This ensure that all inline allocations generated by {JSCreateLowering}
will fit into a regular heap page. Allocations targeting LO-space must
be done via a slower runtime call.
R=bmeurer@chromium.org
BUG=chromium:669850
Review-Url: https://codereview.chromium.org/2533353003
Cr-Commit-Position: refs/heads/master@{#41412}
The current CHECK/DCHECK implementation fails statically if a signed
value is compared against an unsigned value. The common solution is to
cast on each caller, which is tedious and error-prone (might hide bugs).
This CL implements signed vs. unsigned comparisons by executing up to
two comparisons. For example, if i is int32_t and u is uint_32_t, a
DCHECK_LE(i, u) would create the check
i <= 0 || static_cast<uint32_t>(i) <= u.
For checks against constants, at least one of the checks can be removed
by compiler optimizations.
The tradeoff we have to make is to sometimes silently execute an
additional comparison. And we increase code complexity of course, even
though the usage is just as easy (or even easier) as before.
The compile time impact seems to be minimal:
I ran 3 full compilations for Optdebug on my local machine, one time on
the current ToT, one time with this CL plus http://crrev.com/2524093002.
Before: 143.72 +- 1.21 seconds
Now: 144.18 +- 0.67 seconds
In order to check that the new comparisons are working, I refactored
some DCHECKs in wasm to use the new magic, and added unit test cases.
R=ishell@chromium.org, titzer@chromium.orgCC=ahaas@chromium.org, bmeurer@chromium.org
Committed: https://crrev.com/5925074a9dab5a8577766545b91b62f2c531d3dc
Review-Url: https://codereview.chromium.org/2526783002
Cr-Original-Commit-Position: refs/heads/master@{#41275}
Cr-Commit-Position: refs/heads/master@{#41411}
This shows around a 2.2x speedup compared to the old JS implementation (and
3.5x compared to CPP) for the fast path.
Adds ToUint32 to CodeStubAssembler.
BUG=v8:5339
Review-Url: https://codereview.chromium.org/2532403002
Cr-Commit-Position: refs/heads/master@{#41408}
This code is no longer used in full-codegen since all computed property
names in object literals go through Ignition first.
BUG=v8:5657
Review-Url: https://codereview.chromium.org/2543643002
Cr-Commit-Position: refs/heads/master@{#41405}
Incremental parsing of asm.js means we can see function tables that
are unused in the AsmWasmBuilder before they've been initialized.
BUG=669899
R=aseemgarg@chromium.org
Review-Url: https://codereview.chromium.org/2546553002
Cr-Commit-Position: refs/heads/master@{#41403}
If we just call CreateDebugInfo in GetPossibleBreakpoints then we won't call PrepareFunctionForBreakPoints and won't be able to step into this function or pause at breakpoint inside.
BUG=v8:5695
R=dgozman@chromium.org,yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2540943002
Cr-Commit-Position: refs/heads/master@{#41401}
This is necessary for signal-based out of bounds handling in WebAssembly.
Adds a ProtectedStore instruction that is analogous to the previously added
ProtectedLoad instruction. Rather than using bounds checks, ProtectedStore emits
an out of line section of code that throws a JavaScript exception and provides
the necessary metadata for a signal handler to be able to find the out of line
code.
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5277
Review-Url: https://codereview.chromium.org/2516413003
Cr-Commit-Position: refs/heads/master@{#41398}
The "writable" property descriptor may legally change during the call to
AnythingToArrayLength(). This change needs to be honoured before calling
JSArray::SetLength(). The change is only honoured when the "length"
property was previously writable, so that changes during a call to
DefineOwnPropertyIgnoreAttributes() is ignored.
BUG=v8:5688
R=cbruni@chromium.org, verwaest@chromium.org, jkummerow@chromium.org
Review-Url: https://codereview.chromium.org/2543553002
Cr-Commit-Position: refs/heads/master@{#41396}
Before, we were treating objects with the builtin ArrayValues iterator
method as array-like, where the iterator would iterate through to the
full length of the object.
This optimization was not sound, because it does not ensure that the
next method hasn't been modified. Even if it hasn't been modified,
it's entirely possible to be modified during iteration. Thus, this
optimization has been removed due to its observability.
BUG=v8:5699
R=littledan@chromium.org, cbruni@chromium.org
Review-Url: https://codereview.chromium.org/2544503002
Cr-Commit-Position: refs/heads/master@{#41394}
This was causing more confusion than benefit, so we're removing it.
It's re-defined to empty for now, to avoid touching the ~100 files which
use it, we can remove it completely during a quiet period when it's less
likely to conflict with other work.
Review-Url: https://codereview.chromium.org/2535383005
Cr-Commit-Position: refs/heads/master@{#41393}
JS operators always have an implicit context input, so just use that instead.
BUG=
Review-Url: https://codereview.chromium.org/2541813002
Cr-Commit-Position: refs/heads/master@{#41392}
This is an experiment to see the impact of the limit on OOM crashes.
BUG=chromium:667388
Review-Url: https://codereview.chromium.org/2514313004
Cr-Commit-Position: refs/heads/master@{#41391}
These byte pointers (module_start and module_end) were only valid
during decoding. During instantiation or execution, they can get
invalidated by garbage collection.
This CL removes them from the WasmModule struct, and introduces a new
ModuleStorage struct as interface to the wasm wire bytes.
Since the storage is often needed together with the ModuleEnv, a new
ModuleStorageEnv struct holds both a ModuleEnv and a ModuleStorage.
The pointers in the ModuleStorage should never escape the live range of
this struct, as they might point into a SeqOneByteString or ArrayBuffer.
Therefore, the WasmInterpreter needs to create its own copy of the
whole module.
Runtime functions that previously used the raw pointers in WasmModule
(leading to memory errors) now have to use the SeqOneByteString in the
WasmCompiledModule.
R=titzer@chromium.org
BUG=chromium:669518
Review-Url: https://codereview.chromium.org/2540133002
Cr-Commit-Position: refs/heads/master@{#41388}
JSFrameSpecialization depends on the layout of the frame and doesn't work
with interpreted frames. Disable it since it is only used for OSR from asmjs code, which shouldn't go through the bytecode graph builder in many cases.
BUG=669517
Review-Url: https://codereview.chromium.org/2538823002
Cr-Commit-Position: refs/heads/master@{#41387}
port df2578d2ec (r41368)
original commit message:
Improves performance in simple, single element case by 5% and in multiple
elements cases by 2%.
BUG=
Review-Url: https://codereview.chromium.org/2540803004
Cr-Commit-Position: refs/heads/master@{#41377}
This adds consistency checks for function kind and scope type to
SharedFunctionInfoVerify.
It also fixes an inconsistency in the creation of a ScopeInfo.
R=adamk@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2537093002
Cr-Commit-Position: refs/heads/master@{#41375}
When removing a scope (see FinalizeBlockScope), remember the removal by making
the scope its own sibling. This avoid recalculating the information later on.
R=adamk@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2536993003
Cr-Commit-Position: refs/heads/master@{#41374}
Make the AsmWasmBuilder drive the process of typing and potentially parsing
function bodies. This will allow us to keep only a single asm.js function's
AST in memory as we convert to WebAssembly.
This is needed to keep our memory footprint low.
Add some additional output to a few tests that's helpful to see which stage they fail at.
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=marja@chromium.org,adamk@chromium.org,aseemgarg@chromium.org,titzer@chromium.org
Review-Url: https://codereview.chromium.org/2398023002
Cr-Commit-Position: refs/heads/master@{#41372}
Rename it to better represent the reason. Also makes the inspector sentence
"Not Optimized: Optimized too many times" look less confusing.
Review-Url: https://codereview.chromium.org/2530423003
Cr-Commit-Position: refs/heads/master@{#41369}
Improves performance in simple, single element case by 5% and in multiple
elements cases by 2%.
BUG=chromium:608675
LOG=N
Review-Url: https://codereview.chromium.org/2497243002
Cr-Commit-Position: refs/heads/master@{#41368}
Functions with asm-wasm data shouldn't be marked for optimization, since
they will be optimized using the asm-wasm data instead.
Review-Url: https://codereview.chromium.org/2537103002
Cr-Commit-Position: refs/heads/master@{#41367}
This removes support for dynamic scoping via with-statement constructs
from the {FullCodeGenerator}. Consequently optimized code containing
such constructs must use the {BytecodeGraphBuilder} and can no longer
use the {AstGraphBuilder} for graph building.
R=rmcilroy@chromium.org
BUG=v8:5657
Review-Url: https://codereview.chromium.org/2533283002
Cr-Commit-Position: refs/heads/master@{#41365}
Since the majority of bytecodes have a next instruction, and we iterate
over the bytecodes backwards, we can keep the previous seen (i.e.
sequentially next) bytecode's liveness on a variable instead of looking
it up again.
Review-Url: https://codereview.chromium.org/2541463002
Cr-Commit-Position: refs/heads/master@{#41361}
The EscapeStatusAnalysis didn't know anything about the simplified
operator ConvertTaggedHoleToUndefined, thus leading to a crash. We
now just handled it by pretending that any allocation that goes into
such a node escapes.
BUG=chromium:669451
R=tebbi@chromium.org
Review-Url: https://codereview.chromium.org/2533263002
Cr-Commit-Position: refs/heads/master@{#41359}
This removes reservation of unused {BailoutId} numbers for all class
literals. These language constructs are by now solely funneled through
bytecode and specific ids for deoptimization are no longer needed.
R=rmcilroy@chromium.org
BUG=v8:5657
Review-Url: https://codereview.chromium.org/2535223002
Cr-Commit-Position: refs/heads/master@{#41358}
This removes support for iterator loops (i.e. for-of loop constructs)
from the {FullCodeGenerator}. Consequently optimized code containing
such constructs must use the {BytecodeGraphBuilder} and can no longer
use the {AstGraphBuilder} for graph building.
R=bmeurer@chromium.org
BUG=v8:5657
Review-Url: https://codereview.chromium.org/2534883004
Cr-Commit-Position: refs/heads/master@{#41357}
Adds a bytecode_age field to BytecodeArray objects. This is incremented each
time the bytecode array is marked by GC, and reset to zero if the bytecode
is executed.
This is used to enable the CompilationCache for interpreted functions,
where Interpreted entries are evicted once the bytecode becomes old.
BUG=chromium:666275,v8:4680
Review-Url: https://codereview.chromium.org/2534763003
Cr-Commit-Position: refs/heads/master@{#41356}
Replaces the graph-based liveness analyzer in the bytecode graph builder
with an initial bytecode-based liveness analysis pass, which is added to
the existing loop extent analysis.
Now the StateValues in the graph have their inputs initialised to
optimized_out, rather than being modified after the graph is built.
Review-Url: https://codereview.chromium.org/2523893003
Cr-Commit-Position: refs/heads/master@{#41355}
MarkingParity was used to avoid performing an operation on an object if it was
marked multiple times. We no longer mark things multiple times, so this concept
is no longer required.
BUG=chromium:666275
Review-Url: https://codereview.chromium.org/2529173002
Cr-Commit-Position: refs/heads/master@{#41354}
For bound functions on the right-hand side of instanceof we can
constant-fold to the actual [[BoundTargetFunction]], actually
instance OrdinaryHasInstance. Move the Function.prototype[@@hasInstance]
reduction up to the JSCallReducer to allow this optimization to become
effective (and also enable other optimizations).
BUG=v8:5267
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2537763002
Cr-Commit-Position: refs/heads/master@{#41352}
This ensures the deoptimization triggered due to materialization of
objects by the {TranslatedState} works in conjunction with OSR. The
optimized code used for OSR is not installed on the function, hence
needs to be specified explicitly when requesting deoptimization for
specific stack frames.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-668795
BUG=chromium:668795
Review-Url: https://codereview.chromium.org/2534143002
Cr-Commit-Position: refs/heads/master@{#41348}
Reason for revert:
Breaks the build:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20shared/builds/14886
Original issue's description:
> [ignition/turbo] Perform liveness analysis on the bytecodes
>
> Replaces the graph-based liveness analyzer in the bytecode graph builder
> with an initial bytecode-based liveness analysis pass, which is added to
> the existing loop extent analysis.
>
> Now the StateValues in the graph have their inputs initialised to
> optimized_out, rather than being modified after the graph is built.
>
> Committed: https://crrev.com/1852300954c216c29cf93444430681d213e87925
> Cr-Commit-Position: refs/heads/master@{#41344}
TBR=jarin@chromium.org,rmcilroy@chromium.org,yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2541443002
Cr-Commit-Position: refs/heads/master@{#41346}
This introduces three new types OtherCallable, CallableProxy (and OtherProxy),
and BoundFunction to make it possible to express Callable in the Type system.
It also forces all undetectable receivers to be Callable, which matches the
use case for undetectable, namely document.all (guarded by proper checks and
tests).
It also uses these new types to properly optimize instanceof (indirectly via
OrdinaryHasInstance) based on the type of the constructor and the object. So
we are able to constant-fold certain instanceof expressions based on types
and completely avoid the builtin call.
R=jarin@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2535753004
Cr-Commit-Position: refs/heads/master@{#41345}
Replaces the graph-based liveness analyzer in the bytecode graph builder
with an initial bytecode-based liveness analysis pass, which is added to
the existing loop extent analysis.
Now the StateValues in the graph have their inputs initialised to
optimized_out, rather than being modified after the graph is built.
Review-Url: https://codereview.chromium.org/2523893003
Cr-Commit-Position: refs/heads/master@{#41344}
FunctionTemplateInfo::SetPrototypeProviderTemplate adds support for sharing
prototypes between several function templates. This is used to properly set up
Image.prototype and HTMLImageElement.protoype which should be equal according
to the spec.
BUG=chromium:2969
Review-Url: https://codereview.chromium.org/2531653002
Cr-Commit-Position: refs/heads/master@{#41343}
The range-based exception handler table is by now only used for bytecode
arrays. The semantics of the interpreter are that bytecode offsets point
to the beginning of the currently executing bytecode instruction. Uses
hence need to compensate for lookups based on a "retrun address". This
change removes the need for such off-by-one compensations by changing
lookup semantics to be based on "current instruction" offsets.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2534893002
Cr-Commit-Position: refs/heads/master@{#41339}
Microbenchmarks show a 4x improvement on the fast path and 2.5x improvement on
the slow path when compared to the CPP builtin implementation.
Compared to the old JS implementation, the fast path is 20% faster and the slow
path 35% slower.
BUG=v8:5339,v8:5562
Review-Url: https://codereview.chromium.org/2527963002
Cr-Commit-Position: refs/heads/master@{#41338}
If the prototype's map is not marked as fast, it is made fast after
setup, breaking current RegExp fast path checks.
BUG=v8:5339
Review-Url: https://codereview.chromium.org/2537483002
Cr-Commit-Position: refs/heads/master@{#41336}
V8 internally uses conversions.h to convert number to string, we can use these methods too instead of slow std::stringstream with std::locale.
BUG=chromium:661497,v8:5551
R=dgozman@chromium.org
Review-Url: https://codereview.chromium.org/2534013002
Cr-Commit-Position: refs/heads/master@{#41334}
TypedArrays need specific checks before calling OrdinaryDefineOwnProperty.
BUG=v8:5328
Review-Url: https://codereview.chromium.org/2431223005
Cr-Commit-Position: refs/heads/master@{#41333}
Due to a typo in runtime-i18n.js, 'ç'(U+00E7) was not uppercased while
'÷'(U+00F7) was incorrectly uppercased to '×'(U+00D7).
Add a comprehensive test for Latin-1 supplemental block (U+00A0 ~ U+00FF).
(they're special-cased for speed-up and needs to have a test for the range.).
TEST=intl/general/case-mapping
BUG=v8:5681
Review-Url: https://codereview.chromium.org/2533033003
Cr-Commit-Position: refs/heads/master@{#41331}
Reason for revert:
Seems to regress speedometer on Ignition and doesn't cause any improvements elsewhere.
BUG=chromium:668651
Original issue's description:
> [turbofan] Utilize String comparison feedback.
>
> Make use of the previously introduced String feedback for compare
> operations in TurboFan.
>
> R=jarin@chromium.org
> BUG=v8:5267,v8:5400
>
> Committed: https://crrev.com/5d4253ecfb6ddcbbd7eb5654e728efa9559284a2
> Cr-Commit-Position: refs/heads/master@{#41163}
TBR=jarin@chromium.org,bmeurer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5267,v8:5400
Review-Url: https://codereview.chromium.org/2531183003
Cr-Commit-Position: refs/heads/master@{#41324}
Removed a redundant check: If completion is not normal, then #iterator cannot be undefined.
Review-Url: https://codereview.chromium.org/2533803002
Cr-Commit-Position: refs/heads/master@{#41321}
This removes the supporting function to perform a range-lookup in the
exception handler table for unoptimized code. Such tables are by now
guaranteed to be empty, the deoptimizer cannot encounter this case.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2529343003
Cr-Commit-Position: refs/heads/master@{#41318}
Before, the encoded variant was stored in the compiled module, and the
decoded one in the debug info (per instance).
The decoded table was a FixedArray of ByteArrays.
Now, also the decoded table is a flat ByteArray, and it encodes whether
it is encoded or decoded. This saves memory and allows to store encoded
and decoded variant in the same field. The table is automatically
decoded on the first use.
This CL also removes some unused and unimplemented methods from
WasmDebugInfo (probably merge artifacts). That class is now pretty much
empty, but we might still need it for breakpoint support.
R=titzer@chromium.org, ahaas@chromium.org
Review-Url: https://codereview.chromium.org/2522953002
Cr-Commit-Position: refs/heads/master@{#41316}
All super constructor calls go through the ignition + turbofan pipeline, so this is dead code.
BUG=v8:5657
Review-Url: https://codereview.chromium.org/2525233003
Cr-Commit-Position: refs/heads/master@{#41313}
They're supposed to be stable across several parse passes, so we'll also
store them in the associated SharedFunctionInfos
To achieve this, the PreParser and Parser need to generated the same number of
FunctionLiterals. To achieve this, we teach the PreParser about desuggaring of
class literals.
For regular functions, the function IDs are assigned in the order they occur in
the source. For arrow functions, however, we only know that it's an arrow function
after parsing the parameter list, and so the ID assigned to the arrow function is
larger than the IDs assigned to functions defined in the parameter list. This
implies that we have to reset the function ID counter to before the parameter list
when re-parsing an arrow function. To be able to do this, we store the number of
function literals found in the parameter list of arrow functions as well.
BUG=v8:5589
Review-Url: https://codereview.chromium.org/2481163002
Cr-Commit-Position: refs/heads/master@{#41309}
ThreadedList is more memory-efficient than ZoneList. This also enables
us to use ThreadedList when making Preparser track parameters (upcoming
work).
BUG=v8:5501
Review-Url: https://codereview.chromium.org/2531593002
Cr-Commit-Position: refs/heads/master@{#41307}
The BytecodeGraphBuilder assumes that deoptimization is always enabled,
so always enable it when compiling from bytecode.
BUG=chromium:668654
Review-Url: https://codereview.chromium.org/2531683004
Cr-Commit-Position: refs/heads/master@{#41303}
A missing @@IsConcatSpreadable check caused the fast path inside the slow path
to be incorrect and follow the default concat strategy when the arguments
arrays contain only doubles.
BUG=chromium:668414
Review-Url: https://codereview.chromium.org/2527173002
Cr-Commit-Position: refs/heads/master@{#41301}
This code is no longer used by full-codegen since all functions which
use new.target, rest parameters or the internal this function binding
now grow through Ignition first, and never tier up to fullcodegen.
BUG=v8:5657
R=rmcilroy@chromium.org
Review-Url: https://codereview.chromium.org/2528293002
Cr-Commit-Position: refs/heads/master@{#41298}
For a couple of those Array builtins we can specify a useful type that
will help us to eliminate a couple of checks on their outputs.
R=yangguo@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2529233002
Cr-Commit-Position: refs/heads/master@{#41295}
Assign types to the remaining builtins on the String.prototype where we
know a meaningful type, i.e. where the type is not dependent on some
callable function that is pass or loaded.
BUG=v8:5267
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2532463002
Cr-Commit-Position: refs/heads/master@{#41294}
If code has AsmWasm data we shouldn't try to optimize the JS as well, since
it will instead be optimized using the WASM data.
BUG=
Review-Url: https://codereview.chromium.org/2534463003
Cr-Commit-Position: refs/heads/master@{#41293}
This code is no longer used in full-codegen or ast-graph-builder since all
functions which have class literals go through Ignition first.
BUG=v8:5657
Review-Url: https://codereview.chromium.org/2534463002
Cr-Commit-Position: refs/heads/master@{#41282}
This removes lots of boilerplate typedefs, with the caveat of renaming
CSA::Label and Variable to CLabel and CVariable within builtins-regexp.
BUG=v8:5339
Review-Url: https://codereview.chromium.org/2524363002
Cr-Commit-Position: refs/heads/master@{#41281}
This removes support for try-catch as well as try-finally constructs
from the {FullCodeGenerator}. Consequently optimized code containing
such constructs must use the {BytecodeGraphBuilder} and can no longer
use the {AstGraphBuilder} for graph building.
R=jarin@chromium.org
BUG=v8:5657
Review-Url: https://codereview.chromium.org/2521233002
Cr-Commit-Position: refs/heads/master@{#41279}
Reason for revert:
Seems to cause compile errors on Android. Will investigate on Monday.
Original issue's description:
> [base] Pass scalar arguments by value in CHECK/DCHECK
>
> This not only potentially improves performance, but also avoids weird
> linker errors, like the one below, where I used Smi::kMinValue in a
> DCHECK_EQ.
>
> > [421/649] LINK ./mksnapshot
> > FAILED: mksnapshot
> > src/base/logging.h|178| error: undefined reference to
> 'v8::internal::Smi::kMinValue'
>
> R=bmeurer@chromium.org, ishell@chromium.org
>
> Committed: https://crrev.com/76723502528c5af003fdffc3520632ea2a13fef3
> Cr-Commit-Position: refs/heads/master@{#41273}
TBR=bmeurer@chromium.org,ishell@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2527883004
Cr-Commit-Position: refs/heads/master@{#41278}
Reason for revert:
Need to revert previous CL because of Android compile error, and this one depends in it.
Original issue's description:
> [base] Define CHECK comparison for signed vs. unsigned
>
> The current CHECK/DCHECK implementation fails statically if a signed
> value is compared against an unsigned value. The common solution is to
> cast on each caller, which is tedious and error-prone (might hide bugs).
> This CL implements signed vs. unsigned comparisons by executing up to
> two comparisons. For example, if i is int32_t and u is uint_32_t, a
> DCHECK_LE(i, u) would create the check
> i <= 0 || static_cast<uint32_t>(i) <= u.
> For checks against constants, at least one of the checks can be removed
> by compiler optimizations.
>
> The tradeoff we have to make is to sometimes silently execute an
> additional comparison. And we increase code complexity of course, even
> though the usage is just as easy (or even easier) as before.
>
> The compile time impact seems to be minimal:
> I ran 3 full compilations for Optdebug on my local machine, one time on
> the current ToT, one time with this CL plus http://crrev.com/2524093002.
> Before: 143.72 +- 1.21 seconds
> Now: 144.18 +- 0.67 seconds
>
> In order to check that the new comparisons are working, I refactored
> some DCHECKs in wasm to use the new magic.
>
> R=bmeurer@chromium.org, titzer@chromium.org
>
> Committed: https://crrev.com/5925074a9dab5a8577766545b91b62f2c531d3dc
> Cr-Commit-Position: refs/heads/master@{#41275}
TBR=ishell@chromium.org,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2531533003
Cr-Commit-Position: refs/heads/master@{#41277}
This code is no longer used by full-codegen since all functions which use with statments,
call eval or have lookup variable access now go through Ignition first.
BUG=v8:5657
Review-Url: https://codereview.chromium.org/2514393002
Cr-Commit-Position: refs/heads/master@{#41276}
The current CHECK/DCHECK implementation fails statically if a signed
value is compared against an unsigned value. The common solution is to
cast on each caller, which is tedious and error-prone (might hide bugs).
This CL implements signed vs. unsigned comparisons by executing up to
two comparisons. For example, if i is int32_t and u is uint_32_t, a
DCHECK_LE(i, u) would create the check
i <= 0 || static_cast<uint32_t>(i) <= u.
For checks against constants, at least one of the checks can be removed
by compiler optimizations.
The tradeoff we have to make is to sometimes silently execute an
additional comparison. And we increase code complexity of course, even
though the usage is just as easy (or even easier) as before.
The compile time impact seems to be minimal:
I ran 3 full compilations for Optdebug on my local machine, one time on
the current ToT, one time with this CL plus http://crrev.com/2524093002.
Before: 143.72 +- 1.21 seconds
Now: 144.18 +- 0.67 seconds
In order to check that the new comparisons are working, I refactored
some DCHECKs in wasm to use the new magic.
R=bmeurer@chromium.org, titzer@chromium.org
Review-Url: https://codereview.chromium.org/2526783002
Cr-Commit-Position: refs/heads/master@{#41275}
If code is flushed on a SFI, we can still use the bytecode if it was compiled,
since this never gets flushed.
This fixes a DCHECK where we were trying to compile the bytecode multiple
times after the baseline code was flushed.
BUG=chromium:668133
Review-Url: https://codereview.chromium.org/2526243002
Cr-Commit-Position: refs/heads/master@{#41274}
This not only potentially improves performance, but also avoids weird
linker errors, like the one below, where I used Smi::kMinValue in a
DCHECK_EQ.
> [421/649] LINK ./mksnapshot
> FAILED: mksnapshot
> src/base/logging.h|178| error: undefined reference to
'v8::internal::Smi::kMinValue'
R=bmeurer@chromium.org, ishell@chromium.org
Review-Url: https://codereview.chromium.org/2524093002
Cr-Commit-Position: refs/heads/master@{#41273}
For dictionary-mode receivers, the KeyedStoreGeneric stub can store
properties directly in most cases. Doing so avoids the need to have
an entry in the stub cache for every map/property combination.
Original review: https://codereview.chromium.org/2504403005/
Review-Url: https://codereview.chromium.org/2528883003
Cr-Commit-Position: refs/heads/master@{#41272}
Make apply calls with double array arguments such as
Math.min.apply(Math, [1.1, 2.2]) 1.6x faster.
Drive-by-fix: pass in the isolate to ElementsAccessor::GetImpl.
BUG=v8:4826
Review-Url: https://codereview.chromium.org/2521043005
Cr-Commit-Position: refs/heads/master@{#41268}
This makes sure call-site rendering for certain {TypeError} messages is
based on the correct underlying {JSFunction}, even when inlined frames
are present. Only the {FrameSummary} knows the exact function.
R=verwaest@chromium.org
TEST=message/regress/regress-crbug-661579
BUG=chromium:661579
Review-Url: https://codereview.chromium.org/2521103005
Cr-Commit-Position: refs/heads/master@{#41264}
This has two parts:
- in redundancy elimination, if we see addition with left hand side that
was bounds-checked, we reconnect the lhs to the bounds check if it has better
type.
- in representation inference, eliminate overflow checks if the input types
guarantee no overflow.
Review-Url: https://codereview.chromium.org/2527083002
Cr-Commit-Position: refs/heads/master@{#41260}
In the ParseInfo constructor that takes a SharedFunctionInfo, we must
set the module flag when the function represents a module.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2525013002
Cr-Commit-Position: refs/heads/master@{#41257}
The old algorithm produces unnecessary decimal digits. The new one
converts the significand of the input double into an uint64_t to be
just as precise as necessary.
R=tebbi@chromium.org
BUG=chromium:658712,chromium:666376
Review-Url: https://codereview.chromium.org/2520363002
Cr-Commit-Position: refs/heads/master@{#41255}
RuntimeTimerScopes always subtract their own time from the parent timer's
counter to properly account for the own time. Once a scope is destructed it
adds it own timer to the current active counter. However, if the current
counter is changed with CorrectCurrentCounterId we will attribute all the
subtimers to the previous counter, and add the own time to the new counter.
This way it is possible to end up with negative times in certain counters but
the overall would still be correct.
BUG=
Review-Url: https://codereview.chromium.org/2511093002
Cr-Commit-Position: refs/heads/master@{#41254}
Reason for revert:
Secondary dependency to revert https://codereview.chromium.org/2522393002/
Original issue's description:
> [cleanup] Refactor builtins-number.cc
>
> Introducing a TF_BUILTIN macro that wraps CodeStubAssembler usage
> into a convenient interface (using a subclass under the hood).
>
> Committed: https://crrev.com/cbf59c4c704e83a43b52c5ba6825df576fdaece8
> Cr-Commit-Position: refs/heads/master@{#41236}
TBR=ishell@chromium.org,jkummerow@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2529873002
Cr-Commit-Position: refs/heads/master@{#41252}
The deprecated pipeline is used for asm.js only, where we forcibly
disable inlining anyways (for performance reasons), so inlining via
the AstGraphBuilder is essentially dead code by now, thus there's no
point in trying to keep that around in the code base.
Also nuke the test-run-inlining.cc file, which would require some heavy
surgery (for probably little benefit), and move the useful tests for
mjsunit tests instead.
BUG=v8:2206,v8:5657
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2527053002
Cr-Commit-Position: refs/heads/master@{#41245}
This exposes scopes for suspended generator objects by adding a
[[Scopes]] internal property to generator objects, similar to how
scopes for functions currently not on the stack are handled.
BUG=chromium:667286
Review-Url: https://codereview.chromium.org/2516973003
Cr-Commit-Position: refs/heads/master@{#41244}
Also lower JSToBoolean(x) where x is either some detectable receiver or
null, or any kind of receiver, null or undefined. Also fix a couple of
minor issues with the JSToBoolean lowering and tests.
R=yangguo@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2530773002
Cr-Commit-Position: refs/heads/master@{#41241}
Recognize a couple of builtins on the RegExp.prototype in the Typer and
assign useful types to them, so we can optimize various checks on their
results.
R=yangguo@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2531463002
Cr-Commit-Position: refs/heads/master@{#41240}
This fixes a bug where the re-creation of phi nodes leads to divergence. The fix makes sure that once a node created a phi node, it sticks to it and does not forget about it, even if the inputs suddenly agree again. The bug appeared on the trybots in https://codereview.chromium.org/2512733003/.
Also I added a line to mark effect phi nodes on the queue. This is unrelated, but seems to be an obvious ommission.
R=bmeurer@chromium.org
BUG=v8:5633
Review-Url: https://codereview.chromium.org/2522253002
Cr-Commit-Position: refs/heads/master@{#41239}
Descriptions for (typed)arrays will use parenthesis instead of square brackets
"Array(10)" instead of "Array[10]". This CL also adds size hints to descriptions
of maps and sets.
Related CL for DevTools: https://codereview.chromium.org/2524913002/
BUG=405845
Review-Url: https://codereview.chromium.org/2521853003
Cr-Commit-Position: refs/heads/master@{#41237}
Introducing a TF_BUILTIN macro that wraps CodeStubAssembler usage
into a convenient interface (using a subclass under the hood).
Review-Url: https://codereview.chromium.org/2517833005
Cr-Commit-Position: refs/heads/master@{#41236}
Add support for WebAssembly.Memory objects to be simultaneously referenced by multiple Instance objects. GrowingMemory should maintain a consistent view of memory across instances.
- Store a link to instances that share WebAssembly.Memory in the WasmMemoryObject, updated on instantiate.
- Implement WasmInstanceWrapper as a wrapper around the instance object to keep track of previous/next instances, instance object is stored as a WeakCell that can be garbage collected.
- MemoryInstanceFinalizer maintains a valid list of instances when an instance is garbage collected.
- Refactor GrowInstanceMemory to GrowMemoryBuffer that allocates a new buffer, and UncheckedUpdateInstanceMemory that updates memory references for an instance.
R=titzer@chromium.org, mtrofin@chromium.org, bradnelson@chromium.org
Committed: https://crrev.com/30ef8e33f3a199a27ca8512bcee314c9522d03f6
Committed: https://crrev.com/3c98e339599b068f1ed630afb7601ff942424d31
Review-Url: https://codereview.chromium.org/2471883003
Cr-Original-Original-Commit-Position: refs/heads/master@{#41121}
Cr-Original-Commit-Position: refs/heads/master@{#41198}
Cr-Commit-Position: refs/heads/master@{#41234}
Reason for revert:
The test is very flaky on the bots, e.g.:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20ASAN/builds/17031https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20shared/builds/14776
Original issue's description:
> [counters] RuntimeStats: fix wrong bookkeeping when dynamically changing counters
>
> RuntimeTimerScopes always subtract their own time from the parent timer's
> counter to properly account for the own time. Once a scope is destructed it
> adds it own timer to the current active counter. However, if the current
> counter is changed with CorrectCurrentCounterId we will attribute all the
> subtimers to the previous counter, and add the own time to the new counter.
> This way it is possible to end up with negative times in certain counters but
> the overall would still be correct.
>
> BUG=
>
> Committed: https://crrev.com/f6c74d964d9387df4bed3d8c1ded51eb9e8aa6e8
> Committed: https://crrev.com/491651792d7818aed04eaeffb9890b5a309b543e
> Cr-Original-Commit-Position: refs/heads/master@{#41142}
> Cr-Commit-Position: refs/heads/master@{#41214}
TBR=ishell@chromium.org,fmeawad@chromium.org,lpy@chromium.org,cbruni@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2526843002
Cr-Commit-Position: refs/heads/master@{#41229}
Since we are specializing on the native context, we don't have to load
the vector from the closure. For one thing, this reduces the machinery for
nodes that use a vector in their generic incarnation.
BUG=
R=mstarzinger@chromium.org
Review-Url: https://codereview.chromium.org/2529463002
Cr-Commit-Position: refs/heads/master@{#41221}
This fixes the message reported via the {TypeError} thrown when trying
to call a non-constructable function as a constructor. Also adds some
more related message tests for similar exceptions.
R=bmeurer@chromium.org
TEST=message/call-non-constructable
BUG=chromium:661579
Review-Url: https://codereview.chromium.org/2523803003
Cr-Commit-Position: refs/heads/master@{#41220}
For dictionary-mode receivers, the KeyedStoreGeneric stub can store
properties directly in most cases. Doing so avoids the need to have
an entry in the stub cache for every map/property combination.
Original review: https://codereview.chromium.org/2504403005/
Review-Url: https://codereview.chromium.org/2524943002
Cr-Commit-Position: refs/heads/master@{#41218}
In order for profiles of optimized code to have accurate source
positions, we need to prepare for this when compiling. If the profiler
is enabled late, this may be missing, leading to inaccurate profile
data. A compromise to solve this is to prepare for accurate positions if
the debugger (and therefore DevTools) is active, even if we are not
currently capturing a profile.
The alternative is to deopt everything upon profiling, but that would
affect the profile significantly.
R=alph@chromium.org, bmeurer@chromium.org, neis@chromium.org, tebbi@chromium.org
Review-Url: https://codereview.chromium.org/2519003002
Cr-Commit-Position: refs/heads/master@{#41217}
Eval calls are tracked by ParserBase::CheckPossibleEvalCall which
doesn't use (Pre)?Parser::IsDirectEvalCall.
Also we no longer seem to care about IsBinaryOperation (Parser didn't
have it either).
BUG=
Review-Url: https://codereview.chromium.org/2528603003
Cr-Commit-Position: refs/heads/master@{#41216}
RuntimeTimerScopes always subtract their own time from the parent timer's
counter to properly account for the own time. Once a scope is destructed it
adds it own timer to the current active counter. However, if the current
counter is changed with CorrectCurrentCounterId we will attribute all the
subtimers to the previous counter, and add the own time to the new counter.
This way it is possible to end up with negative times in certain counters but
the overall would still be correct.
BUG=
Committed: https://crrev.com/f6c74d964d9387df4bed3d8c1ded51eb9e8aa6e8
Review-Url: https://codereview.chromium.org/2511093002
Cr-Original-Commit-Position: refs/heads/master@{#41142}
Cr-Commit-Position: refs/heads/master@{#41214}
This is similar to how the native context has an empty function set up as it's closure field.
BUG=666984
Review-Url: https://codereview.chromium.org/2528603002
Cr-Commit-Position: refs/heads/master@{#41212}
Passing in the isolate to retrieve the heap constants (undefine, the_hole, null)
has a positive performance impact.
BUG=
Review-Url: https://codereview.chromium.org/2517153002
Cr-Commit-Position: refs/heads/master@{#41210}
Reason for revert:
Test crashes after an unrelated revert: https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/7189
Reverting because of recommendation from WASM team.
Original issue's description:
> [wasm] WebAssembly.Memory object can be referenced by multiple Instance objects.
>
> Add support for WebAssembly.Memory objects to be simultaneously referenced by multiple Instance objects. GrowingMemory should maintain a consistent view of memory across instances.
> - Store a link to instances that share WebAssembly.Memory in the WasmMemoryObject, updated on instantiate.
> - Implement WasmInstanceWrapper as a wrapper around the instance object to keep track of previous/next instances, instance object is stored as a WeakCell that can be garbage collected.
> - MemoryInstanceFinalizer maintains a valid list of instances when an instance is garbage collected.
> - Refactor GrowInstanceMemory to GrowMemoryBuffer that allocates a new buffer, and UncheckedUpdateInstanceMemory that updates memory references for an instance.
>
> R=titzer@chromium.org, mtrofin@chromium.org, bradnelson@chromium.org
>
> Committed: https://crrev.com/30ef8e33f3a199a27ca8512bcee314c9522d03f6
> Committed: https://crrev.com/3c98e339599b068f1ed630afb7601ff942424d31
> Cr-Original-Commit-Position: refs/heads/master@{#41121}
> Cr-Commit-Position: refs/heads/master@{#41198}
TBR=bradnelson@chromium.org,mtrofin@chromium.org,titzer@chromium.org,gdeepti@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2529573002
Cr-Commit-Position: refs/heads/master@{#41208}
Reason for revert:
Blocks roll: https://codereview.chromium.org/2526573002/
Original issue's description:
> [stubs] KeyedStoreGeneric: inline dictionary property stores
>
> For dictionary-mode receivers, the KeyedStoreGeneric stub can store
> properties directly in most cases. Doing so avoids the need to have
> an entry in the stub cache for every map/property combination.
>
> Committed: https://crrev.com/af168e330e95c4460fd1bb7734f0e9a750f2e748
> Cr-Commit-Position: refs/heads/master@{#41185}
TBR=ishell@chromium.org,rmcilroy@chromium.org,jkummerow@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2528583002
Cr-Commit-Position: refs/heads/master@{#41207}
port 0925554111 (r41135)
original commit message:
This removes the deprecated generator support for resumable functions
from {FullCodeGenerator}. The existing {AstNumbering} heuristic already
triggers Ignition for most resumable functions, with this change we make
said heuristic a hard choice and remove the deprecated code. This also
has the advantage that any suspended {JSGeneratorObject} instance on the
heap is guaranteed to have code based on a bytecode array.
BUG=
Review-Url: https://codereview.chromium.org/2522653003
Cr-Commit-Position: refs/heads/master@{#41204}
port d4f01b8a65 (r41108)
original commit message:
Add fast paths for holey smi and object arrays to
Function.prototype.apply, Reflect.apply and Reflect.construct.
BUG=
Review-Url: https://codereview.chromium.org/2519303002
Cr-Commit-Position: refs/heads/master@{#41203}
The AstGraphBuilder pipeline is only used for asm.js now, so the whole
type feedback mechanism is essentially dead code currently, thus we
better nuke it.
BUG=v8:5267,v8:5657
Review-Url: https://codereview.chromium.org/2523953002
Cr-Commit-Position: refs/heads/master@{#41201}
port 93c6595200 (r40887)
original commit message:
This changes {FrameState} nodes modeling "after" states to use bytecode
offsets pointing to the deoptimizing bytecode. This is in sync with the
normal execution, as the bytecode offset is advanced after operations
complete in regular bytecode handlers.
The change is necessary to ensure lazy deoptimized frames contain an
accurate bytecode offset while they are on the stack. Such frames can be
inspected by various stack walks. The continuation builtin will advance
the bytecode offset upon return.
BUG=
Review-Url: https://codereview.chromium.org/2520203002
Cr-Commit-Position: refs/heads/master@{#41199}
Add support for WebAssembly.Memory objects to be simultaneously referenced by multiple Instance objects. GrowingMemory should maintain a consistent view of memory across instances.
- Store a link to instances that share WebAssembly.Memory in the WasmMemoryObject, updated on instantiate.
- Implement WasmInstanceWrapper as a wrapper around the instance object to keep track of previous/next instances, instance object is stored as a WeakCell that can be garbage collected.
- MemoryInstanceFinalizer maintains a valid list of instances when an instance is garbage collected.
- Refactor GrowInstanceMemory to GrowMemoryBuffer that allocates a new buffer, and UncheckedUpdateInstanceMemory that updates memory references for an instance.
R=titzer@chromium.org, mtrofin@chromium.org, bradnelson@chromium.org
Committed: https://crrev.com/30ef8e33f3a199a27ca8512bcee314c9522d03f6
Review-Url: https://codereview.chromium.org/2471883003
Cr-Original-Commit-Position: refs/heads/master@{#41121}
Cr-Commit-Position: refs/heads/master@{#41198}
Now that we have a JumpLoop bytecode, we can heavily simplify the
branch/loop analysis by assuming that only JumpLoop bytecodes are
backwards edges, and performing the loop analysis as a single
(backwards) pass.
This allows us to get rid of the branch analysis entirely, and builds a
framework to do liveness analysis in the same pass.
Review-Url: https://codereview.chromium.org/2519983002
Cr-Commit-Position: refs/heads/master@{#41194}
Previous fuzzer fix broke the case when the pending assessment came from the same
block. In that case, the assessments table does not have an entry yet for the block,
because we register only when we're done processing a block.
BUG=667745
Review-Url: https://codereview.chromium.org/2519973004
Cr-Commit-Position: refs/heads/master@{#41193}
The GetPositionInfo function only operates on WasmCompiledModule, so it
should be a method of that class.
This CL also splits the method in two, such that I can reuse the
GetContainingFunction method for breakpoint support.
R=titzer@chromium.org
BUG=chromium:613110
Review-Url: https://codereview.chromium.org/2521293002
Cr-Commit-Position: refs/heads/master@{#41191}
Wrapper creation for import functions with i64 return values on 32-bit
platforms crashed because the number of return values of the wrapper
did not match the number of input nodes of the return node.
The issue is fixed by not creating special wrappers for 32-bit platforms
in the first place. This is valid because wrappers with i64 return
values are never actually executed.
R=titzer@chromium.org
BUG=v8:5661
Review-Url: https://codereview.chromium.org/2517173003
Cr-Commit-Position: refs/heads/master@{#41190}
The handwritten-assembly implementations of both dispatcher and
generic stub have been replaced by Turbofan-generated stubs.
Review-Url: https://codereview.chromium.org/2523473002
Cr-Commit-Position: refs/heads/master@{#41188}
For dictionary-mode receivers, the KeyedStoreGeneric stub can store
properties directly in most cases. Doing so avoids the need to have
an entry in the stub cache for every map/property combination.
Review-Url: https://codereview.chromium.org/2504403005
Cr-Commit-Position: refs/heads/master@{#41185}
... but be less pessimistic about context allocation (see below).
We might have just (pessimistically) context-allocated a variable based
on references coming from an inner function, but after that we still
need to set maybe_assigned (pessimistically).
This makes test-parsing/InnerAssignment pass with
FLAG_lazy_inner_functions.
This was undetected until now because we didn't have lazy parsing enabled
for small scripts.
Less pessimistic approach: now that inner functions laziness decisions
are stable (if we have once compiled a piece of code with lazy inner
functions, we never compile the same code with eager inner functions),
we don't need to be as pessimistic with context allocation as before.
BUG=v8:5501
Review-Url: https://codereview.chromium.org/2521513004
Cr-Commit-Position: refs/heads/master@{#41183}
This makes sure the {kScratchRegister} is not used across macro
instructions (e.g. {LeaveFrame}) that would clobber its content.
Generally it is highly unsafe to use such scratch registers with a
life-range spanning macro instructions.
R=neis@chromium.org
Review-Url: https://codereview.chromium.org/2521973002
Cr-Commit-Position: refs/heads/master@{#41181}
This makes the test in the bug ~10x faster. It could inadvertently make other things slower, so revert eagerly if included in a range where performance tanks.
BUG=chromium:666852
Review-Url: https://codereview.chromium.org/2525573002
Cr-Commit-Position: refs/heads/master@{#41178}
StepFrame is a combination of StepIn/StepOut, e.g. it breaks to the next
frame change. This is not part of the public API, but we want to keep it
for internal tests.
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2514303003
Cr-Commit-Position: refs/heads/master@{#41177}
* Fix setting script-scope variables through inspector by internalizing
their names.
* Reconstruct values of Number, String, and Boolean classes.
* Adapt a couple of tests for API restrictions.
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2512963002
Cr-Commit-Position: refs/heads/master@{#41175}
When disassembling functions for the inspector, we used an internal
text representation before. This CL implements the official text
format like it is understood by the spec interpreter.
Example output:
func $main (param i32) (result i32)
block i32
get_local 0
i32.const 2
i32.lt_u
if
i32.const -2
return
end
get_local 0
call_indirect 0
end
R=rossberg@chromium.org, titzer@chromium.org
BUG=chromium:659715
Review-Url: https://codereview.chromium.org/2520943002
Cr-Commit-Position: refs/heads/master@{#41172}
