Merge V8 5.2.361.47 DO NOT MERGE
https://chromium.googlesource.com/v8/v8/+/5.2.361.47
FPIIM-449
Change-Id: Ibec421b85a9b88cb3a432ada642e469fe7e78346
(cherry picked from commit bcf72ee8e3b26f1d0726869c7ddb3921c68b09a8)
diff --git a/src/x87/code-stubs-x87.cc b/src/x87/code-stubs-x87.cc
index 71adfd3..fdb97ee 100644
--- a/src/x87/code-stubs-x87.cc
+++ b/src/x87/code-stubs-x87.cc
@@ -62,12 +62,6 @@
}
-void ArrayNoArgumentConstructorStub::InitializeDescriptor(
- CodeStubDescriptor* descriptor) {
- InitializeArrayConstructorDescriptor(isolate(), descriptor, 0);
-}
-
-
void ArraySingleArgumentConstructorStub::InitializeDescriptor(
CodeStubDescriptor* descriptor) {
InitializeArrayConstructorDescriptor(isolate(), descriptor, 1);
@@ -80,11 +74,6 @@
}
-void InternalArrayNoArgumentConstructorStub::InitializeDescriptor(
- CodeStubDescriptor* descriptor) {
- InitializeInternalArrayConstructorDescriptor(isolate(), descriptor, 0);
-}
-
void FastArrayPushStub::InitializeDescriptor(CodeStubDescriptor* descriptor) {
Address deopt_handler = Runtime::FunctionForId(Runtime::kArrayPush)->entry;
descriptor->Initialize(eax, deopt_handler, -1, JS_FUNCTION_STUB_MODE);
@@ -1781,129 +1770,6 @@
}
-void InstanceOfStub::Generate(MacroAssembler* masm) {
- Register const object = edx; // Object (lhs).
- Register const function = eax; // Function (rhs).
- Register const object_map = ecx; // Map of {object}.
- Register const function_map = ebx; // Map of {function}.
- Register const function_prototype = function_map; // Prototype of {function}.
- Register const scratch = edi;
-
- DCHECK(object.is(InstanceOfDescriptor::LeftRegister()));
- DCHECK(function.is(InstanceOfDescriptor::RightRegister()));
-
- // Check if {object} is a smi.
- Label object_is_smi;
- __ JumpIfSmi(object, &object_is_smi, Label::kNear);
-
- // Lookup the {function} and the {object} map in the global instanceof cache.
- // Note: This is safe because we clear the global instanceof cache whenever
- // we change the prototype of any object.
- Label fast_case, slow_case;
- __ mov(object_map, FieldOperand(object, HeapObject::kMapOffset));
- __ CompareRoot(function, scratch, Heap::kInstanceofCacheFunctionRootIndex);
- __ j(not_equal, &fast_case, Label::kNear);
- __ CompareRoot(object_map, scratch, Heap::kInstanceofCacheMapRootIndex);
- __ j(not_equal, &fast_case, Label::kNear);
- __ LoadRoot(eax, Heap::kInstanceofCacheAnswerRootIndex);
- __ ret(0);
-
- // If {object} is a smi we can safely return false if {function} is a JS
- // function, otherwise we have to miss to the runtime and throw an exception.
- __ bind(&object_is_smi);
- __ JumpIfSmi(function, &slow_case);
- __ CmpObjectType(function, JS_FUNCTION_TYPE, function_map);
- __ j(not_equal, &slow_case);
- __ LoadRoot(eax, Heap::kFalseValueRootIndex);
- __ ret(0);
-
- // Fast-case: The {function} must be a valid JSFunction.
- __ bind(&fast_case);
- __ JumpIfSmi(function, &slow_case);
- __ CmpObjectType(function, JS_FUNCTION_TYPE, function_map);
- __ j(not_equal, &slow_case);
-
- // Go to the runtime if the function is not a constructor.
- __ test_b(FieldOperand(function_map, Map::kBitFieldOffset),
- Immediate(1 << Map::kIsConstructor));
- __ j(zero, &slow_case);
-
- // Ensure that {function} has an instance prototype.
- __ test_b(FieldOperand(function_map, Map::kBitFieldOffset),
- Immediate(1 << Map::kHasNonInstancePrototype));
- __ j(not_zero, &slow_case);
-
- // Get the "prototype" (or initial map) of the {function}.
- __ mov(function_prototype,
- FieldOperand(function, JSFunction::kPrototypeOrInitialMapOffset));
- __ AssertNotSmi(function_prototype);
-
- // Resolve the prototype if the {function} has an initial map. Afterwards the
- // {function_prototype} will be either the JSReceiver prototype object or the
- // hole value, which means that no instances of the {function} were created so
- // far and hence we should return false.
- Label function_prototype_valid;
- Register const function_prototype_map = scratch;
- __ CmpObjectType(function_prototype, MAP_TYPE, function_prototype_map);
- __ j(not_equal, &function_prototype_valid, Label::kNear);
- __ mov(function_prototype,
- FieldOperand(function_prototype, Map::kPrototypeOffset));
- __ bind(&function_prototype_valid);
- __ AssertNotSmi(function_prototype);
-
- // Update the global instanceof cache with the current {object} map and
- // {function}. The cached answer will be set when it is known below.
- __ StoreRoot(function, scratch, Heap::kInstanceofCacheFunctionRootIndex);
- __ StoreRoot(object_map, scratch, Heap::kInstanceofCacheMapRootIndex);
-
- // Loop through the prototype chain looking for the {function} prototype.
- // Assume true, and change to false if not found.
- Label done, loop, fast_runtime_fallback;
- __ mov(eax, isolate()->factory()->true_value());
- __ bind(&loop);
-
- // Check if the object needs to be access checked.
- __ test_b(FieldOperand(object_map, Map::kBitFieldOffset),
- Immediate(1 << Map::kIsAccessCheckNeeded));
- __ j(not_zero, &fast_runtime_fallback, Label::kNear);
- // Check if the current object is a Proxy.
- __ CmpInstanceType(object_map, JS_PROXY_TYPE);
- __ j(equal, &fast_runtime_fallback, Label::kNear);
-
- __ mov(object, FieldOperand(object_map, Map::kPrototypeOffset));
- __ cmp(object, function_prototype);
- __ j(equal, &done, Label::kNear);
- __ mov(object_map, FieldOperand(object, HeapObject::kMapOffset));
- __ cmp(object, isolate()->factory()->null_value());
- __ j(not_equal, &loop);
- __ mov(eax, isolate()->factory()->false_value());
-
- __ bind(&done);
- __ StoreRoot(eax, scratch, Heap::kInstanceofCacheAnswerRootIndex);
- __ ret(0);
-
- // Found Proxy or access check needed: Call the runtime.
- __ bind(&fast_runtime_fallback);
- __ PopReturnAddressTo(scratch);
- __ Push(object);
- __ Push(function_prototype);
- __ PushReturnAddressFrom(scratch);
- // Invalidate the instanceof cache.
- __ Move(eax, Immediate(Smi::FromInt(0)));
- __ StoreRoot(eax, scratch, Heap::kInstanceofCacheFunctionRootIndex);
- __ TailCallRuntime(Runtime::kHasInPrototypeChain);
-
- // Slow-case: Call the %InstanceOf runtime function.
- __ bind(&slow_case);
- __ PopReturnAddressTo(scratch);
- __ Push(object);
- __ Push(function);
- __ PushReturnAddressFrom(scratch);
- __ TailCallRuntime(is_es6_instanceof() ? Runtime::kOrdinaryHasInstance
- : Runtime::kInstanceOf);
-}
-
-
// -------------------------------------------------------------------------
// StringCharCodeAtGenerator
@@ -3534,8 +3400,8 @@
__ j(not_equal, &miss);
__ push(slot);
__ push(vector);
- Code::Flags code_flags = Code::RemoveTypeAndHolderFromFlags(
- Code::ComputeHandlerFlags(Code::LOAD_IC));
+ Code::Flags code_flags =
+ Code::RemoveHolderFromFlags(Code::ComputeHandlerFlags(Code::LOAD_IC));
masm->isolate()->stub_cache()->GenerateProbe(masm, Code::LOAD_IC, code_flags,
receiver, name, vector, scratch);
__ pop(vector);
@@ -3795,8 +3661,8 @@
__ pop(value);
__ push(slot);
__ push(vector);
- Code::Flags code_flags = Code::RemoveTypeAndHolderFromFlags(
- Code::ComputeHandlerFlags(Code::STORE_IC));
+ Code::Flags code_flags =
+ Code::RemoveHolderFromFlags(Code::ComputeHandlerFlags(Code::STORE_IC));
masm->isolate()->stub_cache()->GenerateProbe(masm, Code::STORE_IC, code_flags,
receiver, key, slot, no_reg);
__ pop(vector);
@@ -4386,16 +4252,16 @@
__ bind(&done_allocate);
// Initialize the JSObject fields.
- __ mov(Operand(eax, JSObject::kMapOffset), ecx);
- __ mov(Operand(eax, JSObject::kPropertiesOffset),
+ __ mov(FieldOperand(eax, JSObject::kMapOffset), ecx);
+ __ mov(FieldOperand(eax, JSObject::kPropertiesOffset),
masm->isolate()->factory()->empty_fixed_array());
- __ mov(Operand(eax, JSObject::kElementsOffset),
+ __ mov(FieldOperand(eax, JSObject::kElementsOffset),
masm->isolate()->factory()->empty_fixed_array());
STATIC_ASSERT(JSObject::kHeaderSize == 3 * kPointerSize);
- __ lea(ebx, Operand(eax, JSObject::kHeaderSize));
+ __ lea(ebx, FieldOperand(eax, JSObject::kHeaderSize));
// ----------- S t a t e -------------
- // -- eax : result (untagged)
+ // -- eax : result (tagged)
// -- ebx : result fields (untagged)
// -- edi : result end (untagged)
// -- ecx : initial map
@@ -4413,10 +4279,6 @@
// Initialize all in-object fields with undefined.
__ LoadRoot(edx, Heap::kUndefinedValueRootIndex);
__ InitializeFieldsWithFiller(ebx, edi, edx);
-
- // Add the object tag to make the JSObject real.
- STATIC_ASSERT(kHeapObjectTag == 1);
- __ inc(eax);
__ Ret();
}
__ bind(&slack_tracking);
@@ -4439,10 +4301,6 @@
__ LoadRoot(edi, Heap::kOnePointerFillerMapRootIndex);
__ InitializeFieldsWithFiller(ebx, edx, edi);
- // Add the object tag to make the JSObject real.
- STATIC_ASSERT(kHeapObjectTag == 1);
- __ inc(eax);
-
// Check if we can finalize the instance size.
Label finalize;
STATIC_ASSERT(Map::kSlackTrackingCounterEnd == 1);
@@ -4473,10 +4331,10 @@
__ CallRuntime(Runtime::kAllocateInNewSpace);
__ Pop(ecx);
}
- STATIC_ASSERT(kHeapObjectTag == 1);
- __ dec(eax);
__ movzx_b(ebx, FieldOperand(ecx, Map::kInstanceSizeOffset));
__ lea(edi, Operand(eax, ebx, times_pointer_size, 0));
+ STATIC_ASSERT(kHeapObjectTag == 1);
+ __ dec(edi);
__ jmp(&done_allocate);
// Fall back to %NewObject.
@@ -4497,19 +4355,19 @@
// -----------------------------------
__ AssertFunction(edi);
- // For Ignition we need to skip all possible handler/stub frames until
- // we reach the JavaScript frame for the function (similar to what the
- // runtime fallback implementation does). So make edx point to that
- // JavaScript frame.
- {
- Label loop, loop_entry;
- __ mov(edx, ebp);
- __ jmp(&loop_entry, Label::kNear);
- __ bind(&loop);
+ // Make edx point to the JavaScript frame.
+ __ mov(edx, ebp);
+ if (skip_stub_frame()) {
+ // For Ignition we need to skip the handler/stub frame to reach the
+ // JavaScript frame for the function.
__ mov(edx, Operand(edx, StandardFrameConstants::kCallerFPOffset));
- __ bind(&loop_entry);
+ }
+ if (FLAG_debug_code) {
+ Label ok;
__ cmp(edi, Operand(edx, StandardFrameConstants::kFunctionOffset));
- __ j(not_equal, &loop);
+ __ j(equal, &ok);
+ __ Abort(kInvalidFrameForFastNewRestArgumentsStub);
+ __ bind(&ok);
}
// Check if we have rest parameters (only possible if we have an
@@ -4539,7 +4397,7 @@
// Allocate an empty rest parameter array.
Label allocate, done_allocate;
- __ Allocate(JSArray::kSize, eax, edx, ecx, &allocate, TAG_OBJECT);
+ __ Allocate(JSArray::kSize, eax, edx, ecx, &allocate, NO_ALLOCATION_FLAGS);
__ bind(&done_allocate);
// Setup the rest parameter array in rax.
@@ -4581,7 +4439,7 @@
Label allocate, done_allocate;
__ lea(ecx, Operand(eax, times_half_pointer_size,
JSArray::kSize + FixedArray::kHeaderSize));
- __ Allocate(ecx, edx, edi, no_reg, &allocate, TAG_OBJECT);
+ __ Allocate(ecx, edx, edi, no_reg, &allocate, NO_ALLOCATION_FLAGS);
__ bind(&done_allocate);
// Setup the elements array in edx.
@@ -4643,35 +4501,50 @@
// -----------------------------------
__ AssertFunction(edi);
+ // Make ecx point to the JavaScript frame.
+ __ mov(ecx, ebp);
+ if (skip_stub_frame()) {
+ // For Ignition we need to skip the handler/stub frame to reach the
+ // JavaScript frame for the function.
+ __ mov(ecx, Operand(ecx, StandardFrameConstants::kCallerFPOffset));
+ }
+ if (FLAG_debug_code) {
+ Label ok;
+ __ cmp(edi, Operand(ecx, StandardFrameConstants::kFunctionOffset));
+ __ j(equal, &ok);
+ __ Abort(kInvalidFrameForFastNewSloppyArgumentsStub);
+ __ bind(&ok);
+ }
+
// TODO(bmeurer): Cleanup to match the FastNewStrictArgumentsStub.
- __ mov(ecx, FieldOperand(edi, JSFunction::kSharedFunctionInfoOffset));
- __ mov(ecx,
- FieldOperand(ecx, SharedFunctionInfo::kFormalParameterCountOffset));
- __ lea(edx, Operand(ebp, ecx, times_half_pointer_size,
+ __ mov(ebx, FieldOperand(edi, JSFunction::kSharedFunctionInfoOffset));
+ __ mov(ebx,
+ FieldOperand(ebx, SharedFunctionInfo::kFormalParameterCountOffset));
+ __ lea(edx, Operand(ecx, ebx, times_half_pointer_size,
StandardFrameConstants::kCallerSPOffset));
- // ecx : number of parameters (tagged)
+ // ebx : number of parameters (tagged)
// edx : parameters pointer
// edi : function
+ // ecx : JavaScript frame pointer.
// esp[0] : return address
// Check if the calling frame is an arguments adaptor frame.
Label adaptor_frame, try_allocate, runtime;
- __ mov(ebx, Operand(ebp, StandardFrameConstants::kCallerFPOffset));
- __ mov(eax, Operand(ebx, CommonFrameConstants::kContextOrFrameTypeOffset));
+ __ mov(eax, Operand(ecx, StandardFrameConstants::kCallerFPOffset));
+ __ mov(eax, Operand(eax, CommonFrameConstants::kContextOrFrameTypeOffset));
__ cmp(eax, Immediate(Smi::FromInt(StackFrame::ARGUMENTS_ADAPTOR)));
__ j(equal, &adaptor_frame, Label::kNear);
// No adaptor, parameter count = argument count.
- __ mov(ebx, ecx);
- __ push(ecx);
+ __ mov(ecx, ebx);
+ __ push(ebx);
__ jmp(&try_allocate, Label::kNear);
// We have an adaptor frame. Patch the parameters pointer.
__ bind(&adaptor_frame);
- __ mov(ebx, ecx);
- __ push(ecx);
- __ mov(edx, Operand(ebp, StandardFrameConstants::kCallerFPOffset));
+ __ push(ebx);
+ __ mov(edx, Operand(ecx, StandardFrameConstants::kCallerFPOffset));
__ mov(ecx, Operand(edx, ArgumentsAdaptorFrameConstants::kLengthOffset));
__ lea(edx,
Operand(edx, ecx, times_2, StandardFrameConstants::kCallerSPOffset));
@@ -4705,7 +4578,7 @@
__ add(ebx, Immediate(JSSloppyArgumentsObject::kSize));
// Do the allocation of all three objects in one go.
- __ Allocate(ebx, eax, edi, no_reg, &runtime, TAG_OBJECT);
+ __ Allocate(ebx, eax, edi, no_reg, &runtime, NO_ALLOCATION_FLAGS);
// eax = address of new object(s) (tagged)
// ecx = argument count (smi-tagged)
@@ -4883,19 +4756,19 @@
// -----------------------------------
__ AssertFunction(edi);
- // For Ignition we need to skip all possible handler/stub frames until
- // we reach the JavaScript frame for the function (similar to what the
- // runtime fallback implementation does). So make edx point to that
- // JavaScript frame.
- {
- Label loop, loop_entry;
- __ mov(edx, ebp);
- __ jmp(&loop_entry, Label::kNear);
- __ bind(&loop);
+ // Make edx point to the JavaScript frame.
+ __ mov(edx, ebp);
+ if (skip_stub_frame()) {
+ // For Ignition we need to skip the handler/stub frame to reach the
+ // JavaScript frame for the function.
__ mov(edx, Operand(edx, StandardFrameConstants::kCallerFPOffset));
- __ bind(&loop_entry);
+ }
+ if (FLAG_debug_code) {
+ Label ok;
__ cmp(edi, Operand(edx, StandardFrameConstants::kFunctionOffset));
- __ j(not_equal, &loop);
+ __ j(equal, &ok);
+ __ Abort(kInvalidFrameForFastNewStrictArgumentsStub);
+ __ bind(&ok);
}
// Check if we have an arguments adaptor frame below the function frame.
@@ -4934,7 +4807,7 @@
__ lea(ecx,
Operand(eax, times_half_pointer_size,
JSStrictArgumentsObject::kSize + FixedArray::kHeaderSize));
- __ Allocate(ecx, edx, edi, no_reg, &allocate, TAG_OBJECT);
+ __ Allocate(ecx, edx, edi, no_reg, &allocate, NO_ALLOCATION_FLAGS);
__ bind(&done_allocate);
// Setup the elements array in edx.
@@ -5354,9 +5227,14 @@
STATIC_ASSERT(FCA::kReturnValueDefaultValueIndex == 2);
STATIC_ASSERT(FCA::kIsolateIndex == 1);
STATIC_ASSERT(FCA::kHolderIndex == 0);
- STATIC_ASSERT(FCA::kArgsLength == 7);
+ STATIC_ASSERT(FCA::kNewTargetIndex == 7);
+ STATIC_ASSERT(FCA::kArgsLength == 8);
__ pop(return_address);
+
+ // new target
+ __ PushRoot(Heap::kUndefinedValueRootIndex);
+
// context save.
__ push(context);
@@ -5401,7 +5279,7 @@
// Allocate the v8::Arguments structure in the arguments' space since
// it's not controlled by GC.
- const int kApiStackSpace = 4;
+ const int kApiStackSpace = 3;
PrepareCallApiFunction(masm, kApiArgc + kApiStackSpace);
@@ -5412,8 +5290,6 @@
__ mov(ApiParameterOperand(3), scratch);
// FunctionCallbackInfo::length_.
__ Move(ApiParameterOperand(4), Immediate(argc()));
- // FunctionCallbackInfo::is_construct_call_.
- __ Move(ApiParameterOperand(5), Immediate(0));
// v8::InvocationCallback's argument.
__ lea(scratch, ApiParameterOperand(2));
@@ -5433,8 +5309,8 @@
}
Operand return_value_operand(ebp, return_value_offset * kPointerSize);
int stack_space = 0;
- Operand is_construct_call_operand = ApiParameterOperand(5);
- Operand* stack_space_operand = &is_construct_call_operand;
+ Operand length_operand = ApiParameterOperand(4);
+ Operand* stack_space_operand = &length_operand;
stack_space = argc() + FCA::kArgsLength + 1;
stack_space_operand = nullptr;
CallApiFunctionAndReturn(masm, api_function_address, thunk_ref,
@@ -5445,14 +5321,34 @@
void CallApiGetterStub::Generate(MacroAssembler* masm) {
- // ----------- S t a t e -------------
- // -- esp[0] : return address
- // -- esp[4] : name
- // -- esp[8 .. (8 + kArgsLength*4)] : v8::PropertyCallbackInfo::args_
- // -- ...
- // -- edx : api_function_address
- // -----------------------------------
- DCHECK(edx.is(ApiGetterDescriptor::function_address()));
+ // Build v8::PropertyCallbackInfo::args_ array on the stack and push property
+ // name below the exit frame to make GC aware of them.
+ STATIC_ASSERT(PropertyCallbackArguments::kShouldThrowOnErrorIndex == 0);
+ STATIC_ASSERT(PropertyCallbackArguments::kHolderIndex == 1);
+ STATIC_ASSERT(PropertyCallbackArguments::kIsolateIndex == 2);
+ STATIC_ASSERT(PropertyCallbackArguments::kReturnValueDefaultValueIndex == 3);
+ STATIC_ASSERT(PropertyCallbackArguments::kReturnValueOffset == 4);
+ STATIC_ASSERT(PropertyCallbackArguments::kDataIndex == 5);
+ STATIC_ASSERT(PropertyCallbackArguments::kThisIndex == 6);
+ STATIC_ASSERT(PropertyCallbackArguments::kArgsLength == 7);
+
+ Register receiver = ApiGetterDescriptor::ReceiverRegister();
+ Register holder = ApiGetterDescriptor::HolderRegister();
+ Register callback = ApiGetterDescriptor::CallbackRegister();
+ Register scratch = ebx;
+ DCHECK(!AreAliased(receiver, holder, callback, scratch));
+
+ __ pop(scratch); // Pop return address to extend the frame.
+ __ push(receiver);
+ __ push(FieldOperand(callback, AccessorInfo::kDataOffset));
+ __ PushRoot(Heap::kUndefinedValueRootIndex); // ReturnValue
+ // ReturnValue default value
+ __ PushRoot(Heap::kUndefinedValueRootIndex);
+ __ push(Immediate(ExternalReference::isolate_address(isolate())));
+ __ push(holder);
+ __ push(Immediate(Smi::FromInt(0))); // should_throw_on_error -> false
+ __ push(FieldOperand(callback, AccessorInfo::kNameOffset));
+ __ push(scratch); // Restore return address.
// v8::PropertyCallbackInfo::args_ array and name handle.
const int kStackUnwindSpace = PropertyCallbackArguments::kArgsLength + 1;
@@ -5462,9 +5358,6 @@
// active) in non-GCed stack space.
const int kApiArgc = 3 + 1;
- Register api_function_address = edx;
- Register scratch = ebx;
-
// Load address of v8::PropertyAccessorInfo::args_ array.
__ lea(scratch, Operand(esp, 2 * kPointerSize));
@@ -5474,25 +5367,30 @@
Operand info_object = ApiParameterOperand(3);
__ mov(info_object, scratch);
+ // Name as handle.
__ sub(scratch, Immediate(kPointerSize));
- __ mov(ApiParameterOperand(0), scratch); // name.
+ __ mov(ApiParameterOperand(0), scratch);
+ // Arguments pointer.
__ lea(scratch, info_object);
- __ mov(ApiParameterOperand(1), scratch); // arguments pointer.
+ __ mov(ApiParameterOperand(1), scratch);
// Reserve space for optional callback address parameter.
Operand thunk_last_arg = ApiParameterOperand(2);
ExternalReference thunk_ref =
ExternalReference::invoke_accessor_getter_callback(isolate());
+ __ mov(scratch, FieldOperand(callback, AccessorInfo::kJsGetterOffset));
+ Register function_address = edx;
+ __ mov(function_address,
+ FieldOperand(scratch, Foreign::kForeignAddressOffset));
// +3 is to skip prolog, return address and name handle.
Operand return_value_operand(
ebp, (PropertyCallbackArguments::kReturnValueOffset + 3) * kPointerSize);
- CallApiFunctionAndReturn(masm, api_function_address, thunk_ref,
- thunk_last_arg, kStackUnwindSpace, nullptr,
- return_value_operand, NULL);
+ CallApiFunctionAndReturn(masm, function_address, thunk_ref, thunk_last_arg,
+ kStackUnwindSpace, nullptr, return_value_operand,
+ NULL);
}
-
#undef __
} // namespace internal