Previously we used a FixedArray for the FeedbackMetadata, packing bits
of information into Smi fields. On 64-bit platforms, we waste at least
half of the available memory by using the Smi representation.
Given that this is just raw data (no pointers), we can just use a new
type that uses the existing packing scheme to store the data in int32
format instead.
This CL changes FeedbackMetadata to a new subclass of HeapObject. This
is to reduce the API surface exposed, in comparison to extending/using
a more general purpose data structure like ByteArray, which is also just
raw data.
FeedbackMetadata only exposes general purpose methods for accessing
slots, but hides the implementation detail of packing bits into int32
fields.
This CL also introduces a sentinal EmptyFeedbackMetadata, because there
are ~750 empty FeedbackMetadata objects when running an empty program in
V8. These are probably for builtins.
Bug: v8:7500
Change-Id: Ic85563153abbd71a22854cee8519260c32b1e9ab
Reviewed-on: https://chromium-review.googlesource.com/945730
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51842}
This adds a global protector to guard the lookup of "resolve" on the
%Promise% intrinsic object (the initial Promise constructor), making
sure that Promise.resolve yields the initial builtin method. We use
this protector to avoid the lookup of "resolve" all the time inside
of Promise.all and Promise.race, when called with constructor being
the %Promise% intrinsic object.
This improves the performance on the parallel-async-es2017-native
benchmark by roughly 2-3%.
Bug: v8:7253
Change-Id: Ida93b88afbaeae61f17be4cd30ea6a78b4267cea
Reviewed-on: https://chromium-review.googlesource.com/955564
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51810}
... and use Smi Map::kPrototypeChainValid for the cases where direct receiver's
prototype is not JSObject instead of creating a new valid cell for each such
case. This will make a validity cell checking code simpler.
Bug: v8:5988
Change-Id: I52cf55797171cc8021d80e4e441615d0c8fc8bd4
Reviewed-on: https://chromium-review.googlesource.com/951384
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51803}
This makes sure that the object can be identified by a unique instance
type and hence is not accidentally confused with other FixedArrays on
the heap.
R=clemensh@chromium.org
BUG=v8:7509
Change-Id: I20521cdcabbbddecd89ca8cd4bb203a47e1db0cd
Reviewed-on: https://chromium-review.googlesource.com/946253
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51730}
This changes the JSArrayIterator to always have only a single instance
type, instead of the zoo of instance types that we had before, and
which became less useful with the specification update to when "next"
is loaded from the iterator now. This greatly simplifies the baseline
implementation of the array iterator, which now only looks at the
iterated object during %ArrayIteratorPrototype%.next invocations.
In TurboFan we introduce a new JSCreateArrayIterator operator, that
holds the IterationKind and get's the iterated object as input. When
optimizing %ArrayIteratorPrototype%.next in the JSCallReducer, we
check whether the receiver is a JSCreateArrayIterator, and if so,
we try to infer maps for the iterated object from there. If we find
any, we speculatively assume that these won't have changed during
iteration (as we did before with the previous approach), and generate
fast code for both JSArray and JSTypedArray iteration.
Drive-by-fix: Drop the fast_array_iteration protector, it's not
necessary anymore since we have the deoptimization guard bit in
the JSCallReducer now.
This addresses the performance cliff noticed in webpack 4. The minimal
repro on the tracking bug goes from
console.timeEnd: mono, 124.773000
console.timeEnd: poly, 670.353000
to
console.timeEnd: mono, 118.709000
console.timeEnd: poly, 141.393000
so that's a 4.7x improvement.
Also make presubmit happy by adding the missing #undef's.
Bug: v8:7510, v7:7514
Change-Id: I79a46bfa2cd0f0710e09365ef72519b1bbb667b5
Reviewed-on: https://chromium-review.googlesource.com/946098
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51725}
This makes sure that the object can be identified by a unique instance
type and hence is not accidentally confused with other FixedArrays on
the heap.
R=clemensh@chromium.org
BUG=v8:7509
Change-Id: Ib3dcdb4559821d0ad9ca8cced37754e0e3c1d578
Reviewed-on: https://chromium-review.googlesource.com/943781
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51687}
This makes sure that the object can be identified by a unique instance
type and hence is not accidentally confused with other FixedArrays on
the heap.
R=clemensh@chromium.org
BUG=v8:7509
Change-Id: I66e3d779ff9a323b64f5464bdd5fe02aefe468c6
Reviewed-on: https://chromium-review.googlesource.com/943442
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51665}
This is a first step towards using Maps as store transition handlers.
It is expected for this CL to noticeably regress memory consumption
but most of it should be recovered by the next CL.
Bug: v8:5988
Change-Id: Ic2e301f9ccebc36e699383ded8c8cd284a906ce1
Reviewed-on: https://chromium-review.googlesource.com/928646
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51663}
This is preparatory cleanup work for eventually tracking the functions
(rather than concrete closures) in the CALL_IC, also for builtins like
the default PromiseCapability [[Resolve]] and [[Reject]] functions. It
adds a new FeedbackCell type, which is used by JSFunctions consistently
now to reference the feedback vector (or undefined if not the function
is not compiled yet or is a native/asm.js function).
This also changes the calling convention for FastNewClosure builtin and
the JSCreateClosure operator in TurboFan to carry the FeedbackCell here
instead of the parent FeedbackVector and the slot index. In addition we
eliminate the now unused %InterpreterNewClosure runtime function.
Bug: v8:2206, v8:7253, v8:7310
Change-Id: Ib4ce456e276e0273e57c163dcdd0b33abf863656
Reviewed-on: https://chromium-review.googlesource.com/928403
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51474}
This is a reland of dda0419ecd.
Originally reviewed-on: https://chromium-review.googlesource.com/914513
and landed as refs/heads/master@{#51342}.
Bug: v8:6791
Change-Id: I3b3a069da7a0e64c38a81b3110dc5ece4887cb19
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/924665
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51352}
This reverts commit 14108f4c2e.
Reason for revert: Not the culprit for Canary microtask crashes
Original change's description:
> [builtins] Mega-revert to address the Dev blocker in crbug.com/808911.
>
> - Revert "[builtins] Save one word in contexts for Promise.all."
> This reverts commit 7632da067b.
> - Revert "[builtins] Also use the Promise#then protector for Promise#finally()."
> This reverts commit d4f072ced3.
> - Revert "[builtins] Don't mess with entered context for MicrotaskCallbacks."
> This reverts commit 6703dacdd6.
> - Revert "[debugger] Properly deal with settled promises in catch prediction."
> This reverts commit 40dd065823.
> - Revert "[builtins] Widen the fast-path for Promise builtins."
> This reverts commit db0556b7e8.
> - Revert "[builtins] Unify PerformPromiseThen and optimize it with TurboFan."
> This reverts commit a582199c5e.
> - Revert "[builtins] Remove obsolete PromiseBuiltinsAssembler::AppendPromiseCallback."
> This reverts commit 6bf8885290.
> - Revert "[builtins] Turn NewPromiseCapability into a proper builtin."
> This reverts commit 313b490ddd.
> - Revert "[builtins] Inline InternalPromiseThen into it's only caller"
> This reverts commit f7bd6a2fd6.
> - Revert "[builtins] Implement Promise#catch by really calling into Promise#then."
> This reverts commit b23b098fa0.
> - Revert "[promise] Remove incorrect fast path"
> This reverts commit 0f6eafe855.
> - Revert "[builtins] Squeeze JSPromise::result and JSPromise::reactions into a single field."
> This reverts commit 8a677a2831.
> - Revert "[builtins] Refactor promises to reduce GC overhead."
> This reverts commit 8e7737cb58.
>
> Tbr: hpayer@chromium.org
> Bug: chromium:800651, chromium:808911, v8:5691, v8:7253
> Change-Id: I8c8ea5ed32ed62f6cd8b0d027a3707ddd891e5f1
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/906991
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Adam Klein <adamk@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51158}
Change-Id: I09d958cbebd635a325809072a290f2f53df8c5d4
Tbr: adamk@chromium.org,yangguo@chromium.org,bmeurer@chromium.org
Bug: chromium:800651, chromium:808911, v8:5691, v8:7253
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/908988
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51181}
- Revert "[builtins] Save one word in contexts for Promise.all."
This reverts commit 7632da067b.
- Revert "[builtins] Also use the Promise#then protector for Promise#finally()."
This reverts commit d4f072ced3.
- Revert "[builtins] Don't mess with entered context for MicrotaskCallbacks."
This reverts commit 6703dacdd6.
- Revert "[debugger] Properly deal with settled promises in catch prediction."
This reverts commit 40dd065823.
- Revert "[builtins] Widen the fast-path for Promise builtins."
This reverts commit db0556b7e8.
- Revert "[builtins] Unify PerformPromiseThen and optimize it with TurboFan."
This reverts commit a582199c5e.
- Revert "[builtins] Remove obsolete PromiseBuiltinsAssembler::AppendPromiseCallback."
This reverts commit 6bf8885290.
- Revert "[builtins] Turn NewPromiseCapability into a proper builtin."
This reverts commit 313b490ddd.
- Revert "[builtins] Inline InternalPromiseThen into it's only caller"
This reverts commit f7bd6a2fd6.
- Revert "[builtins] Implement Promise#catch by really calling into Promise#then."
This reverts commit b23b098fa0.
- Revert "[promise] Remove incorrect fast path"
This reverts commit 0f6eafe855.
- Revert "[builtins] Squeeze JSPromise::result and JSPromise::reactions into a single field."
This reverts commit 8a677a2831.
- Revert "[builtins] Refactor promises to reduce GC overhead."
This reverts commit 8e7737cb58.
Tbr: hpayer@chromium.org
Bug: chromium:800651, chromium:808911, v8:5691, v8:7253
Change-Id: I8c8ea5ed32ed62f6cd8b0d027a3707ddd891e5f1
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/906991
Commit-Queue: Yang Guo <yangguo@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51158}
This adds a new isolate wide Promise#then protector, which guards the
"then" lookup for all JSPromise instances whose [[Prototype]] is the
initial %PromisePrototype%. Thus arbitrary mutations to the
Promise.prototype (i.e. monkey-patching other methods or installing
new functions) no longer sent you down the slow-path. Use this protector
in Promise.prototype.catch and in Promise.resolve.
Drive-by-fix: Restructure the resolve logic a bit and avoid the
expensive and large SameValue check, which can be turned into a simple
reference equal, as the promise in there is known to be a JSPromise
anyways.
Bug: v8:7253
Change-Id: If68b12c6bc6ca9c4d10552ae84854ebc3b5774f9
Reviewed-on: https://chromium-review.googlesource.com/899302
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51085}
This implements the ideas outlined in the section "Microtask queue"
of the exploration document "Promise and async/await performance" (at
https://goo.gl/WHRar2), except that the microtask queue stays a linear
FixedArray for now, to avoid running into trouble with the parallel
scavenger. This way we can already save a significant amount of
allocations, thereby reducing the GC frequency quite a bit.
All items on the microtask queue are now proper structs that subclass
Microtask, i.e. we also wrap JSFunction and MicrotaskCallback jobs
into structs. We also consistently remember the context for every
microtask (except for MicrotaskCallback where we don't have a
context), and execute it later in exactly that context (as required
by the spec anyways for the Promise related jobs). Particularly
interesting is the PromiseReactionJobTask and its subclasses, since
they are designed to have the same size as the PromiseReaction. When
we resolve a JSPromise we just take the existing PromiseReaction
instances and morph them into PromiseFulfillReactionJobTask or
PromiseRejectReactionJobTask (depending whether you "Fulfill" or
"Reject"). That way the JSPromise class is now only 6 words instead
of 10 words.
Also the PromiseReaction and the reaction tasks can either carry a
JSPromise (for the fast native case) or a PromiseCapability (for the
generic case), which means we don't always pay the overhead of having
to also remember the "deferred resolve" and "deferred reject" handlers
that are only relevant for the generic case anyways.
It also fixes a spec violation where we called "then" before we actually
enqueued the PromiseResolveThenableJob, which is observably wrong.
Calling it later has the advantage that it should be fairly
straight-forward now to completely avoid it for native Promise
instances.
This seems to save around 10-20% on the various Promise benchmarks and
micro-benchmarks. We expect to gain even more as we're now able to
inline various operations into TurboFan optimized code easily.
Bug: v8:7253
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I893d24ca5bb046974b4f5826a8f6dd22f1210b6a
Reviewed-on: https://chromium-review.googlesource.com/892819
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50980}
This is somewhat of a revival of what used to be
UnseededNumberDictionary. The difference to NumberDictionary is that
each entry only has two fields (no field for property details) and there
is no header field for a bitfield.
The reason for this change is memory regression introduced when we
removed UnseededNumberDictionary (6e1c57eaa9). We now use
SimpleNumberDictionary for
- slow template instantiation cache
- code stubs table
- value serializer map
- stack frame cache
- type profile source positions
R=ishell@chromium.org, ulan@chromium.org
Bug: chromium:783695
Change-Id: I3cd32e485060bb379fb2279eeefbbbded7455f0e
Reviewed-on: https://chromium-review.googlesource.com/885811
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50869}
This adds a new operator JSCreatePromise, which currently allocates
a native JSPromise instance and initializes it to pending state.
In addition to that we introduce a new PromiseHookProtector, which
get's invalidated the first time someone enables the debugger or
installs a PromiseHook (via async_hooks for example). As long as
the protector is intact we lower AsyncFunctionPromiseCreate to
JSCreatePromise and AsyncFunctionPromiseRelease to a no-op in
optimized code.
This yields a speedup of roughly 33% on the benchmark mentioned
in the bug.
Bug: v8:7271, v8:7253
Change-Id: Ib5d219f2b6e052a7cc5e6ed5aa66dd3c8885a859
Reviewed-on: https://chromium-review.googlesource.com/883124
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50849}
In collaboration with Qingyan Li <qingyan.liqy@alibaba-inc.com>.
R=jgruber@chromium.org, mlippautz@chromium.org
Bug: v8:7249
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I87f62103ec5b31de274fa22ad275f1c1bcb3ed86
Reviewed-on: https://chromium-review.googlesource.com/846750
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50433}
We collect instance type statistics in FatalProcessOutOfMemory into an
array, which is allocated to the max instance type value. While we want
to leave space to ensure new instance types do not affect constants in
the API, we can be more frugal.
We currently serialize 350 maps into the startup/context snapshot. Even
if we assign a distinct instance type to each of these maps, we would
still have more than enough to spare with this change.
R=ulan@chromium.org
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I3e583c2c8da3342e9132d96046b5d80cd41afd72
Reviewed-on: https://chromium-review.googlesource.com/842542
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50302}
We used to frequently break the ABI when we introduced new instance
types because some instance types are hard-coded in v8.h.
Now that we have more instance types available, we can leave some
room to anticipate future new instance types.
Also take this opportunity to reorder some instance types.
Also see: https://github.com/nodejs/node/issues/17754
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I9b59eeab9dfcdf11d779f0b700fc5dce30d3eebe
Reviewed-on: https://chromium-review.googlesource.com/833874
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50223}
The new frame type is inteneded to represent native C++ stack frames.
JS code may sometimes make calls to helper native functions that do not
provide any special stack layout besides the return address and frame pointer.
Currently the stack iterator bails out when it sees an unknown frame.
The patch allows the iterator to unwind stacks having such frames.
BUG=chromium:768540
Change-Id: I9c273c7015695a6733c0a0c52b522fca7b25de0d
Reviewed-on: https://chromium-review.googlesource.com/794991
Commit-Queue: Alexei Filippov <alph@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50058}
They will eventually be used instead of Tuple3/FixedArray by the IC system.
Bug: v8:5561, v8:7159
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I39faad1b2dc10ce7d42cb7477ea87b64d1e0b44c
Reviewed-on: https://chromium-review.googlesource.com/806178
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49908}
The "array protector" now guards the Object.prototype, the
Array.prototype and the String.prototype, so the name was a
bit misleading nowadays. So the new name "no elements protector"
was chosen.
Bug: v8:6936, v8:7014, v8:7027
Change-Id: I9a9d7caa2caf0ac9e78cc6658de2f0506970dfa2
Reviewed-on: https://chromium-review.googlesource.com/778162
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49471}
Previously, in order to get immortal immovable objects onto
the first page, the serializer would iterate the root list
twice. The first time it would prioritize immortal immovables.
The second time it would serialize the rest.
This does not guarantee that immortal immovable objects
actually end up on the first page, and by now this is not
necessary anymore, since we mark all pages created during
heap init as immortal immovable pages.
R=mlippautz@chromium.org
Change-Id: Ie95fcd779377a75337621ba862bc1a745ed5cbaa
Reviewed-on: https://chromium-review.googlesource.com/768731
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49468}
This CL also includes fixes for CF issues found while the previous
reland was active.
Bug: v8:5799, chromium:783902, chromium:783926, chromium:783822
Change-Id: I1f7d9b037d90838469c45f5d72771a77444c662e
Reviewed-on: https://chromium-review.googlesource.com/764067
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49457}
This is necessary in order to support class literals boilerplates which will
contain descriptor arrays not attached to maps.
This CL introduces Heap::descriptor_array_map() which will be used only for
descriptor arrays templates created as a part of class literal boilerplate.
We don't use the new map for all descriptors for now because in order to handle
chicken-egg problem in deserializer which can be solved in a clean and readable
way only if introduce a DESCRIPTOR_ARRAY_TYPE instance type which we can't
currently do because the InstanceType enum is already "full".
Bug: v8:5799
Change-Id: I732d236b0dda2c436ab3ce3ac5967f6c66162df3
Reviewed-on: https://chromium-review.googlesource.com/758360
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49271}
This change
- adds new maps for elements, global, and named dictionaries.
- adds support to embed these dictionaries in the startup snapshot.
- adds support to embed these dictionaries in the code cache.
- refactors the rehashing logic.
TBR=mstarzinger@chromium.org, ishell@chromium.org, jgruber@chromium.org
Bug: v8:6593
Change-Id: I2455fe2a9cc6e93247940de99de5f124c2ada137
Reviewed-on: https://chromium-review.googlesource.com/756693
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49167}
This reverts commit 3877bf6f4b.
Reason for revert: failed compilation on Win64/clang:
https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20clang/builds/9015
Original change's description:
> Snapshot: support rehashing property and element dictionaries.
>
> This change
> - adds new maps for elements, global, and named dictionaries.
> - adds support to embed these dictionaries in the startup snapshot.
> - adds support to embed these dictionaries in the code cache.
> - refactors the rehashing logic.
>
> R=ishell@chromium.org, jgruber@chromium.org, mstarzinger@chromium.org
>
> Bug: v8:6593
> Change-Id: I8d9a7ba7145f1af4e6e15301a4d5611f07c77f33
> Reviewed-on: https://chromium-review.googlesource.com/753323
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49155}
TBR=yangguo@chromium.org,mstarzinger@chromium.org,jgruber@chromium.org,ishell@chromium.org
Change-Id: I0b45d2d07da97b9a7953abf4ad24eec4ea944306
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6593
Reviewed-on: https://chromium-review.googlesource.com/755493
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49156}
This change
- adds new maps for elements, global, and named dictionaries.
- adds support to embed these dictionaries in the startup snapshot.
- adds support to embed these dictionaries in the code cache.
- refactors the rehashing logic.
R=ishell@chromium.org, jgruber@chromium.org, mstarzinger@chromium.org
Bug: v8:6593
Change-Id: I8d9a7ba7145f1af4e6e15301a4d5611f07c77f33
Reviewed-on: https://chromium-review.googlesource.com/753323
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49155}
This is a reland of eeaffa9f33
Original change's description:
> [objects] Introduce {CodeDataContainer} object type.
>
> This introduces the {CodeDataContainer} as a container for all mutable
> fields associated with a {Code} object. For now only the kind-specific
> flags are moved, but more fields can/will be moved gradually. The goal
> is to make all fields in the {Code} header be immutable eventually.
>
> R=jarin@chromium.org
> BUG=v8:6792
>
> Change-Id: I2eeba893afaba877fb6117e1f18371898c3a175e
> Reviewed-on: https://chromium-review.googlesource.com/732987
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48902}
Bug: v8:6792
Change-Id: I31a127df4bb8ee5fedb4d73755df4deae6e1d352
Reviewed-on: https://chromium-review.googlesource.com/738109
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48928}
This reverts commit eeaffa9f33.
Reason for revert: Breaks msan compile (uninitialized value in snapshot):
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/17824
Original change's description:
> [objects] Introduce {CodeDataContainer} object type.
>
> This introduces the {CodeDataContainer} as a container for all mutable
> fields associated with a {Code} object. For now only the kind-specific
> flags are moved, but more fields can/will be moved gradually. The goal
> is to make all fields in the {Code} header be immutable eventually.
>
> R=jarin@chromium.org
> BUG=v8:6792
>
> Change-Id: I2eeba893afaba877fb6117e1f18371898c3a175e
> Reviewed-on: https://chromium-review.googlesource.com/732987
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48902}
TBR=mstarzinger@chromium.org,jarin@chromium.org
Change-Id: I74fe833b074752d640cff4aa4680f250e1bd8780
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6792
Reviewed-on: https://chromium-review.googlesource.com/738029
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48904}
This introduces the {CodeDataContainer} as a container for all mutable
fields associated with a {Code} object. For now only the kind-specific
flags are moved, but more fields can/will be moved gradually. The goal
is to make all fields in the {Code} header be immutable eventually.
R=jarin@chromium.org
BUG=v8:6792
Change-Id: I2eeba893afaba877fb6117e1f18371898c3a175e
Reviewed-on: https://chromium-review.googlesource.com/732987
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48902}
There are only very few custom compiled IC handlers left that go in there, and for each compiled handler we only have 1 cache hit on top25; maximally saving 60ms over 33s. Additionally we'll migrate the remaining handlers to data-driven handlers anyway. Let's try to remove this code.
Bug:
Change-Id: Ib874cc498015046a3ff67c83ea8b10b3c4eb7d0f
Reviewed-on: https://chromium-review.googlesource.com/668409
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48201}
BigInt is a new primitive type of arbitrary precision integers,
proposed in https://tc39.github.io/proposal-bigint.
This CL introduces a corresponding instance type, map, and C++
class to V8 and adds BigInt support to a few operations (see the
test file). Much more is to come. Also, the concrete representation
of BigInts is not yet fixed, currently a BigInt is simply a wrapped
Smi.
Bug: v8:6791
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ia2901948efd7808f17cfc945f0d56e23e8ae0b45
Reviewed-on: https://chromium-review.googlesource.com/657022
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47956}
This patch introduces a new container type ScriptOrModule which
provides the name and the host defined options of the script/module.
This patch also introduces a new PrimitivesArray that can hold
Primitive values, which the embedder can use to store metadata.
The HostDefinedOptions is passed to V8 through the ScriptOrigin, and
passed back to the embedder through HostImportModuleDynamically for
module loading.
Bug: v8:5785, v8:6658, v8:6683
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I56c26fc9a680b273ac0a6691e5ad75f15b8dc80a
Reviewed-on: https://chromium-review.googlesource.com/622158
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47724}
Introduce a proper empty_descriptor_array, which has the proper layout
(length is 2 and the two fields are set properly). Also add a special
EnumCache class and a matching empty_enum_cache. The contract now is
that we only need to check the EnumLength on the map to know whether we
are allowed to use the enum cache. This greatly simplifies the handling
of the enum cache (and also the descriptor arrays), especially for the
future work on optimizing keyed access via the enum cache indices.
Bug: v8:6702
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I5ef517a3041163cd65ef003f691139ea52233e83
Reviewed-on: https://chromium-review.googlesource.com/641030
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47697}
There's no need to have the StringLengthProtector as a PropertyCell,
since it's only used to guard against deoptimization loops. This also
allows us to remove the use of the CompilationDependencies from the
JSTypedLowering.
R=jarin@chromium.org
Bug: v8:6759
Change-Id: I54a37be6b8064ca3475e3b321f928b6a9903f209
Tbr: mstarzinger@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/637303
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47633}
This reverts commit fe50e8178f.
Reason for revert: Too close to branch point
Original change's description:
> [parser] Tentative: turn on FLAG_preparser_scope_analysis.
>
> The main motivation is to get bug reports / crashes from Canary.
>
> This commit is expected to break all kinds of things! The most typical failure
> modes are crashes, CHECK failures and JavaScript executing incorrectly.
>
> BUG=v8:5516
>
> Change-Id: Ifa02b420ad4e8eda46002b334bed2665c8ceeeb2
> Reviewed-on: https://chromium-review.googlesource.com/623751
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Marja Hölttä <marja@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47502}
TBR=adamk@chromium.org,marja@chromium.org,cbruni@chromium.org
Change-Id: I98d2d186cbde6e185b05ef0d3460115a654b6b45
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:5516
Reviewed-on: https://chromium-review.googlesource.com/626796
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47519}
The main motivation is to get bug reports / crashes from Canary.
This commit is expected to break all kinds of things! The most typical failure
modes are crashes, CHECK failures and JavaScript executing incorrectly.
BUG=v8:5516
Change-Id: Ifa02b420ad4e8eda46002b334bed2665c8ceeeb2
Reviewed-on: https://chromium-review.googlesource.com/623751
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47502}
Experimental run, just for getting data from RuntimeCallstats bots.
To be reverted soon - expected to break various things.
BUG=v8:5516
NOTREECHECKS=true
Change-Id: I6d235fddee36b0f0efe70065166d25ed40d6e163
Reviewed-on: https://chromium-review.googlesource.com/557863
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47248}
The interpreter was not able to call imported wasm functions (hitting
UNIMPLEMENTED). This CL fixes this by creating a "CWasmEntry", which is
signature-specific. It has JS linkage and receives the wasm code object
to call and a buffer containing all arguments (similar to the
interpreter entry). It loads all arguments from the buffer and calls the
given code object.
The c-wasm-entry code objects are cached per instance, such that we
only create them once per signature.
These wasm entry stubs will also allow us to call back to compiled code
from the interpreter, which we might want to do to reduce the slowdown
of executing wasm for debugging.
R=titzer@chromium.org
Bug: chromium:735792
Change-Id: I7fecec3a7bec62a9de40fff115b684759b12a28b
Reviewed-on: https://chromium-review.googlesource.com/600308
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47195}
We must ensure required root objects will be filled when such
objects will be deserialized.
Change-Id: I25136d31cb2e0c0a69a51c5635192f17bbe2a9ba
Reviewed-on: https://chromium-review.googlesource.com/579768
Commit-Queue: Vyacheslav Chigrin <vchigrin@yandex-team.ru>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46944}
Instead of having feedback vector as a subtype of FixedArray with
reserved slots, make it a first-class variable-sized object with a
fixed-size header. This allows us to compress counters to ints in the
header, rather than forcing them to be Smis.
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Icc5f088ffbc2e2651b845bc71ea42060639e3e48
Reviewed-on: https://chromium-review.googlesource.com/585129
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46935}
This replaces the linked list of weak cells with a worklist.
TBR=yangguo@chromium.org
BUG=chromium:694255
Change-Id: Ia877e25010ebbec9c05fbbe48cff460a92d3a132
Reviewed-on: https://chromium-review.googlesource.com/587067
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46929}
This must throw for uninitialized properties.
R=adamk@chromium.org
Bug: v8:1569, v8:5487
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng;master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I8beb8bf6a197870eb5c038102ab474dd12f6b6eb
Reviewed-on: https://chromium-review.googlesource.com/582013
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46870}
This is so that we can distinguish hash tables by instance type. We can
then introduce maps for each kind of hash tables to further distinguish.
R=mstarzinger@chromium.org
Bug: v8:6593
Change-Id: Ice9e6bb7b85d825207ac489b6930ac9020d60db8
Reviewed-on: https://chromium-review.googlesource.com/582814
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46861}
This reverts commit 990dd947bc.
Reason for revert: <INSERT REASONING HERE>
Original change's description:
> Introduce HASH_TABLE_TYPE instance type.
>
> This is so that we can distinguish hash tables by instance type. We can
> then introduce maps for each kind of hash tables to further distinguish.
>
> R=mstarzinger@chromium.org
>
> Bug: v8:6593
> Change-Id: I1a532884758e571abdfe2e2743fc5ea611d12f7e
> Reviewed-on: https://chromium-review.googlesource.com/581009
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46828}
TBR=yangguo@chromium.org,mstarzinger@chromium.org
Change-Id: Ia47d408e5cf47983940227b4cc445a704d7f8d19
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6593
Reviewed-on: https://chromium-review.googlesource.com/581493
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46833}
This is so that we can distinguish hash tables by instance type. We can
then introduce maps for each kind of hash tables to further distinguish.
R=mstarzinger@chromium.org
Bug: v8:6593
Change-Id: I1a532884758e571abdfe2e2743fc5ea611d12f7e
Reviewed-on: https://chromium-review.googlesource.com/581009
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46828}
This also makes sure 6.0 and 6.1 have the same constants exposed
in v8.h.
Bug: v8:6592
R=bmeurer@chromium.org
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I3afc0e5e4495594c76229555aab148ac78388f80
Reviewed-on: https://chromium-review.googlesource.com/569618
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46642}
This patch changes the backing store of slow properties to be a
new instance type called PropertyArray.
Currently the only difference between this and a FixedArray is
the map. A future patch will change the length property to store
the hash code.
Bug: v8:5717, v8:6404
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Iaebc98f42e6d93c1392772e6f837787beb64afec
Reviewed-on: https://chromium-review.googlesource.com/539028
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46569}
This is the next step towards faster Map and Set iteration. It
introduces the appropriate instance types for Map and Set
iterators (following the pattern for Array iterators) and migrates
the following builtins to the CodeStubAssembler:
- Set.prototype.entries
- Set.prototype.values
- Map.prototype.entries
- Map.prototype.keys
- Map.prototype.values
- %SetIteratorPrototype%.next
- %MapIteratorPrototype%.next
This already provides a significant performance boost for regular
for-of iteration of Sets and Maps, by a factor of 5-10 depending
on the input. The final step will be to inline some fast-paths
into TurboFan.
Drive-by-fix: Remove obsolete %IsJSSetIterator and %IsJSMapIterator
intrinsics and runtime functions.
TBR=jgruber@chromium.org
Bug: v8:6344, v8:6571, chromium:740122
Change-Id: I3ab0ee49e2afe8d4295707a5ecbd51adda621918
Reviewed-on: https://chromium-review.googlesource.com/563626
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46497}
This reverts commit 3f22832be7.
Reason for revert: Layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/16849
Original change's description:
> [builtins] Port Map and Set iterators to CodeStubAssembler.
>
> This is the next step towards faster Map and Set iteration. It
> introduces the appropriate instance types for Map and Set
> iterators (following the pattern for Array iterators) and migrates
> the following builtins to the CodeStubAssembler:
>
> - Set.prototype.entries
> - Set.prototype.values
> - Map.prototype.entries
> - Map.prototype.keys
> - Map.prototype.values
> - %SetIteratorPrototype%.next
> - %MapIteratorPrototype%.next
>
> This already provides a significant performance boost for regular
> for-of iteration of Sets and Maps, by a factor of 5-10 depending
> on the input. The final step will be to inline some fast-paths
> into TurboFan.
>
> Drive-by-fix: Remove obsolete %IsJSSetIterator and %IsJSMapIterator
> intrinsics and runtime functions.
>
> Bug: v8:6571, chromium:740122
> Change-Id: Iad7a7dec643d8f8b5799327f89a351108ae856bf
> Reviewed-on: https://chromium-review.googlesource.com/563399
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46492}
TBR=jgruber@chromium.org,bmeurer@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:6571, chromium:740122
Change-Id: Iadb48d72e3b85ec8ad880e50ab7912c5502caf07
Reviewed-on: https://chromium-review.googlesource.com/564419
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46495}
This is the next step towards faster Map and Set iteration. It
introduces the appropriate instance types for Map and Set
iterators (following the pattern for Array iterators) and migrates
the following builtins to the CodeStubAssembler:
- Set.prototype.entries
- Set.prototype.values
- Map.prototype.entries
- Map.prototype.keys
- Map.prototype.values
- %SetIteratorPrototype%.next
- %MapIteratorPrototype%.next
This already provides a significant performance boost for regular
for-of iteration of Sets and Maps, by a factor of 5-10 depending
on the input. The final step will be to inline some fast-paths
into TurboFan.
Drive-by-fix: Remove obsolete %IsJSSetIterator and %IsJSMapIterator
intrinsics and runtime functions.
Bug: v8:6571, chromium:740122
Change-Id: Iad7a7dec643d8f8b5799327f89a351108ae856bf
Reviewed-on: https://chromium-review.googlesource.com/563399
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46492}
This CL refactors the internal representation of JavaScript-exposed
WebAssembly objects to be more like other such objects in V8. By introducing
a new instance type for each of the JS-exposed types, we get more robust
typechecking without using embedder fields (which were previously used
when these objects where instance type JS_API_OBJECT).
In addition to the new instance types, the subclasses X of JSObject
(WasmInstanceObject, WasmMemoryObject, WasmModuleObject, WasmTableObject)
now have appropriate Is##X() methods on Object and are now robust.
BUG=v8:6547
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_rel_ng
Review-Url: https://codereview.chromium.org/2964943002
Cr-Commit-Position: refs/heads/master@{#46475}
This way, each lazy function needs to handle only the data relevant to
itself. This reduced data handling overheads.
Other changes:
1) Don't deserialize the data; once it's on the heap, it can stay there. Lazy
function compilation is only done in the main thread.
2) Separate ProducedPreParsedScopeData and ConsumedPreParsedScopeData. It's clearer, because:
- The data looks fundamentally different when we're producing it and when we're
consuming it.
- Cleanly separates the operations we can do in the "producing phase" and in the
"consuming phase".
Bug: v8:5516
Change-Id: I6985a6621f71b348a55155724765624b5d5f7c33
Reviewed-on: https://chromium-review.googlesource.com/528094
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46347}
To be able to use this in optimized code dependency relationships.
Bug:
Change-Id: Ia099a68994b1252de3c72c8d688862ca17ca76d9
Reviewed-on: https://chromium-review.googlesource.com/548716
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46277}
This removes support for code-stub to tail-call into the runtime via the
deoptimizer. The Hydrogen code-stubs would trigger a deopt in order to
materialize a trampoline frame, which would then continue execution in a
runtime function associated with each stub. This is no longer needed for
code-stubs built with the CSA.
R=jarin@chromium.org
BUG=v8:6408
Change-Id: I1ff8dc03ac716200b28e962259a3e233aeda1234
Reviewed-on: https://chromium-review.googlesource.com/548375
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46223}
ThrowIfHole bytecodes were handled by introducing deopt points to check
for a hole. To avoid deopt loops a hole check protector was used to
generate control flow if there was a deopt due to a hole. However, the
normal control flow version should be as fast as the deopt version
in general. The deopt version could potentially consume less compile time
but it may not be worth the complexity added. Hence simplifying it to
only construct the control flow.
Bug: v8:6383
Change-Id: Icace11f7a6e21e64e1cebd104496e3f559bc85f7
Reviewed-on: https://chromium-review.googlesource.com/525573
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45783}
This CL contains a few pieces:
- A new mechanism to create "BuiltinContinuation" checkpoints in TurboFan
graphs, which--when triggered--swizzle the values in the the FrameState to be
parameters to a typically TF-generated builtin that resumes execution to finish
the slow-case functionality.
- Continuation builtins that have special handling in the deoptimizer and their own
new frame type to ensure that the values they need to begin executing can be stashed
away and restored immediately before the builtin is called via a trampoline that runs
when the continuation builtin's frame execution resumes.
- An implementation of Array.prototype.forEach in TurboFan that can be used to
inline it. The inlined forEach implementation uses the checkpoints mechanism
described above to deopt in the middle of the forEach in the cases that optimization
invariants are violated. There is a slightly different continuation stub for each
deopt point in the forEach implementation to ensure the correct side-effects, i.e.
that the deopt of the builtin isn't programmatically observable.
Review-Url: https://codereview.chromium.org/2803853005
Cr-Commit-Position: refs/heads/master@{#45764}
Introduces ThrowReferenceErrorIfHole / ThrowSuperNotCalledIfHole
/ ThrowSuperAlreadyCalledIfNotHole bytecodes to handle hole checks.
In the bytecode-graph builder they are handled by introducing a deopt point
instead of adding explicit control flow. JumpIfNotHole / JumpIfNotHoleConstant
bytecodes are removed since they are no longer required.
Bug: v8:4280, v8:6383
Change-Id: I58b70c556b0ffa30e41a0cd44016874c3e9c5fe1
Reviewed-on: https://chromium-review.googlesource.com/509613
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45720}
This patch also adds sharing of code target entries, which requires
sharing the RelocInfo for those entries as well. The disassembler
is also modified in order to print comments for the RelocInfo that
is now shared.
This improves the snapshot size for arm by about 4%.
BUG=
Review-Url: https://codereview.chromium.org/2869683004
Cr-Commit-Position: refs/heads/master@{#45497}
... by only looking at the handle.
This is in preparation for running code generation off the main thread.
Bug: v8:6048
Change-Id: I19b105c13278a2821a0b2395033e54abf5552a43
Reviewed-on: https://chromium-review.googlesource.com/506190
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45333}
- Migrate make grokdump to GYP and GN
- Move code from d8 into stand-alone execution
- Add test case to ensure it's up-to-date
Review-Url: https://codereview.chromium.org/2809653003
Cr-Commit-Position: refs/heads/master@{#44687}
- Add new address markers:
T: tagged pointer in the minidump
C: address into a module in the minidump
S: pointer into the exception stack in the minidump
*: other address in the minidump
- Show ASCII decoding of address in dd
- Display potential frame markers on the exception stack:
00000032212fdae8: 0000000300000000 ........ Smi(3) EXIT frame marker
- Display relative addresses, useful to detect stack frames:
00000032212fdb68: 00000032212fdb98 S ........ [+6]=00000032212fdcb0 S
00000032212fdb70: 0000010ff5ca0a84 ........
00000032212fdb78: 000001064c1fa881 ........
00000032212fdb80: 0000016a8e52fcb1 ........
00000032212fdb88: 0000010ff5ca0981 ........
00000032212fdb90: 0000000d00000000 ........ Smi(13) INTERNAL frame marker
00000032212fdb98: 00000032212fdcb0 S ........ [+35]=00000032212fdd61 S
Change-Id: I56bd7e6723a34bcb668719246dd5ff2898224928
Reviewed-on: https://chromium-review.googlesource.com/461862
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44269}
The plan is to also use it for With and Catch scopes, so all kinds of
contexts have a pointer back to their ScopeInfo
R=neis@chromium.org,marja@chromium.org
BUG=v8:5215
Review-Url: https://codereview.chromium.org/2301913002
Cr-Commit-Position: refs/heads/master@{#39092}
We use a scratchpad to remember visited allocation sites for post processing
(making tenure decisions). The previous implementation used a rooted FixedArray
with constant length (256) to remember all sites. Updating the scratchpad is a
bottleneck in any parallel/concurrent implementation of newspace evacuation.
The new implementation uses a HashMap with allocation sites as keys and
temporary counts as values. During evacuation we collect a local hashmap of
visited allocation sites. Upon merging the local hashmap back into a global one
we update potential forward pointers of compacted allocation sites. The
scavenger can directly enter its entries into the global hashmap. Note that the
actual memento found count is still kept on the AllocationSite as it needs to
survive scavenges and full GCs.
BUG=chromium:524425
LOG=N
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/1535723002
Cr-Commit-Position: refs/heads/master@{#33233}
This patch generalizes Object.observe callbacks and promise resolution into a FIFO queue called a "microtask queue".
It also exposes new V8 API which exposes the microtask queue to the embedder. In particular, it allows the embedder to
-schedule a microtask (EnqueueExternalMicrotask)
-run the microtask queue (RunMicrotasks)
-control whether the microtask queue is run automatically within V8 when the last script exits (SetAutorunMicrotasks).
R=dcarney@chromium.org, rossberg@chromium.org, dcarney, rossberg, svenpanne
BUG=
Review URL: https://codereview.chromium.org/154283002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19344 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This is done similar to weak embedded objects in optimized code (r17102). The
reference from optimized code to a cell is treated weakly in marking visitors
if the cell points to a JSObject. After marking we iterate over all cells
embedded in optimized code. If a cell is not marked but its value is marked,
then we revive the cell by marking it. Otherwise, the cell value is dead, so
we mark the code for deoptimization.
BUG=v8:2073
TEST=cctest/test-heap/CellsInOptimizedCodeAreWeak
LOG=Y
R=hpayer@chromium.org, mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/117483002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18616 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Things got quite a bit out of sync (don't we all love copy-n-paste?):
* TypeToString didn't handle SLICED_STRING_TYPE,
SLICED_ASCII_STRING_TYPE, FIXED_DOUBLE_ARRAY_TYPE,
JS_FUNCTION_PROXY_TYPE and JS_DATE_TYPE.
* INSTANCE_TYPE_LIST was missing entries for
SLICED_ASCII_STRING_TYPE, JS_SET_TYPE, and JS_MAP_TYPE.
To improve this maintenance nightmare a little bit, the missing
instance types were added to the INSTANCE_TYPE_LIST macro and this
list is now used via our beloved 2nd order macro technique in
TypeToString. As a side-effect, the strings returned by TypeToString
have a "_TYPE" suffix now, but this doesn't really matter and is a
small price to pay for consistency.
Removed INVALID_TYPE on the way, it had no real use.
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/22681004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16120 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
