We collect instance type statistics in FatalProcessOutOfMemory into an
array, which is allocated to the max instance type value. While we want
to leave space to ensure new instance types do not affect constants in
the API, we can be more frugal.
We currently serialize 350 maps into the startup/context snapshot. Even
if we assign a distinct instance type to each of these maps, we would
still have more than enough to spare with this change.
R=ulan@chromium.org
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I3e583c2c8da3342e9132d96046b5d80cd41afd72
Reviewed-on: https://chromium-review.googlesource.com/842542
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50302}
We used to frequently break the ABI when we introduced new instance
types because some instance types are hard-coded in v8.h.
Now that we have more instance types available, we can leave some
room to anticipate future new instance types.
Also take this opportunity to reorder some instance types.
Also see: https://github.com/nodejs/node/issues/17754
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I9b59eeab9dfcdf11d779f0b700fc5dce30d3eebe
Reviewed-on: https://chromium-review.googlesource.com/833874
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50223}
... by "inlining" the Tuple2 object into the data handler.
Bug: v8:7206, v8:5561
Change-Id: I8517b2faa8d13bd16b8ec99c7ea8ab97c73a5f2a
Reviewed-on: https://chromium-review.googlesource.com/819233
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50164}
... instead of checking if the property cell is still empty when loading/storing
through JSGlobalObject prototype.
Also invalidate the validity cell when new global lexical variables appear in the
script.
Bug: v8:5561
Change-Id: Iaf122dffe76d57b32e2b69291dee079e772b271c
Reviewed-on: https://chromium-review.googlesource.com/819230
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50100}
This ensures that MigrateFastToFast does not overflow the length of the
property array.
Bug: chromium:789393
Change-Id: I77adc319c1c8c469ea482bad35ead8661d535192
Reviewed-on: https://chromium-review.googlesource.com/824167
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50086}
- Introduce explicit CallXXX helpers in PropertyCallbackArguments for
all Callback functions exposed in the api.
- Add bit on the Interceptors for checking whether they for names or
indices.
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Id862e4e39ba75b4610156adfe83f3eecfb2c048f
Reviewed-on: https://chromium-review.googlesource.com/799910
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49969}
For instance, it now knows that Number(x) has type Number.
(In this particular case, we used to know that already due to
js-call-reduction of Number but that was recently disabled because
of BigInts.)
Bug: v8:6791
Change-Id: If5c57d46fc8448ca530a9ce7c9d14d63daa0f31c
Reviewed-on: https://chromium-review.googlesource.com/811264
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49909}
They will eventually be used instead of Tuple3/FixedArray by the IC system.
Bug: v8:5561, v8:7159
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I39faad1b2dc10ce7d42cb7477ea87b64d1e0b44c
Reviewed-on: https://chromium-review.googlesource.com/806178
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49908}
- When a dictionary mode prototype changes, invalidate the validity cell.
- The dictionary mode prototypes don't need to be gathered into an array in InitPrototypeChecks.
Bug: v8:7159
Change-Id: I1c7bbaf4b20556f44df18be1463d38fa4fbabe05
Reviewed-on: https://chromium-review.googlesource.com/793732
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49857}
1) Make sure we don't enable prototype setup mode for parent class and its prototype
objects.
2) Make sure we create builtins and their prototypes with completed setup mode.
3) Drive-by-fix: setup typed array classes in bootstrapper.cc instead of typedarray.js,
and drop %FunctionSetPrototype().
Bug: v8:7115, v8:5902
Change-Id: I58ac091d85647abc3307bd47baf48e378e3695c5
Reviewed-on: https://chromium-review.googlesource.com/790992
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49655}
This CL also includes fixes for CF issues found while the previous
reland was active.
Bug: v8:5799, chromium:783902, chromium:783926, chromium:783822
Change-Id: I1f7d9b037d90838469c45f5d72771a77444c662e
Reviewed-on: https://chromium-review.googlesource.com/764067
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49457}
The only empty PropertyArray is the empty_property_array object on the
isolate. Allowing empty PropertyArrays causes the turbofan to ignore the
existing hash when growing the backing store again. We currently only end
up with the empty PropertyArray when following back transitions.
Bug: chromium:781218, chromium:783713
Change-Id: If41dd09b965cdc8d957b9ca50ba3c8a7f4254769
Reviewed-on: https://chromium-review.googlesource.com/763230
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49318}
This is necessary in order to support class literals boilerplates which will
contain descriptor arrays not attached to maps.
This CL introduces Heap::descriptor_array_map() which will be used only for
descriptor arrays templates created as a part of class literal boilerplate.
We don't use the new map for all descriptors for now because in order to handle
chicken-egg problem in deserializer which can be solved in a clean and readable
way only if introduce a DESCRIPTOR_ARRAY_TYPE instance type which we can't
currently do because the InstanceType enum is already "full".
Bug: v8:5799
Change-Id: I732d236b0dda2c436ab3ce3ac5967f6c66162df3
Reviewed-on: https://chromium-review.googlesource.com/758360
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49271}
This change
- adds new maps for elements, global, and named dictionaries.
- adds support to embed these dictionaries in the startup snapshot.
- adds support to embed these dictionaries in the code cache.
- refactors the rehashing logic.
TBR=mstarzinger@chromium.org, ishell@chromium.org, jgruber@chromium.org
Bug: v8:6593
Change-Id: I2455fe2a9cc6e93247940de99de5f124c2ada137
Reviewed-on: https://chromium-review.googlesource.com/756693
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49167}
This reverts commit 3877bf6f4b.
Reason for revert: failed compilation on Win64/clang:
https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20clang/builds/9015
Original change's description:
> Snapshot: support rehashing property and element dictionaries.
>
> This change
> - adds new maps for elements, global, and named dictionaries.
> - adds support to embed these dictionaries in the startup snapshot.
> - adds support to embed these dictionaries in the code cache.
> - refactors the rehashing logic.
>
> R=ishell@chromium.org, jgruber@chromium.org, mstarzinger@chromium.org
>
> Bug: v8:6593
> Change-Id: I8d9a7ba7145f1af4e6e15301a4d5611f07c77f33
> Reviewed-on: https://chromium-review.googlesource.com/753323
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49155}
TBR=yangguo@chromium.org,mstarzinger@chromium.org,jgruber@chromium.org,ishell@chromium.org
Change-Id: I0b45d2d07da97b9a7953abf4ad24eec4ea944306
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6593
Reviewed-on: https://chromium-review.googlesource.com/755493
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49156}
This change
- adds new maps for elements, global, and named dictionaries.
- adds support to embed these dictionaries in the startup snapshot.
- adds support to embed these dictionaries in the code cache.
- refactors the rehashing logic.
R=ishell@chromium.org, jgruber@chromium.org, mstarzinger@chromium.org
Bug: v8:6593
Change-Id: I8d9a7ba7145f1af4e6e15301a4d5611f07c77f33
Reviewed-on: https://chromium-review.googlesource.com/753323
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49155}
This adds support to the KeyedLoadIC to ignore out of bounds accesses
for Strings and return undefined instead. We add a dedicated bit to the
Smi handler to encode the OOB state and have TurboFan generate appropriate
code for that case as well. This is mostly useful when programs
accidentially access past the length of a string, which was observed and
fixed for example in Babel recently, see
https://github.com/babel/babel/pull/6589
for details. The idea is to also extend this mechanism to Arrays and
maybe other receivers, as reading beyond the length is also often used
in jQuery and other popular libraries.
Note that this is considered a mitigation for a performance cliff and
not a general optimization of OOB accesses. These should still be
avoided and handled properly instead.
This seems to further improve the babel test on the web-tooling-benchmark
by around 1%, because the OOB access no longer turns the otherwise
MONOMORPHIC access into MEGAMORPHIC state.
Bug: v8:6936, v8:7014
Change-Id: I9df03304e056d7001a65da8e9621119f8e9bb55b
Reviewed-on: https://chromium-review.googlesource.com/744022
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49049}
Rename |property_attributes| to |initial_property_attributes| and ensure
that it is used as a storage of values only for AccessorInfos installed in
API Templates (i.e. ObjectTemplate and FunctionTemplate).
When an AccessorInfo is installed directly into an existing JS object
(via JSObject::SetAccessor) or into a DescriptorArray (when certain V8
objects' shapes are configured) it is not necessary to thread attributes
being set through the AccessorInfo instance.
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ibe61026f08c42549756f694129a286635ffe5769
Reviewed-on: https://chromium-review.googlesource.com/730425
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48978}
Abstract equality comparison of a BigInt and a String converts the
latter to BigInt. This conversion can fail; since we do not want to
pass a context to the comparison function, we must signal such failure
without throwing an exception.
This CL uses the existing ShouldThrow enum to configure behavior of
String-to-BigInt conversion, moving it out of Object into globals.h.
Bug: v8:6791, v8:6979
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ibb98675079b8392cf03bbcbbbd5556108500a32d
Reviewed-on: https://chromium-review.googlesource.com/734172
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48946}
and use a newly-introduced "enum class Operation" in all
other places that so far passed Token::Values around.
Also delete some related dead code along the way.
Bug: v8:6921
Change-Id: I062f396d304aa62298cfeff202e3132a4a5597c1
Reviewed-on: https://chromium-review.googlesource.com/736851
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48944}
Have JSProxy and JSGlobalProxy use the properties or hash technology
like we use for all other JSReceivers. Also unify and simplify the
code dealing with these hashes.
Bug: v8:6344, v8:6911
Change-Id: Ic995639c74211ba6f33acd73428b8c6d95bf7919
Reviewed-on: https://chromium-review.googlesource.com/737833
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48930}
This is a reland of eeaffa9f33
Original change's description:
> [objects] Introduce {CodeDataContainer} object type.
>
> This introduces the {CodeDataContainer} as a container for all mutable
> fields associated with a {Code} object. For now only the kind-specific
> flags are moved, but more fields can/will be moved gradually. The goal
> is to make all fields in the {Code} header be immutable eventually.
>
> R=jarin@chromium.org
> BUG=v8:6792
>
> Change-Id: I2eeba893afaba877fb6117e1f18371898c3a175e
> Reviewed-on: https://chromium-review.googlesource.com/732987
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48902}
Bug: v8:6792
Change-Id: I31a127df4bb8ee5fedb4d73755df4deae6e1d352
Reviewed-on: https://chromium-review.googlesource.com/738109
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48928}
This reverts commit eeaffa9f33.
Reason for revert: Breaks msan compile (uninitialized value in snapshot):
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/builds/17824
Original change's description:
> [objects] Introduce {CodeDataContainer} object type.
>
> This introduces the {CodeDataContainer} as a container for all mutable
> fields associated with a {Code} object. For now only the kind-specific
> flags are moved, but more fields can/will be moved gradually. The goal
> is to make all fields in the {Code} header be immutable eventually.
>
> R=jarin@chromium.org
> BUG=v8:6792
>
> Change-Id: I2eeba893afaba877fb6117e1f18371898c3a175e
> Reviewed-on: https://chromium-review.googlesource.com/732987
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48902}
TBR=mstarzinger@chromium.org,jarin@chromium.org
Change-Id: I74fe833b074752d640cff4aa4680f250e1bd8780
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6792
Reviewed-on: https://chromium-review.googlesource.com/738029
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48904}
This introduces the {CodeDataContainer} as a container for all mutable
fields associated with a {Code} object. For now only the kind-specific
flags are moved, but more fields can/will be moved gradually. The goal
is to make all fields in the {Code} header be immutable eventually.
R=jarin@chromium.org
BUG=v8:6792
Change-Id: I2eeba893afaba877fb6117e1f18371898c3a175e
Reviewed-on: https://chromium-review.googlesource.com/732987
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48902}
... mainly by adapting Object::Compare and
CodeStubAssembler::RelationalComparison.
TBR=rmcilroy@chromium.org
Change-Id: I34448d45b4950b9318263c4a667aa9db7d77232d
Bug: v8:6791
Reviewed-on: https://chromium-review.googlesource.com/730730
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48873}
HTMLCollection and NodeList have InstanceType
JS_SPECIAL_API_OBJECT_TYPE, and therefore always run the slow case
of GetAlignedPropertyFromInternalField. This slows down the performance
of indexedPropertyGetter for both types, which are very commonly used
in websites.
Bug:
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I36bd2cd7d9bbc19149e15174f6868b8a1f1658c8
Reviewed-on: https://chromium-review.googlesource.com/726529
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Adithya Srinivasan <adithyas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48760}
A followup CL will move feedback slot allocation to the bytecode generator,
which means it won't be done for asm_wasm code and the function will have an
incorrect vector spec. Since asm_wasm doesn't use a feedback vector, just
prevent it from being allocated for this code.
BUG=v8:6921
Change-Id: I65a06f60bd75b54e5ef0df323184aad841e26177
Reviewed-on: https://chromium-review.googlesource.com/725703
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48692}
Now that {DeoptimizationOutputData} does not exists anymore we can
rename {DeoptimizationInputData} to just {DeoptimizationData}.
R=jarin@chromium.org
Change-Id: Ib67967539d33714cc15e5d5b6dde522a9ede64b2
Reviewed-on: https://chromium-review.googlesource.com/725349
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48684}
This CL fixes all occurences that don't require special OWNER reviews,
or can be reviewed by Michi.
After this one, we should be able to reenable the readability/check
cpplint check.
R=mstarzinger@chromium.org
Bug: v8:6837, v8:6921
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng;master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Ic81d68d5534eaa795b7197fed5c41ed158361d62
Reviewed-on: https://chromium-review.googlesource.com/721120
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48670}
New code should use nullptr instead of NULL.
This patch updates existing use of NULL to nullptr where applicable,
making the code base more consistent.
BUG=v8:6928,v8:6921
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng;master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I4687f5b96fcfd88b41fa970a2b937b4f6538777c
Reviewed-on: https://chromium-review.googlesource.com/718338
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48557}
