deps/v8/test/mjsunit/regress/regress-5454.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

assertThrows(function(...[b = !b]) { }, ReferenceError);
assertThrows(() => (function([b = !b]) { })([]), ReferenceError);
assertThrows(() => (function({b = !b}) { })({}), ReferenceError);

assertThrows((...[b = !b]) => { }, ReferenceError);
assertThrows(() => (([b = !b]) => { })([]), ReferenceError);
assertThrows(() => (({b = !b}) => { })({}), ReferenceError);
20 changes: 20 additions & 0 deletions deps/v8/test/mjsunit/regress/regress-crbug-621868.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --verify-heap

function f(a) { // First parameter is tagged.
var n = 1 + a;
}

function g() {
f();
var d = {x : f()};
return [d];
}

g();
g();
%OptimizeFunctionOnNextCall(g);
g();
14 changes: 14 additions & 0 deletions deps/v8/test/mjsunit/regress/regress-crbug-644689-1.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

for (var i = 0; i < 1024; ++i) Object.prototype["i" + i] = i;

function foo() { [].push(1); }

foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
14 changes: 14 additions & 0 deletions deps/v8/test/mjsunit/regress/regress-crbug-644689-2.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

for (var i = 0; i < 1024; ++i) Object.prototype["i" + i] = i;

function foo() { [1].pop(); }

foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
16 changes: 16 additions & 0 deletions deps/v8/test/mjsunit/regress/regress-crbug-645438.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function n(x,y){
y = (y-(0x80000000|0)|0);
return (x/y)|0;
};
var x = -0x80000000;
var y = 0x7fffffff;
n(x,y);
n(x,y);
%OptimizeFunctionOnNextCall(n);
assertEquals(x, n(x,y));
15 changes: 15 additions & 0 deletions deps/v8/test/mjsunit/regress/regress-crbug-655004.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo(a) {
a.x = 0;
if (a.x === 0) a[1] = 0.1;
a.x = {};
}
foo(new Array(1));
foo(new Array(1));
%OptimizeFunctionOnNextCall(foo);
foo(new Array(1));
15 changes: 15 additions & 0 deletions deps/v8/test/mjsunit/regress/regress-crbug-656037.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo(a) {
return a.push(true);
}

var a = [];
assertEquals(1, foo(a));
assertEquals(2, foo(a));
%OptimizeFunctionOnNextCall(foo);
assertEquals(3, foo(a));

0 comments on commit 6bbdd66

Please sign in to comment.