Use private symbols to mark default promise handler, instead of calling out to default
handlers defined in JS. We check for this symbol in PromiseHandle and perform the
appropriate behavior as the default handlers.
Catch prediction logic is updated to account for a symbol.
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2695593002
Cr-Commit-Position: refs/heads/master@{#43135}
Removes handles from bytecode generation, instead storing
un-internalized AstValues (and other, similar values such as Scopes and
AstRawStrings) in the constant array builder.
This will allow us in the future to generate the bytecode before
internalizing the AST.
BUG=v8:5832
Change-Id: I3b8be8f7329a484eb1e5d12808b001d3475239da
Reviewed-on: https://chromium-review.googlesource.com/439326
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43115}
Collecting precise invocation counts need to be explicitly
enabled. Once enabled, we disable optimization (optimized
code does not increment invocation count, and may inline
callees), and make sure feedback vectors interesting for
code coverage is not garbage-collected.
R=hpayer@chromium.org, jgruber@chromium.org
BUG=v8:5808
Review-Url: https://codereview.chromium.org/2686063002
Cr-Commit-Position: refs/heads/master@{#43082}
This CL includes runtime and IC parts of the tracking. It is controlled by
compile-time flag FLAG_constant_field_tracking and currently disabled.
Transition from kConst to kMutable still involves map deprecation.
BUG=v8:5495
Review-Url: https://codereview.chromium.org/2598543003
Cr-Commit-Position: refs/heads/master@{#43081}
Installing a feedback vector in a closure is a multi-step process.
The closure actually points to a Cell that points to a feedback
vector or undefined if we haven't created one yet.
This happens because we often create closures before we've compiled
the code.
JSFunction::EnsureLiterals is the bottleneck in our system that
creates a feedback vector if necessary. The predicates it used to
determine what to do were arcane. This CL allows it to think it
terms of state, and clarifies the reading of that useful
bottleneck.
I also did a few renamings in parts of the code that referred
to a "literals array," which we don't have any more.
BUG=
Review-Url: https://codereview.chromium.org/2681773004
Cr-Commit-Position: refs/heads/master@{#43035}
Now we can inline vector-based IC dispatchers to bytecode handlers.
BUG=v8:5917
Change-Id: Ie81750f252a730240097e514e69b348f410a48b7
Reviewed-on: https://chromium-review.googlesource.com/439265
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43028}
... and TypeFeedbackMetadata to FeedbackMetadata.
BUG=
Change-Id: I2556d1c2a8f37b8cf3d532cc98d973b6dc7e9e6c
Reviewed-on: https://chromium-review.googlesource.com/439244
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#42999}
- entries preview available even if debugger agent is disabled,
- less deprecated mirrors usage in debugger-script.js
- no usage of debugger context - zero probability of leaking it.
- better test coverage.
BUG=v8:5510
R=yangguo@chromium.org,jgruber@chromium.org,alph@chromium.org,luoe@chromium.org
Review-Url: https://codereview.chromium.org/2672213002
Cr-Commit-Position: refs/heads/master@{#42978}
This adapts the inlining logic to allow for inlining based solely on a
statically known underlying SharedFunctionInfo instead of a concrete
closure of the call target.
In cases where the closure is known, its bound context is constant
promoted just as before. In the new cases where only the SFI for an
entire class of closures is known, we use the dynamic SSA-value of the
bound context.
R=bmeurer@chromium.org
BUG=v8:2206
Review-Url: https://codereview.chromium.org/2626783003
Cr-Commit-Position: refs/heads/master@{#42968}
TypeFeedbackVectors are strongly rooted by a closure. However, in modern
JavaScript closures are created and abandoned more freely. An important
closure may not be present in the root-set at time of garbage collection,
even though we've cached optimized code and use it regularly. For
example, consider leaf functions in an event dispatching system. They may
well be "hot," but tragically non-present when we collect the heap.
Until now, we've relied on a weak root to cache the feedback vector in
this case. Since there is no way to signal intent or relative importance,
this weak root is as susceptible to clearing as any other weak root at
garbage collection time.
Meanwhile, the feedback vector has become more important. All of our
ICs store their data there. Literal and regex boilerplates are stored there.
If we lose the vector, then we not only lose optimized code built from
it, we also lose the very feedback which allowed us to create that optimized
code. Therefore it's vital to express that dependency through the root
set.
This CL does this by creating a strong link to a feedback
vector at the instantiation site of the function closure.
This instantiation site is in the code and feedback vector
of the outer closure.
BUG=v8:5456
Review-Url: https://codereview.chromium.org/2674593003
Cr-Commit-Position: refs/heads/master@{#42953}
We don't need Code::CALL_IC for anything now that the CallICStub is
migrated and no longer hooks into the traditional IC system.
R=yangguo@chromium.org
BUG=v8:5049
Review-Url: https://codereview.chromium.org/2669193002
Cr-Commit-Position: refs/heads/master@{#42890}
They have the same lifetime. It's a match!
Both structures are native context dependent and dealt with (creation,
clearing, gathering feedback) at the same time. By treating the spaces used
for literal boilerplates as feedback vector slots, we no longer have to keep
track of the materialized literal count elsewhere.
A follow-on CL removes even more parser infrastructure related to this count.
BUG=v8:5456
Review-Url: https://codereview.chromium.org/2655853010
Cr-Commit-Position: refs/heads/master@{#42771}
- kDebugPromiseCreated(task, parent_task)
This event occurs when promise is created (PromiseHookType::Init). V8Debugger uses this event to maintain task -> parent task map.
- kDebugEnqueueAsyncFunction(task)
This event occurs when first internal promise for async function is created. V8Debugger collects stack trace at this point.
- kDebugEnqueuePromiseResolve(task),
This event occurs when Promise fulfills with resolved status. V8Debugger collects stack trace at this point.
- kDebugEnqueuePromiseReject(task),
This event occurs when Promise fulfills with rejected status. V8Debugger collects stack trace at this point.
- kDebugPromiseCollected,
This event occurs when Promise is collected and no other chained callbacks can be added. V8Debugger removes information about async task for this promise.
- kDebugWillHandle,
This event occurs when chained promise function (either resolve or reject handler) is called. V8Debugger installs parent promise's stack (based on task -> parent_task map) as current if available or current promise's scheduled stack otherwise.
- kDebugDidHandle,
This event occurs after chained promise function has finished. V8Debugger restores asynchronous call chain to previous one.
With this change all instrumentation calls are related to current promise (before WillHandle and DidHandle were related to next async task).
Before V8Debugger supported only the following:
- asyncTaskScheduled(task1)
- asyncTaskStarted(task1)
- asyncTaskFinished(task1)
Now V8Debugger supports the following:
- asyncTaskScheduled(parent_task)
..
- asyncTaskCreated(task, parent_task),
- asyncTaskStarted(task), uses parent_task scheduled stack
- asyncTaskScheduled(task)
- asyncTaskFinished(task)
Additionally: WillHandle and DidHandle were migrated to PromiseHook API.
More details: https://docs.google.com/document/d/1u19N45f1gSF7M39mGsycJEK3IPyJgIXCBnWyiPeuJFE
BUG=v8:5738
R=dgozman@chromium.org,gsathya@chromium.org,yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2650803003
Cr-Commit-Position: refs/heads/master@{#42644}
V8 has internal mechanism to ignore steps and breaks inside internal scripts, in this CL it's reused for blackboxing implementation.
Advantages:
- much faster blackboxing implementation (before we at least wrap and collect current call stack for each step),
- get rid of StepFrame action and potential pause in blackboxed code after N StepFrame steps,
- simplification of debugger agent logic.
Disadvtanges:
- currently when user was paused in blackboxed code (e.g. on breakpoint) and then makes step action, debugger ignores blackboxed state of the script and allows to use step actions as usual - this behavior is regressed, we still able to support it on frontend side.
Current state and proposed changes for blackboxing: https://docs.google.com/document/d/1hnzaXPAN8_QC5ENxIgxgMNDbXLraM_OXT73rAyijTF8/edit?usp=sharing
BUG=v8:5842
R=yangguo@chromium.org,dgozman@chromium.org,alph@chromium.org
Review-Url: https://codereview.chromium.org/2633803002
Cr-Commit-Position: refs/heads/master@{#42614}
Manipulating the signaling NaN used for the hole and uninitialized double
field sentinel in C++, e.g. with bit_cast or HeapNumber::value()/set_value(),
will change its value on ia32 (the x87 stack is used to return values and
stores to the stack silently clear the signalling bit).
BUG=v8:5495
Review-Url: https://codereview.chromium.org/2652553003
Cr-Commit-Position: refs/heads/master@{#42609}
We are planning to add a few more debugger related bits, and are running
out of compiler hints bits. The new bit field is going to be part of the
debug info struct. If the debug info is not available, we store the bit
field in its place on the shared function info.
Review-Url: https://codereview.chromium.org/2649873002
Cr-Commit-Position: refs/heads/master@{#42594}
Convert strings to numbers if possible in the runtime call and store
in excluded property list.
BUG=v8:5549
Review-Url: https://codereview.chromium.org/2639333004
Cr-Commit-Position: refs/heads/master@{#42581}
Allocate space in the backing store for computed property names.
The property backing store was pre-allocated for the constant
properties up to the first non-constant (computed name) property.
To use lowering for storing data properties in literals
with computed property names effectively, a fast store is needed, i.e.,
available space in the property backing store for properties
with computed names.
backing_store_size is the number of all properties (including
computed names, but without __proto__)
that is calculated in the ast and passed to the runtime function that allocates
the property backing store. backing_store_size and
constant_properties constitute a BoilerplateDescription.
backing_store_size might be slightly too high because computed names
can evaluate to the same name, but that should be a rare
case so over-allocating is OK.
If a property is __proto__, we don't store it as a regular
property, because the map changes. Keep track of
has_seen_proto in the parser to calculate the
backing store size correctly.
BUG=v8:5625
Review-Url: https://codereview.chromium.org/2632503003
Cr-Commit-Position: refs/heads/master@{#42576}
Let the Typer assign proper types to Map, Set, WeakMap and WeakSet
builtins. Also assign a proper type to Array.isArray, Object.assign
and Object.create.
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2640783006
Cr-Commit-Position: refs/heads/master@{#42535}
Also update a call in cctest to check the result.
BUG=chromium:681843
Review-Url: https://codereview.chromium.org/2647573003
Cr-Commit-Position: refs/heads/master@{#42513}
Since the script origin is part of the key used in the compilation
cache, this ensures that the cache never confuses a module with a
non-module script.
BUG=v8:1569,v8:5685
Review-Url: https://codereview.chromium.org/2611643002
Cr-Commit-Position: refs/heads/master@{#42490}
A future linear version of the hash table will only need the element count and
deleted element count. Hence moving them to the beginning of the underlying
fixed array makes the transition easier.
BUG=v8:5717
Review-Url: https://codereview.chromium.org/2630373002
Cr-Commit-Position: refs/heads/master@{#42459}
This rewrites the rest property into a runtime call which sets up the
correct properties in the newly created object.
- Changes flag to --harmony-object-rest-spread
- Changes pattern rewriter to desugar rest property
- Adds new runtime function CopyDataPropertiesWithExcludedProperties
BUG=v8:5549
Review-Url: https://codereview.chromium.org/2620943002
Cr-Commit-Position: refs/heads/master@{#42430}
In the ideal case, this will speed up Object.create(null) by ~10x.
Drive-by-fix: Spread usage of new IsSpecialReceiverMap() and
IsSpecialReceiverInstanceType(InstanceType) helpers.
BUG=v8:5788
Review-Url: https://codereview.chromium.org/2622723003
Cr-Commit-Position: refs/heads/master@{#42336}
In the ideal case, this will speed up Object.create(null) by ~10x.
Drive-by-fix: Spread usage of new IsSpecialReceiverMap() and
IsSpecialReceiverInstanceType(InstanceType) helpers.
BUG=v8:5788
Review-Url: https://codereview.chromium.org/2622723003
Cr-Commit-Position: refs/heads/master@{#42321}
Before, in `var p1 = p.then(() => {}) we would trigger the
before/after callbacks with p as the associated promise, but we must
call it with p1.
Also removes promise from PromiseReactionJobInfo.
Review-Url: https://codereview.chromium.org/2633443002
Cr-Commit-Position: refs/heads/master@{#42295}
The constant field tracking implies data constants to be stored
in fields instead of descriptor arrays. This CL does necessary
modifications to the JSModuleNamespace map setup.
BUG=v8:1569, v8:5495
Review-Url: https://codereview.chromium.org/2625093005
Cr-Commit-Position: refs/heads/master@{#42294}
This is a necessary cleanup before introducing PropertyConstness bit.
BUG=v8:5495
Review-Url: https://codereview.chromium.org/2624903003
Cr-Commit-Position: refs/heads/master@{#42277}
Reason for revert:
Blocks roll, ASan detects leaking ExternalStrings.
Original issue's description:
> Internalize strings in-place (reland^2)
>
> using newly introduced ThinStrings, which store a pointer to the actual,
> internalized string they represent.
>
> BUG=v8:4520
>
> (Previously landed as #42168 / af51befe69)
> (Previously landed as #42193 / 4c699e349a)
>
> Review-Url: https://codereview.chromium.org/2549773002
> Cr-Commit-Position: refs/heads/master@{#42235}
> Committed: ec45e6ed2eTBR=ishell@chromium.org,hpayer@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4520
Review-Url: https://codereview.chromium.org/2626893005
Cr-Commit-Position: refs/heads/master@{#42271}
Literal arrays and feedback vectors for a function can be garbage
collected if we don't have a rooted closure for the function, which
happens often. It's expensive to come back from this (recreating
boilerplates and gathering feedback again), and the cost is
disproportionate if the function was inlined into optimized code.
To guard against losing these arrays when we need them, we'll now
create literal arrays when creating the feedback vector for the outer
closure, and root them strongly in that vector.
BUG=v8:5456
Review-Url: https://codereview.chromium.org/2620753003
Cr-Original-Commit-Position: refs/heads/master@{#42258}
Committed: 3188780410
Review-Url: https://codereview.chromium.org/2620753003
Cr-Commit-Position: refs/heads/master@{#42264}
Reason for revert:
gc stress:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/8105
also on mac
Original issue's description:
> [TypeFeedbackVector] Root literal arrays in function literals slots
>
> Literal arrays and feedback vectors for a function can be garbage
> collected if we don't have a rooted closure for the function, which
> happens often. It's expensive to come back from this (recreating
> boilerplates and gathering feedback again), and the cost is
> disproportionate if the function was inlined into optimized code.
>
> To guard against losing these arrays when we need them, we'll now
> create literal arrays when creating the feedback vector for the outer
> closure, and root them strongly in that vector.
>
> BUG=v8:5456
>
> Review-Url: https://codereview.chromium.org/2620753003
> Cr-Commit-Position: refs/heads/master@{#42258}
> Committed: 3188780410TBR=bmeurer@chromium.org,mstarzinger@chromium.org,yangguo@chromium.org,mvstanton@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5456
Review-Url: https://codereview.chromium.org/2626863004
Cr-Commit-Position: refs/heads/master@{#42260}
Literal arrays and feedback vectors for a function can be garbage
collected if we don't have a rooted closure for the function, which
happens often. It's expensive to come back from this (recreating
boilerplates and gathering feedback again), and the cost is
disproportionate if the function was inlined into optimized code.
To guard against losing these arrays when we need them, we'll now
create literal arrays when creating the feedback vector for the outer
closure, and root them strongly in that vector.
BUG=v8:5456
Review-Url: https://codereview.chromium.org/2620753003
Cr-Commit-Position: refs/heads/master@{#42258}
using newly introduced ThinStrings, which store a pointer to the actual,
internalized string they represent.
BUG=v8:4520
(Previously landed as #42168 / af51befe69)
(Previously landed as #42193 / 4c699e349a)
Review-Url: https://codereview.chromium.org/2549773002
Cr-Commit-Position: refs/heads/master@{#42235}
and rename WasmFrame to WasmCompiledFrame.
The WasmToInterpreterFrames are not used yet; this will follow in a
follow-up CL (see tracking bug for the overall picture).
Those frames will represent frames for WASM_TO_INTERPRETER stubs, which
call from wasm code to the wasm interpreter, implemented in C++.
They will support the Summarize method to inspect the stack frames in
the wasm interpreter.
R=yangguo@chromium.org, titzer@chromium.org
BUG=v8:5822
Review-Url: https://codereview.chromium.org/2623773004
Cr-Commit-Position: refs/heads/master@{#42213}
Reason for revert:
blocks roll, see: https://codereview.chromium.org/2628733002/
Debug mode runs into an Abort("External string expected, but not found").
Original issue's description:
> Internalize strings in-place (reland)
>
> using newly introduced ThinStrings, which store a pointer to the actual,
> internalized string they represent.
>
> BUG=v8:4520
>
> (Previously landed as #42168 / af51befe69.
>
> Review-Url: https://codereview.chromium.org/2549773002
> Cr-Commit-Position: refs/heads/master@{#42193}
> Committed: 4c699e349aTBR=ishell@chromium.org,hpayer@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4520
Review-Url: https://codereview.chromium.org/2625073002
Cr-Commit-Position: refs/heads/master@{#42212}
using newly introduced ThinStrings, which store a pointer to the actual,
internalized string they represent.
BUG=v8:4520
(Previously landed as #42168 / af51befe69.
Review-Url: https://codereview.chromium.org/2549773002
Cr-Commit-Position: refs/heads/master@{#42193}
Including a fix: object-macros.h needs to be the last include: otherwise
we'll have a problem when a file does this:
#include "object-macros.h"
#include "x.h" // x.h also includes object-macros.h
BUG=v8:5402
Review-Url: https://codereview.chromium.org/2623573003
Cr-Commit-Position: refs/heads/master@{#42187}
... including property reconfiguring, elements kind change and migration
of a map to an up-to-date non-deprecated version.
BUG=v8:5495
Review-Url: https://codereview.chromium.org/2601643002
Cr-Commit-Position: refs/heads/master@{#42177}
using newly introduced ThinStrings, which store a pointer to the actual,
internalized string they represent.
BUG=v8:4520
Review-Url: https://codereview.chromium.org/2549773002
Cr-Commit-Position: refs/heads/master@{#42168}
The pattern IsNull(isolate) || IsUndefined(isolate) is used in many places all
over the code base.
Review-Url: https://codereview.chromium.org/2601503002
Cr-Commit-Position: refs/heads/master@{#42138}
This patch adds parsing of spread object property.
-- Changes ParsePropertyName to parse Token::ELLIPSIS.
-- Throws if rest is encountered by setting a pattern error.
-- Adds a new PropertyKind enum (SPREAD)
-- Adds a new ObjectLiteralProperty::kind (SPREAD)
-- Adds a new harmony-object-spread flag and protects the parser code
with it.
-- Adds a new runtime function called CopyDataProperties
-- Does not add any support for this feature in fullcodegen.
-- Ignition calls out to a runtime function CopyDataProperties to
perform spread operation.
-- Move FastAssign from builtins-objects.cc to objects.cc
-- Refactor Builtin_ObjectAssign to use SetOrCopyDataProperties
Object rest will be implemented in a follow on patch.
BUG=v8:5549
Review-Url: https://codereview.chromium.org/2606833002
Cr-Commit-Position: refs/heads/master@{#42102}
-- Removes remaning debug from promise.js and moves it to c++
-- Changes debug_id to be a smi in PromiseReactionJobInfo and
PromiseResolveThenableJobInfo.
-- Changes debug_name to be a smi in PromiseReactionJobInfo and
PromiseResolveThenableJobInfo.
-- Adds PromiseDebugActionName and PromiseDebugActionType enums
-- Adds PromiseDebugActionNameToString and
PromiseDebugActionTypeToString helper methods
-- Changes variable `status` to be int in runtime functions.
-- Changes debug_id to start from 1, not 0 for easier bookkeeping.
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2606093002
Cr-Commit-Position: refs/heads/master@{#42052}
Migrate Date.prototype.valueOf and Date.prototype[ @@toPrimitive ]
to use the CodeStubAssembler, to avoid going through C++ always
when comparing or subtracting two dates.
R=epertoso@chromium.org
Review-Url: https://codereview.chromium.org/2608143003
Cr-Commit-Position: refs/heads/master@{#42030}
- Adds CodeAssembler::ConstructJS() to simplify calling JS functions as
constructors, used by NewPromiseCapability()
- Defines PromiseCapability as a special JSObject subclass, with a
non-exensible Map, and read-only non-configurable DataDescriptors which
point to its in-object fields. This allows its fields to be used by JS
builtins until there is no longer any need.
Currently, the performance benefit comes from
https://codereview.chromium.org/2567033003/, but does not appear to
regress performance in any significant way.
BUG=v8:5343
TBR=ulan@chromium.org
Review-Url: https://codereview.chromium.org/2567333002
Cr-Commit-Position: refs/heads/master@{#42014}
This patch stores the promise, resolve, reject properties of the
deferred object created by CreateInternalPromiseCapability and
NewPromiseCapability directly on the promise (if the promise hasn't
been fulfilled), otherwise they are stored on the
PromiseReactionJobInfo.
This patch removes the currently unused
CreateInternalPromiseCapability and inlines the call to create the
deferred promise object.
NewPromiseCapability is the only function that works with a deferred.
This patch results in a 8.5% improvement in benchmarks over 5 runs.
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2590563003
Cr-Commit-Position: refs/heads/master@{#41991}
In certain corner-cases we would grow a FAST_ELEMENTS packed backing store of a
JS_ARGUMENTS_TYPE object without converting to holey elements kinds. As a side
effect you could then read out the_hole.
BUG=v8:5772
Review-Url: https://codereview.chromium.org/2597013004
Cr-Commit-Position: refs/heads/master@{#41921}
Reason for revert:
Speculative revert because of blocked roll: https://codereview.chromium.org/2596013002/
Original issue's description:
> [TypeFeedbackVector] Root literal arrays in function literals slots
>
> Literal arrays and feedback vectors for a function can be garbage
> collected if we don't have a rooted closure for the function, which
> happens often. It's expensive to come back from this (recreating
> boilerplates and gathering feedback again), and the cost is
> disproportionate if the function was inlined into optimized code.
>
> To guard against losing these arrays when we need them, we'll now
> create literal arrays when creating the feedback vector for the outer
> closure, and root them strongly in that vector.
>
> BUG=v8:5456
>
> Review-Url: https://codereview.chromium.org/2504153002
> Cr-Commit-Position: refs/heads/master@{#41893}
> Committed: 93df094081TBR=bmeurer@chromium.org,mlippautz@chromium.org,mvstanton@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5456
Review-Url: https://codereview.chromium.org/2597163002
Cr-Commit-Position: refs/heads/master@{#41917}
This CL includes several small bug fixes for trap handlers. Among the changes:
* Use the correct representation for ProtectedLoads, enabling protected loads of
floating point types.
* Including the protected instruction list in what gets serialized for Code
objects. This is needed to allow deserialization for Wasm modules to work.
* Get the context needed to through and exception from the Isolate rather than
getting it as a parameter to the Protected instructions. Passing it in as an
argument is problematic when code is compiled ahead of time, as the context
may not be known yet. The new approach is similar to how it works for TrapIf
and TrapUnless.
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5277
Review-Url: https://codereview.chromium.org/2591903002
Cr-Commit-Position: refs/heads/master@{#41907}
Literal arrays and feedback vectors for a function can be garbage
collected if we don't have a rooted closure for the function, which
happens often. It's expensive to come back from this (recreating
boilerplates and gathering feedback again), and the cost is
disproportionate if the function was inlined into optimized code.
To guard against losing these arrays when we need them, we'll now
create literal arrays when creating the feedback vector for the outer
closure, and root them strongly in that vector.
BUG=v8:5456
Review-Url: https://codereview.chromium.org/2504153002
Cr-Commit-Position: refs/heads/master@{#41893}
Add inlineable fast-paths for Object::ToPropertyKey, Object::ToLength and
Object::ToIndex for the most common argument types.
BUG=
Review-Url: https://codereview.chromium.org/2587013002
Cr-Commit-Position: refs/heads/master@{#41856}
Add inlineable fast-paths for Object::ToPropertyKey, Object::ToLength and
Object::ToIndex for the most common argument types.
BUG=
Review-Url: https://codereview.chromium.org/2587013002
Cr-Commit-Position: refs/heads/master@{#41839}
STRUCT_LIST and INSTANCE_TYPE_LIST are now forced to have the same order
as the InstanceType enum.
Drive-by-fix 1: Move type check and cast functions closer together in objects-inl.h
Drive-by-fix 2: Remove unused instance types SIGNATURE_INFO_TYPE and TYPE_SWITCH_INFO_TYPE.
BUG=
Review-Url: https://codereview.chromium.org/2578573002
Cr-Commit-Position: refs/heads/master@{#41804}
This CL adds inlineable fast-cases for the above conversion functions in
objects-inl.h and a slower conversion function in objects.cc.
BUG=
Review-Url: https://codereview.chromium.org/2579023002
Cr-Commit-Position: refs/heads/master@{#41766}
Many websites use simple calls to String.prototype.indexOf with either a
one character ASCII needle or needles bigger than the search string. This
CL adds a TFJ builtin for these simple cases, giving up to factor 5 speedup.
Drive-by-fix: Add default Object type to Arguments.at
BUG=
Review-Url: https://codereview.chromium.org/2539093002
Cr-Commit-Position: refs/heads/master@{#41760}
This introduces an explicit struct for the communication channel between
the {ArrayLiteral} AST node and the corresponding runtime methods. Those
methods take a pair of {ElementsKind} as well as an array (can either be
a FixedArray or a FixedDoubleArray) of constant values.
For bonus points it also reduces the size of the involved heap object by
one word (i.e. length field of FixedArray not needed anymore).
R=mvstanton@chromium.org
Review-Url: https://codereview.chromium.org/2581683003
Cr-Commit-Position: refs/heads/master@{#41752}
Reason for revert:
LiveEdit is broken in some cases.
Original issue's description:
> Store SharedFunctionInfos of a Script in a FixedArray indexed by their ID
>
> Now that SharedFunctionInfos have a unique ID (and the IDs are dense),
> we can use them as an index into an array, instead of using a
> WeakFixedArray where we have to do a linear scan.
>
> Hooking up liveedit is a bit more involved, see
> https://docs.google.com/presentation/d/1FtNa3U7WsF5bPhY9uGoJG5Y9hnz5VBDabfOWpb4unWI/edit
> for an overview
>
> BUG=v8:5589
> R=verwaest@chromium.org,jgruber@chromium.org
>
> Committed: https://crrev.com/6595e7405769dc9d49e9568d61485efc6d468baf
> Cr-Commit-Position: refs/heads/master@{#41600}
TBR=jgruber@chromium.org,verwaest@chromium.org,yangguo@chromium.org,jochen@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5589,chromium:673950
NOPRESUBMIT=true
Review-Url: https://codereview.chromium.org/2578433002
Cr-Commit-Position: refs/heads/master@{#41684}
Splits PromiseHandle into two TF builtins to account for catch
prediction. An exception in PromiseHandleReject builtin results in a
"caught" prediction whereas an expception in PromiseHandle results in a
"promise rejection" prediction.
An extra is_exception_caught bit is added to Code to mark this catch
prediction behavior.
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2572623002
Cr-Commit-Position: refs/heads/master@{#41683}
Generalize Messages to include an error level.
Add a parameter to AddMessageHandler to select which error levels to receive, using a mask (default being just errors, i.e. the current behavior).
BUG=v8:4203
R=dgozman@chromium.org,machenbach@chromium.org,danno@chromium.org,bmeurer@chromium.org,jochen@chromium.org
Review-Url: https://codereview.chromium.org/2526703002
Cr-Commit-Position: refs/heads/master@{#41648}
Logging for --perf-prof is not GC safe. Now, we are going to
emit source position info for optimized code when we are
profiling, logging, or debugging, and under the same condition,
pre-compute the line ends array for line number computation.
R=tebbi@chromium.org
BUG=v8:5730
Review-Url: https://codereview.chromium.org/2562973002
Cr-Commit-Position: refs/heads/master@{#41619}
In the asm.js code translated to wasm, we call imported functions via a
WASM_TO_JS stub, which first calls the function and then calls ToNumber
on the return value. Exceptions can happen in both calls.
We were only ever reporting the location of the function call, whereas
asm.js code executed via turbofan reported the location of the type
coercion operator ("+" on "+foo()" or "|" on "foo()|0").
This CL implements the same behaviour for asm.js code translated to
wasm. The following is changed:
- the AsmWasmBuilder records the parent node when descending on a binary
operator (also "+foo()" is represented by a binary operation).
- it stores not one location per call in the source position side
table, but two (one for the call, one for the parent which does the
type coercion).
- the wasm compiler annotates the source positions "0" and "1" to the
two calls in the WASM_TO_JS wrapper (only if the module origin is
asm.js).
- the StackFrame::State struct now also holds the callee_pc_address,
which is set in ComputeCallerState. The WASM frame uses this
information to determine whether the callee frame is WASM_TO_JS, and
whether that frame is at the ToNumber conversion call.
- the same information is also stored in the FrameArray which is used
to reconstruct the stack trace later.
R=titzer@chromium.org, bradnelson@chromium.orgCC=jgruber@chromium.org
BUG=v8:4203,v8:5724
Committed: https://crrev.com/94cd46b55e24fa2bb7b06b3da4d5ba7f029bc262
Review-Url: https://codereview.chromium.org/2555243002
Cr-Original-Commit-Position: refs/heads/master@{#41599}
Cr-Commit-Position: refs/heads/master@{#41613}
Reason for revert:
gc-stress failures
Original issue's description:
> [wasm] Fix location for error in asm.js ToNumber conversion
>
> In the asm.js code translated to wasm, we call imported functions via a
> WASM_TO_JS stub, which first calls the function and then calls ToNumber
> on the return value. Exceptions can happen in both calls.
> We were only ever reporting the location of the function call, whereas
> asm.js code executed via turbofan reported the location of the type
> coercion operator ("+" on "+foo()" or "|" on "foo()|0").
>
> This CL implements the same behaviour for asm.js code translated to
> wasm. The following is changed:
> - the AsmWasmBuilder records the parent node when descending on a binary
> operator (also "+foo()" is represented by a binary operation).
> - it stores not one location per call in the source position side
> table, but two (one for the call, one for the parent which does the
> type coercion).
> - the wasm compiler annotates the source positions "0" and "1" to the
> two calls in the WASM_TO_JS wrapper (only if the module origin is
> asm.js).
> - during stack trace generation (in the StackTraceIterator), when we
> move from the WASM_TO_JS frame to the WASM frame, we remember at which
> call inside the WASM_TO_JS wrapper we are, and encode this information
> in the generated caller state, used for the WASM frame.
> - the same information is also stored in the FrameArray which is used
> to reconstruct the stack trace later.
>
> R=titzer@chromium.org, bradnelson@chromium.org
> CC=jgruber@chromium.org
> BUG=v8:4203,v8:5724
>
> Committed: https://crrev.com/94cd46b55e24fa2bb7b06b3da4d5ba7f029bc262
> Cr-Commit-Position: refs/heads/master@{#41599}
TBR=bradnelson@chromium.org,mstarzinger@chromium.org,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4203,v8:5724
Review-Url: https://codereview.chromium.org/2563613003
Cr-Commit-Position: refs/heads/master@{#41601}
In the asm.js code translated to wasm, we call imported functions via a
WASM_TO_JS stub, which first calls the function and then calls ToNumber
on the return value. Exceptions can happen in both calls.
We were only ever reporting the location of the function call, whereas
asm.js code executed via turbofan reported the location of the type
coercion operator ("+" on "+foo()" or "|" on "foo()|0").
This CL implements the same behaviour for asm.js code translated to
wasm. The following is changed:
- the AsmWasmBuilder records the parent node when descending on a binary
operator (also "+foo()" is represented by a binary operation).
- it stores not one location per call in the source position side
table, but two (one for the call, one for the parent which does the
type coercion).
- the wasm compiler annotates the source positions "0" and "1" to the
two calls in the WASM_TO_JS wrapper (only if the module origin is
asm.js).
- during stack trace generation (in the StackTraceIterator), when we
move from the WASM_TO_JS frame to the WASM frame, we remember at which
call inside the WASM_TO_JS wrapper we are, and encode this information
in the generated caller state, used for the WASM frame.
- the same information is also stored in the FrameArray which is used
to reconstruct the stack trace later.
R=titzer@chromium.org, bradnelson@chromium.orgCC=jgruber@chromium.org
BUG=v8:4203,v8:5724
Review-Url: https://codereview.chromium.org/2555243002
Cr-Commit-Position: refs/heads/master@{#41599}
The patch was reverted due to a bug - we failed to evict OSR-optimized
code in the case where the SharedFunctionInfo OptimizedCodeMap was
empty/cleared.
Since we OSR code rarely, it makes sense to store it and look for it on the native context rather than the SharedFunctionInfo. This makes the OptimizedCodeMap data structure more space efficient, as it doesn't have to store an ast ID for the OSR entry point.
Review-Url: https://codereview.chromium.org/2561083002
Cr-Commit-Position: refs/heads/master@{#41584}
-- Moves promiseHasHandlerSymbol to inobject property
-- Ports PromiseResolveClosure to TF
-- Fix a non spec async-await test which fails now because we do a map
check for native promise check (instead of IsPromise). Changing the
constructor (in the test) invalidates the map check.
This patch results in a 7.1% performance improvement in the bluebird
benchmark (over 5 runs).
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2541283002
Cr-Commit-Position: refs/heads/master@{#41569}
Since we OSR code rarely, it makes sense to store it and look for it on the native context rather than the SharedFunctionInfo. This makes the OptimizedCodeMap data structure more space efficient, as it doesn't have to store an ast ID for the OSR entry point.
BUG=
Review-Url: https://codereview.chromium.org/2549753002
Cr-Commit-Position: refs/heads/master@{#41554}
This just calls into a runtime function for implementation currently.
Intermediate step in speeding up constructor calls containing a spread.
The NewWithSpread bytecode will probably end up having different arguments with future CLs - the constructor and the new.target should have their own regs. For now we are calling into the runtime function, so we need the regs together.
BUG=v8:5659
Review-Url: https://codereview.chromium.org/2541113004
Cr-Commit-Position: refs/heads/master@{#41542}
Reason for revert:
Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/11861
See:
https://github.com/v8/v8/wiki/Blink-layout-tests
Original issue's description:
> Object
> -- New JSObject for promises: JSPromise
>
> Builtins
> -- PromiseThen TFJ
> -- PromiseCreateAndSet TFJ for internal use
> -- PerformPromiseThen TFJ for internal use
> -- PromiseInit for initial promise setup
> -- SpeciesConstructor for use in PromiseThen
> -- ThrowIfNotJSReceiver for use in SpeciesConstructor
> -- AppendPromiseCallback to update FixedArray with new callback
> -- InternalPerformPromiseThen
>
> Promises.js
> -- Cleanup unused symbols
> -- Remove PerformPromiseThen
> -- Remove PromiseThen
> -- Remove PromiseSet
> -- Remove PromiseAttachCallbacks
>
> Runtime
> -- PromiseSet to set promise inobject values
> -- Refactor functions to use FixedArrays for callbacks instead of
> JSArray
> -- Runtime_PromiseStatus to return promise status
> -- Runtime_PromiseResult to return promise result
> -- Runtime_PromiseDeferred to return deferred attached to promise
> -- Runtime_PromiseRejectReactions to return reject reactions attached
> to promise
>
> This CL results in a 13.07% improvement in the promises benchmark
> (over 5 runs).
>
> BUG=v8:5343
>
> Committed: https://crrev.com/30b564c76f490f8f6b311a74b25b26cf0a96be2d
> Cr-Commit-Position: refs/heads/master@{#41503}
TBR=bmeurer@chromium.org,jgruber@chromium.org,caitp@igalia.com,gsathya@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2554013002
Cr-Commit-Position: refs/heads/master@{#41512}
-- New JSObject for promises: JSPromise
Builtins
-- PromiseThen TFJ
-- PromiseCreateAndSet TFJ for internal use
-- PerformPromiseThen TFJ for internal use
-- PromiseInit for initial promise setup
-- SpeciesConstructor for use in PromiseThen
-- ThrowIfNotJSReceiver for use in SpeciesConstructor
-- AppendPromiseCallback to update FixedArray with new callback
-- InternalPerformPromiseThen
Promises.js
-- Cleanup unused symbols
-- Remove PerformPromiseThen
-- Remove PromiseThen
-- Remove PromiseSet
-- Remove PromiseAttachCallbacks
Runtime
-- PromiseSet to set promise inobject values
-- Refactor functions to use FixedArrays for callbacks instead of
JSArray
-- Runtime_PromiseStatus to return promise status
-- Runtime_PromiseResult to return promise result
-- Runtime_PromiseDeferred to return deferred attached to promise
-- Runtime_PromiseRejectReactions to return reject reactions attached
to promise
This CL results in a 13.07% improvement in the promises benchmark
(over 5 runs).
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2536463002
Cr-Commit-Position: refs/heads/master@{#41503}
During bootstrapping when installing the global object we copy over the
properties from the snapshotted global object to the one created from a
provided template. Originally Genesis::TransferNamedProperties just iterated
over the entries, making the final order hash and thus platform dependent.
This CL fixes this by sorting the keys by enumeration index before copying them
to the destination object and thus making the key enumaration on the global
object platform independent.
Drive-by-fix: avoid crash when printing the global object during bootstrapping.
BUG=chromium:669029
Review-Url: https://codereview.chromium.org/2533223002
Cr-Commit-Position: refs/heads/master@{#41502}
Adds a bytecode_age field to BytecodeArray objects. This is incremented each
time the bytecode array is marked by GC, and reset to zero if the bytecode
is executed.
This is used to enable the CompilationCache for interpreted functions,
where Interpreted entries are evicted once the bytecode becomes old.
BUG=chromium:666275,v8:4680
Review-Url: https://codereview.chromium.org/2534763003
Cr-Commit-Position: refs/heads/master@{#41356}
MarkingParity was used to avoid performing an operation on an object if it was
marked multiple times. We no longer mark things multiple times, so this concept
is no longer required.
BUG=chromium:666275
Review-Url: https://codereview.chromium.org/2529173002
Cr-Commit-Position: refs/heads/master@{#41354}
FunctionTemplateInfo::SetPrototypeProviderTemplate adds support for sharing
prototypes between several function templates. This is used to properly set up
Image.prototype and HTMLImageElement.protoype which should be equal according
to the spec.
BUG=chromium:2969
Review-Url: https://codereview.chromium.org/2531653002
Cr-Commit-Position: refs/heads/master@{#41343}
The range-based exception handler table is by now only used for bytecode
arrays. The semantics of the interpreter are that bytecode offsets point
to the beginning of the currently executing bytecode instruction. Uses
hence need to compensate for lookups based on a "retrun address". This
change removes the need for such off-by-one compensations by changing
lookup semantics to be based on "current instruction" offsets.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2534893002
Cr-Commit-Position: refs/heads/master@{#41339}
TypedArrays need specific checks before calling OrdinaryDefineOwnProperty.
BUG=v8:5328
Review-Url: https://codereview.chromium.org/2431223005
Cr-Commit-Position: refs/heads/master@{#41333}
This removes the supporting function to perform a range-lookup in the
exception handler table for unoptimized code. Such tables are by now
guaranteed to be empty, the deoptimizer cannot encounter this case.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2529343003
Cr-Commit-Position: refs/heads/master@{#41318}
They're supposed to be stable across several parse passes, so we'll also
store them in the associated SharedFunctionInfos
To achieve this, the PreParser and Parser need to generated the same number of
FunctionLiterals. To achieve this, we teach the PreParser about desuggaring of
class literals.
For regular functions, the function IDs are assigned in the order they occur in
the source. For arrow functions, however, we only know that it's an arrow function
after parsing the parameter list, and so the ID assigned to the arrow function is
larger than the IDs assigned to functions defined in the parameter list. This
implies that we have to reset the function ID counter to before the parameter list
when re-parsing an arrow function. To be able to do this, we store the number of
function literals found in the parameter list of arrow functions as well.
BUG=v8:5589
Review-Url: https://codereview.chromium.org/2481163002
Cr-Commit-Position: refs/heads/master@{#41309}
For a couple of those Array builtins we can specify a useful type that
will help us to eliminate a couple of checks on their outputs.
R=yangguo@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2529233002
Cr-Commit-Position: refs/heads/master@{#41295}
Assign types to the remaining builtins on the String.prototype where we
know a meaningful type, i.e. where the type is not dependent on some
callable function that is pass or loaded.
BUG=v8:5267
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2532463002
Cr-Commit-Position: refs/heads/master@{#41294}
This removes support for try-catch as well as try-finally constructs
from the {FullCodeGenerator}. Consequently optimized code containing
such constructs must use the {BytecodeGraphBuilder} and can no longer
use the {AstGraphBuilder} for graph building.
R=jarin@chromium.org
BUG=v8:5657
Review-Url: https://codereview.chromium.org/2521233002
Cr-Commit-Position: refs/heads/master@{#41279}
For dictionary-mode receivers, the KeyedStoreGeneric stub can store
properties directly in most cases. Doing so avoids the need to have
an entry in the stub cache for every map/property combination.
Original review: https://codereview.chromium.org/2504403005/
Review-Url: https://codereview.chromium.org/2528883003
Cr-Commit-Position: refs/heads/master@{#41272}
Recognize a couple of builtins on the RegExp.prototype in the Typer and
assign useful types to them, so we can optimize various checks on their
results.
R=yangguo@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2531463002
Cr-Commit-Position: refs/heads/master@{#41240}
For dictionary-mode receivers, the KeyedStoreGeneric stub can store
properties directly in most cases. Doing so avoids the need to have
an entry in the stub cache for every map/property combination.
Original review: https://codereview.chromium.org/2504403005/
Review-Url: https://codereview.chromium.org/2524943002
Cr-Commit-Position: refs/heads/master@{#41218}
Passing in the isolate to retrieve the heap constants (undefine, the_hole, null)
has a positive performance impact.
BUG=
Review-Url: https://codereview.chromium.org/2517153002
Cr-Commit-Position: refs/heads/master@{#41210}
Reason for revert:
Blocks roll: https://codereview.chromium.org/2526573002/
Original issue's description:
> [stubs] KeyedStoreGeneric: inline dictionary property stores
>
> For dictionary-mode receivers, the KeyedStoreGeneric stub can store
> properties directly in most cases. Doing so avoids the need to have
> an entry in the stub cache for every map/property combination.
>
> Committed: https://crrev.com/af168e330e95c4460fd1bb7734f0e9a750f2e748
> Cr-Commit-Position: refs/heads/master@{#41185}
TBR=ishell@chromium.org,rmcilroy@chromium.org,jkummerow@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2528583002
Cr-Commit-Position: refs/heads/master@{#41207}
For dictionary-mode receivers, the KeyedStoreGeneric stub can store
properties directly in most cases. Doing so avoids the need to have
an entry in the stub cache for every map/property combination.
Review-Url: https://codereview.chromium.org/2504403005
Cr-Commit-Position: refs/heads/master@{#41185}
The new SourcePosition class allows for precise tracking of source positions including the stack of inlinings. This CL makes the cpu profiler use this new information. Before, the cpu profiler used the deoptimization data to reconstruct the inlining stack. However, optimizing compilers (especially Turbofan) can hoist out checks such that the inlining stack of the deopt reason and the inlining stack of the position the deoptimizer jumps to can be different (the old cpu profiler tests and the ones introduced in this cl produce such situations for turbofan). In this case, relying on the deoptimization info produces paradoxical results, where the reported position is before the function responsible is called. Even worse, https://codereview.chromium.org/2451853002/ combines the precise position with the wrong inlining stack from the deopt info, leading to completely wrong results.
Other changes in this CL:
- DeoptInlinedFrame is no longer needed, because we can compute the correct inlining stack up front.
- I changed the cpu profiler tests back to test situations where deopt checks are hoisted out in Turbofan and made them robust enough to handle the differences between Crankshaft and Turbofan.
- I reversed the order of SourcePosition::InliningStack to make it match the cpu profiler convention.
- I removed CodeDeoptEvent::position, as it is no longer used.
R=alph@chromium.org
BUG=v8:5432
Review-Url: https://codereview.chromium.org/2503393002
Cr-Commit-Position: refs/heads/master@{#41168}
This renames the {operand_stack} field to {register_file}, to refelct
how said field is used on all {JSGeneratorObject} instances by now. This
is a pure refactoring CL, not changes in semantics.
R=neis@chromium.org
Review-Url: https://codereview.chromium.org/2520913002
Cr-Commit-Position: refs/heads/master@{#41140}
This is the TurboFan counterpart of http://crrev.com/2504263004, but it
is a bit more involved, since in TurboFan we always inline the appropriate
call to the @@hasInstance handler, and by that we can optimize a lot more
patterns of instanceof than Crankshaft, and even yield fast instanceof
for custom @@hasInstance handlers (which we can now properly inline as
well).
Also we now properly optimize Function.prototype[@@hasInstance], even if
the right hand side of an instanceof doesn't have the Function.prototype
as its direct prototype.
For the baseline case, we still rely on the global protector cell, but
we can address that in a follow-up as well, and make it more robust in
general.
TEST=mjsunit/compiler/instanceof
BUG=v8:5640
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2511223003
Cr-Commit-Position: refs/heads/master@{#41092}
With this change, WebAssembly.Memory objects have backing stores allocated as an
8GB region where everything beyond the size of the Wasm heap is inaccessible.
GrowMemory is now implemented by changing the protection on the guard regions to
make the new portions of the heap accessible.
Guard pages are not enabled by default, but this change adds a flag and a test
variant to make sure we get test coverage on them.
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5277
Review-Url: https://codereview.chromium.org/2396433008
Cr-Commit-Position: refs/heads/master@{#41089}
Inspector uses this type for all internal scripts, e.g. injected-script-source.js. Scripts with new type are not reported by remote debugging protocol, frames from them are ignored.
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel
BUG=none
R=yangguo@chromium.org,dgozman@chromium.org
Review-Url: https://codereview.chromium.org/2499273003
Cr-Commit-Position: refs/heads/master@{#41056}
In case of an allocation failure in for-in over holey elements, use precise
number of elements to allocate a smaller buffer for the collected indices.
Drive-by-fix: make is_the_hole accept the isolate for faster checks.
BUG=chromium:609761
Review-Url: https://codereview.chromium.org/2041963003
Cr-Commit-Position: refs/heads/master@{#41010}
Before, we allocated one script per function per instance, and each
script referenced the wasm instance and the function index. Now we only
allocate one script per compiled wasm module, so the script also only
references this WasmCompiledModule, which causes changes to many interfaces.
Instead of fixing the disassemble API only used via debug.js, I decided
to drop it for now. Some later CL will reintroduce it via
DebugInterface.
BUG=v8:5530,chromium:659715
R=yangguo@chromium.org, titzer@chromium.orgCC=jgruber@chromium.org
Review-Url: https://codereview.chromium.org/2493823003
Cr-Commit-Position: refs/heads/master@{#41004}
SourcePosition::InliningId() refers to a the new table DeoptimizationInputData::InliningPositions(), which provides the following data for every inlining id:
- The inlined SharedFunctionInfo as an offset into DeoptimizationInfo::LiteralArray
- The SourcePosition of the inlining. Recursively, this yields the full inlining stack.
Before the Code object is created, the same information can be found in CompilationInfo::inlined_functions().
If SourcePosition::InliningId() is SourcePosition::kNotInlined, it refers to the outer (non-inlined) function.
So every SourcePosition has full information about its inlining stack, as long as the corresponding Code object is known. The internal represenation of a source position is a positive 64bit integer.
All compilers create now appropriate source positions for inlined functions. In the case of Turbofan, this required using AstGraphBuilderWithPositions for inlined functions too. So this class is now moved to a header file.
At the moment, the additional information in source positions is only used in --trace-deopt and --code-comments. The profiler needs to be updated, at the moment it gets the correct script offsets from the deopt info, but the wrong script id from the reconstructed deopt stack, which can lead to wrong outputs. This should be resolved by making the profiler use the new inlining information for deopts.
I activated the inlined deoptimization tests in test-cpu-profiler.cc for Turbofan, changing them to a case where the deopt stack and the inlining position agree. It is currently still broken for other cases.
The following additional changes were necessary:
- The source position table (internal::SourcePositionTableBuilder etc.) supports now 64bit source positions. Encoding source positions in a single 64bit int together with the difference encoding in the source position table results in very little overhead for the inlining id, since only 12% of the source positions in Octane have a changed inlining id.
- The class HPositionInfo was effectively dead code and is now removed.
- SourcePosition has new printing and information facilities, including computing a full inlining stack.
- I had to rename compiler/source-position.{h,cc} to compiler/compiler-source-position-table.{h,cc} to avoid clashes with the new src/source-position.cc file.
- I wrote the new wrapper PodArray for ByteArray. It is a template working with any POD-type. This is used in DeoptimizationInputData::InliningPositions().
- I removed HInlinedFunctionInfo and HGraph::inlined_function_infos, because they were only used for the now obsolete Crankshaft inlining ids.
- Crankshaft managed a list of inlined functions in Lithium: LChunk::inlined_functions. This is an analog structure to CompilationInfo::inlined_functions. So I removed LChunk::inlined_functions and made Crankshaft use CompilationInfo::inlined_functions instead, because this was necessary to register the offsets into the literal array in a uniform way. This is a safe change because LChunk::inlined_functions has no other uses and the functions in CompilationInfo::inlined_functions have a strictly longer lifespan, being created earlier (in Hydrogen already).
BUG=v8:5432
Review-Url: https://codereview.chromium.org/2451853002
Cr-Commit-Position: refs/heads/master@{#40975}
- Creates a new promise-utils.{h, cc} which refactors out the
logic to create resolving functions. This is shared between the
runtime functions and builtins.
- Changes PromiseResolveThenableJobInfo to store the context
since we no longer create the resolving functions in JS.
- Changes EnqueuPromiseResolveThenableJob to take in the promise and
not the callbacks.
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2487053002
Cr-Commit-Position: refs/heads/master@{#40941}
Adds an IsInterpreted() function to both SharedFunctionInfo and JSFunction.
This is used to fix the test-heap code-aging tests since Ignition doesn't
age code.
BUG=v8:4680
Review-Url: https://codereview.chromium.org/2481433002
Cr-Commit-Position: refs/heads/master@{#40868}
This makes use of the newly introduced cell indices to speed up variable
accesses. Imports and local exports are now directly stored in (separate)
arrays. In the future, we may merge the two arrays into a single one, or
even into the module context.
This CL also replaces the LoadImport and LoadExport runtime functions with
a single LoadVariable taking a variable index as argument (rather than a
name).
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2465283004
Cr-Commit-Position: refs/heads/master@{#40808}
Some accessors requires little to no computation at all, its result can be
cached in a private property, avoiding the call overhead.
Calls to the getter are translated into a cheap property load.
Follow-on to crrev.com/2347523003, from peterssen@google.com
BUG=chromium:634276, v8:5548
Review-Url: https://codereview.chromium.org/2405213002
Cr-Commit-Position: refs/heads/master@{#40765}
Instead of having a MODULE variable's index be 0 or 1, let it be the index of
its cell. In this CL, we assign the indices but we continue to only use them to
distinguish imports from exports. Actually using them to directly access the
cells will be done in a later CL.
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2460233003
Cr-Commit-Position: refs/heads/master@{#40752}
This CL adds support for primitive maps to
1) PrototypeIterator,
2) PropertyHandlerCompiler::CheckPrototypes(),
3) Map::GetOrCreatePrototypeChainValidityCell(),
4) Prototype checks in data-driven ICs.
BUG=v8:5561
Review-Url: https://codereview.chromium.org/2466553002
Cr-Commit-Position: refs/heads/master@{#40673}
This is useful for things that don't ever change, but we don't want to
eagerly compute the result.
Doing this from the embedder is difficult, using DefineOwnProperty would
read the property to get the property descriptor, creating an endless
recursion.
R=verwaest@chromium.org,haraken@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2449783006
Cr-Commit-Position: refs/heads/master@{#40648}
Reuses (and renames) the SFI "mark for optimization" flag to also permit
marking for baseline recompilation. The flag now represents a "tier up"
request, and CompileLazy can get baseline code as well as optimized
code.
BUG=v8:5512
Review-Url: https://codereview.chromium.org/2448933002
Cr-Commit-Position: refs/heads/master@{#40612}
For instance, when an import cannot be resolved, actually
point at the corresponding import statement.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2451153002
Cr-Commit-Position: refs/heads/master@{#40594}
Object.create(null) is most likely to be used for dictionary-like objects.
Hence it would be beneficial to directly create a slow-mode object and avoid
additional overhead later-on.
BUG=
Review-Url: https://codereview.chromium.org/2430273007
Cr-Commit-Position: refs/heads/master@{#40551}
The current method of marking functions for optimization, which replaces
the JSFunction's code object with one that triggers optimization, would
never allow unnamed functions to be optimized. This is an issue for a
style of programming which heavily relies on passing around closures.
This patch sets a bit on the SharedFunctionInfo when a JSFunction is
marked. When another JSFunction referring to the same SharedFunctionInfo
is lazily compiled, it immediately triggers a non-concurrent optimize.
BUG=v8:5512
Review-Url: https://chromiumcodereview.appspot.com/2437043002
Cr-Commit-Position: refs/heads/master@{#40506}
Implements the variations of CreateArrayIterator() in TFJ builtins
(ArrayPrototypeValues, ArrayPrototypeEntries and ArrayPrototypeKeys), and
provides two new Object types with numerous maps which identify certain
behaviours, which will be useful for inlining.
Removes src/js/array-iterator.js entirely
Also adds support for printing Symbol literals inserted by the Parser during
desugaring when FLAG_print_builtin_ast is set to true.
BUG=v8:5388
R=bmeurer@chromium.org, cbruni@chromium.orgTBR=ulan@chromium.org
Review-Url: https://codereview.chromium.org/2405253006
Cr-Commit-Position: refs/heads/master@{#40373}
Now that all accesses to the last match info are in C++ and TF code, we can
finally turn the last match info into a FixedArray. Similar to the ArrayList,
it uses its first field to store its length and grows dynamically in amortized
O(1) time.
Unlike previously, this means that the last match info pointer stored on the
context can actually change (in case the FixedArray needs to grow).
BUG=v8:5339
Review-Url: https://codereview.chromium.org/2415103002
Cr-Commit-Position: refs/heads/master@{#40308}
This CL also adds separate runtime call stats buckets for data handlers.
BUG=
Review-Url: https://codereview.chromium.org/2419513002
Cr-Commit-Position: refs/heads/master@{#40281}
This moves the implementation of @@replace from regexp.js to builtins-regexp.cc
(the TurboFan fast path) and runtime-regexp.cc (slow path). The fast path
handles all cases in which the regexp itself is an unmodified JSRegExp
instance, the given 'replace' argument is not callable and does not contain any
'$' characters (i.e. we are doing a string replacement).
BUG=v8:5339
Review-Url: https://codereview.chromium.org/2398423002
Cr-Commit-Position: refs/heads/master@{#40253}
This CL is in preparation for the upcoming port of
RegExp.prototype.replace, which will need use these methods in
runtime-regexp.cc. Moving them in advance makes that diff less noisy.
BUG=v8:5339
Review-Url: https://codereview.chromium.org/2398413002
Cr-Commit-Position: refs/heads/master@{#40229}
For the asm.js to WASM pipeline, the current stack traces only show
low-level WASM information.
This CL maps this back to asm.js source positions.
It does so by attaching the asm.js source Script to the compiled WASM
module, and emitting a delta-encoded table which maps from WASM byte
offsets to positions within that Script. As asm.js code does not throw
exceptions, we only store a mapping for call instructions.
The new AsmJsWasmStackFrame implementation inherits from
WasmStackFrame, but contains the logic to provide the source script and
the position inside of it.
What is still missing is the JSFunction object returned by
CallSite.getFunction(). We currently return null.
R=jgruber@chromium.org, titzer@chromium.org
BUG=v8:4203
Review-Url: https://codereview.chromium.org/2404253002
Cr-Commit-Position: refs/heads/master@{#40205}
This is a re-land of https://codereview.chromium.org/2393303002/ with
an additional call to DisposeModuleEmbedderData() added to fix lsan failures.
Unifies the approaches used for storing the specifier -> module mapping
and the module -> directory mapping, using std::unordered_maps for both
and storing them per-Context.
This requires adding a method to the v8::Module API to get a hash code
for a Module, but allows slimming down the API in return: gone are
SetEmbedderData/GetEmbedderData, along with the fourth argument
to ResolveModuleCallback.
Besides a simpler API, this allows d8 to get closer to the HTML loader,
which requires each Realm to have a persistent module map (though this
capability is not yet exercised by any tests).
BUG=v8:1569
TBR=neis@chromium.org,jochen@chromium.org
Review-Url: https://codereview.chromium.org/2405313002
Cr-Commit-Position: refs/heads/master@{#40186}
Reason for revert:
Fails under LeakSanitizer on auto-roll fyi bot:
https://build.chromium.org/p/client.v8.fyi/builders/Auto-roll%20-%20release%20process/builds/49447
Original issue's description:
> [modules] Store Module metadata in per-Context EmbedderData
>
> Unifies the approaches used for storing the specifier -> module mapping
> and the module -> directory mapping, using std::unordered_maps for both
> and storing them per-Context.
>
> This requires adding a method to the v8::Module API to get a hash code
> for a Module, but allows slimming down the API in return: gone are
> SetEmbedderData/GetEmbedderData, along with the fourth argument
> to ResolveModuleCallback.
>
> Besides a simpler API, this allows d8 to get closer to the HTML loader,
> which requires each Realm to have a persistent module map (though this
> capability is not yet exercised by any tests).
>
> BUG=v8:1569
>
> Committed: https://crrev.com/9cf8fce74cf6e7afd6aea3f3545f6bb61572f277
> Cr-Commit-Position: refs/heads/master@{#40133}
TBR=jochen@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2406973003
Cr-Commit-Position: refs/heads/master@{#40145}
Unifies the approaches used for storing the specifier -> module mapping
and the module -> directory mapping, using std::unordered_maps for both
and storing them per-Context.
This requires adding a method to the v8::Module API to get a hash code
for a Module, but allows slimming down the API in return: gone are
SetEmbedderData/GetEmbedderData, along with the fourth argument
to ResolveModuleCallback.
Besides a simpler API, this allows d8 to get closer to the HTML loader,
which requires each Realm to have a persistent module map (though this
capability is not yet exercised by any tests).
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2393303002
Cr-Commit-Position: refs/heads/master@{#40133}
Also add a test for when the first argument is null or undefined, as there are no tests that cover this currently.
BUG=v8:5364
Review-Url: https://codereview.chromium.org/2399423003
Cr-Commit-Position: refs/heads/master@{#40127}
This CL ports RegExp.prototype.test, RegExp.prototype.match
and RegExp.prototype.search to C++.
Performance regressions are expected but should be improved
in an upcoming CL.
BUG=v8:5339
Review-Url: https://codereview.chromium.org/2394713003
Cr-Commit-Position: refs/heads/master@{#40122}
This allows us to stop using a Symbol, set as the name of the Module's
SharedFunctionInfo, as our storage for a hash.
As part of this, centralize the code for generating a random, non-zero
hash code in one place (there were previously two copies of this code,
and I needed to call it from a third file).
BUG=v8:5483
TBR=jochen@chromium.org
Review-Url: https://codereview.chromium.org/2395233003
Cr-Commit-Position: refs/heads/master@{#40102}
This implements namespace imports (import * as foo from "bar"), except for the
@@iterator property on namespace objects (to be done later).
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2388153003
Cr-Commit-Position: refs/heads/master@{#40096}
This removes the restriction of only allowing lazy compilation for
top-level eval code with a context. We can by now compile such code
without a concrete closure.
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2400973002
Cr-Commit-Position: refs/heads/master@{#40089}
(GcStress failure was unrelated.)
At one time, we hoped to generate the same code for different
native contexts. But in truth, much performance comes from optimizing
on the native context. Now we abandon this pathway.
BUG=
TBR=bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
Review URL: https://codereview.chromium.org/2402663002 .
Cr-Commit-Position: refs/heads/master@{#40086}
This reverts commit 7db0ecdec3.
Manual revert since automatic revert is too large for the web interface.
BUG=
TBR=bmeurer@chromium.org,mstarzinger@chromium.org,yangguo@chromium.org,ahaas@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
Review-Url: https://codereview.chromium.org/2396353002
Cr-Commit-Position: refs/heads/master@{#40082}
Reason for revert:
Possible GCSTRESS failure, investigating.
Original issue's description:
> [turbofan] Discard the shared code entry in the optimized code map.
>
> At one time, we hoped to generate the same code for different
> native contexts. But in truth, much performance comes from optimizing
> on the native context. Now we abandon this pathway.
>
> BUG=
>
> Committed: https://crrev.com/55af3c44c99a6e4cd6d53df775023d760ad2b2c3
> Cr-Commit-Position: refs/heads/master@{#40079}
TBR=mstarzinger@chromium.org,ishell@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2403453002
Cr-Commit-Position: refs/heads/master@{#40081}
At one time, we hoped to generate the same code for different
native contexts. But in truth, much performance comes from optimizing
on the native context. Now we abandon this pathway.
BUG=
Review-Url: https://codereview.chromium.org/2401653002
Cr-Commit-Position: refs/heads/master@{#40079}
This implicitly convers parseFloat on the global object as well, since
it's the same function. This is mostly straight-forward, but adds
another fast case for HeapNumbers as well.
R=ishell@chromium.org
Review-Url: https://codereview.chromium.org/2395373002
Cr-Commit-Position: refs/heads/master@{#40072}
The duplicated enum values are only used by the FastNewClosureStub,
so inline them there, with the help of one new constant (kFunctionKindShift)
in SharedFunctionInfo.
Review-Url: https://codereview.chromium.org/2390043003
Cr-Commit-Position: refs/heads/master@{#40005}
Implement the logic for StringIterator.prototype.next in the JSBuiltinReducer in order to allow inlining when the receiver is a JS_STRING_ITERATOR_TYPE map, built ontop of the SimplifiedOperators StringCharCodeAt and the newly added StringFromCodePoint.
Also introduces a new StringFromCodePoint simplified op which may be useful for other String builtins, such as String.fromCodePoint()
BUG=v8:5388
R=bmeurer@chromium.org, mstarzinger@chromium.org
Review-Url: https://codereview.chromium.org/2373983004
Cr-Commit-Position: refs/heads/master@{#39994}
Before evaluating a module, all variables declared at the top-level
in _any_ of the modules in the dependency graph must be initialized.
This is observable because a module A can access a variable imported
from module B (e.g. a function) at a point when module B's body hasn't
been evaluated yet.
We achieve this by implementing modules internally as generators with
two states (not initialized, initialized).
R=adamk@chromium.org
BUG=v8:1569
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_win_dbg
Committed: https://crrev.com/f4dfb6fbe1cdd9a0f287a1a9c496e1f69f6f5d20
Committed: https://crrev.com/8c52a411583e870bd5ed100864caa58f491c5d88
Review-Url: https://codereview.chromium.org/2375793002
Cr-Original-Original-Commit-Position: refs/heads/master@{#39871}
Cr-Original-Commit-Position: refs/heads/master@{#39892}
Cr-Commit-Position: refs/heads/master@{#39900}
Reason for revert:
Speculative revert for christmas tree
Original issue's description:
> Reland: [modules] Properly initialize declared variables.
>
> Before evaluating a module, all variables declared at the top-level
> in _any_ of the modules in the dependency graph must be initialized.
> This is observable because a module A can access a variable imported
> from module B (e.g. a function) at a point when module B's body hasn't
> been evaluated yet.
>
> We achieve this by implementing modules internally as generators with
> two states (not initialized, initialized).
>
> R=adamk@chromium.org
> BUG=v8:1569
> CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_win_dbg
>
> Committed: https://crrev.com/f4dfb6fbe1cdd9a0f287a1a9c496e1f69f6f5d20
> Committed: https://crrev.com/8c52a411583e870bd5ed100864caa58f491c5d88
> Cr-Original-Commit-Position: refs/heads/master@{#39871}
> Cr-Commit-Position: refs/heads/master@{#39892}
TBR=adamk@chromium.org,mstarzinger@chromium.org,machenbach@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2387593002
Cr-Commit-Position: refs/heads/master@{#39896}
Before evaluating a module, all variables declared at the top-level
in _any_ of the modules in the dependency graph must be initialized.
This is observable because a module A can access a variable imported
from module B (e.g. a function) at a point when module B's body hasn't
been evaluated yet.
We achieve this by implementing modules internally as generators with
two states (not initialized, initialized).
R=adamk@chromium.org
BUG=v8:1569
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_win_dbg
Committed: https://crrev.com/f4dfb6fbe1cdd9a0f287a1a9c496e1f69f6f5d20
Review-Url: https://codereview.chromium.org/2375793002
Cr-Original-Commit-Position: refs/heads/master@{#39871}
Cr-Commit-Position: refs/heads/master@{#39892}
Reason for revert:
Suspect for causing win64 debug problems:
https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20debug/builds/12646
Original issue's description:
> [modules] Properly initialize declared variables.
>
> Before evaluating a module, all variables declared at the top-level
> in _any_ of the modules in the dependency graph must be initialized.
> This is observable because a module A can access a variable imported
> from module B (e.g. a function) at a point when module B's body hasn't
> been evaluated yet.
>
> We achieve this by implementing modules internally as generators with
> two states (not initialized, initialized).
>
> R=adamk@chromium.org
> BUG=v8:1569
>
> Committed: https://crrev.com/f4dfb6fbe1cdd9a0f287a1a9c496e1f69f6f5d20
> Cr-Commit-Position: refs/heads/master@{#39871}
TBR=adamk@chromium.org,mstarzinger@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2379063002
Cr-Commit-Position: refs/heads/master@{#39873}
Before evaluating a module, all variables declared at the top-level
in _any_ of the modules in the dependency graph must be initialized.
This is observable because a module A can access a variable imported
from module B (e.g. a function) at a point when module B's body hasn't
been evaluated yet.
We achieve this by implementing modules internally as generators with
two states (not initialized, initialized).
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2375793002
Cr-Commit-Position: refs/heads/master@{#39871}
We must not throw when seeing a cycle while trying to resolve a name through
star exports. (It may be surprising that we do have to throw when seeing an
ambiguity, but this is what the spec says.)
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2376563002
Cr-Commit-Position: refs/heads/master@{#39787}
Use an unordered_map<Module, unordered_set<String>> to keep track
of visited Module/ExportName pairs during ResolveExport.
This required adding a Hash() method to Module, which is accomplished
by allocating a Symbol and storing it in the SharedFunctionInfo::name
slot, then delegating the hash to that Symbol.
Also added a helper method Module::shared() to easily get ahold of
the SharedFunctionInfo and call it in the appropriate places instead
of re-doing the ternary operator.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2367623004
Cr-Commit-Position: refs/heads/master@{#39743}
V8 is collecting a growing amount of fuzzers, all of which take substantial
space on the bots and in chromium build archives. This CL improves that
situation by allowing component (shared library) builds for almost all fuzzers.
The parser fuzzer is handled as an exception since it would require exporting a
large number of additional functions.
A component build results in about a 50-100x improvement in file size for each
fuzzer (~50M-100M to around 1.1M).
BUG=chromium:648864
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_compile_dbg_ng;master.tryserver.chromium.android:android_clang_dbg_recipe
Review-Url: https://codereview.chromium.org/2360983002
Cr-Commit-Position: refs/heads/master@{#39709}
There's no reason (anymore) to have empty imports in special_imports. Remove
them from there and rename special_imports to namespace_imports to be more
precise.
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2368613002
Cr-Commit-Position: refs/heads/master@{#39693}
Resolve imports and indirect exports at instantiation time.
With this CL we have some basic functionality for modules working. Not yet
supported: star exports, namespace imports, cycle detection, proper variable
initialisation in mutually recursive modules.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2362083002
Cr-Commit-Position: refs/heads/master@{#39689}
- Add a new container object to store the data required for
PromiseResolveThenableJob.
- Create a new runtime function to enqueue the microtask event with
the required data.
This patches causes a 4% regression in the bluebird benchmark.
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2314903004
Cr-Commit-Position: refs/heads/master@{#39571}
This patch gives the ability for the embedder to ask for the
module requests of a module, and to pass a ResolveCallback
into Module::Instantiate().
In d8, I've implemented a simple module_map that's used
along with this API to allow loading, compiling, instantiating,
and evaluating a whole tree of modules.
No path resolution is yet implemented, meaning that all
import paths are relative to whatever directory d8 runs
in. And no imports are linked to the exports of the
requested module.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2351113004
Cr-Commit-Position: refs/heads/master@{#39569}
This is some initial cleanup to keep /src clean. The
AccountingAllocator is actually exclusively used by zones and this
common subfolder makes that more clear.
BUG=v8:5409
Review-Url: https://codereview.chromium.org/2344143003
Cr-Commit-Position: refs/heads/master@{#39558}
This means we can no longer take the closure's context to parse, but
need to rely on the outer scope info.
Since it's not possible to get that, however, for lazy functions, we
introduce a new field to SharedFunctionInfo that stores the outer scope
info whenever available.
BUG=v8:5215
R=marja@chromium.org,verwaest@chromium.org,jgruber@chromium.org
Review-Url: https://codereview.chromium.org/2358503002
Cr-Commit-Position: refs/heads/master@{#39548}
We must keep track of the exact order in which modules are requested.
To do so, maintain a map from module specifiers to position while
parsing (in ModuleDescriptor). Descriptor entries now refer to that
position rather than the string. When generating the ModuleInfo, turn
this map into an array of specifiers. We don't need the map anymore
later on, so we do not reconstruct it when deserializing again.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2353633002
Cr-Commit-Position: refs/heads/master@{#39519}
Rename JSModule to Module and make it a Struct rather than a JSObject. We will
later add a separate JSModuleNamespace object to implement the 'import * as foo'
syntax.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2345823002
Cr-Commit-Position: refs/heads/master@{#39477}
This is one part of a WIP implementation of the stage-2 proposal to add
fields to classes: https://github.com/tc39/proposal-class-public-fields
See design doc:
https://docs.google.com/document/d/1WRtNm3ZLNJT1WVr8aq4RJuByYgfuAFAhj20LwTW6JVE/
This adds support for parsing fields in classes, including
infrastructure. In particular, it adds:
* Two booleans on function literal AST nodes
* Two compiler hints on SharedFunctionInfos representing said bools
* A new type of ClassLiteralProperty, FIELD
* Parser support for the syntax
* Syntax tests
* A flag to enable it.
Currently the fields are parsed and then droppped. Subsequent
patches will add semantics, mostly by desugaring in the parser and
the remainder in the non-crankshaft backends.
BUG=v8:5367
Review-Url: https://codereview.chromium.org/2315733003
Cr-Commit-Position: refs/heads/master@{#39459}
Handle some examples of the "asynchronous case" by marking await expressions
as either caught or uncaught; in the caught case, this marks the Promise passed
in as having a catch predicted. The marking is done in AST numbering, which
chooses between two different runtime function calls based on catch prediction.
BUG=v8:5167
Review-Url: https://codereview.chromium.org/2276243002
Cr-Commit-Position: refs/heads/master@{#39394}
This adds partial support of exports to the runtime system and
to the interpreter. It introduces a new HeapObject JSModule that
maps each of the module's export names to a Cell containing the
exported value.
Several aspects of this implementation are subject to change in
follow-up CLs.
BUG=v8:1569
Committed: https://crrev.com/241a0412eed919395a2e163b30b9b66071ce5c17
Review-Url: https://codereview.chromium.org/2302783002
Cr-Original-Commit-Position: refs/heads/master@{#39341}
Cr-Commit-Position: refs/heads/master@{#39352}
Rework Runtime::FunctionForName to take a c-string instead of a v8::String
so that the parser can parse native syntax runtime calls without doing
on-the-fly internalization.
Also adds a c-string variant of IntrinsicIndexForName for the same reasons.
BUG=v8:5215,chromium:634953
Review-Url: https://codereview.chromium.org/2324803002
Cr-Commit-Position: refs/heads/master@{#39346}
Reason for revert:
Failures related to deopt.
Original issue's description:
> [modules] Basic support of exports
>
> This adds partial support of exports to the runtime system and
> to the interpreter. It introduces a new HeapObject JSModule that
> maps each of the module's export names to a Cell containing the
> exported value.
>
> Several aspects of this implementation are subject to change in
> follow-up CLs.
>
> BUG=v8:1569
>
> Committed: https://crrev.com/241a0412eed919395a2e163b30b9b66071ce5c17
> Cr-Commit-Position: refs/heads/master@{#39341}
TBR=adamk@chromium.org,rmcilroy@chromium.org,ulan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2328283002
Cr-Commit-Position: refs/heads/master@{#39345}
This adds partial support of exports to the runtime system and
to the interpreter. It introduces a new HeapObject JSModule that
maps each of the module's export names to a Cell containing the
exported value.
Several aspects of this implementation are subject to change in
follow-up CLs.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2302783002
Cr-Commit-Position: refs/heads/master@{#39341}
Remove the "Entry"/"Entries" suffix as it doesn't add any information and
ModuleInfoEntry would clash with another name being introduced soon.
R=adamk@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2300373002
Cr-Commit-Position: refs/heads/master@{#39333}
The existing PropertyQueryCallback intercepts getOwnPropertyDescriptor, but
it returns only value and attributes, not the accessors. This
PropertyDescriptorCallback returns a descriptor similar to Ecma-262 6.2.4.
You can either set a PropertyQueryCallback or a PropertyDescriptorCallback,
but not both. When you set a callback for DefineProperty(), you can set a
PropertyDescriptorCallback but not a PropertyQueryCallback.
BUG=v8:5359
Review-Url: https://codereview.chromium.org/2311873002
Cr-Commit-Position: refs/heads/master@{#39279}
While fixing the bug, removed code duplication from super load/store
runtime calls, and inlined calls of Object::ReadAbsentProperty (left
over from strong mode).
BUG=v8:5335
Review-Url: https://codereview.chromium.org/2311413002
Cr-Commit-Position: refs/heads/master@{#39257}
This will allow getting the entire scope chain from a SharedFunctionInfo
which in turn will allow for generating bytecode when we just have the
SFI
R=verwaest@chromium.org,marja@chromium.org
BUG=v8:5215
Review-Url: https://codereview.chromium.org/2271993002
Cr-Commit-Position: refs/heads/master@{#39243}
Migrate the isNaN, isFinite, Number.isFinite, Number.isInteger,
Number.isSafeInteger and Number.isNaN predicates to TurboFan
builtins and make them optimizable (for certain input types) in
JavaScript callees being optimized by TurboFan. That means both
the baseline and the optimized version is now always at maximum,
consistent performance. Especially TurboFan suffered from poor
baseline (and optimized) performance because it cannot play the
same weird tricks that Crankshaft plays for %_IsSmi.
This also adds a bunch of new tests to properly cover the use
of the Harmony predicates in optimized code.
R=franzih@chromium.org
BUG=v8:5049,v8:5267
Review-Url: https://codereview.chromium.org/2313073002
Cr-Commit-Position: refs/heads/master@{#39242}
This way we avoid the cyclic dependency between objects.h and heap.h and still
have one definition. Add a static assert that this size is indeed smaller than
the payload of a page.
Follow ups can finally remove the dependency on spaces.h for all heap.h users.
R=ulan@chromium.org,bmeurer@chromium.org,vogelheim@chromium.og
Review-Url: https://codereview.chromium.org/2311203002
Cr-Commit-Position: refs/heads/master@{#39206}
Replace first page size in the snapshots with a heap logic that trims pages
after deserialization. The snapshot provided page sizes was just an
approximation, while the heap knows exactly where to trim.
Furthermore, trim the pages directly after deserialization, leaving no wiggle
room for further objects. This avoids pollution of the immortal immovable pages
with regular objects, e.g. Contexts. The downside is that we potentially require
expanding the space with a new page.
BUG=chromium:636331
Review-Url: https://codereview.chromium.org/2311963002
Cr-Commit-Position: refs/heads/master@{#39200}
This will allow for chaining ScopeInfos together to form the same chains
as contexts chains currently do.
BUG=v8:5215
R=mstarzinger@chromium.org,marja@chromium.org,bmeurer@chromium.org,rmcilroy@chromium.org
Review-Url: https://codereview.chromium.org/2314483002
Cr-Commit-Position: refs/heads/master@{#39192}
With the Indexed/GenericNamedPropertyDefinerCallback it is possible to intercept Object.defineProperty() calls.
Requests that call JSReceiver::OrdinaryDefineOwnProperty() internally, also trigger the interceptor. This includes Object.freeze(), Object.preventExtensions(), and Object.seal().
As without this patch, the query interceptor triggers on
defineProperty, unless the definer callback
intercepts the request.
As without this patch, the query interceptor triggers on defineProperty, unless the definer callback intercepts the request.
BUG=
Committed: https://crrev.com/b9d985975cf3bab0ded0cec9fafd3799f9bde29a
Review-Url: https://codereview.chromium.org/2272383002
Cr-Original-Commit-Position: refs/heads/master@{#39094}
Cr-Commit-Position: refs/heads/master@{#39122}
Reason for revert:
Breaks cctest/test-api-interceptors/QueryInterceptor on the waterfall
Original issue's description:
> [api] Add interceptor for defineProperty().
>
> With the Indexed/GenericNamedPropertyDefinerCallback it is possible to intercept Object.defineProperty() calls.
>
> Requests that call JSReceiver::OrdinaryDefineOwnProperty() internally, also trigger the interceptor. This includes Object.freeze(), Object.preventExtensions(), and Object.seal().
>
> BUG=
>
> Committed: https://crrev.com/b9d985975cf3bab0ded0cec9fafd3799f9bde29a
> Cr-Commit-Position: refs/heads/master@{#39094}
TBR=jochen@chromium.org,franzih@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2303533004
Cr-Commit-Position: refs/heads/master@{#39095}
With the Indexed/GenericNamedPropertyDefinerCallback it is possible to intercept Object.defineProperty() calls.
Requests that call JSReceiver::OrdinaryDefineOwnProperty() internally, also trigger the interceptor. This includes Object.freeze(), Object.preventExtensions(), and Object.seal().
BUG=
Review-Url: https://codereview.chromium.org/2272383002
Cr-Commit-Position: refs/heads/master@{#39094}
The plan is to also use it for With and Catch scopes, so all kinds of
contexts have a pointer back to their ScopeInfo
R=neis@chromium.org,marja@chromium.org
BUG=v8:5215
Review-Url: https://codereview.chromium.org/2301913002
Cr-Commit-Position: refs/heads/master@{#39092}
The only remaining use of this VariableMode is for the names of sloppy
named function expressions. This patch instead uses CONST for such
bindings (just as we do in strict mode) and instead marks those
Variables specially. During code generation a new helper method,
Variable::throw_on_const_assignment(), is called to decide whether
to throw or silently ignore the assignment.
Review-Url: https://codereview.chromium.org/2233673003
Cr-Commit-Position: refs/heads/master@{#39052}
This introduces a new heap object ModuleInfo, which is to ModuleDescriptor
what ScopeInfo is to Scope. When deserializing a scope info that contains
a module info, we deserialize the module info into a module descriptor and
put it into the synthesized module scope.
Currently, module infos only store exports.
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2277253003
Cr-Commit-Position: refs/heads/master@{#39049}
Put the types for the Date builtins into the TypeCache, and add
support for Date.prototype.getDay and Date.prototype.getMinutes.
R=epertoso@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2296593002
Cr-Commit-Position: refs/heads/master@{#39005}
This additionally gets rid of old approach to global shortcuts.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2287173002
Cr-Commit-Position: refs/heads/master@{#38980}
Infer exact types for the various Date getter builtins, and also inline
the Date.prototype.getTime() builtin, which just returns the Date value
and thus doesn't need to check the cache stamp.
R=epertoso@chromium.org
Review-Url: https://codereview.chromium.org/2285213002
Cr-Commit-Position: refs/heads/master@{#38973}
Reason for revert:
Tanks pretty much alle metrics across the board. Probably LO space limit too low but needs investigation.
Original issue's description:
> [heap] Switch to 500k pages
>
> Decrease regular heap object size to 400k. In a follow up, we can now get rid of
> the new space border page while keeping the 1M minimum new space size.
>
> This reverts commit 1617043c10.
>
> BUG=chromium:636331
>
> Committed: https://crrev.com/2101e691caeef656eb91f1c98620b3955d337c83
> Cr-Commit-Position: refs/heads/master@{#38916}
TBR=ulan@chromium.org,verwaest@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:636331
NOPRESUBMIT=true
Review-Url: https://codereview.chromium.org/2289493002
Cr-Commit-Position: refs/heads/master@{#38960}
Decrease regular heap object size to 400k. In a follow up, we can now get rid of
the new space border page while keeping the 1M minimum new space size.
This reverts commit 1617043c10.
BUG=chromium:636331
Review-Url: https://codereview.chromium.org/2278653003
Cr-Commit-Position: refs/heads/master@{#38916}
Unlike Crankshaft, Turbofan does not provide a context when trying to grow
elements. Depending on the code path we might end up updating transitioning
elements kinds in allocation sites for which we need access to the current
context. Unlike GrowCapacityAndConvert, the newly introduced GrowCapacity simply
returns false in cases where map transitions are involved.
BUG=chromium:637279
Patch by Camillo Bruni <cbruni@chromium.org>,
originally reviewed at https://codereview.chromium.org/2244983004/
Review-Url: https://codereview.chromium.org/2252393002
Cr-Commit-Position: refs/heads/master@{#38901}
This makes some information passed implicitly (e.g. the ForceConstructor
flag used to be a special symbol passed as the receiver) explicit.
BUG=
Review-Url: https://codereview.chromium.org/2274823002
Cr-Commit-Position: refs/heads/master@{#38870}
A FrameArray encodes information about a set of stack frames into a fixed
array.
This commit is a pure refactoring to make the structure of fixed array-encoded
frames explicit.
BUG=
Review-Url: https://codereview.chromium.org/2270783002
Cr-Commit-Position: refs/heads/master@{#38852}
Use bool is_strict_ to encode language_mode in scopes using a single bit.
BUG=
Review-Url: https://codereview.chromium.org/2261463002
Cr-Commit-Position: refs/heads/master@{#38724}
Initialize Code::builtin_index to -1. This ensures that it is
non-negative for builtin code objects (since it is set by
Builtins::SetUp), and -1 for everything else.
BUG=
Review-Url: https://codereview.chromium.org/2254193002
Cr-Commit-Position: refs/heads/master@{#38719}
Reason for revert:
Performance regressions in Gameboy, Life, CodeLoad and others. See crbug.com/638210.
Original issue's description:
> Refactor data structures for simple stack traces
>
> Simple stack traces are captured through Isolate::CaptureSimpleStackTrace.
> Captured frames are stored in a FixedArray, which in turn is stored as a
> property (using a private symbol) on the error object itself. Actual formatting
> of the textual stack trace is done lazily when the user reads the stack
> property of the error object.
>
> This would involve many conversions back and forth between index-encoded raw
> data (receiver, function, offset and code), JS CallSite objects, and C++
> CallSite objects.
>
> This commit refactors the C++ CallSite class into a Struct class called
> StackTraceFrame, which is the new single point of truth frame information.
> Isolate::CaptureSimpleStackTrace stores an array of StackTraceFrames, and JS
> CallSite objects (now created only when the user specifies custom stack trace
> formatting through Error.prepareStackTrace) internally only store a reference
> to a StackTraceFrame.
>
> BUG=
>
> Committed: https://crrev.com/b4c1aefb9c369f1a33a6ca94a5de9b06ea4bf5c4
> Cr-Commit-Position: refs/heads/master@{#38645}
TBR=yangguo@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=
Review-Url: https://codereview.chromium.org/2252783007
Cr-Commit-Position: refs/heads/master@{#38700}
Fixed ExtraICStateField which used 1 bits more than were available
BUG=
Review-Url: https://codereview.chromium.org/2258473002
Cr-Commit-Position: refs/heads/master@{#38697}
Reason for revert:
WebGL tests have been updated and rolled (at https://codereview.chromium.org/2227023002), so this should no longer fail outdated tests.
Original issue's description:
> Revert of Amend DataView, ArrayBuffer, and TypedArray methods to use ToIndex. (patchset #8 id:140001 of https://codereview.chromium.org/2090353003/ )
>
> Reason for revert:
> Speculative revert to unblock roll: https://codereview.chromium.org/2107223003/
>
> Original issue's description:
> > Amend DataView, ArrayBuffer, and TypedArray methods to use ToIndex.
> >
> > The spec was modified to relax some requirements which implementors had not been
> > enforcing. Part of this process involved introducing a new abstract operation
> > ToIndex, which had partial overlap with our existing semantics as well as some
> > differences (most notably treating undefined as 0). Test262 tests were introduced to
> > check for the new semantics, some of which we were failing. This patch amends the
> > parts of our implementation corresponding to specification algorithms which use
> > ToIndex to follow its semantics precisely.
> >
> > BUG=v8:4784,v8:5120
> >
> > Committed: https://crrev.com/09720349ea058d178521ec58d0a5676443a5a132
> > Cr-Commit-Position: refs/heads/master@{#37406}
>
> TBR=littledan@chromium.org,adamk@chromium.org,bakkot@google.com
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:4784,v8:5120
>
> Committed: https://crrev.com/b1f7f1f4e41a723d5f997738a07e35a031713b8f
> Cr-Commit-Position: refs/heads/master@{#37417}
TBR=littledan@chromium.org,adamk@chromium.org,hablich@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:4784,v8:5120
Review-Url: https://codereview.chromium.org/2247073004
Cr-Commit-Position: refs/heads/master@{#38689}
Our previous per-arch instantiation thunks for asm.js
didn't support modules that had or were called with anything other
than 3 arguments. Adding support for this.
Addding a runtime test method to check if asm validation succeeded.
Adding a test of validation with different argument count combinations.
R=mstarzinger@chromium.org
TEST=mjsunit/asm/asm-validator.js
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
Review-Url: https://codereview.chromium.org/2229723002
Cr-Commit-Position: refs/heads/master@{#38688}
Now that all backends use the source position builder to record source
positions, simplify the code line logging events to take a source
position table on code creation. This means that the source position
table builder no longer needs to access the isolate until the table is
generated. This is required for off-thread bytecode generation.
BUG=v8:5203
Review-Url: https://codereview.chromium.org/2248673002
Cr-Commit-Position: refs/heads/master@{#38676}
Simple stack traces are captured through Isolate::CaptureSimpleStackTrace.
Captured frames are stored in a FixedArray, which in turn is stored as a
property (using a private symbol) on the error object itself. Actual formatting
of the textual stack trace is done lazily when the user reads the stack
property of the error object.
This would involve many conversions back and forth between index-encoded raw
data (receiver, function, offset and code), JS CallSite objects, and C++
CallSite objects.
This commit refactors the C++ CallSite class into a Struct class called
StackTraceFrame, which is the new single point of truth frame information.
Isolate::CaptureSimpleStackTrace stores an array of StackTraceFrames, and JS
CallSite objects (now created only when the user specifies custom stack trace
formatting through Error.prepareStackTrace) internally only store a reference
to a StackTraceFrame.
BUG=
Review-Url: https://codereview.chromium.org/2230953002
Cr-Commit-Position: refs/heads/master@{#38645}
Decrease regular heap object size to 400k. In a follow up, we can now get rid of
the new space border page while keeping the 1M minimum new space size.
BUG=chromium:636331
This reverts commit 555c961990.
Review-Url: https://codereview.chromium.org/2232653003
Cr-Commit-Position: refs/heads/master@{#38608}
Previously, we would both instrument the code, and add/remove
BreakPointInfo objects through BreakLocation. This is bad design and
unsuitable for having two different code kinds.
We would now add/remove BreakPointInfo objects, and use that as source
of truth when instrumenting the code. If we have both bytecode and FCG
code, we would simply apply these break points twice to either.
Notable changes:
- Removed many functionality from BreakLocation.
- Instrumentation (patching code for breaks) happens by applying break
point info onto code.
- Instrumentation (code patching) is done by the BreakIterator. For
bytecode, it's BytecodeArrayBreakIterator. For FCG code, it's
CodeBreakIterator.
- Changes to code instrumentation mostly involves clearing current
instrumentation and then (re-)applying break points.
- DebugInfo can now reference both bytecode and FCG code.
R=jgruber@chromium.org, mstarzinger@chromium.org
BUG=v8:5265
Review-Url: https://codereview.chromium.org/2238893002
Cr-Commit-Position: refs/heads/master@{#38596}
This adds the --ignition-preserve-bytecode flag which will preserve any
existing bytecode, even if a tier-up to baseline code is performed. This
is preparatory work in order to allow mixed stacks where bytecode and
baseline code can be active at the same time.
It also adds a {HasBaselineCode} predicate symmetric to the existing
{HasBytecodeArray} predicate. Both predicates are independent and any
combination of answers is valid.
Further adaptation of the rest of the runtime will be done step-wise in
follow-up changes.
R=yangguo@chromium.org
BUG=v8:5265
Review-Url: https://codereview.chromium.org/2224923003
Cr-Commit-Position: refs/heads/master@{#38540}
Reason for revert:
Failures on waterfall:
e.g. http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/11134
Original issue's description:
> [heap] Switch to 500k pages
>
> - Decrease regular heap object size to 300k, keeping the same ration (60%)
> between this limit and page size.
>
> In a follow up, we can now get rid of the new space border page while
> keeping the 1M minimum new space size.
>
> Some results (v8.infinite_scroll; 3 runs):
> - evacuate.avg: +15.3% (1.4->1.2)
> - evacuate.max: +24.4% (2.4->1.8)
>
> BUG=chromium:581412
> LOG=N
> R=hpayer@chromium.org, ulan@chromium.org, yangguo@chromium.org
>
> Committed: https://crrev.com/ffe5c670e1559d11e7b252e15fec38765e7dbe4f
> Cr-Commit-Position: refs/heads/master@{#38533}
TBR=hpayer@chromium.org,ulan@chromium.org,yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:581412
Review-Url: https://codereview.chromium.org/2229403003
Cr-Commit-Position: refs/heads/master@{#38537}
- Decrease regular heap object size to 300k, keeping the same ration (60%)
between this limit and page size.
In a follow up, we can now get rid of the new space border page while
keeping the 1M minimum new space size.
Some results (v8.infinite_scroll; 3 runs):
- evacuate.avg: +15.3% (1.4->1.2)
- evacuate.max: +24.4% (2.4->1.8)
BUG=chromium:581412
LOG=N
R=hpayer@chromium.org, ulan@chromium.org, yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2013713003
Cr-Commit-Position: refs/heads/master@{#38533}
This makes break point info independent from the code kind being executed.
BUG=v8:5265
Review-Url: https://codereview.chromium.org/2230143002
Cr-Commit-Position: refs/heads/master@{#38528}
We only need these external v8 APIs to expose serialization externally,
so bypassed having an internal layer for now.
BUG=v8:5072
Review-Url: https://codereview.chromium.org/2228073002
Cr-Commit-Position: refs/heads/master@{#38516}
Use common CodeStubAssembler routines for FixedArray-copying builtin.
Also cleanup a few shared pieces of code along the way.
BUG=chromium:608675
Review-Url: https://codereview.chromium.org/2220673002
Cr-Commit-Position: refs/heads/master@{#38478}
Sanitize the typing rules for the various supported Math builtins, and
add appropriate typing rules for various Number, String, Object and global
builtins as well.
R=franzih@chromium.org
Review-Url: https://codereview.chromium.org/2222053002
Cr-Commit-Position: refs/heads/master@{#38472}
This removes the ability to specify a catch prediction for exception
handler tables that are based on return addresses. The encoding for
handlers still looks the same to keep it in sync with tables based on
ranges, just no payload is stored in the respective bits.
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2205893002
Cr-Commit-Position: refs/heads/master@{#38327}
In the parser, we desugar yield* with the help of a regular yield. One
particular implementation detail of this desugaring is that when the user calls
the generator's throw method, this throws an exception that we immediately
catch. This exception should not be visible to the user, but through Devtools'
"Pause on Caught Exceptions" feature it used to be.
This CL extends the type of catch predictions with a new value for such internal
exceptions and uses that for the offending try-catch statement in yield*. It
instruments the debugger to _not_ trigger an exception event in that case.
R=yangguo@chromium.orgTBR=littledan@chromium.org
BUG=v8:5218
Review-Url: https://codereview.chromium.org/2203803002
Cr-Commit-Position: refs/heads/master@{#38286}
1. Do not mark code_cache as a weak container.
2. Support layout_descriptor field.
Review-Url: https://codereview.chromium.org/2204133002
Cr-Commit-Position: refs/heads/master@{#38285}
This CL introduces a new fast flat instantiations cache for the first 1024 object templates.
After that we fall back to the existing slower dictionary cache.
Drive-by-fix: de-handlify and clean up some code in api-natives.cc
BUG=chromium:630217
Review-Url: https://codereview.chromium.org/2170743003
Cr-Commit-Position: refs/heads/master@{#38146}
This adds a new field to the header of every BytecodeArray which stores
the current nesting level up to which loop back edges are armed as OSR
points. The intention is to arm OSR points incrementally from outermost
to innermost until one fires (similar to OSR from FullCodegen).
R=rmcilroy@chromium.org
BUG=v8:4764
Review-Url: https://codereview.chromium.org/2172583002
Cr-Commit-Position: refs/heads/master@{#38017}
This will get a new call site in an upcoming commit, move it to String
so it's accessible from without runtime-strings.cc.
BUG=
Review-Url: https://codereview.chromium.org/2176553002
Cr-Commit-Position: refs/heads/master@{#37974}
This is in preparation to implementing exception prediction for async
functions. Each handler table entry can now predict "caught", "uncaught", or
"promise". The latter indicates that the exception will lead to a promise
rejection.
To mark the relevant try-catch blocks, we add a new native syntax.
try { } %catch (e) { } indicates a TryCatchStatement with the "promise"
prediction.
The previous implementation of using the function to tell the relevant
try-catch apart from inner try-catch blocks will not work for async functions
since these can have inner try-catch blocks inside the same function.
BUG=v8:5167
Review-Url: https://codereview.chromium.org/2161263003
Cr-Commit-Position: refs/heads/master@{#37966}
This CL fixes weird performance implications when changing layout of Code::flags field:
it happened that the unused ICStateField with MONOMORPHIC value in the handlers' flags
was accidentally offsetting the underflow bug in stub cache probing code on arm, arm64,
mips and mips64.
Stub cache tests now work even when snapshot is enabled.
Drive-by-change: Fixed counters manipulation on arm64 and mips64.
BUG=chromium:618701
Review-Url: https://codereview.chromium.org/2161153002
Cr-Commit-Position: refs/heads/master@{#37910}
It takes the number of additional elements, not the total target
capacity.
Also, avoid right-shifting a negative integer as this is undefined in general
BUG=v8:4909
R=verwaest@chromium.org
Review-Url: https://codereview.chromium.org/2162333002
Cr-Commit-Position: refs/heads/master@{#37901}
Introduce a proper CodeStubAssembler::BranchIfToBooleanIsTrue helper
method, that branches to if_true/if_false labels depending on whether
the value that is passed would yield true or false when fed to
ToBoolean. Use this helper to implement the bytecode handlers w/o having
to materialize the temporary booleans and essentially branching twice.
The CodeStubAssembler::BranchIfToBooleanIsTrue helper favors the most
likely case of a Boolean constant now.
Also migrate the ToBooleanStub to a ToBoolean TurboFan builtin, that
also uses the helper method under the hood.
Remove the now obsolete Oddball::to_boolean field.
R=hpayer@chromium.org, rmcilroy@chromium.org, yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2151163002
Cr-Commit-Position: refs/heads/master@{#37849}
- Fix recording sub types that have their own instance type
- Fix double accounting by keeping a shadow map for tracking recorded status
- Add recording of more fixed array sub types
BUG=hpayer@chromium.org
Review-Url: https://codereview.chromium.org/2147693004
Cr-Commit-Position: refs/heads/master@{#37768}
This adds initial support for ToPrimitive in JavaScript w/o having to
call out to C++. This uses the newly introduced GetPropertyStub.
R=ishell@chromium.org
Review-Url: https://codereview.chromium.org/2152693002
Cr-Commit-Position: refs/heads/master@{#37753}
- Instead of tracing during marking we can now trace in a separate phase in MC.
(Heap is iterable.)
- Add more subtypes for fixed arrays, reducing the unknown bucket to around ~8%
(local run).
- Refactor collection calls to have a single bottleneck.
- Provide JSON-based output format that can be "easily" processed in JS.
BUG=
R=ulan@chromium.org,hpayer@chromium.org
Review-Url: https://codereview.chromium.org/2129173002
Cr-Commit-Position: refs/heads/master@{#37718}
- check that packed elements do not contain the_hole (with fix)
- verify argument objects with elements kind
- use JSObjectVerifiy in all JSObject "subclasses"
- change initialization order for ArrayLiteralBoilerplate to simplify verification
BUG=v8:5188
Review-Url: https://codereview.chromium.org/2126613002
Cr-Commit-Position: refs/heads/master@{#37680}
CallSite::IsConstructor() was unable to recognize builtin construct stubs
(NumberConstructor_ConstructStub and StringConstructor_ConstructStub) as
constructors, and thus these frames were not formatted correctly in stack
traces.
Fix this by explicitly marking their Code objects as construct stubs and
passing along a special receiver value when we encounter such cases in
CaptureSimpleStackTrace.
R=mstarzinger@chromium.org, yangguo@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2125163004
Cr-Commit-Position: refs/heads/master@{#37631}
Drive-by-fix: hydrogen code does not blindly return the
byteLength offset, instead it executes what is defined
in the byteLength getter.
BUG=
Review-Url: https://codereview.chromium.org/2123263002
Cr-Commit-Position: refs/heads/master@{#37595}
Now LookupIterator follows the same pattern of prepare transition, apply transition
and write value when adding new properties to dictionary objects.
JSGlobalObject case:
* Prepare transition phase ensures that there is a "transition" property cell
prepared for receiving a value.
* Apply transition phase does nothing.
* Prepare for data property phase ensures that the existing property cell can
receive the value.
* Write value phase writes value directly to the current property cell.
JSObject case:
* Prepare transition phase prepares the object for receiving a data value (which
could switch an object to dictionary mode).
* Apply transition phase migrates object to a transition map. If the map happened
to be a dictionary mode object's map then an uninitialized entry added to the
properties dictionary.
* Prepare for data property phase does nothing.
* Write value phase just puts value to the properties dictionary.
BUG=chromium:576312
Review-Url: https://codereview.chromium.org/2127583002
Cr-Commit-Position: refs/heads/master@{#37585}
Working on eliminating the use of ClassOf(). This function was checking IS_ARRAYBUFFER.
BUG=
Review-Url: https://codereview.chromium.org/2126603003
Cr-Commit-Position: refs/heads/master@{#37565}
The Number.parseInt (and therefore the parseInt function on the global
object) are often used instead of Math.floor or just plain int32
truncation, and we can easily recognize those cases and provide a fast
path in TurboFan.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2125583002
Cr-Commit-Position: refs/heads/master@{#37518}
This patch implements "immutable prototype exotic objects" from the ECMAScript
spec, which are objects whose __proto__ cannot be changed, but are not otherwise
frozen. They are introduced in order to prevent a Proxy from being introduced
to the prototype chain of the global object.
The API is extended by a SetImmutablePrototype() call in ObjectTemplate, which
can be used to vend new immutable prototype objects. Additionally, Object.prototype
is an immutable prototype object.
In the implementation, a new bit is added to Maps to say whether the prototype is
immutable, which is read by SetPrototype. Map transitions to the immutable prototype
state are not saved in the transition tree because the main use case is just for
the prototype chain of the global object, which there will be only one of per
Context, so no need to take up the extra word for a pointer in each full transition
tree.
BUG=v8:5149
Review-Url: https://codereview.chromium.org/2108203002
Cr-Commit-Position: refs/heads/master@{#37482}
Import fdlibm versions of acos, acosh, asin and asinh, which are more
precise and produce the same result across platforms (we were using
libm versions for asin and acos so far, where both speed and precision
depended on the operating system so far). Introduce appropriate TurboFan
operators for these functions and use them both for inlining and for the
generic builtin.
Also migrate the Math.imul and Math.fround builtins to TurboFan builtins
to ensure that their behavior is always exactly the same as the inlined
TurboFan version (i.e. C++ truncation semantics for double to float
don't necessarily meet the JavaScript semantics).
For completeness, also migrate Math.sign, which can even get some nice
love in TurboFan.
Drive-by-fix: Some alpha-sorting on the Math related functions, and
cleanup the list of Math intrinsics that we have to export via the
native context currently.
BUG=v8:3266,v8:3496,v8:3509,v8:3952,v8:5169,v8:5170,v8:5171,v8:5172
TBR=rossberg@chromium.orgR=franzih@chromium.org
Review-Url: https://codereview.chromium.org/2116753002
Cr-Commit-Position: refs/heads/master@{#37476}
This stores the wasm object and the function index in the script, and
adds functions to get the disassembled wasm code as well as the offset
table mapping from byte position to line and column in the disassembly
solely from the script.
This will be used to show "ui source code" in DevTools, and map raw
locations from the stack trace into this code view.
R=yangguo@chromium.org, ahaas@chromium.org, titzer@chromium.org
BUG=chromium:613110
patch from issue 2063013004 at patchset 80001 (http://crrev.com/2063013004#ps80001)
Review-Url: https://codereview.chromium.org/2105303002
Cr-Commit-Position: refs/heads/master@{#37430}
Converts FastNewClosureStub from a Hydrogen to a TurboFan code stub.
The plan is to start using this in the Interpreter CreateClosure
bytecode handler (in a follow-up CL).
BUG=v8:4280
Review-Url: https://codereview.chromium.org/2100883003
Cr-Commit-Position: refs/heads/master@{#37429}
Reason for revert:
Speculative revert to unblock roll: https://codereview.chromium.org/2107223003/
Original issue's description:
> Amend DataView, ArrayBuffer, and TypedArray methods to use ToIndex.
>
> The spec was modified to relax some requirements which implementors had not been
> enforcing. Part of this process involved introducing a new abstract operation
> ToIndex, which had partial overlap with our existing semantics as well as some
> differences (most notably treating undefined as 0). Test262 tests were introduced to
> check for the new semantics, some of which we were failing. This patch amends the
> parts of our implementation corresponding to specification algorithms which use
> ToIndex to follow its semantics precisely.
>
> BUG=v8:4784,v8:5120
>
> Committed: https://crrev.com/09720349ea058d178521ec58d0a5676443a5a132
> Cr-Commit-Position: refs/heads/master@{#37406}
TBR=littledan@chromium.org,adamk@chromium.org,bakkot@google.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4784,v8:5120
Review-Url: https://codereview.chromium.org/2113593002
Cr-Commit-Position: refs/heads/master@{#37417}
The spec was modified to relax some requirements which implementors had not been
enforcing. Part of this process involved introducing a new abstract operation
ToIndex, which had partial overlap with our existing semantics as well as some
differences (most notably treating undefined as 0). Test262 tests were introduced to
check for the new semantics, some of which we were failing. This patch amends the
parts of our implementation corresponding to specification algorithms which use
ToIndex to follow its semantics precisely.
BUG=v8:4784,v8:5120
Review-Url: https://codereview.chromium.org/2090353003
Cr-Commit-Position: refs/heads/master@{#37406}
This changes many interfaces to accept StandardFrames instead of
JavaScriptFrames, and use the StackTraceFrameIterator instead of the
JavaScriptFrameIterator.
Also, the detailed frame information array now contains the script in
addition to the function, as wasm frames are not associated to any
javascript function.
This is a rebase of (https://codereview.chromium.org/2069823003/), since clemensh's internship has ended.
R=yangguo@chromium.org,ahaas@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2109093003
Cr-Commit-Position: refs/heads/master@{#37379}
This reverts commit 1eb1dfabe4.
The original compilation separation change avoided associating a heap
for the wasm instance if memory was not provided, nor needed. The
grow memory CL assumed the old behavior, where a memory buffer was
always present, but may have had a zero size.
The 2CLS landed shortly after one another. We decided to treat the
grow memory as the race condition winner, so this CL here re-lands
compilation separation, plus adjusts grow memory to deal with
the undefined mem buffer.
BUG=
Review-Url: https://codereview.chromium.org/2102193003
Cr-Commit-Position: refs/heads/master@{#37352}
Support for serializing/deserializing the compiled wasm module.
We want to reuse the javascript snapshotting mechanics, at least in the
short term, when we still use the JS heap for the compiled wasm code.
Given that a module may be compiled in one v8 instance and then
instantiated later, in a different instance, whatever information we need
at instantiation time must also be serializable.
We currently hold on to the un-decoded wasm bytes, for enabling
debugging scenarios. This imposes a ~20% penalty on the memory
requirements of the wasm compiled code. We do not need this data
otherwise, for runtime, and it is sensible to consider eventually loading it
on demand. Therefore, I intentionally avoided relying on it and re-
decoding the wasm module data, and instead saved the information
necessary to support instantiation.
Given how whatever we need to persist must be serializable, the CL
uses a structure made out of serializable objects (fixed arrays mostly)
for storing this information. I preferred going this route rather than
adding more wasm-specific support to the serializer, given that we want
to eventually move off the JS heap, and therefore the serializer.
Additionally, it turns out this extra information is relatively not complex:
minimal structure, little nesting depth, mostly simple data like numbers
or byte blobs, or opaque data like compiled functions.
This CL also moves export compilation ahead of instantiation time.
This change added a helper getter to FixedArray, to make typed retrieval
of elements easier.
BUG=
Review-Url: https://codereview.chromium.org/2094563002
Cr-Commit-Position: refs/heads/master@{#37348}
The serializer does not support serialization of HashTables in general because
after deserialization it might be necessary to rehash the table.
However the UnseededNumberDictionary does not require rehashing and this CL allows
them to be serialized.
This CL also changes the shape of UnseededNumberDictionary: the details field is
no longer part of the entry since no one needs it.
BUG=chromium:576312, chromium:623516
Review-Url: https://codereview.chromium.org/2102073002
Cr-Commit-Position: refs/heads/master@{#37336}
This cl fixes the long-standing bug for for-in with shadowing properties.
BUG=v8:705
Review-Url: https://codereview.chromium.org/2081733002
Cr-Commit-Position: refs/heads/master@{#37333}
The reason for reverting is: This breaks gc-stress bot:
https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot
Abortion of compaction could cause duplicate entries in the typed-old-to-new remembered set. These duplicates could cause a DCHECK to trigger which checks that slots recorded in the remembered set never point to to-space. This reland-CL allows duplicates in the remembered set by removing the DCHECK, and additionally clears entries in the remembered set if objects are moved.
Original issue's description:
Cells were needed originally because there was no typed remembered set to
record direct pointers from code space to new space. A previous
CL (https://codereview.chromium.org/2003553002/) already introduced
the remembered set, this CL uses it.
This CL
* stores direct pointers in code objects, even if the target is in new space,
* records the slot of the pointer in typed-old-to-new remembered set,
* adds a list which stores weak code-to-new-space references,
* adds a test to test-heap.cc for weak code-to-new-space references,
* removes prints in tail-call-megatest.js
Review-Url: https://codereview.chromium.org/2097023002
Cr-Commit-Position: refs/heads/master@{#37325}
the .eh_frame format as part of the jitdump generated when
FLAG_perf_prof is enabled. The final goal is allowing precise unwinding
of callchains that include JITted code when profiling V8 using perf.
Unwinding information is stored in the body of code objects after the
code itself, prefixed with its length and aligned to a 8-byte boundary.
A boolean flag in the header signals its presence, resulting in zero
memory overhead when the generation of unwinding info is disabled or
no such information was attached to the code object.
A new jitdump record type (with id 4) is introduced for specifying
optional unwinding information for code load records. The EhFrameHdr
struct is also introduced, together with a constructor to initialise it
from the associated code object.
At this stage no unwinding information is written to the jitdump, but
the infrastructure for doing so is ready in place.
BUG=v8:4899
LOG=N
Review-Url: https://codereview.chromium.org/1993653003
Cr-Commit-Position: refs/heads/master@{#37296}
This is a building block for GetPropertyStub. It supports querying fast,
slow and global objects without native accessors and interceptors.
BUG=v8:4911
LOG=Y
Review-Url: https://codereview.chromium.org/2079823002
Cr-Commit-Position: refs/heads/master@{#37291}
We can check if the instance type of an object is JS_PROMISE_TYPE to determine if it is a promise rather than test whether the property promise_state_symbol is present.
BUG=
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review-Url: https://codereview.chromium.org/2091243002
Cr-Commit-Position: refs/heads/master@{#37283}
Reason for revert:
This breaks gc-stress bot: https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot
#
# Fatal error in ../../src/heap/mark-compact.cc, line 3715
# Check failed: Page::FromAddress(reinterpret_cast<HeapObject*>(*slot)->address()) ->IsFlagSet(Page::PAGE_NEW_NEW_PROMOTION).
#
I can reproduce locally, and local revert also fixes it -> revert.
Reproduce with:
out/Debug/d8 --test --random-seed=2140216864 --nohard-abort --nodead-code-elimination --nofold-constants --enable-slow-asserts --debug-code --verify-heap --allow-natives-syntax --harmony-tailcalls test/mjsunit/mjsunit.js test/mjsunit/es6/tail-call-megatest-shard2.js --gc-interval=500 --stress-compaction --concurrent-recompilation-queue-length=64 --concurrent-recompilation-delay=500 --concurrent-recompilation
(Maybe run in loop; it's flaky when broken; but passes reliably w/ revert.)
Original issue's description:
> Reland [heap] Avoid the use of cells to point from code to new-space objects.
>
> The reason for reverting was: [Sheriff] Breaks arm debug:
> https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm%20-%20sim%20-%20debug/builds/1038.
>
> The problem was the dereferencing of handles for smi checks. It turned out
> that these smi checks can be removed anyways, both on arm and on mips.
>
> Additionally some rebasing was necessary.
>
> Original issue's description:
>
> Cells were needed originally because there was no typed remembered set to
> record direct pointers from code space to new space. A previous
> CL (https://codereview.chromium.org/2003553002/) already introduced
> the remembered set, this CL uses it.
>
> This CL
> * stores direct pointers in code objects, even if the target is in new space,
> * records the slot of the pointer in typed-old-to-new remembered set,
> * adds a list which stores weak code-to-new-space references,
> * adds a test to test-heap.cc for weak code-to-new-space references,
> * removes prints in tail-call-megatest.js
>
> R=mlippautz@chromium.org
>
> Committed: https://crrev.com/5508e16592522658587da71ba6743c8e832fe4d1
> Cr-Commit-Position: refs/heads/master@{#37217}
TBR=mlippautz@chromium.org,ahaas@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2090983002
Cr-Commit-Position: refs/heads/master@{#37221}
Now we can turn it into a turbofan stub.
Create new instance types JS_ARGUMENTS_TYPE and JS_ERROR_TYPE.
Review-Url: https://codereview.chromium.org/2080243003
Cr-Commit-Position: refs/heads/master@{#37219}
The reason for reverting was: [Sheriff] Breaks arm debug:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm%20-%20sim%20-%20debug/builds/1038.
The problem was the dereferencing of handles for smi checks. It turned out
that these smi checks can be removed anyways, both on arm and on mips.
Additionally some rebasing was necessary.
Original issue's description:
Cells were needed originally because there was no typed remembered set to
record direct pointers from code space to new space. A previous
CL (https://codereview.chromium.org/2003553002/) already introduced
the remembered set, this CL uses it.
This CL
* stores direct pointers in code objects, even if the target is in new space,
* records the slot of the pointer in typed-old-to-new remembered set,
* adds a list which stores weak code-to-new-space references,
* adds a test to test-heap.cc for weak code-to-new-space references,
* removes prints in tail-call-megatest.js
R=mlippautz@chromium.org
Review-Url: https://codereview.chromium.org/2091733002
Cr-Commit-Position: refs/heads/master@{#37217}
This runtime function now also works for Ignition generators. It returns the
source position of the yield at which a suspended generator got suspended. This
works by storing the current bytecode offset at suspension and using an existing
mechanism to map it back to a source position.
TBR=littledan@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2079613003
Cr-Commit-Position: refs/heads/master@{#37140}
Reason for revert:
[Sheriff] Breaks arm debug:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm%20-%20sim%20-%20debug/builds/1038
Original issue's description:
> [heap] Avoid the use of cells to point from code to new-space objects.
>
> Cells were needed originally because there was no typed remembered set to
> record direct pointers from code space to new space. A previous
> CL (https://codereview.chromium.org/2003553002/) already introduced
> the remembered set, this CL uses it.
>
> This CL
> * stores direct pointers in code objects, even if the target is in new space,
> * records the slot of the pointer in typed-old-to-new remembered set,
> * adds a list which stores weak code-to-new-space references,
> * adds a test to test-heap.cc for weak code-to-new-space references,
> * removes prints in tail-call-megatest.js
>
> R=ulan@chromium.org
>
> Committed: https://crrev.com/2d2087b79a293a92a6ed34a2775e481ff2173b3c
> Cr-Commit-Position: refs/heads/master@{#37134}
TBR=titzer@chromium.org,ulan@chromium.org,ahaas@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2087463004
Cr-Commit-Position: refs/heads/master@{#37139}
Cells were needed originally because there was no typed remembered set to
record direct pointers from code space to new space. A previous
CL (https://codereview.chromium.org/2003553002/) already introduced
the remembered set, this CL uses it.
This CL
* stores direct pointers in code objects, even if the target is in new space,
* records the slot of the pointer in typed-old-to-new remembered set,
* adds a list which stores weak code-to-new-space references,
* adds a test to test-heap.cc for weak code-to-new-space references,
* removes prints in tail-call-megatest.js
R=ulan@chromium.org
Review-Url: https://codereview.chromium.org/2045263002
Cr-Commit-Position: refs/heads/master@{#37134}
Named capture groups may be specified using the /(?<name>pattern)/u
syntax, with named backreferences specified as /\k<name>/u. They're
hidden behind the --harmony-regexp-named-captures flag, and are only
enabled for unicode regexps.
R=yangguo@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2050343002
Cr-Commit-Position: refs/heads/master@{#36986}
The former will handle loads of predeclared global variables (vars and
functions), lets, consts and undeclared variables. The latter will handle
named loads from explicit receiver. In addition, named loads does not
depend of the TypeofMode.
TypeofMode related cleanup will be done in the follow-up CL.
BUG=chromium:576312
LOG=Y
TBR=bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/1912633002
Cr-Commit-Position: refs/heads/master@{#36965}
Zero value of ICStateField part made megamorphic stub cache unusable.
We need to revisit hashing algorithm in order to remove the ICStateField.
BUG=chromium:619016
LOG=N
Review-Url: https://codereview.chromium.org/2064713002
Cr-Commit-Position: refs/heads/master@{#36959}
Reason for revert:
Cannot reproduce gc-stress failures locally.
Original issue's description:
> Revert of Replace all remaining Oddball checks with new function (patchset #10 id:180001 of https://codereview.chromium.org/2043183003/ )
>
> Reason for revert:
> failing tests
>
> Original issue's description:
> > Replace all remaining Oddball checks with new function
> >
> > This CL removes the IsUndefined() and Co. methods from Object and HeapObject.
> > The new method all take the isolate as parameter.
> >
> > BUG=
> >
> > Committed: https://crrev.com/ccefb3ae5fe967288d568013fb04e8761eafebc5
> > Cr-Commit-Position: refs/heads/master@{#36921}
>
> TBR=mstarzinger@chromium.org,verwaest@chromium.org,yangguo@chromium.org,ahaas@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=
>
> Committed: https://crrev.com/33b8bc24a12fb062100c0be84456faeb0b9fa5d1
> Cr-Commit-Position: refs/heads/master@{#36923}
TBR=mstarzinger@chromium.org,verwaest@chromium.org,yangguo@chromium.org,ahaas@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2059173002
Cr-Commit-Position: refs/heads/master@{#36957}
Reason for revert:
failing tests
Original issue's description:
> Replace all remaining Oddball checks with new function
>
> This CL removes the IsUndefined() and Co. methods from Object and HeapObject.
> The new method all take the isolate as parameter.
>
> BUG=
>
> Committed: https://crrev.com/ccefb3ae5fe967288d568013fb04e8761eafebc5
> Cr-Commit-Position: refs/heads/master@{#36921}
TBR=mstarzinger@chromium.org,verwaest@chromium.org,yangguo@chromium.org,ahaas@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2060213002
Cr-Commit-Position: refs/heads/master@{#36923}
This CL removes the IsUndefined() and Co. methods from Object and HeapObject.
The new method all take the isolate as parameter.
BUG=
Review-Url: https://codereview.chromium.org/2043183003
Cr-Commit-Position: refs/heads/master@{#36921}
Import base::ieee754::log1p() from fdlibm and introduce a Float64Log1p
TurboFan operator based on that, similar to what we do for Float64Log.
Rewrite Math.log1p() as TurboFan builtin and use that operator to also
inline Math.log1p() into optimized TurboFan functions.
Also unify the handling of the special IEEE 754 functions somewhat in
the TurboFan backends. At some point we can hopefully express this
completely in the InstructionSelector (once we have an idea what to do
with the ST(0) return issue on IA-32/X87).
Drive-by-fix: Add some more test coverage for the log function.
R=yangguo@chromium.org
BUG=v8:5086,v8:5092
Review-Url: https://codereview.chromium.org/2060743002
Cr-Commit-Position: refs/heads/master@{#36914}
There are no ICs left that store their state in this field: vector based
ICs use feedback vector and the rest three (BinaryOpIC, CompareIC and
ToBooleanIC) reconstruct their state from the ExtraICState field.
This CL also removes unused InlineCacheState::DEBUG_STUB which was used
mostly in Code::is_debug_stub(). The latter now checks if the code is one
of the debug builtins instead.
BUG=chromium:618701
LOG=Y
Review-Url: https://codereview.chromium.org/2052763003
Cr-Commit-Position: refs/heads/master@{#36871}
Adding properties to prototypes is faster when we don't force their
maps into fast mode yet. Once a prototype shows up in the IC system,
its setup phase is likely over, and it makes sense to transition it
to fast properties.
This patch speeds up the microbenchmark in the bug by 20x.
Octane-Typescript sees a 3% improvement.
BUG=chromium:607010
Review-Url: https://codereview.chromium.org/2036493006
Cr-Commit-Position: refs/heads/master@{#36828}
This speeds up .bind by >10x as measured by
function f(a,b,c) {}
for (var i = 0; i < 10000000; i++) {
f.bind(1); // or more arguments.
}
(Uses hydrogen-stubs rather than TF due to var-args + possible runtime fallback, which is still unsupported in TF.)
BUG=
Review-Url: https://codereview.chromium.org/2044113002
Cr-Commit-Position: refs/heads/master@{#36817}
This reverts commit d3a43e47dd.
This patch also adds typed_array_fun and typed_array_protoype to the
native context. These are used in InstallTypedArray to set up the
prototype chain correctly for each typed array sub class. This removes
the need to later monkey patch them prototype chain in typedarray.js.
This mechanism is also used to get hold of the TypedArray in
typedarray.js, removing the need for a global TypedArray.
This patch updates CallRuntime.golden to account for the two extra
native runtime calls. This patch also fixes some formatting issues (by
running git cl format).
BUG=chromium:579905, chromium:593634, v8:4085, v8:5073
Review-Url: https://codereview.chromium.org/2046333002
Cr-Commit-Position: refs/heads/master@{#36811}
In most cases we return a Smi and undefined for the other cases. Hence there
is no need to handlify the result unecessary. Additionally pass in the isolate
for the hash-symbol lookup.
BUG=
Review-Url: https://codereview.chromium.org/2044843002
Cr-Commit-Position: refs/heads/master@{#36790}
Using the isolate to check for IsUndefined and IsTheHole is roughly at least
20% faster in the worst-case and up to a factor 2x in the best case.
BUG=
Review-Url: https://codereview.chromium.org/2031533002
Cr-Commit-Position: refs/heads/master@{#36787}
Reason for revert:
Blink:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/7296
Original issue's description:
> [builtins] Properly optimize TypedArray/DataView accessors.
>
> The following getters were moved to the TypedArray/DataView prototype
> chain with ES2015, and hence need different treatment now:
>
> - DataView.prototype.buffer
> - DataView.prototype.byteLength
> - DataView.prototype.byteOffset
> - TypedArray.prototype.buffer
> - TypedArray.prototype.byteLength
> - TypedArray.prototype.byteOffset
> - TypedArray.prototype.length
>
> Instead of having special magic on the LoadIC in the IC system and the
> optimizing compilers, as we used to do before (and which we got rid of
> already), we just treat those as normal accessors and make them
> recognizable via the BuiltinFunctionId mechanism. This allows us to
> remove some of the additional magic from the IC subsystem, and just
> extend the BuiltinFunctionId mechanism in Crankshaft slightly to cover
> these cases too (TurboFan doesn't yet support accessors, but that will
> be fixed soonish anyways).
>
> This addresses most of the 15-20% regression we saw on the Octane
> GameBoy emulator benchmark.
>
> BUG=chromium:579905,chromium:593634,v8:4085,v8:5073
> R=yangguo@chromium.org
>
> Committed: https://crrev.com/1ef737026565ea2becc84f30cfd432e581d50c6b
> Cr-Commit-Position: refs/heads/master@{#36782}
TBR=yangguo@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:579905,chromium:593634,v8:4085,v8:5073
Review-Url: https://codereview.chromium.org/2039093005
Cr-Commit-Position: refs/heads/master@{#36783}
The following getters were moved to the TypedArray/DataView prototype
chain with ES2015, and hence need different treatment now:
- DataView.prototype.buffer
- DataView.prototype.byteLength
- DataView.prototype.byteOffset
- TypedArray.prototype.buffer
- TypedArray.prototype.byteLength
- TypedArray.prototype.byteOffset
- TypedArray.prototype.length
Instead of having special magic on the LoadIC in the IC system and the
optimizing compilers, as we used to do before (and which we got rid of
already), we just treat those as normal accessors and make them
recognizable via the BuiltinFunctionId mechanism. This allows us to
remove some of the additional magic from the IC subsystem, and just
extend the BuiltinFunctionId mechanism in Crankshaft slightly to cover
these cases too (TurboFan doesn't yet support accessors, but that will
be fixed soonish anyways).
This addresses most of the 15-20% regression we saw on the Octane
GameBoy emulator benchmark.
BUG=chromium:579905,chromium:593634,v8:4085,v8:5073
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2042013003
Cr-Commit-Position: refs/heads/master@{#36782}
Passing in the isolate and pointer compare the instnance against the
corresponding constant is always faster than decoding the instance types.
BUG=
Review-Url: https://codereview.chromium.org/2028983002
Cr-Commit-Position: refs/heads/master@{#36744}
Most maps have a small code cache (often only one entry), so this patch
optimizes memory consumption of such cases by using plain FixedArrays,
only switching to CodeCacheHashTables when the number of cached entries
gets so large that linear-scan lookups get too slow.
On loading inbox.google.com, this gets the aggregate size of all maps'
code caches (there are about 13,600 of them) from 4300 KB to 970 KB.
Review-Url: https://codereview.chromium.org/2021373002
Cr-Commit-Position: refs/heads/master@{#36681}
Reason for revert:
There are crashes on Win32 and Win64 bots.
Original issue's description:
> Extend HasProperty stub with dictionary-mode, string wrapper and double-elements objects support.
>
> This CL also replaces some Branch() usages with GotoIf/GotoUnless.
>
> BUG=v8:2743
> LOG=Y
>
> Committed: https://crrev.com/24066b6df4259b302edfa1db884c479008776a7e
> Cr-Commit-Position: refs/heads/master@{#36657}
TBR=verwaest@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:2743
Review-Url: https://codereview.chromium.org/2028333002
Cr-Commit-Position: refs/heads/master@{#36659}
This CL also replaces some Branch() usages with GotoIf/GotoUnless.
BUG=v8:2743
LOG=Y
Review-Url: https://codereview.chromium.org/1995453002
Cr-Commit-Position: refs/heads/master@{#36657}
This CL also updates the elements kind transition lookup logic:
1) First we go back to the root map,
2) Follow elements kind transitions,
3) Replay the property transitions.
BUG=v8:5009
LOG=Y
TBR=bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2015513002
Cr-Commit-Position: refs/heads/master@{#36652}
Expose more or less the full functionality of the KeyAccumulator in the API:
- use the PropertyFilter introduced for GetOwnPropertyNames
- use KeyCollectionLimit for OWN_ONLY or INLCUDE_PROTOS
- use IndexFilter to eithe SKIP_INDICES or INCLUDE_INDICES
Rewire Object::GetOwnPropertyNames to use GetPropertyNames.
BUG=chromium:148757
Review-Url: https://codereview.chromium.org/2002203002
Cr-Commit-Position: refs/heads/master@{#36595}
These builtins always call into C++ anyways and so there's no point in
having the JavaScript wrapper around them, but instead they can be
implemented as C++ builtins directly.
R=franzih@chromium.org
BUG=v8:5049
Review-Url: https://codereview.chromium.org/2018983002
Cr-Commit-Position: refs/heads/master@{#36569}
This CL makes sure that Symbols-keys are printed the same way for
fast and slow properties. Additionally the elements and properties
are marked clearer in the output.
BUG=
Review-Url: https://codereview.chromium.org/2008893002
Cr-Commit-Position: refs/heads/master@{#36550}
This allows sloppy arguments objects to be allocated by the generic
Heap::AllocateJSObjectFromMap allocation function. An empty elements
backing store for such objects is provided. This is needed in order to
materialize such objects without access to a specific native context.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-613919
BUG=chromium:613919
Review-Url: https://codereview.chromium.org/2014343004
Cr-Commit-Position: refs/heads/master@{#36547}
We get less "pollution" of type feedback if we have one vector per native
context, rather than one for the whole system. This CL moves the vector
appropriately.
BUG=
Review-Url: https://codereview.chromium.org/1906823002
Cr-Commit-Position: refs/heads/master@{#36539}
Adds an API to request the total size of code/bytecode and their associated
metadata in the heap. When requested, the code_space, old_space and
large_object_space is scanned to find any code/bytecode array objects.
This could be slow and hence it should be used with caution.
BUG=v8:5019
LOG=N
Review-Url: https://codereview.chromium.org/1997363002
Cr-Commit-Position: refs/heads/master@{#36534}
Reason for revert:
https://build.chromium.org/p/client.v8/builders/V8%20Mac%20GC%20Stress/builds/6248
Original issue's description:
> [keys] Simplify KeyAccumulator
>
> - Use KeyAccumulator::GetKeys directly instead of JSReceiver::GetKeys
> - Revert KeyAccumulator to single OrderedHashSet implementation.
> - Convert the OrderedHashSet in-place to a FixedArray
> - IndexedInterceptor indices are no longer combined and sorted with the object indices
>
> BUG=
>
> Committed: https://crrev.com/d3324df017046bcde247a5aef6d1b59bfae5908f
> Cr-Commit-Position: refs/heads/master@{#36485}
TBR=jkummerow@chromium.org,verwaest@chromium.org,cbruni@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2010593002
Cr-Commit-Position: refs/heads/master@{#36486}
- Use KeyAccumulator::GetKeys directly instead of JSReceiver::GetKeys
- Revert KeyAccumulator to single OrderedHashSet implementation.
- Convert the OrderedHashSet in-place to a FixedArray
- IndexedInterceptor indices are no longer combined and sorted with the object indices
BUG=
Review-Url: https://codereview.chromium.org/1995263002
Cr-Commit-Position: refs/heads/master@{#36485}
This fixes the SharedFunctionInfo::num_literals field for global builtin
functions (e.g. {Object} and friends) to be accurate. The field was not
being updated by Runtime_SetCode. It also removes the dangerous and by
now obsolete JSFunction::NumberOfLiterals accessor.
R=mvstanton@chromium.org
Review-Url: https://codereview.chromium.org/2007943002
Cr-Commit-Position: refs/heads/master@{#36480}
Script position calculation logic (i.e. line & column numbers for a
given code position) is now based on a single method
Script::GetPositionInfo(). Refactored related code in isolate.cc and
js/messages.js to use the new method. The line_ends accessor is still
in use by chromium and thus cannot be removed yet.
R=yangguo@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2002993002
Cr-Commit-Position: refs/heads/master@{#36458}
Script position calculation logic (i.e. line & column numbers for a
given code position) is now based on a single method
Script::GetPositionInfo(). Refactored related code in isolate.cc and
js/messages.js to use the new method. The line_ends accessor is still
in use by chromium and thus cannot be removed yet.
R=yangguo@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2003483002
Cr-Commit-Position: refs/heads/master@{#36398}
We cannot tier up from interpreted to baseline code when there is an
activation of the function on the stack. This significantly regresses
the performance of recursive functions since they are unlikely to get
tiered up.
This CL adds the ability for a function to be marked for baseline
compilation when it returns. To do this we patch the
InterpreterEntryTrampoline return address to point to
InterpreterMarkBaselineOnReturn, which leaves the
interpreted frame and recompile the function for
baseline.
This improves the score of EarlyBoyer by ~8x for Ignition.
BUG=v8:4280
LOG=N
Review-Url: https://codereview.chromium.org/1965343002
Cr-Commit-Position: refs/heads/master@{#36360}
Script position calculation logic (i.e. line & column numbers for a
given code position) is now based on a single method
Script::GetPositionInfo(). Refactored related code in isolate.cc and
js/messages.js to use the new method and removed the line_ends JS
accessor.
R=yangguo@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/1986173002
Cr-Commit-Position: refs/heads/master@{#36359}
This adds back the instanceof operator support in the backends and
introduces a @@hasInstance protector cell on the isolate that guards the
fast path for the InstanceOfStub. This way we recover the ~10%
regression on Octane EarleyBoyer in Crankshaft and greatly improve
TurboFan and Ignition performance of instanceof.
R=ishell@chromium.orgTBR=hpayer@chromium.org,rossberg@chromium.org
BUG=chromium:597249, v8:4447
LOG=n
Review-Url: https://codereview.chromium.org/1980483003
Cr-Commit-Position: refs/heads/master@{#36275}
When I18N is enabled, use ICU's case conversion API and transliteration
API [1] to implement String.prototype.to{Upper,Lower}Case and
String.prototype.toLocale{Upper,Lower}Case.
* ICU-based case conversion was implemented in runtime-i18n.cc/i18n.js
* The above 4 functions are overridden with those in i18n.js when
--icu_case_mapping flag is turned on. To control the override by the flag,
they're overriden in icu-case-mapping.js
Previously, toLocale{U,L}Case just called to{U,L}Case so that they didn't
support locale-sensitive case conversion for Turkic languages (az, tr),
Greek (el) and Lithuanian (lt).
Before ICU APIs for the most general case are called, a fast-path for Latin-1
is tried. It's taken from Blink and adopted as necessary. This fast path
is always tried for to{U,L}Case. For toLocale{U,L}Case, it's only taken
when a locale (explicitly specified or default) is not in {az, el, lt, tr}.
With these changes, a build with --icu_case_mapping=true passes a bunch
of tests in test262/intl402/Strings/* and intl/* that failed before.
Handling of pure ASCII strings (aligned at word boundary) are not as fast
as Unibrow's implementation that uses word-by-word case conversion. OTOH,
Latin-1 input handling is faster than Unibrow. General Unicode input
handling is slower but more accurate.
See https://docs.google.com/spreadsheets/d/1KJCJxKc1FxFXjwmYqABS0_2cNdPetvnd8gY8_HGSbrg/edit?usp=sharing for the benchmark.
This CL started with http://crrev.com/1544023002#ps200001 by littledan@,
but has changed significantly since.
[1] See why transliteration API is needed for uppercasing in Greek.
http://bugs.icu-project.org/trac/ticket/10582
R=yangguo
BUG=v8:4476,v8:4477
LOG=Y
TEST=test262/{built-ins,intl402}/Strings/*, webkit/fast/js/*, mjsunit/string-case,
intl/general/case*
Review-Url: https://codereview.chromium.org/1812673005
Cr-Commit-Position: refs/heads/master@{#36187}
In the bytecode graphbuilder, translate the two generator-specific
bytecodes as a couple of runtime calls for now.
BUG=v8:4907
LOG=n
Review-Url: https://codereview.chromium.org/1957393004
Cr-Commit-Position: refs/heads/master@{#36134}
Add comments explaining how to iterate over an OrderedHashTable.
Use the correct strategy for iteration in Set::AsArray().
Add a DCHECK bounds check in OrderedHashTable::KeyAt().
BUG=v8:4946
LOG=y
Review-Url: https://codereview.chromium.org/1952093002
Cr-Commit-Position: refs/heads/master@{#36091}
Previously, the species protector was invalidated whenever the __proto__ of
an Array instance was manipulated. Then, if the map's new_target_is_base field
remained set, it was correct to conclude that GetPrototypeOf(array) was
%ArrayPrototype%. However, this choice caused the popular D3 framework to
invalidate the species protector, causing many functions to become slower.
This patch eliminates that aspect of the species protector. Instead, the check
is to look at the instance->map()->prototype(). It is valid to look directly
at the map's prototype slot, ignoring hidden prototypes and proxies, because
- This is only called on Array instances, so the receiver cannot be a Proxy.
- For hidden prototypes, any inaccuracy would only result in conservatively
taking the slow path.
Theoretically, this patch could make methods applied to arrays from other
contexts slower. However, the slowdown would only affect a particular array
instance and not have a global spill-over effect. Further, the slowdown could
be addressed by tracking, either in the instance's map or in the actual
prototype object, whether it is a %ArrayPrototype% from any context, in a way
which is cheap to query, and use that rather than comparing to the currently
executing native context.
In interactive testing, this patch led the OnShape CAD system to experience
faster load times (110+s -> 40s).
BUG=chromium:606207
LOG=Y
Review-Url: https://codereview.chromium.org/1936393002
Cr-Commit-Position: refs/heads/master@{#36033}
The predicate in question was a workaround for when the compilation
pipeline still kept bytecode and baseline code on the same shared
function info. It is not longer needed. In the long run we want a
predicate which can determine the exact tier for each function.
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/1940913002
Cr-Commit-Position: refs/heads/master@{#36007}
The Great Keys Migration:
This is part of a bigger effort to centralize optimizations for key collections
in a central place. This necessary to avoid the penalty that would be introduced
by fixing shadowed property iteration.
BUG=v8:4758, v8:705
LOG=N
Review-Url: https://codereview.chromium.org/1938413002
Cr-Commit-Position: refs/heads/master@{#35991}
This moves __{define,lookup}{Getter,Setter}__ to builtins.cc.
Compared to the first attempt, this patch now preserves non-spec-compliant legacy behavior and does not throw on failure.
Original review: https://codereview.chromium.org/1904313004
Review-Url: https://codereview.chromium.org/1932163002
Cr-Commit-Position: refs/heads/master@{#35899}
Reason for revert:
[Sheriff] Looks like this breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/6442
Original issue's description:
> Remove more dead code after Object.observe removal
>
> This moves __{define,lookup}{Getter,Setter}__ to builtins.cc to free up the JavaScript implementation of DefineOwnProperty for deletion.
TBR=verwaest@chromium.org,jkummerow@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/1929293002
Cr-Commit-Position: refs/heads/master@{#35886}
This moves __{define,lookup}{Getter,Setter}__ to builtins.cc to free up the JavaScript implementation of DefineOwnProperty for deletion.
Review-Url: https://codereview.chromium.org/1904313004
Cr-Commit-Position: refs/heads/master@{#35876}
Instead of replacing the array with an empty one after resuming, overwrite
contents with a new Oddball.
This will simplify the work to be done by the bytecode graphbuilder and
potentially allow for more optimization.
(For full-codegen generators, nothing changes.)
BUG=v8:4907
LOG=n
Review-Url: https://codereview.chromium.org/1923253002
Cr-Commit-Position: refs/heads/master@{#35872}
This adds a baseline tier to the compilation pipeline. Currently this
tier is used to model a path from the interpreter to optimized code via
full-codegen code (to ensure sufficient type feedback). Switching from
the unoptimized tier to the baseline tier is limited to happen only when
there are no activations of the given function on the stack.
R=rmcilroy@chromium.org,bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1903273004
Cr-Commit-Position: refs/heads/master@{#35757}
Use the FastNewSloppyArgumentsStub in the interpreter when function doesn't have
duplicate parameters.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1909903003
Cr-Commit-Position: refs/heads/master@{#35754}
The Oddball::to_number_raw field contains the actual double value of the
Oddball converted to a number, and is located at the same offset as the
HeapNumber::value field, so for lowering changes we don't need to check
for undefined (or any other oddball explicitly).
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1922443002
Cr-Commit-Position: refs/heads/master@{#35753}
The feature was deprecated in M49 and flagged off in M50.
This patch removes it entirely from the codebase.
Review URL: https://codereview.chromium.org/1909433003
Cr-Commit-Position: refs/heads/master@{#35714}
