Test mjsunit/regress/regress-992389 explicitly sets the jitless flag
when run.
Skip this test when run on builds without embedded-builtins.
Bug: v8:9632, chromium:992389
Change-Id: Ieb52a33006b1104080d8f5adb8c4f2c36e4413af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758317
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63240}
Instead of inserting "deletion" entries into the store buffer, keep a
list of invalidated objects to filter out invalid old-to-new slots.
The first CL https://crrev.com/c/1704109 got reverted because both the
sweeper and the main task were modifying the invalidated slots data
structure concurrently. This CL changes this, such that the sweeper
only modifies the invalidated slots during the final atomic pause when
the main thread is not running. The sweeper does not need to clean this
data structure after the pause, since the "update pointers" phase
already removed all invalidated slots.
The second CL https://crrev.com/c/1733081 got reverted because the
sweeper might find more free space than the full GC before it. If an
object shrinks after the pause but before the sweep, the invalidated
object might span free memory and potentially new allocated objects.
Therefore shrink invalidated objects when processing swept pages on
the main thread. Also clean recorded slots in the gap.
TBR=petermarshall@chromium.org
Bug: v8:9454
Change-Id: I80d1fa3bbc24e97f7c97a373aaad66f105456f12
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751795
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63239}
Information required for deoptimization is passed from codegen to the
deoptimizer through so-called translations. Translations contain,
among many other things, a 'height' field. It is used during deopts to
calculate the unoptimized frame height (but note that it does not
correspond exactly to the frame height itself - further calculations
on the deopt side are needed to get to the real frame height).
The height field has roughly the following data flow:
1. During codegen, we serialize whatever
FrameStateDescriptor::GetHeight() returns.
2. During deopts, serialized translations are converted into
TranslatedFrame objects in TranslatedState::CreateNextTranslatedFrame.
3. These are later used to arrive at the real frame height in multiple
spots, e.g. in DoComputeInterpretedFrame and friends.
Prior to this CL, we were adding and subtracting 1 in basically random
spots. For example, for interpreted and construct stub frames we added
1 in step 1 and subtracted 1 in step 3. For continuation frames, we
added 1 in step 2 and subtracted it in step 3. Argument adaptor frames
were left untouched.
This CL removes all these +-1's. The height field now contains
locals_count() for interpreted frames, and parameters_count() for
everything else. I also tried to make the meaning of adds/subs clearer
through use of named constants like kTheReceiver.
Bug: v8:9534
Change-Id: I6fd26886ff5aa63930f413d879d5480578d9dc7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751724
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63238}
This reverts commit 29585a06cc.
Reason for revert: Breaks GC stress bots -
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/24009
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/27281
Original change's description:
> [turbofan] Various serializer/broker improvements
>
> They are all somewhat entangled, sorry for the big CL.
>
> - Brokerize remaining feedback vector slots.
> - Introduce Hints::SingleConstant helper.
> - Introduce SerializationPolicy enum.
> - Eliminate use of nullptr for megamorphic load/store ic feedback.
> Instead use the corresponding ProcessedFeedback with an empty list
> of maps or the like. new class MegamorphicFeedback.
> - Separate processing of feedback from serialization. This eliminates
> code duplication.
> - Be very careful when clearing hints not to overwrite hints that are
> being processed.
> - Move AccessInfos out of NamedAccessFeedback. Always store them in
> property_access_infos_ map on broker. (This was actually unused
> before, somewhat by mistake.)
> - Support map inference in concurrent inlining. Rewrite
> ElementAccessFeedback such that we can refine it with the set of
> inferred maps.
>
> TBR: mvstanton@chromium.org
> Change-Id: I05e9eb250bdffc6dff29db01742550a86a41cb31
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752853
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63232}
TBR=mvstanton@chromium.org,neis@chromium.org
Change-Id: I88625d92fddf993db63661666c59af05a47b2b58
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758314
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63237}
The --jitless and --interpreted-frames-native-stack flags are
incompatible since the latter requires code generation while the
former prohibits code generation.
Bug: v8:9619
Change-Id: Ic954724edd6a2d28e1bf2f6a79649f86e812abcf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758312
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63235}
This removes the last dependencies on {JSGraph} from the wasm compiler.
Since the pipeline does not run appropriate lowerings, access to the
simplified or the javascript operator level is disallowed. With this
change that rule is statically enforced.
R=thibaudm@chromium.org
Change-Id: I4a97e63ffc5df1b7704477ac5c68707f5b195166
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758305
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63234}
This reverts commit 82111e2286.
Reason for revert: Speculative revert, could be causing timeouts - https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm%20-%20sim%20-%20debug/17567
Original change's description:
> [CSA][cleanup] TNodify some methods related to prototype and property lookup
>
> This is a CL in a string of CLs that aims to TNodify CSA. In particular,
> there were some loads that were done in AnyTagged instead of
> TaggedPointer. TNode-ifying them brings improvement in pointer
> compression since we are able to decompress using the Pointer
> decompression.
>
> TNodified:
> * LoadJSFunctionPrototype
> * TryPrototypeChainLookup
> * OrdinaryHasInstance
>
> Also TNodified loads regarding:
> * FeedbackCell::kValueOffset
> * HeapObject::kMapOffset
> * JSFunction::kSharedFunctionInfoOffset
> * JSFunction::kFeedbackCellOffset
> * Map::kInstanceTypeOffset
> * Map::kInstanceDescriptorsOffset
> * Map::kPrototypeOffset
>
> Drive-by cleanup: StoreJSArrayLength and StoreElements were unused.
>
> Bug: v8:6949, v8:9396
> Change-Id: I89697b5c02490906be1eee63cf3d9e60a1094d48
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755844
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63216}
TBR=rmcilroy@chromium.org,solanes@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:6949, v8:9396
Change-Id: Ib6ae8fe86a598ed1066894595565e1162cf7dd1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758310
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63233}
They are all somewhat entangled, sorry for the big CL.
- Brokerize remaining feedback vector slots.
- Introduce Hints::SingleConstant helper.
- Introduce SerializationPolicy enum.
- Eliminate use of nullptr for megamorphic load/store ic feedback.
Instead use the corresponding ProcessedFeedback with an empty list
of maps or the like. new class MegamorphicFeedback.
- Separate processing of feedback from serialization. This eliminates
code duplication.
- Be very careful when clearing hints not to overwrite hints that are
being processed.
- Move AccessInfos out of NamedAccessFeedback. Always store them in
property_access_infos_ map on broker. (This was actually unused
before, somewhat by mistake.)
- Support map inference in concurrent inlining. Rewrite
ElementAccessFeedback such that we can refine it with the set of
inferred maps.
TBR: mvstanton@chromium.org
Change-Id: I05e9eb250bdffc6dff29db01742550a86a41cb31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752853
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63232}
- Move undef closer to end of usage
- Move I64x2ExtractWithF64x2 closer to Extract tests, and into ifdef
scope so it runs on arm64 builds
Change-Id: I7138c44097975d02e97f4b2b9bfcddd8eb9735c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1754544
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63227}
This CL adds additional information in PropertyAccessInfos and FieldAccesses about the map that introduced the accessed field. We use this information to prevent load elimination from incorrectly optimizing certain accesses marked const.
Prior to this CL, load elimination simply stored information about eliminatable field accesses based on objects (identified by nodes in the graph) and offsets (i.e., statically known ones). In the presence of const stores and loads this is insufficient, since a single object (in the above sense) may contain distinct *const* properties at the same offset throughout its lifetime. As an example, consider the following piece of code:
let obj = {};
obj.a = 0;
obj[1024] = 1; // An offset of >=1024 forces an elements-kind transition
delete obj.a;
obj.b = 2;
assertEquals(obj.b, 2);
In this scenario, *both* the first ('obj.a = 0') and the second ('obj.b = 2') store to a field will be marked const by the runtime. The reason that storing to 'a' above ends up being marked const is that 'a' before and after the elements-kind transition is encoded in separate transition trees. Removing 'a' ('delete obj.a') only invalidates const-ness in the dictionary-elements transition tree; not the holey-elements one used at the time of 'obj.a = 0'.
The above situation on its own violates an invariant in load elimination. Namely, we assume that for the same object and offset, we will never encounter two const stores. One can extend the above snippet to coax load-elimination into producing incorrect results. For instance, by "hiding" 'obj.b = 2' in an unoptimized function call, the consecutive load from 'b' will incorrectly produce 0, violating the assert.
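The scenario above, packaged as a self-checking regression test (an added example, not code from the CL or from V8's test suite). It runs the exact snippet from the message plus the variant in which the second store is hidden in a separate function, many times over so a tiering engine has a chance to optimize it. On an engine with this fix, every call returns 2; without natives syntax the warm-up loop is only a best-effort way of reaching optimized code, so the assertions are a sanity check rather than a guarantee of hitting TurboFan.

```javascript
'use strict';

// Tiny assertion helper so the block runs stand-alone in Node or d8.
function check(cond, msg) {
  if (!cond) throw new Error('regression check failed: ' + msg);
}

// The snippet from the commit message, wrapped so it can be run repeatedly.
function constStoreScenario() {
  let obj = {};
  obj.a = 0;        // first "const" store, in the holey-elements transition tree
  obj[1024] = 1;    // an index >= 1024 forces an elements-kind transition
  delete obj.a;     // only the dictionary-elements tree sees the delete
  obj.b = 2;        // second "const" store at the same offset
  return obj.b;     // a miscompiled load would read 0 here
}

// Variant from the message: the second store is "hidden" in another function,
// so the frame doing the load does not see the store itself.
function storeB(o) { o.b = 2; }
function hiddenStoreScenario() {
  let obj = {};
  obj.a = 0;
  obj[1024] = 1;
  delete obj.a;
  storeB(obj);
  return obj.b;
}

// Run both scenarios repeatedly and verify the load each time.
function runRegression(iterations) {
  for (let i = 0; i < iterations; i++) {
    check(constStoreScenario() === 2, 'obj.b after delete+store (inline)');
    check(hiddenStoreScenario() === 2, 'obj.b after delete+store (hidden)');
  }
  return true;
}

runRegression(10000);
```

Run it with `node` or `d8`; a failing engine throws on the first iteration in which the load was eliminated against the stale const value.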
R=neis@chromium.org, tebbi@chromium.org
Bug: chromium:980183, chromium:983764
Change-Id: I576a9c7efd416fa9db6daff1f42d483e4bd369b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751346
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63226}
V8_EXPORT is not required for public class templates, and using it may
lead to linker errors when users attempt to dllimport V8.
Change-Id: I0b2db2371d0fcbf50af94ba629670486b8f2bc00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1757284
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63225}
GetIterator currently acts as a property load of the iterator symbol
(soon it will also call it). It makes sense to apply the same early
lowering logic as we do for property loads in the bytecode graph
builder. This also brings our treatment of the bytecode in-line with
the way it's treated in the serializer, which already respects the
early-lowering semantics.
Bug: v8:7790
Change-Id: Ieadc4b307b9f6d9a5aa77ca10c7c818026776f33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758304
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63224}
There are some accesses that we know that are pointers, and we can
specialize them to have Pointer as their Machine Type and Write Barrier.
Drive-by fix: ForJSGeneratorObjectParametersAndRegisters can be changed
to use Pointer.
Bug: v8:7703
Change-Id: I88e371746fc5f08c84795c95b1885264ef6c067c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741658
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63223}
This removes the restriction on load elimination to only track fields
of representations with kTaggedSize, and instead also allows fields with
representations using multiples of kTaggedSize (that is, Float64 and Word64
on pointer-compressed or 32-bit platforms).
In order not to regress JIT-compile time for the common case of
kTaggedSize-sized fields, we maintain information for bigger fields multiple
times, once for each kTaggedSize-multiple offset that covers it. By checking
that all copies of this information are still there when reading from the
load elimination state, updates to the load elimination state don't need to
take special care of bigger fields.
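A toy model of the state layout described above (an added example, not V8 code): field information is keyed by (object, offset) in units of kTaggedSize, a field wider than one slot is recorded once per slot it covers, and a lookup is only allowed to eliminate the load when every covered slot still holds the same record. The object identifiers, the 4-byte kTaggedSize (a pointer-compressed or 32-bit platform) and the value strings are assumptions made for the illustration.

```javascript
'use strict';

// Assumption for this toy: pointer compression or a 32-bit platform.
const kTaggedSize = 4;

class ToyLoadEliminationState {
  constructor() { this.fields = new Map(); }

  key(obj, offset) { return `${obj}@${offset}`; }

  // Record a store. One shared record is written to every kTaggedSize slot the
  // field covers, so later stores to any part of it overwrite a copy.
  store(obj, offset, size, value) {
    const info = { value, offset, size };
    for (let o = offset; o < offset + size; o += kTaggedSize) {
      this.fields.set(this.key(obj, o), info);
    }
    return info;
  }

  // Look a field up. The load can only be eliminated if the record at the
  // start slot describes exactly this field and all covered slots still point
  // at that same record; otherwise return undefined (keep the real load).
  load(obj, offset, size) {
    const first = this.fields.get(this.key(obj, offset));
    if (first === undefined || first.offset !== offset || first.size !== size) {
      return undefined;
    }
    for (let o = offset; o < offset + size; o += kTaggedSize) {
      if (this.fields.get(this.key(obj, o)) !== first) return undefined;
    }
    return first.value;
  }
}

// Walk through the interesting case: a Float64 field (two slots) is stored,
// then a plain tagged store lands in its upper half.
function demo() {
  const s = new ToyLoadEliminationState();
  const obj = 'node42';                  // stands in for a graph node
  s.store(obj, 8, 8, 'double-v1');       // Float64 at offset 8 covers slots 8 and 12
  const hit = s.load(obj, 8, 8);         // both copies present: 'double-v1'
  s.store(obj, 12, 4, 'tagged-v2');      // ordinary tagged store, no special casing
  const miss = s.load(obj, 8, 8);        // slot 12 now differs: undefined
  const partial = s.load(obj, 12, 4);    // the narrow field itself is still known
  return { hit, miss, partial };
}

console.log(demo());
```

The point of the layout is visible in `store`: the tagged store to offset 12 needs no knowledge that a wider field once covered that slot, because the consistency check in `load` discovers the overwrite.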
Change-Id: I9b5f3d2d6e3b4f145c20d33fbc764869bf50a365
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752843
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63222}
Create a new function NewHeapNumberForCodeAssembler used only by
CodeAssembler that allocates in read_only_space whenever it is writable
(e.g. when constructing builtins). This can allocate in old_space for
CSA tests that run after read_only_space is sealed.
This moves 512 bytes from old_space to read_only_space.
Bug: v8:7464
Change-Id: I3e29b38a8c062fa74feed63ecf0d07625c04347f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752855
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63220}
This reverts commit f54f92dda1.
Reason for revert: CSA_ASSERTS failing while rolling into Chromium,
see https://crbug.com/994103 for details.
Original change's description:
> [builtins] Port RegExpTest to Torque
>
> Bug: v8:8976
> Change-Id: Ia4dc120a31eb363599b47b22b749a3146a9c7c73
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1746083
> Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63211}
TBR=jgruber@chromium.org,tebbi@chromium.org,duongn@microsoft.com,szuend@chromium.org
Change-Id: Id3e1fe4e323826d3a48db667b032f0fddd7cb064
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8976
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1756389
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63217}
This is a CL in a string of CLs that aims to TNodify CSA. In particular,
there were some loads that were done in AnyTagged instead of
TaggedPointer. TNode-ifying them brings improvement in pointer
compression since we are able to decompress using the Pointer
decompression.
TNodified:
* LoadJSFunctionPrototype
* TryPrototypeChainLookup
* OrdinaryHasInstance
Also TNodified loads regarding:
* FeedbackCell::kValueOffset
* HeapObject::kMapOffset
* JSFunction::kSharedFunctionInfoOffset
* JSFunction::kFeedbackCellOffset
* Map::kInstanceTypeOffset
* Map::kInstanceDescriptorsOffset
* Map::kPrototypeOffset
Drive-by cleanup: StoreJSArrayLength and StoreElements were unused.
Bug: v8:6949, v8:9396
Change-Id: I89697b5c02490906be1eee63cf3d9e60a1094d48
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755844
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63216}
Previously we allowed for only one extra parameter on the stack,
this CL makes it dynamic based on the kArgCount value.
Change-Id: I18cd74d0cc0ecba6fb75dcee991a0e907d423d6a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755411
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Reviewed-by: Milad Farazmand <miladfar@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#63215}
Fixes DCHECK failure in DropStackFrameCacheCommon by returning early if
the source_position_table is Exception.
Bug: chromium:990582, v8:8510
Change-Id: I671f3e0cdc9f880dedf8ecd2fffb1083229dc6dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752856
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63209}
This CL increases the maximum number of arguments for CallCFunction to
10 (was 9 previously).
All simulators also support up to 10 arguments now for host-calls.
Bug: v8:9621
Change-Id: Ib21cd39e965cdfcb0b04412261dc02e5fe106e47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752852
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63208}
This change makes the code compatible with both Python 2 and Python 3.
Change-Id: I99d68af9c3163607c3a2fdbafac339a98b7471e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751331
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63207}
Otherwise there is a mismatch between eager parsing (where the receiver
is marked as MaybeAssigned) and lazy parsing (where the receiver is
deserialized and not marked MaybeAssigned) for arrow functions that
have an inner scope that calls eval.
BUG=chromium:989914
Change-Id: I8b8b78140858985a75a971b0e0a95bd61463457b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752851
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63206}
Moved code from the .cc file to the .h file, and added comments on important
methods.
There is still room for more cleanup / refactor, but it doesn't seem worth
it right now.
Bug: v8:9396
Change-Id: Id14d3ccaa853e0704732d468df504c379cd114b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748735
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63205}
The builtin in question was just tail-calling another existing builtin
anyways. Call sites of the above builtin are rare and only appear in
import wrappers; removing the unnecessary hop is more efficient.
R=thibaudm@chromium.org
Change-Id: I42286346119fc627f8b9ef23fb6e4b2da1da80de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752847
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63204}
Consistent naming, moved methods, etc.
There is a follow-up CL that moves code from this .cc to the private
part of the class in the .h file.
Bug: v8:9396
Change-Id: I9efac09baff7403bce1be9712c090d2ea70b60f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748734
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63203}
Since we can just use the lower bits, we can make the compressions no-ops.
As a note, they still change the representation so that the machine graph
verifier is happy.
X64's version of: https://chromium-review.googlesource.com/c/v8/v8/+/1751722
Bug: v8:7703
Change-Id: I728eb8b6b3953f053a7042797f3c498d13e3c948
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751729
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63202}
We cherish the ability to create a (for example) JSFunctionRef by
passing an object handle in phases of the compiler where we can't
inspect the handle to verify the instance type. A slight change to
constructor definitions of classes derived from ObjectRef allows us to
police this typing effectively.
Bug: v8:7790
Change-Id: I6ac8e4780d578e9c9cad80fdc87f399a92bc988d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751343
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Auto-Submit: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63199}
This is a reland of
https://chromium-review.googlesource.com/c/v8/v8/+/1749712 with a fix in
test-run-wasm-simd.cc to use base::Divide to work around C++ undefined
behavior when the denominator is 0.
Bug: v8:8460
Change-Id: Ia0a4ff621cccc6d9b7528717bf3fa7c79e42ba1a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1745819
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63198}
PagedSpace::Available() is mostly used for counters. One may expect
that it'd be constant time or barely noticeable performance-wise, but
its cost is linear in the number of freelists and number of pages in
the freelists. Overall, d8 --prof showed that it has an important
runtime cost, and prevents freelists from scaling.
This CL makes this counter constant-time, and should improve
performance, even with our current FreeList strategy
(FreeListLegacy).
Bug: v8:9329
Bug: v8:9093
Change-Id: I7682c5debc78498fe46e8dbce70b2fbd540b0fd0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1746473
Commit-Queue: Darius Mercadier <dmercadier@google.com>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63197}
After compression, the values should only be used for their lower 32-bits (W registers).
This removes unnecessary 'ubfx' zero-extends.
The size of the embedded builtins is reduced by 0.2%.
This improves the ARES-6 by ~1.0%.
Bug: v8:7703
Change-Id: Ib9bd771b51e85717f415a346b37428f8821bf278
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751722
Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63196}
When GC is triggered while an exception is pending, a read from
memory that was no longer valid could happen while backtracking in the
regexp interpreter (introduced with commit fb0df2c).
This CL prevents this dirty read, which could have been a security issue.
Bug: chromium:992389, v8:9575
Change-Id: Ie1acd6faa16665e211666c6a8dcf2a9d74e0c886
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751342
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63195}
Port c4d31fea9e
Original Commit Message:
Stack limits were additionally maintained in pseudo-smi roots.
"Pseudo", because we stored the raw limit pointers there, just making
sure their values looked like smis by masking the least significant
bits.
This mechanism is no longer needed now that we can access the stack
limit external references as efficiently as the smi roots.
R=jgruber@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: Ida5c1fe10a494e9c6d665425bd464228978ecd1b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752142
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#63194}
Previously we only used this flag if asm_wasm instantiation failed, but
we should avoid trying asm_wasm again if we failed during the initial
parse/compile, in case we have to recompile due to bytecode flushing. This
also avoids issues if there is a transient reason we fail asm_wasm compilation
(e.g., stack overflow) and later recompilations succeed and cause
inconsistencies like in the linked bug.
BUG=chromium:991133
Change-Id: Id156efa9d8625ce3db2058cb279ea23aeb66052f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751784
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63192}
We were going to 64 bits only to go back to 32 bits. For example,
TruncateInt64ToInt32(BitcastTaggedSignedToWord(ChangeCompressedToTagged(x)))
when that doesn't modify the value at all.
In order to keep the machine graph verifier happy two bitcast operations
were introduced.
As a drive-by nit cleanup, there were two empty lines between some
function implementations in machine-operator-reducer.cc.
Bug: v8:7703
Change-Id: Ifaa0d656010fe4f6f6f4581a2bb6633f060245b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1749383
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63191}