Previously only references to function contexts embedded in optimized
code were treated weakly, but TurboFan (and to some extent Crankshaft) can
embed any kind of context into optimized code.
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/1562083003
Cr-Commit-Position: refs/heads/master@{#33155}
port a94d6d6ede (r33108)
original commit message:
The mode requires an extra register, and since we aren't supporting it now, we can dispense with it.
BUG=
Review URL: https://codereview.chromium.org/1561943002
Cr-Commit-Position: refs/heads/master@{#33147}
This correctly marks functions containing a new.target reference as
being disabled with Crankshaft, which would have bailed out anyways.
Also note that this will trigger TurboFan for such functions and hence
widens the TurboFan intake valve.
Review URL: https://codereview.chromium.org/1568763002
Cr-Commit-Position: refs/heads/master@{#33146}
This patch implements @@species, guarded behind the --harmony-species
flag, on Arrays. Methods which return an Array will instead return
the appropriate instance based on the ArraySpeciesCreate algorithm.
The algorithm is implemented in C++ to get access to realm information
and to implement some Array methods in C++, but it is also accessed
from JavaScript through a new runtime function. A couple interactive
Octane runs show no performance regression with the flag turned off,
but turning --harmony-species on will surely have a significant
regression, as Array methods now heavily use ObjectDefineProperty.
BUG=v8:4093
LOG=Y
R=adamk,cbruni
Review URL: https://codereview.chromium.org/1560763002
Cr-Commit-Position: refs/heads/master@{#33144}
The reason is the same as for CL #31808 (issue 1430943002, X87: Change the test case for X87 float operations); please refer to: https://codereview.chromium.org/1430943002/
Here are the key comments from CL #31808:
Some new test cases use the CheckFloatEq(...) and CheckDoubleEq(...) functions for result checks. When GCC compiles the CheckFloatEq() and CheckDoubleEq() functions, those inlined functions behave differently in the GCC ia32 build and the x87 build.
The major difference is that an SSE float register still has single-precision rounding semantics, while an X87 register has no such rounding precision semantics when the register value is used directly.
The V8 TurboFan JITted code has exactly the same result in both the X87 and IA32 ports.
So we add the following sentence to do a type cast to keep the same precision for Run_WasmCall_Float32Sub.
Such as: volatile float expect = *i +/- *j; // *i +/- *j, etc.
BUG=
Review URL: https://codereview.chromium.org/1561023002
Cr-Commit-Position: refs/heads/master@{#33143}
- Each of the three deprecated Promise functions
- Two nonstandard pieces of Intl functionality
- Accesses of the RegExp.prototype.unicode getter on the prototype
BUG=v8:3785,v8:3238,v8:4633
LOG=N
R=adamk
TBR=hpayer
Review URL: https://codereview.chromium.org/1558113002
Cr-Commit-Position: refs/heads/master@{#33142}
This required refactoring ParsePropertyDefinition to pass the parsed
string name as an out param, since ObjectLiteralProperty stores Smis
for Smi-representable property keys.
Computed properties are not yet handled in this patch.
BUG=v8:3699
LOG=n
Review URL: https://codereview.chromium.org/1563923002
Cr-Commit-Position: refs/heads/master@{#33141}
Utilise Dextu, Dextm on mips64 for widths and positions larger
than 32.
TEST=
BUG=
Review URL: https://codereview.chromium.org/1552483002
Cr-Commit-Position: refs/heads/master@{#33138}
Addresses TODO by Dan --- simply by moving the check and exception
earlier in the function, before calling NewPromiseCapability() or
loading the constructor.
BUG=v8:4633
LOG=N
R=adamk@chromium.org, littledan@chromium.org, cbruni@chromium.org
Fixes 'test262/built-ins/Promise/prototype/then/context-check-on-entry'
Review URL: https://codereview.chromium.org/1561193002
Cr-Commit-Position: refs/heads/master@{#33137}
Several ports to enable r6 compact branch optimizations on MIPS64
Port 3573d3cb58
Original commit message:
MIPS: r6 compact branch optimization.
Port bddf8c9e08
Original commit message:
MIPS: Fix trampoline pool handling in MacroAssembler::BranchShort()
Port 6993cd0de5
Original commit message:
MIPS: Fix 'MIPS:r6 compact branch optimization.'
Jic and jialc compact branch ops are fixed as they do
not have the 'forbidden slot' restriction. Also COP1 branches
(CTI instructions) added to IsForbiddenAfterBranchInstr().
Port bb332195d3
Original commit message:
MIPS: Fix trampoline pool handling in MacroAssembler::BranchShort()
Port c91bcf7192
Original commit message:
MIPS: Fix trampoline pool handling in MacroAssembler::BranchShort()
for r6.
BUG=
Review URL: https://codereview.chromium.org/1534183002
Cr-Commit-Position: refs/heads/master@{#33136}
The implementation temporarily modifies jssp to avoid needing a scratch
register, then restores it afterwards. However, the exception path
wasn't properly restoring the value.
With this patch, failures in this part of AssertStackConsistency get
reported properly (with backtrace and a BailoutReason).
BUG=
Review URL: https://codereview.chromium.org/1556993004
Cr-Commit-Position: refs/heads/master@{#33135}
Rolling v8/buildtools to 81863fe70639e85606b541d9d36e9e98c96b957e
Rolling v8/tools/clang to fe8d232767c63ce43873ffef101063a5791d171e
TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org
Review URL: https://codereview.chromium.org/1561063002
Cr-Commit-Position: refs/heads/master@{#33134}
This patch doesn't ship all features of ES2015 variable/scoping
changes, notably omitting the removal of legacy const. I think
function hoisting, let and class in sloppy mode can stand to
themselves as a package, and the legacy const change is much
riskier and more likely to be reverted, so my intention is to
pursue those as a separate, follow-on patch.
R=adamk@chromium.org
BUG=v8:4285,v8:3305
LOG=Y
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1551443002
Cr-Commit-Position: refs/heads/master@{#33133}
JIC and JIALC instructions do not have a forbidden slot so their
simulator implementation should not call CheckForbiddenSlot function.
BUG=
Review URL: https://codereview.chromium.org/1562473002
Cr-Commit-Position: refs/heads/master@{#33130}
Correctly validate promise capabilities in NewPromiseCapabilities() and in
GetCapabilitiesExtractor(). Also explicitly follows Promise.race step 2 and
similar cases in the spec, rather than passing tests asserting these steps
are taken in NewPromiseCapability.
Also changes Promise.reject to match specification.
Fixes the following test262 tests:
- built-ins/Promise/all/capability-executor-called-twice.js
- built-ins/Promise/all/capability-executor-not-callable.js
- built-ins/Promise/prototype/then/capability-executor-called-twice.js
- built-ins/Promise/prototype/then/capability-executor-not-callable.js
- built-ins/Promise/reject/capability-executor-called-twice.js
- built-ins/Promise/reject/capability-executor-not-callable.js
- built-ins/Promise/resolve/capability-executor-called-twice.js
- built-ins/Promise/resolve/capability-executor-not-callable.js
- built-ins/Promise/race/capability-executor-called-twice.js
- built-ins/Promise/race/capability-executor-not-callable.js
- built-ins/Promise/reject/S25.4.4.4_A3.1_T1.js
- built-ins/Promise/race/S25.4.4.3_A3.1_T2.js
Per v8:3641, mjsunit/es6/debug-promises/throw-with-undefined-reject.js becomes invalid. The exception is thrown before the chain handler is ever invoked, and is caught externally by d8's own handler --- thus evading the uncaught exception event.
BUG=v8:4633, v8:4631, v8:4243, v8:3641
LOG=N
R=littledan@chromium.org, cbruni@chromium.org
Review URL: https://codereview.chromium.org/1531073004
Cr-Commit-Position: refs/heads/master@{#33128}
Work around ppc assembler use of Mul, Div macros.
Disable several tests that fail for nosse4.
Disable several tests that fail for msan.
BUG=
R=titzer@chromium.org
Review URL: https://codereview.chromium.org/1562513002
Cr-Commit-Position: refs/heads/master@{#33126}
This increases the size of addressable constant pool entries for jumps
to match other bytecodes using operands indexing the constant pool.
This change also introduces reservations for constant pool entries.
Reservations are used for forward jumps to ensure a constant pool entry
will be available when the jump target (label) is bound and the jump is
patched up in the bytecode array.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1546683002
Cr-Commit-Position: refs/heads/master@{#33125}
Throws an error if rest parameters are used. This feature is not
yet supported in interpreter.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1561603002
Cr-Commit-Position: refs/heads/master@{#33120}
For a prototype chain foo -> global_proxy -> global_object, we used to
register a dependency from foo -> global_object. This is incorrect when
the global_proxy/global_object pairing is modified, e.g. when navigating
in iframes. With this patch, we properly register foo -> global_proxy and
global_proxy -> global_object dependencies.
Additionally, when a prototype's prototype changes from null to something
else, this new usage relation must be registered if there are other users
further down on the prototype chain that might expect a complete chain of
registrations to exist (which was the case before, and must be preserved).
BUG=chromium:571517
LOG=n
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/1559323002
Cr-Commit-Position: refs/heads/master@{#33119}
Fixes StateValuesRequireUpdate function to return false if deoptimization is not enabled.
When deoptimization is not enabled there is no need to create nodes for state values.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1551363002
Cr-Commit-Position: refs/heads/master@{#33116}
Deopt support is added on two levels. On the IR level,
a new ObjectState node is added, which represents an
object to be materialized. ObjectState nodes appear as
inputs of FrameState and StateValues nodes. On the
instruction select/code-generation level, the
FrameStateDescriptor class handles the nesting
introduced by ObjectState, and ensures that deopt code
with CAPTURED_OBJECT/DUPLICATED_OBJECT entries is
generated similarly to what crankshaft's escape
analysis does.
Two unittests test correctness of the IR level implementation.
Correctness for instruction selection / code generation
is tested by mjsunit tests.
R=jarin@chromium.org,mstarzinger@chromium.org
BUG=v8:4586
LOG=n
Review URL: https://codereview.chromium.org/1485183002
Cr-Commit-Position: refs/heads/master@{#33115}
This changes representation inference to be bidirectional:
1. truncations are propagated from uses to definitions.
2. output types are propagated from definitions to uses.
(and nodes are revisited until fixpoint.)
At the moment, (2) is used only superficially; the idea here is to
use the output type propagation to propagate types from type feedback.
For the output types to be usable, we need to keep track of the type
of the JavaScript value rather than the truncated value. Otherwise,
representation inference could not rely on the ranges indicated
by the values.
For example, for "var b = (a|0) + (a|0); return (b/16) >>> 0",
the type of b cannot be int32; otherwise the division "b/16"
would believe that it is fine to do an integer division on
the truncated value, which would give a wrong result for
2^31 <= a < 2^32.
The change makes representation inference a bit more expensive
(the phase is about 20% slower), but since this is only a small part
of the overall compiler time, the overall effect is negligible.
If the running time becomes a problem, we could optimize this by
remembering when the nodes are stable (i.e., no further changes to
type/truncations) and/or explicit subscriptions for changes.
BUG=v8:4583
R=bmeurer@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/1490763003
Cr-Commit-Position: refs/heads/master@{#33112}
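The "b cannot be int32" argument from the commit message above, as an added example that is not part of the commit or of V8's code: it runs the quoted function beside a model of what would be computed if b were typed as int32, and reports the inputs on which the two disagree. The function names and the sample inputs are constructed for illustration.

```javascript
// Added illustration; not V8 source. All names here are hypothetical.

// The function from the commit message, with ordinary JavaScript semantics:
// b is a double and may lie outside the int32 range.
function reference(a) {
  var b = (a | 0) + (a | 0);
  return (b / 16) >>> 0;
}

// Models the result if representation inference wrongly typed b as int32:
// the add wraps to 32 bits and the division runs on the truncated value.
function typedAsInt32(a) {
  var b = ((a | 0) + (a | 0)) | 0;   // 32-bit wrapping add
  return ((b / 16) | 0) >>> 0;       // truncating int32 division
}

// Differential check: returns the inputs on which the two versions disagree.
function divergingInputs(inputs) {
  return inputs.filter(function (a) {
    return reference(a) !== typedAsInt32(a);
  });
}

// Constructed sample inputs: small values, the largest input whose sum still
// fits in int32, and values from the range named in the commit message.
var SAMPLES = [0, 7, 100, 2 ** 30 - 1, 2 ** 31, 2 ** 31 + 8];

console.log(divergingInputs(SAMPLES)); // inputs where the int32 model is wrong
```

A differential check of this shape (slow reference path against the optimized path over boundary values) is the usual way to pin down a typing or range-analysis miscompile as a regression test.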
The FP parameters for X87 should be put on the stack and the FP return value
should be put in the stX_0 register.
So this CL defines the FP_RETURN_REGISTERS as stX_0 only.
BUG=
Review URL: https://codereview.chromium.org/1545203002
Cr-Commit-Position: refs/heads/master@{#33110}
Almost all of the Date builtins always call into C++ at least once
anyway, so parsing, compiling and executing the JavaScript wrappers
is just a waste of time. The most important part here is the Date
constructor itself, which is one of the blockers for new.target in
TurboFan, because compiling the Date constructor takes too much time
with TurboFan (for no reason since we end up in C++ anyway).
R=cbruni@chromium.org
Review URL: https://codereview.chromium.org/1556333002
Cr-Commit-Position: refs/heads/master@{#33109}
The mode requires an extra register, and since we aren't supporting
it now, we can dispense with it.
BUG=
Review URL: https://codereview.chromium.org/1559903003
Cr-Commit-Position: refs/heads/master@{#33108}