These crashes were caused by an invalid pointer stored in a tagged
variable in SubStringStub. This can be reproduced by calling the stub on
an external string and ensuring GC kicks in on the subsequent
allocation.
Only the TurboFan implementation of SubStringStub is affected; the current
PlatformStub implementation handles this case just fine.
BUG=chromium:649967
Review-Url: https://codereview.chromium.org/2374603003
Cr-Commit-Position: refs/heads/master@{#39772}
Reason for revert:
Regresses jank and memory. Revert for offline analysis.
Original issue's description:
> [heap] Always use the passed-in collector in CollectGarbage.
>
> Do not overwrite a collector decision.
>
> BUG=
>
> Committed: https://crrev.com/c19abaddafb5ede5e0d5efbe608b7fc5d7c7fcd0
> Cr-Commit-Position: refs/heads/master@{#39585}
TBR=ulan@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=
Review-Url: https://codereview.chromium.org/2369933004
Cr-Commit-Position: refs/heads/master@{#39770}
1) To get proper test coverage for the flag turned off
2) We need more scope analysis in the PreParser to not disable
optimizations for some common cases (inner function "var i" shadowing
outer function vars).
R=verwaest@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2365263005
Cr-Commit-Position: refs/heads/master@{#39768}
Turn the StringEqualStub and friends into proper TurboFan builtins,
which means that we don't need to do on-demand compilation for those
stubs, and use those to defer lowering of the StringEqual, etc.
simplified operators to effect/control linearization (i.e. move it to
the concurrent recompilation part).
BUG=v8:5428
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2363333003
Cr-Commit-Position: refs/heads/master@{#39762}
They are nops, but will be used when verifying the machine graph.
BUG=
Review-Url: https://codereview.chromium.org/2367413002
Cr-Commit-Position: refs/heads/master@{#39758}
The MachineOperatorReducer was only reducing word32 expressions of the type x << y | x >>> (32 - y) (and variants) to the equivalent Word32Ror. This CL applies the same pattern-matching logic to Word32Xor.
BUG=
Committed: https://crrev.com/a86397d890d3caa01a947e2a6e71beb1f58e6e6b
Review-Url: https://codereview.chromium.org/2199323003
Cr-Original-Commit-Position: refs/heads/master@{#38284}
Cr-Commit-Position: refs/heads/master@{#39757}
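The rotate patterns named in the commit above, checked as an added example in plain JavaScript rather than in V8's own reducer code. JS shift counts are masked to five bits (count & 31), the same convention the machine-level shifts follow, so the OR/XOR equivalence and its one edge case can be observed directly. The names `rotl32Ref`, `rotlViaOr`, `rotlViaXor` and `checkRotatePatterns` and the sample words are chosen here and are not V8 identifiers; whether the reducer guards the zero-count case is not stated in the commit message.

```javascript
// Added example, not V8 code: the word32 rotate patterns the
// MachineOperatorReducer matches, evaluated with JS shift semantics
// (shift count masked to 5 bits, as on the target machines).

const MASK32 = 0xFFFFFFFFn;

// Reference rotate-left using BigInt, whose shifts are not masked, so it is
// independent of the patterns under test.
function rotl32Ref(x, y) {
  const b = BigInt(x >>> 0);
  const n = BigInt(y & 31);
  return Number(((b << n) | (b >> (32n - n))) & MASK32);
}

// Pattern the reducer already matched: x << y | x >>> (32 - y).
function rotlViaOr(x, y) {
  return ((x << y) | (x >>> (32 - y))) >>> 0;
}

// Pattern the CL adds: x << y ^ x >>> (32 - y).
function rotlViaXor(x, y) {
  return ((x << y) ^ (x >>> (32 - y))) >>> 0;
}

// Compare both forms against the reference for every count 0..31 and report
// the (form, x, y) triples that disagree. For 1 <= y <= 31 the two shifted
// halves occupy disjoint bit positions, so OR and XOR give the same word.
// For y == 0 the count 32 - y is masked to 0, both halves equal x, and
// x ^ x == 0 whereas the rotate (and x | x) is x.
function checkRotatePatterns(samples) {
  const mismatches = [];
  for (const x of samples) {
    for (let y = 0; y < 32; y++) {
      const ref = rotl32Ref(x, y);
      if (rotlViaOr(x, y) !== ref) mismatches.push({ form: 'or', x, y });
      if (rotlViaXor(x, y) !== ref) mismatches.push({ form: 'xor', x, y });
    }
  }
  return mismatches;
}

// Constructed sample words (not from the page).
const SAMPLE_WORDS = [0xDEADBEEF, 0x80000001, 1, 0x7FFFFFFF, 0];
const report = checkRotatePatterns(SAMPLE_WORDS);
console.log(`${report.length} mismatches`, report);
```

The only disagreements are the XOR form at a count of zero, one per nonzero sample word. The XOR form is therefore a rotate only when the count is known to be nonzero, which is the condition to look for when reviewing any rewrite of this shape.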
Reason for revert:
Stability thief found, relanding speculative reverts.
Original issue's description:
> Revert of Preparse functions in the scope that was created when parsing of the function was started (patchset #2 id:20001 of https://codereview.chromium.org/2370713003/ )
>
> Reason for revert:
> Needed for https://codereview.chromium.org/2373443003/
>
> Original issue's description:
> > Preparse functions in the scope that was created when parsing of the function was started
> >
> > This reduces the number of scopes for lazily parsed top-level functions from 3 to 1
> >
> > BUG=v8:5209
> >
> > Committed: https://crrev.com/9618d095903c604a032b33792c068f4a6169503c
> > Cr-Commit-Position: refs/heads/master@{#39725}
>
> TBR=marja@chromium.org,verwaest@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:5209
>
> Committed: https://crrev.com/0cef7100da0b609403c9026fb7307192a898a390
> Cr-Commit-Position: refs/heads/master@{#39729}
TBR=marja@chromium.org,verwaest@chromium.org,hablich@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2377593002
Cr-Commit-Position: refs/heads/master@{#39756}
Reason for revert:
Stability thief found, relanding speculative reverts.
Original issue's description:
> Revert of Preparse inner functions (new try) (patchset #21 id:420001 of https://codereview.chromium.org/2352593002/ )
>
> Reason for revert:
> We currently have some stability issues on Canary. Let's reland this after we verified that we "fixed" Canary again.
>
> Original issue's description:
> > Preparse inner functions (new try)
> >
> > This is an overly pessimistic approach where PreParser only keeps
> > track of unresolved variables, but doesn't declare anything. This
> > will result in context-allocating variables in the outer function
> > unnecessarily, if the variable names clash with variable names
> > used by the inner function (even if the variables are not the
> > same). However, we have been unable to prove that this approach
> > wouldn't be good enough for practical purposes.
> >
> > Fixes after the previous try ( https://codereview.chromium.org/2322243002/ ):
> > Keep the context-allocation decision stable when compiling fully eagerly.
> >
> > Tests which exercise this functionality:
> > mjsunit/fixed-context-shapes-when-recompiling.js
> >
> > Design document (chromium):
> >
> > https://docs.google.com/a/chromium.org/document/d/1rRv5JJZ0JpOZAZN2CSUwZPFJiBAdRnTiSYhazseNHFg/edit?usp=sharing
> >
> > BUG=
> >
> > Committed: https://crrev.com/7c73cf32c60484cdf37c84f1d61b4640e87068d7
> > Cr-Commit-Position: refs/heads/master@{#39719}
>
> TBR=verwaest@chromium.org,adamk@chromium.org,marja@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=
>
> Committed: https://crrev.com/1e6296b2a7cfc307fd9e722e619f42965da4a267
> Cr-Commit-Position: refs/heads/master@{#39730}
TBR=verwaest@chromium.org,adamk@chromium.org,marja@chromium.org,hablich@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2377513006
Cr-Commit-Position: refs/heads/master@{#39755}
Ignition collects type feedback for binary and compare operations in the type
feedback vector, and FCG uses Binary/CompareOpICs to collect type feedback.
The feedback collected by Ignition is not used by Crankshaft. This hurts
performance when trying to optimize functions that did not tier up to FCG.
This CL merges the feedback collected by Ignition and FCG when passing it to
Crankshaft.
BUG=v8:4280
Review-Url: https://codereview.chromium.org/2361043002
Cr-Commit-Position: refs/heads/master@{#39753}
Without --enable-benchmarking we might get flaky results due to active
finch experiments.
BUG=
NOTRY=true
Review-Url: https://codereview.chromium.org/2369903002
Cr-Commit-Position: refs/heads/master@{#39752}
This CL introduces StoreICTFStub and StoreICTrampolineTFStub and a switch
to enable them instead of respective platform stubs.
This should ease the split of StoreIC to StoreGlobalIC and StoreIC.
StubCache tests now exercise both load and store ICs.
BUG=chromium:576312
Review-Url: https://codereview.chromium.org/2163253002
Cr-Commit-Position: refs/heads/master@{#39751}
If we want to allow this in the future, we must force context-allocation for all
variables that are declared at the module level but not MODULE-allocated.
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2373573003
Cr-Commit-Position: refs/heads/master@{#39745}
Use an unordered_map<Module, unordered_set<String>> to keep track
of visited Module/ExportName pairs during ResolveExport.
This required adding a Hash() method to Module, which is accomplished
by allocating a Symbol and storing it in the SharedFunctionInfo::name
slot, then delegating the hash to that Symbol.
Also added a helper method Module::shared() to easily get hold of
the SharedFunctionInfo and call it in the appropriate places instead
of re-doing the ternary operator.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2367623004
Cr-Commit-Position: refs/heads/master@{#39743}
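The visited-set walk the commit above describes, written out as an added example in JavaScript following the ES ResolveExport algorithm; it is not V8's code. `makeModule`, `resolveExport`, `resolveIn`, the `registry` map and the four-module graph are constructed for this example, and the `Map<module, Set<exportName>>` plays the role of the unordered_map<Module, unordered_set<String>> in the commit. The graph includes a star-export cycle (A and B re-export each other) and a name that B re-exports from two different modules, the two cases the visited set and the ambiguity check exist for.

```javascript
// Added example, not V8's implementation: ES ResolveExport with a visited
// set of (module, exportName) pairs. Module records and the registry are
// constructed here for illustration.

const AMBIGUOUS = Symbol('ambiguous');

// A minimal module record holding the three kinds of export entries.
function makeModule(name, { local = {}, indirect = {}, stars = [] } = {}) {
  return {
    name,
    local: new Map(Object.entries(local)),       // exportName -> localName
    indirect: new Map(Object.entries(indirect)), // exportName -> [module, importName]
    stars,                                        // module names for `export * from`
  };
}

// Returns { module, bindingName }, null (not found), or AMBIGUOUS.
// resolveSet: Map<moduleRecord, Set<exportName>> of pairs visited on this path.
function resolveExport(registry, module, exportName, resolveSet = new Map()) {
  // Circular chain of star/indirect exports: this (module, exportName) pair
  // was already visited, so answer "not found" instead of recursing forever.
  let seen = resolveSet.get(module);
  if (seen && seen.has(exportName)) return null;
  if (!seen) { seen = new Set(); resolveSet.set(module, seen); }
  seen.add(exportName);

  if (module.local.has(exportName)) {
    return { module, bindingName: module.local.get(exportName) };
  }
  if (module.indirect.has(exportName)) {
    const [target, importName] = module.indirect.get(exportName);
    return resolveExport(registry, registry.get(target), importName, resolveSet);
  }
  // `export *` never re-exports a default binding.
  if (exportName === 'default') return null;

  let starResolution = null;
  for (const target of module.stars) {
    const resolution = resolveExport(registry, registry.get(target), exportName, resolveSet);
    if (resolution === AMBIGUOUS) return AMBIGUOUS;
    if (resolution === null) continue;
    if (starResolution === null) {
      starResolution = resolution;
    } else if (resolution.module !== starResolution.module ||
               resolution.bindingName !== starResolution.bindingName) {
      return AMBIGUOUS; // same name reachable through two different bindings
    }
  }
  return starResolution;
}

// Constructed module graph: A <-> B star-export each other; B also
// re-exports C and D, which both export `x`; B re-exports C.c as c2.
const registry = new Map([
  ['A', makeModule('A', { local: { a: 'a' }, stars: ['B'] })],
  ['B', makeModule('B', { local: { b: 'b' }, indirect: { c2: ['C', 'c'] }, stars: ['A', 'C', 'D'] })],
  ['C', makeModule('C', { local: { c: 'c', x: 'x' } })],
  ['D', makeModule('D', { local: { x: 'x' } })],
]);

// Human-readable outcome of resolving exportName starting at moduleName.
function resolveIn(moduleName, exportName) {
  const r = resolveExport(registry, registry.get(moduleName), exportName);
  if (r === AMBIGUOUS) return 'ambiguous';
  if (r === null) return 'not found';
  return `${r.module.name}.${r.bindingName}`;
}

for (const [m, e] of [['B', 'a'], ['A', 'missing'], ['A', 'x'], ['A', 'c2']]) {
  console.log(`${m}:${e} -> ${resolveIn(m, e)}`);
}
```

Resolving `missing` from A walks A -> B -> A; without the visited set the second visit to A would start the same walk again. Resolving `x` from A reaches both C.x and D.x through B's star exports and is reported ambiguous rather than silently picking one.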
Reason for revert:
Speculative revert because of stability problems
Original issue's description:
> [stubs] Port SubStringStub to TurboFan
>
> This ports the platform-specific SubStringStub to TurboFan.
>
> It also contains a minor bug-fix for the case when the requested substring
> length equals the subject string length, but the start index is not equal to 0.
> The old stub implementation returned the subject string, while the new
> implementation calls into runtime, which finally results in a thrown exception.
>
> BUG=v8:5415
>
> Committed: https://crrev.com/49be31921536716706a6790fbbf9c346b975af16
> Cr-Commit-Position: refs/heads/master@{#39653}
TBR=ishell@chromium.org,bmeurer@chromium.org,jgruber@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5415, chromium:649967
NOPRESUBMIT=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2365413002
Cr-Commit-Position: refs/heads/master@{#39737}
Reason for revert:
Tanks EarleyBoyer.
Original issue's description:
> [compiler] Properly guard the speculative optimizations for instanceof.
>
> Add a general feedback slot for instanceof similar to what we already have
> for for-in, which basically has a fast (indicated by the uninitialized
> sentinel) and a slow (indicated by the megamorphic sentinel) mode. Now
> we can only take the fast path when the feedback slot says it hasn't
> seen any funky inputs and nothing funky appeared in the prototype chain.
> In the TurboFan code we also deoptimize whenever we see a funky object
> (i.e. a proxy or an object that requires access checks) in the prototype
> chain (similar to what Crankshaft already did).
>
> Drive-by-fix: Also make Crankshaft respect the mode and therefore
> address the deopt loop in Crankshaft around instanceof.
>
> We might want to introduce an InstanceOfIC mechanism at some point and
> track the map of the right-hand side.
>
> BUG=v8:5267
> R=mvstanton@chromium.org
>
> Committed: https://crrev.com/a0484bc6116ebc2b855de87d862945e2ae07169b
> Cr-Commit-Position: refs/heads/master@{#39718}
TBR=mvstanton@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2365223003
Cr-Commit-Position: refs/heads/master@{#39736}
Crankshaft doesn't actually require VFPv3, so there's no reason to
restrict it. V8 already requires at least VFPv2.
BUG=
Review-Url: https://codereview.chromium.org/2369913002
Cr-Commit-Position: refs/heads/master@{#39731}
Reason for revert:
We currently have some stability issues on Canary. Let's reland this after we verified that we "fixed" Canary again.
Original issue's description:
> Preparse inner functions (new try)
>
> This is an overly pessimistic approach where PreParser only keeps
> track of unresolved variables, but doesn't declare anything. This
> will result in context-allocating variables in the outer function
> unnecessarily, if the variable names clash with variable names
> used by the inner function (even if the variables are not the
> same). However, we have been unable to prove that this approach
> wouldn't be good enough for practical purposes.
>
> Fixes after the previous try ( https://codereview.chromium.org/2322243002/ ):
> Keep the context-allocation decision stable when compiling fully eagerly.
>
> Tests which exercise this functionality:
> mjsunit/fixed-context-shapes-when-recompiling.js
>
> Design document (chromium):
>
> https://docs.google.com/a/chromium.org/document/d/1rRv5JJZ0JpOZAZN2CSUwZPFJiBAdRnTiSYhazseNHFg/edit?usp=sharing
>
> BUG=
>
> Committed: https://crrev.com/7c73cf32c60484cdf37c84f1d61b4640e87068d7
> Cr-Commit-Position: refs/heads/master@{#39719}
TBR=verwaest@chromium.org,adamk@chromium.org,marja@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2373443003
Cr-Commit-Position: refs/heads/master@{#39730}
Reason for revert:
Needed for https://codereview.chromium.org/2373443003/
Original issue's description:
> Preparse functions in the scope that was created when parsing of the function was started
>
> This reduces the number of scopes for lazily parsed top-level functions from 3 to 1
>
> BUG=v8:5209
>
> Committed: https://crrev.com/9618d095903c604a032b33792c068f4a6169503c
> Cr-Commit-Position: refs/heads/master@{#39725}
TBR=marja@chromium.org,verwaest@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2365393002
Cr-Commit-Position: refs/heads/master@{#39729}
Reason for revert:
wrong CL
Original issue's description:
> Revert of VariableProxy: when cloning, don't even think about creating dangling references. (patchset #1 id:1 of https://codereview.chromium.org/2368253002/ )
>
> Reason for revert:
> Needed for https://codereview.chromium.org/2373443003/
>
> Original issue's description:
> > VariableProxy: when cloning, don't even think about creating dangling references.
> >
> > The code path for cloning resolved VariableProxys (into a different
> > Zone) was never hit, but if it was, it would create a dangling
> > reference, since the Variable would stay in the original Zone.
> >
> > Kudos to verwaest@ for finding this!
> >
> > R=verwaest@chromium.org
> > BUG=
> >
> > Committed: https://crrev.com/fd429bdb9e70cb8c4f8a4bbef0806e008c60440c
> > Cr-Commit-Position: refs/heads/master@{#39723}
>
> TBR=verwaest@chromium.org,marja@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=
>
> Committed: https://crrev.com/8edf2905693a2b486a97a0547ec53bb552f7db15
> Cr-Commit-Position: refs/heads/master@{#39726}
TBR=verwaest@chromium.org,marja@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2366373002
Cr-Commit-Position: refs/heads/master@{#39728}
Reason for revert:
Needed for https://codereview.chromium.org/2373443003/
Original issue's description:
> VariableProxy: when cloning, don't even think about creating dangling references.
>
> The code path for cloning resolved VariableProxys (into a different
> Zone) was never hit, but if it was, it would create a dangling
> reference, since the Variable would stay in the original Zone.
>
> Kudos to verwaest@ for finding this!
>
> R=verwaest@chromium.org
> BUG=
>
> Committed: https://crrev.com/fd429bdb9e70cb8c4f8a4bbef0806e008c60440c
> Cr-Commit-Position: refs/heads/master@{#39723}
TBR=verwaest@chromium.org,marja@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2368303002
Cr-Commit-Position: refs/heads/master@{#39726}
This reduces the number of scopes for lazily parsed top-level functions from 3 to 1
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2370713003
Cr-Commit-Position: refs/heads/master@{#39725}
The code path for cloning resolved VariableProxys (into a different
Zone) was never hit, but if it was, it would create a dangling
reference, since the Variable would stay in the original Zone.
Kudos to verwaest@ for finding this!
R=verwaest@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2368253002
Cr-Commit-Position: refs/heads/master@{#39723}