Reason for revert:
Suspect for crashing found, relanding for canary coverage.
Original issue's description:
> Revert of Do not remove write barriers for stores of old space references in most recent old space allocation. (patchset #1 id:1 of https://codereview.chromium.org/1478113002/ )
>
> Reason for revert:
> Broken canary. Trying to find out root cause.
>
> Original issue's description:
> > Do not remove write barriers for stores of old space references in most recent old space allocation.
> >
> > BUG=chromium:561449
> > LOG=n
> >
> > Committed: https://crrev.com/369778ec55a63ebe51e8fa8497edb5b681069b9b
> > Cr-Commit-Position: refs/heads/master@{#32368}
>
> TBR=ulan@chromium.org,bmeurer@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:561449
>
> Committed: https://crrev.com/da56525478f1820e3da629576ab61acc5f84daac
> Cr-Commit-Position: refs/heads/master@{#32406}
TBR=ulan@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:561449
Review URL: https://codereview.chromium.org/1493313002
Cr-Commit-Position: refs/heads/master@{#32555}
Reason for revert:
Suspect for crashing found, relanding for canary coverage.
Original issue's description:
> Revert of [heap] Remove eager shortcut in JSFunction visitor. (patchset #1 id:1 of https://codereview.chromium.org/1476223002/ )
>
> Reason for revert:
> Still investigating bad canary.
>
> Original issue's description:
> > [heap] Remove eager shortcut in JSFunction visitor.
> >
> > This removes an optimization in the static JSFunction visitor that
> > eagerly marked through to the SharedFunctionInfo for code flushing
> > candidates. This causes all processing in VisitJSFunction to be
> > side-stepped and hence might cause leaks.
> >
> > R=hpayer@chromium.org
> >
> > Committed: https://crrev.com/a29f0576c32e8fda90bf7ab19c6d170568150a7f
> > Cr-Commit-Position: refs/heads/master@{#32332}
>
> TBR=mstarzinger@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
>
> Committed: https://crrev.com/672b49119b857c4f96234b03e48b4b60de256969
> Cr-Commit-Position: refs/heads/master@{#32463}
TBR=mstarzinger@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1486413006
Cr-Commit-Position: refs/heads/master@{#32554}
Between requesting finalization of incremental marking and the time where we handle the request in the stack guard, the current full GC may have finished. In that case the stack guard triggers too late and tries to finalize marking in a state where marking is not going on.
Note that a cleaner fix would be to express the finalization phase in a special marking phase. I will do that in a follow-up CL.
BUG=
Review URL: https://codereview.chromium.org/1493133003
Cr-Commit-Position: refs/heads/master@{#32552}
This drops the specific slot containing the new.target value from our
construct stub frames. This side-channel has been deprecated and will
no longer be accessed by any consumers.
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/1489353004
Cr-Commit-Position: refs/heads/master@{#32550}
Whenever the InstanceOfStub finds a proxy (either passed as object or
somewhere on the prototype chain), it should bailout to the
%HasInPrototypeChain runtime function, which will do the right thing
(soonish).
R=yangguo@chromium.org
BUG=v8:1543
LOG=n
Review URL: https://codereview.chromium.org/1492243003
Cr-Commit-Position: refs/heads/master@{#32549}
This passes the new.target value in a register instead of through a
side-channel via the construct stub. Note that this marks the last
consumer of said side-channel and the special slot in the construct
stub frame can be removed as a follow-up.
R=bmeurer@chromium.org,yangguo@chromium.org
TEST=mjsunit/es6/regress/regress-new-target-context
Review URL: https://codereview.chromium.org/1492793002
Cr-Commit-Position: refs/heads/master@{#32548}
It didn't support the subclassing case at all, and in the non-subclassing case the runtime
allocation didn't do the slack tracking step.
BUG=chromium:563339
LOG=Y
Review URL: https://codereview.chromium.org/1488023002
Cr-Commit-Position: refs/heads/master@{#32547}
port 411c5b7fb0 (r32524)
original commit message:
Also remove the ResultMode from ToBooleanStub and always return true or
false and use the same mechanism in fullcodegen. This is in preparation
for adding ToBoolean hints to TurboFan.
Drive-by-fix: We can use the power of the ToBooleanIC in TurboFan now
that the ResultMode is gone (and the runtime always returns true or
false from the miss handler).
BUG=
Review URL: https://codereview.chromium.org/1500483002
Cr-Commit-Position: refs/heads/master@{#32543}
port 531dde9f80 (r32516)
original commit message:
The new step-in implementation no longer tries to predict the step-in
target, so we don't need the arguments count nor call type anymore.
BUG=
Review URL: https://codereview.chromium.org/1493993002
Cr-Commit-Position: refs/heads/master@{#32540}
The optimized code generated by Crankshaft cannot properly deal
with proxies (in the prototype chain), and there's probably no
point in trying to make that work^Wfast with Crankshaft at all.
TurboFan will handle that properly; Crankshaft just bails out
to fullcodegen, which then goes to the runtime, which should do
the right thing soon.
BUG=v8:1543
LOG=n
Review URL: https://codereview.chromium.org/1492983002
Cr-Commit-Position: refs/heads/master@{#32539}
port 3e7e3ed726 (r32508)
original commit message:
* Add a sibling interface to InterpreterAssembler called
CodeStubAssembler which provides a wrapper around the
RawMachineAssembler and is intended to make it easy to build
efficient cross-platform code stubs. Much of the implementation
of CodeStubAssembler is shamelessly stolen from the
InterpreterAssembler, and the idea is to eventually merge the
two interfaces somehow, probably moving the
InterpreterAssembler interface over to use the
CodeStubAssembler. Short-term, however, the two interfaces
shall remain decoupled to increase our velocity developing the
two systems in parallel.
* Implement the StringLength stub in TurboFan with the new
CodeStubAssembler. Replace and remove the old Hydrogen-stub
version.
* Remove a whole slew of machinery to support JavaScript-style
code stub generation, since it ultimately proved unwieldy,
brittle and baroque. This cleanup includes removing the shared
code stub context, several example stubs and a tangle of build
file changes.
BUG=
Review URL: https://codereview.chromium.org/1492213002
Cr-Commit-Position: refs/heads/master@{#32538}
port 19741ac977 (r32301)
original commit message:
The Float32RoundTruncate operator rounds float32 numbers towards zero.
The operator is currently implemented on x64, ia32, arm, and arm64.
Additionally I added support for the float32 vrintz, vrintn, and vrinta
instructions to the arm simulator.
BUG=
Review URL: https://codereview.chromium.org/1493213002
Cr-Commit-Position: refs/heads/master@{#32537}
Both the is_const and declaration_scope fields can be reliably derived
from the mode field. needs_init cannot be, unfortunately, due to the
special case of CONST in for loops.
Also inline the sole remaining non-trivial caller of
Parser::DeclarationScope(VariableMode).
Review URL: https://codereview.chromium.org/1487603003
Cr-Commit-Position: refs/heads/master@{#32536}
These bits were relevant back when we had nested lexical modules, but
I don't think they'll be of any use for ES2015 modules.
Review URL: https://codereview.chromium.org/1485053002
Cr-Commit-Position: refs/heads/master@{#32534}
Port 3e7e3ed726
Original commit message:
* Add a sibling interface to InterpreterAssembler called
CodeStubAssembler which provides a wrapper around the
RawMachineAssembler and is intended to make it easy to build
efficient cross-platform code stubs. Much of the implementation
of CodeStubAssembler is shamelessly stolen from the
InterpreterAssembler, and the idea is to eventually merge the
two interfaces somehow, probably moving the
InterpreterAssembler interface over to use the
CodeStubAssembler. Short-term, however, the two interfaces
shall remain decoupled to increase our velocity developing the
two systems in parallel.
* Implement the StringLength stub in TurboFan with the new
CodeStubAssembler. Replace and remove the old Hydrogen-stub
version.
* Remove a whole slew of machinery to support JavaScript-style
code stub generation, since it ultimately proved unwieldy,
brittle and baroque. This cleanup includes removing the shared
code stub context, several example stubs and a tangle of build
file changes.
R=danno@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:4587
LOG=n
Review URL: https://codereview.chromium.org/1492633006
Cr-Commit-Position: refs/heads/master@{#32532}
Port 411c5b7fb0
Original commit message:
Also remove the ResultMode from ToBooleanStub and always return true or
false and use the same mechanism in fullcodegen. This is in preparation
for adding ToBoolean hints to TurboFan.
Drive-by-fix: We can use the power of the ToBooleanIC in TurboFan now
that the ResultMode is gone (and the runtime always returns true or
false from the miss handler).
R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:4583
LOG=n
Review URL: https://codereview.chromium.org/1490363003
Cr-Commit-Position: refs/heads/master@{#32531}
update.sh is gone in chromium, and using update.py will do the right
thing both before and after the deletion in chromium (previously,
update.py used to call update.sh internally on non-win).
This also has the benefit of working on Windows.
No intended behavior change.
BUG=chromium:494442
LOG=n
Review URL: https://codereview.chromium.org/1495653002
Cr-Commit-Position: refs/heads/master@{#32529}
This hackily disambiguates multiple calls for the iterator protocols in ForOf / Yield* by adding -2 / -1 to the pos.
BUG=v8:3953
LOG=y
Review URL: https://codereview.chromium.org/1491923003
Cr-Commit-Position: refs/heads/master@{#32527}
While execution will not return to this location, stack iteration
logic will attempt to find the code object associated with the return
address. This makes sure that it maps to the correct object and not
to the one immediately following it in memory.
R=joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
Review URL: https://codereview.chromium.org/1490343002
Cr-Commit-Position: refs/heads/master@{#32526}
Split out of PropertyAttributes, and used for all filtering purposes.
Also moved PropertyAttributes into the v8::internal:: namespace.
No change in behavior intended.
Review URL: https://codereview.chromium.org/1492653004
Cr-Commit-Position: refs/heads/master@{#32525}
Also remove the ResultMode from ToBooleanStub and always return true or
false and use the same mechanism in fullcodegen. This is in preparation
for adding ToBoolean hints to TurboFan.
Drive-by-fix: We can use the power of the ToBooleanIC in TurboFan now
that the ResultMode is gone (and the runtime always returns true or
false from the miss handler).
R=mstarzinger@chromium.org
BUG=v8:4583
LOG=n
Review URL: https://codereview.chromium.org/1491223002
Cr-Commit-Position: refs/heads/master@{#32524}
Reason for revert:
Speculative revert for crashing Canary.
Original issue's description:
> Reland of [heap] Refactor evacuation for young and old gen into visitors. (patchset #1 id:1 of https://codereview.chromium.org/1483393002/ )
>
> Reason for revert:
> Reland after fixing the potential root cause of the canary crasher.
>
> Original issue's description:
> > Revert of [heap] Refactor evacuation for young and old gen into visitors. (patchset #5 id:80001 of https://codereview.chromium.org/1470253002/ )
> >
> > Reason for revert:
> > Still investigating bad canary.
> >
> > Original issue's description:
> > > [heap] Refactor evacuation for young and old gen into visitors.
> > >
> > > Create a visitor for evacuating objects for young and old generation. This is
> > > the first step of preparing a task to process, both, newspace and oldspace
> > > pages in parallel.
> > >
> > > BUG=chromium:524425
> > > LOG=N
> > >
> > > Committed: https://crrev.com/138d9bae5d7014e0d205634a49b5eac3697744c8
> > > Cr-Commit-Position: refs/heads/master@{#32349}
> >
> > TBR=mlippautz@chromium.org
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > NOTRY=true
> > BUG=chromium:524425
> >
> > Committed: https://crrev.com/aa24a3135ec308e1f84bce334844caf0cae2437a
> > Cr-Commit-Position: refs/heads/master@{#32462}
>
> TBR=mlippautz@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:524425
>
> Committed: https://crrev.com/120b640dfce5f02cecc5af72ca0b2b3b93ce8652
> Cr-Commit-Position: refs/heads/master@{#32500}
TBR=hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425
Review URL: https://codereview.chromium.org/1495583002
Cr-Commit-Position: refs/heads/master@{#32522}
Reason for revert:
Still failing on GC stress
https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/690
Original issue's description:
> Reland of "[heap] Clean up stale store buffer entries for aborted pages."
>
> This reverts commit d4fc4a8cad.
>
> 1. Let X be the aborted slot (slot in an evacuated object in an aborted page)
> 2. Assume X contains pointer to Y and Y is in the new space, so X is in the
> store buffer.
> 3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
> 4. The current mark-sweep finishes. The slot X is in free space and is also in
> the store buffer.
> 5. A string of length 9 "abcdefghi" is allocated in the new space. The string
> looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
> previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
> object before.
> 6. Scavenge happens.
> 7. Slot X is still in free space and in store buffer. [It causes scavenge of
> the object Y in
> store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
> it is not important].
> 8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi
> is written in X.
> 9. The scavenge finishes.
> 10. Another scavenge starts.
> 11. We crash in
> store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
> processing slot X, because it doesn't point to valid map.
>
> BUG=chromium:524425, chromium:564498
> LOG=N
> R=hpayer@chromium.org, ulan@chromium.org
>
> Committed: https://crrev.com/fc6ff534003480e49dc481d9c665e961ab709c02
> Cr-Commit-Position: refs/heads/master@{#32514}
TBR=hpayer@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425, chromium:564498
Review URL: https://codereview.chromium.org/1492823002
Cr-Commit-Position: refs/heads/master@{#32520}
We can constant fold %_IsJSReceiver(x) based on whether x is always a
receiver or can never be a receiver. This is important as
%_IsJSReceiver is inserted by the JSInliner.
R=jarin@chromium.org
BUG=v8:4544
LOG=n
Review URL: https://codereview.chromium.org/1486383003
Cr-Commit-Position: refs/heads/master@{#32519}
The new step-in implementation no longer tries to predict the step-in
target, so we don't need the arguments count nor call type anymore.
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/1484893003
Cr-Commit-Position: refs/heads/master@{#32516}
port 4f4947898d (r32262)
original commit message:
The Float32RoundUp operator rounds float32 numbers towards infinity.
The operator is currently implemented on x64, ia32, arm, and arm64.
BUG=
Review URL: https://codereview.chromium.org/1491843003
Cr-Commit-Position: refs/heads/master@{#32515}
This reverts commit d4fc4a8cad.
1. Let X be the aborted slot (slot in an evacuated object in an aborted page)
2. Assume X contains pointer to Y and Y is in the new space, so X is in the
store buffer.
3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4. The current mark-sweep finishes. The slot X is in free space and is also in
the store buffer.
5. A string of length 9 "abcdefghi" is allocated in the new space. The string
looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
object before.
6. Scavenge happens.
7. Slot X is still in free space and in store buffer. [It causes scavenge of
the object Y in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
it is not important].
8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi
is written in X.
9. The scavenge finishes.
10. Another scavenge starts.
11. We crash in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
processing slot X, because it doesn't point to valid map.
BUG=chromium:524425, chromium:564498
LOG=N
R=hpayer@chromium.org, ulan@chromium.org
Review URL: https://codereview.chromium.org/1494503004
Cr-Commit-Position: refs/heads/master@{#32514}
* Add a sibling interface to InterpreterAssembler called
CodeStubAssembler which provides a wrapper around the
RawMachineAssembler and is intended to make it easy to build
efficient cross-platform code stubs. Much of the implementation
of CodeStubAssembler is shamelessly stolen from the
InterpreterAssembler, and the idea is to eventually merge the
two interfaces somehow, probably moving the
InterpreterAssembler interface over to use the
CodeStubAssembler. Short-term, however, the two interfaces
shall remain decoupled to increase our velocity developing the
two systems in parallel.
* Implement the StringLength stub in TurboFan with the new
CodeStubAssembler. Replace and remove the old Hydrogen-stub
version.
* Remove a whole slew of machinery to support JavaScript-style
code stub generation, since it ultimately proved unwieldy,
brittle and baroque. This cleanup includes removing the shared
code stub context, several example stubs and a tangle of build
file changes.
BUG=v8:4587
LOG=n
Review URL: https://codereview.chromium.org/1475953002
Cr-Commit-Position: refs/heads/master@{#32508}
The main part of the Proxy constructor was already in C++, there's
actually no point in keeping a JavaScript wrapper.
R=cbruni@chromium.org
BUG=v8:1543
LOG=n
Review URL: https://codereview.chromium.org/1491893002
Cr-Commit-Position: refs/heads/master@{#32507}