Because SizeFor only returns aligned values, when we check values
returned there against kMaxSize, they can be larger if they were
rounded up.
It wasn't possible to write a test for the 2-byte version that didn't
regularly OOM.
Bug: chromium:752764
Change-Id: Id2f387449e0fafe633a2fde1ac728be31487f62d
Reviewed-on: https://chromium-review.googlesource.com/607935
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47252}
Experimental run, just for getting data from RuntimeCallstats bots.
To be reverted soon - expected to break various things.
BUG=v8:5516
NOTREECHECKS=true
Change-Id: I6d235fddee36b0f0efe70065166d25ed40d6e163
Reviewed-on: https://chromium-review.googlesource.com/557863
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47248}
Splits out AttachOuterScopeInfo from DeclarationScope::Analyze and attaches
the outer scope info after parsing has completed (when parsing on the main
thread, which is the only time we have an outer scope info) instead of
during Compiler::Analyse().
BUG=v8:5203
TBR=yangguo@chromium.org
Change-Id: Idd8d2409fb20f09a9f6bbf5cff7e6edcf90077d7
Reviewed-on: https://chromium-review.googlesource.com/605889
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47243}
This fixes an old bug uncovered by
https://chromium-review.googlesource.com/591651
The bug is a race between the concurrent sweeper clearing slots and
the mutator adding slots and trimming fixed array:
1) The sweeper starts sweeping a page with an existing fixed array.
2) The sweeper pre-caches the slots clearing mode by checking if the
slot set pointer on the page is null or not. (This is the bug).
3) The mutator updates the fixed array such that new slots are added.
4) The mutator trims the fixed array such that the added slots are
now in free space.
5) The sweeper adds the trimmed part of the fixed array to free list,
but does not clear slots there because of the cached flag.
6) A new object is allocated from the free list entry and it has
a bogus slot entry recorded.
Bug: chromium:752750
TBR: mlippautz@chromium.org
Change-Id: I4f70514fa05b692a27d992954cb4c314ef4cac07
Reviewed-on: https://chromium-review.googlesource.com/608047
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47242}
- Previous fix is https://chromium-review.googlesource.com/c/583531 but it
diverges Scopes created by PreParser from Scopes created by Parser.
- This CL creates the inner block scope a bit earlier and (temporarily) pushes
it into the scope chain for parsing the variable declarations in a for
loop. The previous approach was to first parse the variable declarations and
then reparent the AST nodes / Scopes created while parsing it afterwards.
- This CL partially reverts https://chromium-review.googlesource.com/c/583531;
the new fix only touches parser-base.h (diff between patch sets 2 and 3 is the
fix).
- The Ignition golden changes are basically undoing the changes done in that CL
too.
Bug: chromium:740591
Change-Id: Iceff1383ef066317e754942bb5ff0c70a91bc937
Reviewed-on: https://chromium-review.googlesource.com/603787
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47241}
Revert CollectCallOrConstructFeedback to just CollectCallFeedback again
and provide a separate copy of the code for ConstructWithSpread, where
the idea is that this will be unified with the Construct bytecode
handler, once there's support for spreading the final argument _and_
passing the AllocationSite at the same time.
This is following up on discussion with rmcilroy@ at
https://goo.gl/Cxy5mD where the outcome was to keep Call and Construct
logic separate for the sake of clarity.
Bug: v8:5517, v8:6399, v8:6679
Change-Id: I20ebe1d5ed80986359742cf5411f4abaad8b6a60
Reviewed-on: https://chromium-review.googlesource.com/606469
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47240}
To speed up compilation times, jumbo allows files to be compiled
together. This is a well known method ("unity builds") to both
compile faster and create a poor man's "full program optimization".
We are only interested in compile times.
Background:
https://chromium.googlesource.com/chromium/src/+/master/docs/jumbo.md
Note that jumbo builds are not enabled by default. To try this out,
add use_jumbo_build=true to your GN args.
BUG=chromium:746958
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ieb9fdccb6c135e9806dbed91c09a29aa8b8bee11
Reviewed-on: https://chromium-review.googlesource.com/579090
Commit-Queue: Mostyn Bramley-Moore <mostynb@opera.com>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47239}
This fixes a bug affecting module namespace objects, which are currently
implemented using native accessors.
Bug: v8:6681, v8:1569
Change-Id: I6a678652573a332c47315497d927c390d9da0926
Reviewed-on: https://chromium-review.googlesource.com/606027
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47238}
Don't return NoChange when the new_target input to a JSConstruct node is
already a HeapConstant, but rather use that constant in the interesting
lowering below. This was introduced accidentally by
https://chromium-review.googlesource.com/604790
earlier. Also don't use ShouldUseCallICFeedback predicate here, as that
doesn't really make sense for JSConstruct, but is mostly interesting for
JSCall (hence the name).
Bug: v8:5517, v8:6399, v8:6679
Change-Id: I96201281cf1a10f2bfd2dc3859455161eb310ccf
Reviewed-on: https://chromium-review.googlesource.com/607887
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47237}
To avoid breaking Chromium we expose a stub method first, and will start
using it only when V8 rolls into Chromium and we implement it there.
Bug: chromium:751993
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ida1f96f2dfa833552e7adfa36a580a6ef1bdd1aa
Reviewed-on: https://chromium-review.googlesource.com/604812
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Sergei Datsenko <dats@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47233}
This reverts commit 649b1e70e7.
Reason for revert: A1 Jetstream bots are still failing.
Original change's description:
> [wasm] Reland "[wasm] redirect wasm calls to js functions through a GCed table"
>
> This reverts commit 25f03308a7.
>
> Reason for revert: Fix the cause of bot failure and reland
>
> Original change's description:
> > Revert "[wasm] redirect wasm calls to js functions through a GCed table"
> >
> > This reverts commit eb65f35e96.
> >
> > Reason for revert: Broke jetstream benchmark on android.
> >
> > BUG=chromium:750828
> >
> > Original change's description:
> > > [wasm] redirect wasm calls to js functions through a GCed table
> > >
> > > With this patch, rather than embedding the JSReceiver address directly
> > > in the WasmToJS wrappers, we put that in a fixed array with global handle
> > > scope and instead embed the location of the handle and the index in the
> > > wrapper. This ensures that the wrapper doesn't need to be patched if the
> > > GC kicks in. This is needed to get the WASM code off the GCed heap.
> > >
> > > R=mtrofin@chromium.org
> > >
> > > Bug:
> > > Change-Id: Ie5a77a78cdecec51b04f702c63b8e4285e6a2d8d
> > > Reviewed-on: https://chromium-review.googlesource.com/581682
> > > Commit-Queue: Aseem Garg <aseemgarg@chromium.org>
> > > Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#46884}
> >
> > TBR=mtrofin@chromium.org,aseemgarg@google.com,aseemgarg@chromium.org,clemensh@chromium.org
> >
> > # Not skipping CQ checks because original CL landed > 1 day ago.
> >
> > Change-Id: I26f49ee0a1fe73cc5d8852ded87b56638be39ebf
> > Reviewed-on: https://chromium-review.googlesource.com/596268
> > Commit-Queue: Aseem Garg <aseemgarg@chromium.org>
> > Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#47059}
>
> R=mtrofin@chromium.org,aseemgarg@google.com,aseemgarg@chromium.org,clemensh@chromium.org,sullivan@chromium.org
>
> Change-Id: I29ef35f6e612a706d9f571da3e7beb1da8b5052b
> Bug: chromium:750828
> Reviewed-on: https://chromium-review.googlesource.com/597010
> Commit-Queue: Aseem Garg <aseemgarg@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47177}
TBR=bradnelson@chromium.org,sullivan@chromium.org,mtrofin@chromium.org,aseemgarg@google.com,aseemgarg@chromium.org,clemensh@chromium.org
Bug: chromium:750828
Change-Id: I04b12c0eb0705ad809822a7d7461423be77d942a
Reviewed-on: https://chromium-review.googlesource.com/606867
Commit-Queue: Aseem Garg <aseemgarg@chromium.org>
Reviewed-by: Aseem Garg <aseemgarg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47231}
This CL consolidates ownership of parameters used to compile code (which
we always specialize) in 2 places:
- ModuleEnv for compile-time data
- WasmCompiledModule for runtime data
The parameters in question are: memory size and start; globals start;
address of indirect function tables (and their signatures, respectively);
and address to be used for wasm call sites.
Ideally, we'd collapse this down to one place, however, we need
specialization data to survive serialization. We can achieve this we get off
the GC heap and use a different wasm code serializer.
The CL:
- removes aliasing of parts of the specialization data, and moves
to using ModuleEnv as a token of passing around compile-time data, instead
of a mixture of ModuleEnv, WasmInstance, and some other structures. ModuleEnv
is responsible for providing a consistent view of the specialization data,
e.g. valid memory sizes (multiples of page size), and matching sized function
tables and signatures.
- removes WasmInstance, as its data is now contained by ModuleEnv.
- removes ModuleBytesEnv. We now pass the wire bytes explicitly. They can't
always be assumed as present (e.g. streaming compilation), and probably more
refactoring may need to happen once streaming compilation lands and we
better understand our dependencies.
Change-Id: Id7e6f2cf29e51b5756eee8b6f8827fb1f375e5c3
Reviewed-on: https://chromium-review.googlesource.com/592531
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47229}
We are only calling {checkAvailable} with uint32_t, thus the type
received should also be uint32_t. This also gives better error messages
for integers >kMaxInt.
R=titzer@chromium.org
Change-Id: I40655b80dcc601e05fbb0c92cedba72ca806e2b3
Reviewed-on: https://chromium-review.googlesource.com/605893
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47227}
Add support for the simulation of MIPS SIMD MI10 instruction group,
which included Load Vector and Store Vector instructions. Add
corresponding test for these instructions.
Bug:
Change-Id: I7cbc9d8dff2a779d9a716f539cd9a2bbb8ac694a
Reviewed-on: https://chromium-review.googlesource.com/595567
Reviewed-by: Miran Karić <Miran.Karic@imgtec.com>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Cr-Commit-Position: refs/heads/master@{#47226}
A spec change (a0dfeba1a8) introduced a number of Await operations to the spec. In turn, this caused generated bytecode for async generators to grow drastically.
This commit moves the Await within AsyncGeneratorYield (https://tc39.github.io/proposal-async-iteration/#sec-asyncgeneratoryield step 5) into a new TFJ builtin, similar in structure to AsyncGeneratorAwait, but instead of resuming the generator on resolution of the Promise, the current generator request's Promise is fulfilled instead.
This results in a reduction in generated bytecode without losing any statically available information.
BUG=v8:5855
Change-Id: Ib5bcf06132d221beffdea30639a7b4437030143b
Reviewed-on: https://chromium-review.googlesource.com/582487
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47224}
This patch removes creation of fillers in the middle of a large page and
fixes assert in Heap::NotifyObjectLayoutChange.
The fillers in large pages are useless since we do not sweep large
object space.
Bug: chromium:752426
Change-Id: I01c230223f28d6d54b7362ee70e9d83de50678fd
Reviewed-on: https://chromium-review.googlesource.com/601994
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47221}
This moves deserializer setup boilerplate inside the deserializers, and
makes improper usage less likely. For instance:
ObjectDeserializer deserializer(&scd);
/* ... deserializer setup ... */
MaybeHandle<HeapObject> obj = deserializer.Deserialize(isolate);
/* ... result checks and casts ... */
has now become:
/* All setup and casts inside deserializer, impossible to illegally
use the same instance multiple times. */
MaybeHandle<SharedFunctionInfo> maybe_result =
ObjectDeserializer::DeserializeSharedFunctionInfo(
isolate, &scd, source);
Bug: v8:6624
Change-Id: Id5a1848e024e89cf86e5292389ba7c89f31d8e6b
Reviewed-on: https://chromium-review.googlesource.com/604791
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47219}
This avoid introduction of {TypeGuard} nodes during load elimination.
Such type guard could lead to contradicting type information where a
constant {NumberConstant} node was guarded to have {ExternalPointer}
type, which would lead to an impossible constraint on representation
selection.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-752826
BUG=chromium:752826
Change-Id: Ida3815af24ccc8a48474b8d66117b9718f61adda
Reviewed-on: https://chromium-review.googlesource.com/605547
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47218}
This removes the last instance where we did manually what {LowerInt64}
already does.
R=titzer@chromium.org
Change-Id: I5e0de0f8ed1ae31f295e947a9fe36e4142200b65
Reviewed-on: https://chromium-review.googlesource.com/602238
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47217}
This makes sure we perform a proper holder lookup when trying to inline
API accessors calls in TurboFan. Inlining is completely disabled in case
the holder is not found, otherwise the appropriate holder is passed via
the {PropertyAccessInfo} structure (if different from the receiver).
R=bmeurer@chromium.org
TEST=cctest/test-api/ReceiverSignature
BUG=chromium:752149
Change-Id: I7b192724afd99d651b6477b2f2c8b403a10efb9d
Reviewed-on: https://chromium-review.googlesource.com/603615
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47216}
This reverts commit 1dfaec2647.
Reason for revert: Does not fix the performance regression, see bug.
Original change's description:
> Partial revert of "Remove ~MaybeHandle and statically assert that handles are trivially copyable"
>
> Reason: cause Blink regression on Android
>
> Original CL: https://chromium-review.googlesource.com/c/538463/
>
> Bug: chromium:735910
> Change-Id: I405e71f6ffeaf9fa467036a6fafa0271a60de9d3
> Reviewed-on: https://chromium-review.googlesource.com/593247
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Loo Rong Jie <loorongjie@gmail.com>
> Cr-Commit-Position: refs/heads/master@{#46995}
R=yangguo@chromium.org,loorongjie@gmail.com,jbroman@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: chromium:735910
Change-Id: I65eecd575fb1b77471c6dd83a01df6c4e8a85214
Reviewed-on: https://chromium-review.googlesource.com/603797
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47213}
Another pure refactoring CL. This extracts methods used only by Deserializer
subclasses.
Bug: v8:6624
Change-Id: Ib4dd7cdc591dff217e282e68a490c8c7129b9c96
Reviewed-on: https://chromium-review.googlesource.com/602188
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47211}
Change the CALL_IC machinery inside of Ignition to collect new.target
feedback for Construct and ConstructWithSpread bytecodes instead of
collecting feedback about the target, and adapt TurboFan's JSCallReducer
to consume feedback for new.target instead of target on JSConstruct
nodes.
This enables TurboFan to inline JSCreate - and thus the actual instance
allocation - into derived leaf constructors even if the leaf constructor
itself is not inlined, and thereby removes this weird performance cliff.
The feedback for target in case of class constructors is provided by
the function context specialization, and in case of `new A`, we can
just use the feedback for new.target, as both target and new.target are
A in that case.
Bug: v8:5517, v8:6399, v8:6679
Change-Id: I0475e2500e787fd672ed037ac0faed78a8fa5dc0
Reviewed-on: https://chromium-review.googlesource.com/604790
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47210}
This code appears to have been wrong forever, as it only
threw in strict mode (presumably predating ES2015 const).
In order to get exactly the right behavior, special
handling of sloppy named function expressions is required.
Rather than polluting PropertyAttributes with another
dummy value, this CL simply adds a bool output argument
to Context::Lookup to indicate that case.
Bug: v8:6677
Change-Id: I34daa5080d291808f10cbaefc91d716f0b22963b
Reviewed-on: https://chromium-review.googlesource.com/602690
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47207}
The ConstructFunctionForwardVarargs and ConstructForwardVarargs
builtins, which are used when inlining the Reflect.construct
builtin into TurboFan optimized code, didn't properly check the
new.target parameter whether it's a constructor.
Bug: chromium:752481
Change-Id: I9b8f8c429d6eaed0ff8d27fc3f6b52eb906766a2
Reviewed-on: https://chromium-review.googlesource.com/604187
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47206}
This is part of the effort to consolidate the ownership of
wasm instantiation/specialization parameters.
This change is focused solely on the interpreter part of that effort, to
verify we're not regressing performance in interpreter benchmarks.
There are two aspects being addressed:
- dataflow-wise, we always fetch the interpreter's memory view from the
runtime objects (i.e. WasmInstanceObject/WasmCompiledModule). This is
consistent with how other instance-specific information is obtained
(e.g. code, indirect functions).
- representation-wise, we do not reuse ModuleEnv/WasmInstance just for
the memory view, because it is surprising that other instance info isn't
accessed from there.
Bug:
Change-Id: I536fbffd8e1f142a315fa1770ba9b08319f56a8e
Reviewed-on: https://chromium-review.googlesource.com/602083
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47205}
The code accidentally jumped over the actual left-shift part when the
head of the array was the hole.
Bug: chromium:752722
Change-Id: I300a3ebcfafb07d6ecebc01fa57c66eb26f349ac
Reviewed-on: https://chromium-review.googlesource.com/603717
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47204}
