This reverts commit 604b0e1e13.
Reason for revert: Clusterfuzz found an issue.
Original change's description:
> [heap] Introduce old-to-new invalidation set
>
> Introduce list of invalidated objects for old-to-new slots. Objects
> are registered as invalidated in NotifyObjectLayoutChange, however
> no slots are filtered right now. Slots are still deleted, so all
> recorded slots are valid.
>
> Bug: v8:9454
> Change-Id: Ic0ea15283c4075f4051fae6a5b148721265339f7
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1765528
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63367}
TBR=ulan@chromium.org,dinfuehr@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:9454
Change-Id: Ic898db38f297824aa54744123f85cd75df957159
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1770676
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63390}
ChangeTaggedSignedToInt32(ChangeCompressedSignedToTaggedSigned((x)) ->
ChangeCompressedSignedToInt32(x)
This pattern shows up in the Octane Richards benchmark (on arm64):
sxtw x11, w10
asr w11, w11, #1
This patch will remove the sxtw.
ChangeCompressedSignedToInt32(CheckedInt32ToCompressedSigned(x)) -> x
This pattern shows up in the Octane Richards benchmark (on arm64):
adds w10, w10, w10
b.vs #+0x1118
asr w11, w10, #1
stur w10, [x6, #19]
cmp w11, #0x1a
This patch will remove the asr, and produce:
adds w11, w10, w10
b.vs #+0x1108
stur w11, [x6, #19]
cmp w10, #0x1a
Bug: v8:7703
Change-Id: I5843e0a4f723b202857ee86130f835cd048d7e31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763529
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Rodolph Perfetta <rodolph.perfetta@arm.com>
Cr-Commit-Position: refs/heads/master@{#63389}
- Rename FunctionLiteral::FunctionType to FunctionSyntaxKind.
- Re-express IsWrappedBit, IsDeclarationBit, IsAnonymousExpressionBit,
and IsNamedExpressionBit in SFI::flags as FunctionSyntaxKind. This
frees up 1 bit in SFI::flags.
- Re-express the analogous bits in ParseInfo as FunctionSyntaxKind.
- Simplifies some logic in the back-and-forth passing of this info
between SFI and ParseInfo.
- Drive-by fix parsing class member initializations as kAccessorOrMethod.
Bug: v8:9644
Change-Id: I6c165d5016d968f5057a32136385ddcdc4a46ef1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1767263
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63388}
This reverts commit 9460101cdb.
Reason for revert: Causes confusion on Blink side, as it introduces
an object with >=2 internal fields that is not a wrapper (see bug).
Bug: chromium:996681
Change-Id: I275b5a064a4ee8c73c05f97be322924a3bc5370e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769148
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63386}
Even when a field is marked const, we may emit multiple consecutive in-literal stores to that field. That is, in 'JSNativeContextSpecialization::BuildPropertyStore', when the access mode is 'kStoreInLiteral' and we are accessing a const field, we may produce a StoreField node, even though another StoreField (that stores something other than 'Uninitialized') to the same const field dominates it. This appears to be sound, since earlier stores to literals cannot be observed anyways.
Unfortunately this behavior conflicts with the double const store invariant in load elimination: Roughly speaking, we assume that load elimination may never observe two consecutive const stores to the same field on the same object.
The apparent solution would be to treat 'kStoreInLiteral' accesses like regular 'kStore' accesses: For consecutive stores to const properties we don't emit StoreField, but instead emit code that checks whether the value about to be written is equivalent to the previously written one, and otherwise deopt ('DeoptimizeReason::kWrongValue'). Unfortunately this turns out impractical, since for 'kStoreInLiteral' accesses we can't easily decide whether we're dealing with the first such store or one of the consecutive ones. Also see this abandoned CL: https://chromium-review.googlesource.com/c/v8/v8/+/1762020.
This CL instead adds an exception to the invariant in load elimination. We track whether a store arose from a 'kStoreInLiteral' access, and use this information when visiting StoreField nodes in load elimination.
R=neis@chromium.org, tebbi@chromium.org
Bug: chromium:987205
Change-Id: I8829752aa0637e9599677d20aad2d706d40d7fe6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763535
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Schmid <gsps@google.com>
Cr-Commit-Position: refs/heads/master@{#63385}
This reverts commit dc1cc2232b.
Reason for revert: This was already reverted in https://crrev.com/c/1768897, but the revert did not work.
Original change's description:
> [regexp] Only append to JSRegExpResult's initial map if we add descriptor
>
> Before this cl, we always added slack to JSRegExpResult's initial_map.
> However, this is incorrect. Now we only add slack to JSRegExpResult's initial map
> if we intend to actually append the indices descriptor.
>
> Bug: chromium:996099
> Change-Id: Iac23e92415a9b60409915ff1de9634326ed109c5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763064
> Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63297}
TBR=jgruber@chromium.org,joshualitt@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: chromium:996099
Change-Id: I0c5df2165a3613f72bbcf674337f6f22f4506d90
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768585
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63383}
This reverts commit 5db04cc0dd.
Reason for revert: <INSERT REASONING HERE>
Original change's description:
> Revert "[regexp] Only append to JSRegExpResult's initial map if we add descriptor"
>
> This reverts commit dc1cc2232b.
>
> Revert "[regexp] Implement the match indices proposal"
>
> This reverts commit 9460101cdb.
>
> Reason for revert: Causes confusion on Blink side, as it introduces
> an object with >=2 internal fields that is not a wrapper (see bug).
>
> Bug: chromium:996681
> Change-Id: I5c167e9e15bfbec2aa6b843e3063ead5d52fb26c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768897
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63376}
TBR=yangguo@chromium.org,sigurds@chromium.org,joshualitt@chromium.org
Change-Id: Ic58fc3fc83faaf86bd895da29eacb7d51c443beb
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:996681
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768584
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63379}
Replace all usages of VectorSlotPair with FeedbackSource.
Bug: v8:7790
Change-Id: I0ac6e9cd8f5730154cc1842e267ca1ebfdebc874
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763536
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63378}
With this Cl, a function that has been marked for deoptimization will
not be reported as optimized. This protects against potential races
where an mjsunit tests assertUnoptimized, and the optimized code for
the function has been marked for deoptimization, but not been disposed
of yet.
The potential for this race has been discovered in the context of bug
v8:9563, but this CL is not a fix for that bug.
Change-Id: I89d8aa85f19033e6b823324b3307b95d61367147
Bug: v8:9563
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763543
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63377}
This reverts commit dc1cc2232b.
Revert "[regexp] Implement the match indices proposal"
This reverts commit 9460101cdb.
Reason for revert: Causes confusion on Blink side, as it introduces
an object with >=2 internal fields that is not a wrapper (see bug).
Bug: chromium:996681
Change-Id: I5c167e9e15bfbec2aa6b843e3063ead5d52fb26c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768897
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63376}
With no more MutableHeapNumber, we can make Double -> Tagged transitions
in-place, at the cost of an extra map check when accessing double fields
to make sure they are still doubles.
Bug: v8:9606
Change-Id: I74ff39ed6fba62ee223cd37dfe761f7d73020e1c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743973
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63374}
In order to reflect web reality, TC39 has made some slight changes to
name descriptors, see https://github.com/tc39/ecma262/pull/1490 for
details. V8 was mostly already in compliance with these changes, but
ThrowTypeError and anonymous classes needed some slight changes.
Bug: v8:9646
Change-Id: I163238954938f0c005e3adbc61b90498e01436da
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1764622
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63373}
Replace uses of WordEqual on two tagged representation nodes with a new
TaggedEqual helper, which on pointer compressed configs only compares
the bottom 32-bits of the word. We no longer allow using WordEqual on
anything not known to be a WordT (i.e. Node* or TNode<Object>).
In the future, this may allow us to ignore the top bits of an
uncompressed Smi, and have simpler decompression, though this patch is
not sufficient for such a change.
As a necessary drive-by, TNodify a bunch of stuff.
Bug: v8:8948
Change-Id: Ie11b70709e5d3073f12551b37b420a172a71bc99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763531
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63372}
Introduce list of invalidated objects for old-to-new slots. Objects
are registered as invalidated in NotifyObjectLayoutChange, however
no slots are filtered right now. Slots are still deleted, so all
recorded slots are valid.
Bug: v8:9454
Change-Id: Ic0ea15283c4075f4051fae6a5b148721265339f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1765528
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63367}
Out of memory should be the only reason for {FinalizeCode} to return an
empty handle in wasm heap stub compilation. Crash accordingly.
R=mstarzinger@chromium.org
Bug: chromium:990223
Change-Id: I996721c69bfe600a7c13937a65c93d0b19b91c45
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768578
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63366}
This changes Compiler::CollectSourcePositions to skip finalization of
the BytecodeArray, constant table, handler table, ScopeInfos as well as
internalization of Ast values since only the source position table is
used and the others will be collected soon after by the GC.
It will also now avoid recompiling inner functions that would otherwise
be eagerly compiled.
BytecodeArrayWriter::ToBytecodeArray has been changed to never populate
the source_position_table.
Bug: v8:8510
Change-Id: I2db2f2da6b48fde11f17a20d017c1a54c0a34fc2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763538
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63365}
While we only need to check stability of the receiver map if its
inference was "unreliable", we must check stability of each prototype's
map unconditionally.
Bug: chromium:997100
Change-Id: I20071ac9eb74c810ad2ab1d78abfb54a1a006c29
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768576
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63364}
Do not clear old-to-new slots for the new FixedArray's map and length
word on left trim because these fields are tagged.
Bug: v8:9454
Change-Id: I9947a93f80efc6669498ed4c0171d728aebc782b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1767997
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63363}
Avoid clearing the memory on the embedder-side of a TracedGlobal handle.
When using destructors in TracedGlobal this is safe as long as the embedder
reports the handle on tracing GCs. If the embedder does not report a handle it
is assumed that the containing object is dead as well.
Without using destructors the same argument holds for tracing GCs. In addition,
embedders using the optimization of clearing references on non-tracing GCs
are expected to clear the reference in ResetHandleInNonTracingGC.
It is suggested that only expert embedders make use of (a) no destructors and
(b) IsRootForNonTracingGC.
Change-Id: Ia417c0eb0860094fcaa554e7046d38abac905714
Bug: chromium:995684
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763539
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63362}
Get rid of deletion entries in the store buffer. Clearing a slot now
first empties the store buffer and then directly deletes the slot
from the remembered set.
Bug: v8:9454
Change-Id: I656db593a0478db3fa63324d7f3c6862b4b5e776
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1766130
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63359}
This is a reland of 1e472c423b
No change, this was a speculative revert to unblock the roll.
TBR=jgruber
Original change's description:
> [compiler] Track the maximal unoptimized frame size
>
> This is another step towards considering the unoptimized frame size in
> stack checks within optimized code.
>
> With the changes in this CL, we now keep track of the maximal
> unoptimized frame size of the function that is currently being
> compiled. An optimized function may inline multiple unoptimized
> functions, so a single optimized frame can deopt to multiple
> frames. The real frame size thus differs in different parts of the
> optimized function.
>
> We only care about the maximal frame size, which we calculate
> conservatively as an over-approximation, and track in
> InstructionSelector::max_unoptimized_frame_height_ for now. In future
> work, this value will be passed on to codegen, where it will be
> applied as an offset to the stack pointer during the stack check.
>
> (The motivation behind this is to avoid stack overflows through deopts,
> caused by size differences between optimized and unoptimized frames.)
>
> Note that this offset only ensure that the topmost optimized frame can
> deopt without overflowing the stack limit. That's fine, because we only
> deopt optimized frames one at a time. Other (non-topmost) frames are
> only deoptimized once they are returned to.
>
> Drive-by: Print variable and total frame height in --trace-deopt.
>
> Bug: v8:9534
> Change-Id: I821684a9da93bff59c20c8ab226105e7e12d93eb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762024
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Auto-Submit: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63330}
Bug: v8:9534
Change-Id: I686f200e7be1f419e23e50789e11607a0b2886d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1766645
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63356}
This reverts commit 8ee507f1ca.
Reason for revert: Speculative, to unblock the V8 roller
https://ci.chromium.org/p/chromium/builders/try/linux-rel/173637
Original change's description:
> [ic] Inline constant fields in IC
>
> Previously, the handler would load the constant field from the holder
> everytime by using the descriptor index. Instead, this patch inlines
> the constant field directly into the handler.
>
> Change-Id: Ia731811b135897033f4c5dc973031a30f25a64ed
> Bug: v8:9616
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1688829
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63332}
TBR=gsathya@chromium.org,ishell@chromium.org,verwaest@chromium.org
Change-Id: I36c5648c56f1d78447b7a45504cdebf593c020a1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9616
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1766148
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63353}
This change adds the indexed field for the characters in the definition
of sequential string types, and introduces support for recognizing the
various specific string types in v8_debug_helper. In an attempt to
avoid duplicating info about string instance types, it also refactors
String::Get so that StringShape (a simple class usable by postmortem
tools) can dispatch using a class that defines behaviors for each
concrete type.
Bug: v8:9376
Change-Id: Id0653040f6decddc004c73f8fe93d2187828c2c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1735795
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63352}
This reverts commit 1e472c423b.
Reason for revert: Speculative revert, to attempt to fix crashes that block the V8 roll. Example failure run:
https://ci.chromium.org/p/chromium/builders/try/linux-rel/173465
Original change's description:
> [compiler] Track the maximal unoptimized frame size
>
> This is another step towards considering the unoptimized frame size in
> stack checks within optimized code.
>
> With the changes in this CL, we now keep track of the maximal
> unoptimized frame size of the function that is currently being
> compiled. An optimized function may inline multiple unoptimized
> functions, so a single optimized frame can deopt to multiple
> frames. The real frame size thus differs in different parts of the
> optimized function.
>
> We only care about the maximal frame size, which we calculate
> conservatively as an over-approximation, and track in
> InstructionSelector::max_unoptimized_frame_height_ for now. In future
> work, this value will be passed on to codegen, where it will be
> applied as an offset to the stack pointer during the stack check.
>
> (The motivation behind this is to avoid stack overflows through deopts,
> caused by size differences between optimized and unoptimized frames.)
>
> Note that this offset only ensure that the topmost optimized frame can
> deopt without overflowing the stack limit. That's fine, because we only
> deopt optimized frames one at a time. Other (non-topmost) frames are
> only deoptimized once they are returned to.
>
> Drive-by: Print variable and total frame height in --trace-deopt.
>
> Bug: v8:9534
> Change-Id: I821684a9da93bff59c20c8ab226105e7e12d93eb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762024
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Auto-Submit: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63330}
TBR=neis@chromium.org,sigurds@chromium.org,jgruber@chromium.org
Change-Id: I7b225c30bfc4e1d958276583f512a1ec5fa2b458
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9534
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1764626
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63350}
ClusterFuzz found another case where "weird" embedder calls can cause
signed integer overflow. This patch fixes the last addition in that
function to use unsigned types.
Bug: chromium:991676
Change-Id: Ia77a12020908de8f0a3bd1be7d3722ba5c5c919b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743971
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63349}
This reverts commit 5c59ba4fbc.
Reason for revert: requires more thinking
Original change's description:
> [ic] Fix KeyedLoadIC for ArrayIndex access
>
> Previously, without support for converting strings to numbers we'd
> switch to megamorphic state and go to the runtime always to do the
> conversion causing a performance cliff.
>
> This patch improves the following js-perf-test scores:
> Object-Lookup-String-Constant-BytecodeHandler: 4.25%
> Object-Lookup-Index-String-BytecodeHandler: 5.41%
>
> Bug: v8:9449
> Change-Id: I63787fa84373fc946f1304b0141e48a52a1b4bcb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1690953
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63293}
TBR=mythria@chromium.org,jyan@ca.ibm.com,gsathya@chromium.org,leszeks@chromium.org,ishell@chromium.org,verwaest@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:9449
Change-Id: I6b6ad5901175c2e6bbd7516b13e91471adb5776d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1765532
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63347}
This preserves the object identity of a {WebAssembly.Function} instance
that is being re-exported by a module. Such functions are considered to
have an internal [[FunctionAddress]] slot and hence require their object
identity to be preserved (similar to {WasmExportedFunction} already).
R=jkummerow@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742
Change-Id: I88ba75fcd91ce04440008467f3b218a1ac3047db
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763545
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63346}
This new FreeList should be a reasonable replacement for our old
FreeListLegacy: it is slightly less efficient (~1%), but uses much
less memory (often 5% less old_space size).
It is based on FreeListMany, with the following additions:
- A cache to waste less time iterating empty categories
- A fast path for allocations done in the runtime and generated code
- A slow path (the same as FreeListMany actually) for allocations
done in the GC.
Bug: v8:9329
Change-Id: Ifc10b88df7861266a721afd2c6e6d8357255ec4e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762292
Commit-Queue: Darius Mercadier <dmercadier@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63345}
For import wrappers, we add a special "callable" parameter as the last
parameter. This parameter is not set in the TurboFan graph but in the
code generator. Therefore this parameter has to be allocated in a
special register and cannot be lowered generically. With this CL we
detect in the CallDescriptor lowering if the last parameter is this
special "callable" parameter. If so, we preserve it in the lowered
CallDescriptor in the same register.
R=jkummerow@chromium.org
Bug: v8:7741
Change-Id: I884baa41813011c811612ec84f4e3cfe86a0e83a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762014
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63344}
This CL adds a mechanism that prevents the RuntimeProfiler from
triggering optimization of a function after
%PrepareFunctionForOptimization has been called. This is useful to
prevent flakiness in tests, as sometimes a function that already
got deoptimized would receive a new code object from a concurrent
compile that was triggered by a heuristic just in the right moment
for the assertUnoptimized test to fail. For example, the following
was happening:
PrepareFunctionForOptimization
[marking `testAdd` for optimized recompilation, reason: small function]
[concurrently compiling method `testAdd` using TurboFan]
[manually marking `testAdd` for non-concurrent optimization]
[synchonously compiling method `testAdd` using TurboFan]
[synchonously optimizing `testAdd` produced code object 0xAAAA - took 1.638 ms]
Runtime_GetOptimizationStatus OPTIMIZED `testAdd` (code object 0xAAAA)
DeoptimizeFunction `testAdd` with Code Object 0xAAAA
[concurrently optimizing `testAdd` produced code object 0xBBBB - took 3.377 ms]
Runtime_GetOptimizationStatus OPTIMIZED `testAdd` (code object 0xBBBB)
Bug: v8:9563
Change-Id: Ia4c846aba95281589317d43b82383e70fe0a35f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763546
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63343}
