Merge Master to Linux #1370
Merged
to instantiate the destination array. Addresses CVE-2016-3214.
…week, this is the case where we have a dominating initialization that nevertheless doesn't write to the variable's register, but a later delay-captured reference does write to the register. Conservatively emitting undef-init now; delay capture needs to be revisited in the wake of the stable closures change.
Dictionary type is not shareable with the current design and hence cannot be cached on the javascript library. We can change this design if there is a compelling reason in the future. For now, creating the dictionary type every time still works better than what we had before.
…ptimization Merge pull request chakra-core#1322 from satheeshravi:StrictMode_BugFix Dictionary type is not shareable with the current design and hence cannot be cached on the javascript library. We can change this design if there is a compelling reason in the future. For now, creating the dictionary type every time still works better than what we had before.
Fix the original bug where we should be calling array fast path if there is a single argument to `Array` ctor which is constant. After the bug fix, we were setting `FunctionBodyWeakRef` twice for array initializing. First time in fast-path and next time from helper path. Updated to not go through the 2nd code path.
Merge pull request chakra-core#1304 from kunalspathak:arrayfastpath Generate FastPath for `Array` ctor if it has a single argument which is a constant between 0 and 8 (inclusive). Tests: In Progress. Benchmarks: See ~1.96% in Octane's Richards. Others, no change. Fixes: chakra-core#1271
This change does the following :
- Eliminates stack probe for leaf functions with small stack footprint
- Eliminates arg saves on stack for a leaf function with no arg usage
- Eliminate redundant null store on stack

-----------------------------------------------------------------------------
Empty function before :
-----------------------------------------------------------------------------
Function empty ( (chakra-core#1.1), chakra-core#2) Instr Count:38
    FunctionEntry
    (rax).i64 = MOV 0xXXXXXXXX (&StackLimit).u64
    (rax).i64 = MOV [(rax).i64].i64
    (rax).i64 = ADD (rax).i64, 0x000000001BD0.u64
    JO $L4
    CMP (rsp).i64, (rax).i64
    JLE $L4
    NOP 4 (0x4).i8
    NOP 2 (0x2).i8
    arg5(s8)<32>.i64 = MOV (r9).i64
    arg4(s7)<24>.i64 = MOV (r8).i64
    arg3(s6)<16>.i64 = MOV (rdx).i64
    arg2(s5)<8>.i64 = MOV (rcx).i64
    PrologStart
    PUSH (rbp).i64
    (rbp).i64 = MOV (rsp).i64
    (rsp).i64 = SUB (rsp).i64, 64 (0x40).i32
    PrologEnd
    (rax).u32 = XOR (rax).u32, (rax).u32
    s4<-8>.i64 = MOV (rax).i64
    s3(rax).u64 = MOV 0xXXXXXXXX (&CallCount).u64
    CMP [s3(rax).u64].u8, 255 (0xFF).u8
    JEQ $L3
    [s3(rax).u64].u8 = INC [s3(rax).u64].u8
$L3:
    s0(rax)[Undefined].var = MOV 0xXXXXXXXX (undefined)[Undefined].var
    Line 7: }
    Col 1:  ^
    StatementBoundary #0
    StatementBoundary #-1
    (rsp).i64 = MOV (rbp).i64
    (rbp).i64 = POP
    RET 0 (0x0).i32, (rax).i64
    FunctionExit
$L4: [helper]
    (rdx).i64 = MOV 0xXXXXXXXX (ScriptContext).u64
    (rcx).i64 = MOV 0x000000001BD0.u64
    (rax).i64 = MOV ProbeCurrentStack.u64
    JMP (rax).i64
    StatementBoundary #-
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
Empty function after :
-----------------------------------------------------------------------------
Function empty ( (chakra-core#1.1), chakra-core#2) Instr Count:18
    FunctionEntry
    PrologStart
    PUSH (rbp).i64
    (rbp).i64 = MOV (rsp).i64
    (rsp).i64 = SUB (rsp).i64, 32 (0x20).i32
    PrologEnd
    s3(rax).u64 = MOV 0xXXXXXXXX (&CallCount).u64
    CMP [s3(rax).u64].u8, 255 (0xFF).u8
    JEQ $L3
    [s3(rax).u64].u8 = INC [s3(rax).u64].u8
$L3:
    s0(rax)[Undefined].var = MOV 0xXXXXXXXX (undefined)[Undefined].var
    Line 7: }
    Col 1:  ^
    StatementBoundary #0
    StatementBoundary #-1
    (rsp).i64 = MOV (rbp).i64
    (rbp).i64 = POP
    RET 0 (0x0).i32, (rax).i64
    FunctionExit
-----------------------------------------------------------------------------
…d functions Merge pull request chakra-core#1239 from meg-gupta:emptyfncleanup This change does the following : - Eliminates call count profile when there is no bailout - Eliminates stack probe for leaf functions with small stack footprint - Eliminates arg saves on stack for a leaf function with no arg usage
Enable es6toprimitive under experimental flag. Update following areas to be spec-compliant: ToPrimitive (abstract operation) Date.prototype[@@toprimitive]() Symbol.prototype[@@toprimitive]() Update unit tests with coverage on: ToNumber (abstract operation) ToString (abstract operation) ToPropertyKey (abstract operation) Abstract relational comparison (abstract operation) Abstract equality comparison (abstract operation) + operator Date() constructor Date.prototype.toJSON()
Merge pull request chakra-core#1319 from suwc:build/suwc/buddy Enable es6toprimitive under experimental flag. Update following areas to be spec-compliant: ToPrimitive (abstract operation) Date.prototype[@@toprimitive]() Symbol.prototype[@@toprimitive]() Update unit tests with coverage on: ToNumber (abstract operation) ToString (abstract operation) ToPropertyKey (abstract operation) Abstract relational comparison (abstract operation) Abstract equality comparison (abstract operation) "+" operator Date() constructor Date.prototype.toJSON()
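As an added example that is not part of this page or of ChakraCore, the following JavaScript models the ES2015 ToPrimitive abstract operation that the commit above makes spec-compliant, together with the OrdinaryToPrimitive fallback and the way the "+" operator invokes it; the helper names isObject, ordinaryToPrimitive, toPrimitive and addOperator are mine, and the host engine's own Date.prototype[@@toPrimitive] is used only to cross-check the model.

```javascript
// Added example (not ChakraCore code): a model of ES2015 ToPrimitive / OrdinaryToPrimitive
// and of how the "+" operator applies them. Helper names are mine, not the engine's.

function isObject(v) {
  return (typeof v === "object" && v !== null) || typeof v === "function";
}

// OrdinaryToPrimitive(O, hint): hint is "string" or "number" and fixes the order in
// which valueOf/toString are tried; the first call that returns a primitive wins.
function ordinaryToPrimitive(O, hint) {
  const order = hint === "string" ? ["toString", "valueOf"] : ["valueOf", "toString"];
  for (const name of order) {
    const method = O[name];
    if (typeof method === "function") {
      const result = method.call(O);
      if (!isObject(result)) return result;
    }
  }
  throw new TypeError("Cannot convert object to primitive value");
}

// ToPrimitive(input, PreferredType): the @@toPrimitive method, when present, receives the
// hint "default", "string" or "number" and must return a primitive; when absent, the
// ordinary path is used with "default" treated as "number".
function toPrimitive(input, preferredType) {
  if (!isObject(input)) return input;
  const hint = preferredType === undefined ? "default" : preferredType;
  const exoticToPrim = input[Symbol.toPrimitive];
  if (exoticToPrim !== undefined && exoticToPrim !== null) {
    if (typeof exoticToPrim !== "function") throw new TypeError("@@toPrimitive is not callable");
    const result = exoticToPrim.call(input, hint);
    if (!isObject(result)) return result;
    throw new TypeError("@@toPrimitive returned an object");
  }
  return ordinaryToPrimitive(input, hint === "default" ? "number" : hint);
}

// The "+" operator: ToPrimitive with no hint on both operands, then string concatenation
// if either primitive is a string, numeric addition otherwise.
function addOperator(a, b) {
  const lprim = toPrimitive(a), rprim = toPrimitive(b);
  if (typeof lprim === "string" || typeof rprim === "string") return String(lprim) + String(rprim);
  return Number(lprim) + Number(rprim);
}

// Date.prototype[@@toPrimitive] maps the "default" hint to "string", so Date + "" gives
// toString() rather than the time value; the model must agree with the host engine here.
const epoch = new Date(0);
const dateMatchesEngine = addOperator(epoch, "") === epoch + "" && toPrimitive(epoch, "number") === 0;
```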
Fixes chakra-core#1340 and is the result of tc39/ecma262#614
Our current implementation of @@toStringTag is based on an old spec revision from 2015. This change updates the implementation to conform to the current spec. The current behavior for handling legacy and toStringTag feature switching is fragile, and I decided to leave the majority of it in and rename ToStringTagHelper to ToStringTagHelperOld. The legacy code relies on the helper, and will call it even when the @@toStringTag feature is disabled. Other changes of note: - Slightly tweaked the ordering of ToStringHelper so we can take advantage of the existing HostDispatch and TypedArray Debugger handling behavior while still retaining legacy codepaths. - TypedArray toString handler spec update is also guarded by a flag. - Overhauled the tests for @@toStringTag, adding a lot more type coverage. When the feature is turned on by default, we can remove the legacy codepaths for simplicity.
…a syntax error in strict mode Merge pull request chakra-core#1343 from ianwjhalliday:fix1340 Fixes chakra-core#1340
… bailout Merge pull request chakra-core#1337 from ThomsonTan:Fix_IncBailOut When tracking symbols for capturing bailout values incrementally, the dest register for the current instruction might be ignored because the set of changed symbols is cleaned up at the end of OptInstr. The fix captures all the symbols changed after bailout value capture and restores them to the changed symbols set when finally attaching capture values to bailout.
…o box in a native frame
… in CRT which has an imprecision bug Merge pull request chakra-core#1350 from ThomsonTan:FixMathPow ::pow(double, int) causes significant imprecision for exponents which are not very small. This is fixed in Visual Studio 2015 update 2 but hasn't reached us. No side effect of avoiding calling it since we optimize integer exponents on our side.
… by default (since TH1). No point keeping all the if..else condition around.
…sion flag. Merge pull request chakra-core#1310 from akroshg:taflag This flag was turned on by default (since TH1). No point keeping all the if..else condition around.
…e closures change, and assigning local registers to captured vars (as delay-capture needs to do) is causing persistent functional issues. Blocking the assignment of registers in such cases by default to stop the flow of such issues altogether (and restoring the original simple related logic in DefineUserVars). The harder work of re-enabling delay-capture will follow.
Creates a function body to hold the module statements so var and block-scoped declarations don't leak into the root object. Previously, all modules were global code so declarations would leak between module code via the root object. This resolves two bugs: https://microsoft.visualstudio.com/web/wi.aspx?pcguid=cb55739e-4afe-46a3-970f-1b49d8ee7564&id=7657926 https://microsoft.visualstudio.com/web/wi.aspx?pcguid=cb55739e-4afe-46a3-970f-1b49d8ee7564&id=7717411
The module top-level function body should not be defer-parsed but any functions nested inside should be deferred as necessary. To support defer, we need to save and restore the info for export-storage symbols during scope info store and restore.
We can already initialize the values in these slots to undefined when we allocate the slots so an initialization in the preamble of the function doesn't gain us anything.
…rrors and root object pollution Merge pull request chakra-core#1292 from boingoing:modulerootfix Creates a function body to hold the module statements so var and block-scoped declarations don't leak into the root object. Previously, all modules were global code so declarations would leak between module code via the root object. This resolves two bugs: https://microsoft.visualstudio.com/web/wi.aspx?pcguid=cb55739e-4afe-46a3-970f-1b49d8ee7564&id=7657926 https://microsoft.visualstudio.com/web/wi.aspx?pcguid=cb55739e-4afe-46a3-970f-1b49d8ee7564&id=7717411
…ning whether we have an inlinee to box in a native frame Merge pull request chakra-core#1347 from rajatd:inlineeToBox
…s to delay-captured vars Merge pull request chakra-core#1349 from pleath:8085214 Delay-capture optimization has been effectively disabled by the stable closures change, and assigning local registers to captured vars (as delay-capture needs to do) is causing persistent functional issues. Blocking the assignment of registers in such cases by default to stop the flow of such issues altogether (and restoring the original simple related logic in DefineUserVars). The harder work of re-enabling delay-capture will follow.
…instead of being global code 1. Module export symbols do not get a register allocated and need to be exempted from debugger symbol tracking by register. This was previously working but broke after module export symbols moved to be non-global. 2. Some debug scenarios can cause the module body itself to be defer-parsed. Previous code assumed that could never happen.
…ng module code into a function body instead of being global code Merge pull request chakra-core#1357 from boingoing:modulefixglobaldeferparse 1. Module export symbols do not get a register allocated and need to be exempted from debugger symbol tracking by register. This was previously working but broke after module export symbols moved to be non-global. 2. Some debug scenarios can cause the module body itself to be defer-parsed. Previous code assumed that could never happen.
…: also treat a function expression as an IIFE if it has a name, provided it is preceded by a unary operator or parenthesis. The name consideration dates from legacy mode, in which a function expression's name could be referred to outside the function.
…eferenceInParentFunc field of the crashing FunctionBody in each case is pointing to the fake global FunctionBody shared by all deferred parses. I haven't been able to prove that this weirdness is responsible for the crashes, but it seems at the least like it's a good thing to fix.
…gible for IIFE heuristic Merge pull request chakra-core#1356 from pleath:iife Trivial change to our deferred-parsing heuristic for detecting IIFEs: also treat a function expression as an IIFE if it has a name, provided it is preceded by a unary operator or parenthesis. The name consideration dates from legacy mode, in which a function expression's name could be referred to outside the function.
…e result of getOwnPropertyDescriptors Merge pull request chakra-core#1345 from jordonwii:issue1342 Fixes chakra-core#1342 For the tests for this change, I adapted @ljharb's tests from the discussion he linked to in the issue and trimmed it down to test just this change.
…point to fake FunctionBody Merge pull request chakra-core#1355 from pleath:setnestedfunc I've observed while investigating a class of site issues that the m_referenceInParentFunc field of the crashing FunctionBody in each case is pointing to the fake global FunctionBody shared by all deferred parses. I haven't been able to prove that this weirdness is responsible for the crashes, but it seems at the least like it's a good thing to fix.
…na*. Merge pull request chakra-core#1366 from dilijev:arena-spell
This did not require any change in code. Merging it in.
chakrabot pushed a commit that referenced this pull request on Aug 2, 2016: Merge pull request #1370 from obastemur:master_to_linux