This is a reland of d82600ecc8
Added missing builtin serializations that were breaking Clusterfuzz,
layout tests and Speedometer.
Original change's description:
> [turbofan] Serialize missing objects
>
> Added a few objects to the standard objects list, as well as specific
> builtins when the corresponding runtime calls are detected in the
> serializer. Now JSHeapCopyReducer is needed only when concurrent
> inlining is disabled.
>
> Bug: v8:7790
> Change-Id: I91d933611b0352df8ede4fded665f13669591fef
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781053
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63509}
Bug: v8:7790, chromium:1000136
Change-Id: I4775014bfe8100fb76f60e4088f1bdf2a8da64a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781681
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63525}
Also extend load poisoning testing for arm and arm64.
This is a port of I1ef202296744a39054366f2bc424d6952c3bbe9d,
originally introduced for arm.
Change-Id: I7d317bba6be633dd1e563daa7231d3c5e930f8e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691032
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63519}
This reverts commit ab089c7864.
Reason for revert: Breaking GC stress (https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/27523)
Original change's description:
> [turbofan] Prepare for moving part of CreateGraph into the background
>
> - Pass Refs, not Handles, to graph builder, and drop bytecode array argument
> (get it from SFI instead).
> - Add some fields to FeedbackVectorRef that are needed to avoid heap access
> in BytecodeGraphBuilderPhase.
> - Rename FeedbackVectorRef's SerializeSlots to Serialize, since it's more
> than just the feedback slots.
> - Rearrange the last steps in PipelineCompilationJob::PrepareJobImpl such
> that CreateGraph is last.
>
> Bug: v8:7790
> Change-Id: I4b17790d1d74da41ba63ee68e3a33968662fc398
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781682
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63515}
TBR=neis@chromium.org,mslekova@chromium.org
Change-Id: I4dc95907657597d12cbe1ce6a8ebb694ef44e915
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7790
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781687
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63517}
- Pass Refs, not Handles, to graph builder, and drop bytecode array argument
(get it from SFI instead).
- Add some fields to FeedbackVectorRef that are needed to avoid heap access
in BytecodeGraphBuilderPhase.
- Rename FeedbackVectorRef's SerializeSlots to Serialize, since it's more
than just the feedback slots.
- Rearrange the last steps in PipelineCompilationJob::PrepareJobImpl such
that CreateGraph is last.
Bug: v8:7790
Change-Id: I4b17790d1d74da41ba63ee68e3a33968662fc398
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781682
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63515}
This reverts commit d82600ecc8.
Reason for revert: Blocking the roll, see https://ci.chromium.org/p/chromium/builders/try/linux-rel/181725
Original change's description:
> [turbofan] Serialize missing objects
>
> Added a few objects to the standard objects list, as well as specific
> builtins when the corresponding runtime calls are detected in the
> serializer. Now JSHeapCopyReducer is needed only when concurrent
> inlining is disabled.
>
> Bug: v8:7790
> Change-Id: I91d933611b0352df8ede4fded665f13669591fef
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781053
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63509}
TBR=neis@chromium.org,mslekova@chromium.org
Change-Id: I5eb8a8371994822debb852fc2a090ba585826d4a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7790
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1782157
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63514}
Added a few objects to the standard objects list, as well as specific
builtins when the corresponding runtime calls are detected in the
serializer. Now JSHeapCopyReducer is needed only when concurrent
inlining is disabled.
Bug: v8:7790
Change-Id: I91d933611b0352df8ede4fded665f13669591fef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781053
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63509}
.. and use it for generating faster loads of external references. This
changes the stack check instruction sequence from
mov ecx,0x567651dc // The address of the stack limit.
cmp esp,[ecx]
to
cmp esp,[ebx+0x3c]
This addressing mode was likely forgotten when we recently added root
register support on ia32.
Bug: chromium:998751,v8:9534
Change-Id: I3521519da1e9d373dfcd83831b3e399e0e9c895b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781056
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63508}
Similar to https://crrev.com/c/1781047, WordEqual already does the right
truncation in the instruction selector.
Bug: v8:8948
Change-Id: I92e74bafab6a467aeca1570494e9044f9cf18c46
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781049
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63504}
Allow the backward spilling heuristic to look and spill before the start
of the current range.
This solves a common scenario where control-flow aware allocation
cannot apply the heuristic as efficiently as splintering because it
creates smaller live ranges.
Bug: v8:9088
Change-Id: I7f8af8bb9c82849fbae0c652baa5011fd890690e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776085
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63502}
... which already does good the right job of generating 32-bit comparisons
while Word32Equal() seems to break some optimizations in TurboFan and produce
a little bit slower code.
Bug: v8:8948
Change-Id: I288656479fa32c34a7253c4879cb3566d7470a6a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781047
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63501}
This is a reland of 0736599a69.
This is a reland of 7e1fbe8f34.
Original change description:
> [ic] In-place Double -> Tagged transitions
>
> With no more MutableHeapNumber, we can make Double -> Tagged transitions
> in-place, at the cost of an extra map check when accessing double fields
> to make sure they are still doubles.
>
> Bug: v8:9606
> Change-Id: I74ff39ed6fba62ee223cd37dfe761f7d73020e1c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743973
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63374}
TBR=verwaest@chromium.org, tebbi@chromium.org
Bug: v8:9606
Change-Id: I2d1b7416064d743582f4983fb868316b7e8a4cf2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1777661
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63499}
Print the file name instead of the function name, as the
function name can be ambiguous.
Bug: v8:7790
Change-Id: I079eb0e5a0012aff1d241618d132ecd2d3d93c8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781043
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63498}
- Add serialization for CallNoFeedback, which was missing.
- Extend serialization for CallJSRuntime.
- Serialize for calls to higher-order Array builtins.
- Serialize for calls to Function#apply and Function#call.
- Serialize for calls to Reflect.apply and Reflect.construct.
- Serialize for calls to Promise constructor.
- Fix ConvertReceiverMode in serialization for CallProperty.
Bug: v8:7790
Change-Id: I4bba6f45f9b7948ed2ba9c70bd423a23ec29ecf7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763530
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63497}
E.g. make the setup of the ObjectRef hash table more explicit.
Tbr: jgruber@chromium.org
Bug: v8:7790
Change-Id: I58c03848e7da5c418ff2d6ae1e71b644278f406b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776089
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63475}
Port f72c844aa7
Original Commit Message:
Port f5ab7d38be
Port 65f3861e3b
Original Commit Message:
In a new test suite: "wasm-api-tests", using a new binary "wasm_api_tests",
powered by gtest/gmock (like unittests).
Also fix a bunch of issues that these tests uncovered, mostly to ensure
that the stack is walkable.
R=miladfar@ca.ibm.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I565fba1a2437eb49be0c5247740f3fcac7b071db
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1775723
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#63460}
The maximal unoptimized frame size is calculated during instruction
selection and will be needed during code generation (it will be
applied as an offset to the stack check). Pass the information along
to the code generator through PipelineData.
Bug: v8:9534
Change-Id: Ia72cd70d57c3de2db9fe43d91b9378d8e2ab8a0a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762302
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63451}
TLDR: Inline less, but more where it matters. ~10% decrease in Turbofan
compile time including off-thread, while improving Octane scores by ~2%.
How things used to work:
There is a flag FLAG_min_inlining_frequency that limits inlining by
the callsite being sufficiently frequently executed. This call frequency
was measured relative to invocations of the parent (= the function we
originally optimize). At the same time, the limit was very low (0.15),
meaning we mostly relied on the total amount of inlined code
(FLAG_max_inlined_bytecode_size_cumulative) to limit inlining.
How things work now:
Instead of measuring call frequency relative to parent invocations, we
should have a measure that predicts how often the callsite in question
will be executed in the future. An obvious attempt at that would be to
measure how often the callsite was executed in absolute numbers in the
past. But depending on how fast feedback stabilizes, it can take more
or less time until we optimize a function. If we just take the absolute
call frequency up to the point in time when we optimize, we would
inline more for functions that stabilize slowly, which doesn't make
sense. So instead, we measure absolute call count per KB of executed
bytecodes of the parent function.
Since inlining big functions is more expensive, this threshold is
additionally scaled linearly with the bytecode-size of the inlinee.
The resulting formula is:
call_frequency >
FLAG_min_inlining_frequency *
(bytecode.length() - FLAG_max_inlined_bytecode_size_small) /
(FLAG_max_inlined_bytecode_size - FLAG_max_inlined_bytecode_size_small)
The new threshold is chosen in a way that it effectively limits
inlining, which allows us to increase
FLAG_max_inlined_bytecode_size_cumulative without increasing inlining
in general.
The reduction in compile time (x64 build) of ~10% was observed in Octane,
ARES-6, web-tooling-benchmark, and the standalone TypeScript benchmark.
The hope is that this will reduce CPU-time in real-world situations
too.
The Octane improvements come from inlining more in places where it
matters.
Bug: v8:6682
Change-Id: I99baa17dec85b71616a3ab3414d7e055beca39a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768366
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63449}
This CL try to use a phi as a branch condition if the control flow from the
branch is known from previous conditions. This change will open up more branch
folding opportunities for later pass.
Change-Id: I26316ab3a68c2d58d0df53691981288a996d4ba1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1674484
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63434}
in order to find out if that is the failing CHECK in a chrome crash
report...
Bug: chromium:996819
Change-Id: Ifdebbc88b0525e61a5b3f83caa0ce4279a8efb75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1774718
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63428}
Remove unnecessary call to Serialize.
Change a Handle cast to a Ref cast.
Add a CHECK to JSHeapBroker::SetFeedback that the source is valid.
Bug: v8:7790
Change-Id: I6a2f10d45456c6b128beff009016009457dc109c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773248
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63421}
Since we use Word32Equal with a (truncating) ReinterpretCast for pointer
compressed TaggedEqual, we also have to allow it in the machine
verifier.
Change-Id: Ic16af837f03ebc51dde5bdc7f0c574b2aaf11909
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771784
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63410}
Using the tool again, the previous iteration accidentally ignored
Node/TNode behind a typedef. Automatic replacement of types with
manual cleanup/addition of CASTs where necessary.
Bug: v8:9396
Change-Id: I33b6d229669cb80586d5d8e82c04542df671f0b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768367
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63409}
Host info used to be stored on the global reference underlying a Ref;
now it is stored in a JSWeakMap and hence tied to the lifetime of the
actual object on V8's heap.
Additionally, the internal metadata needed for C-API functions is now
stored on the SharedFunctionInfo and no longer overlaps with the host
info mechanism.
Bonus content:
Roll 6db391e: Remove a few more leftover uses of _enum types
Change-Id: Ibb1fa4b0dd5157fef15c030bac705a11aa3beaea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768368
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63400}
Forbid using LoadRoot in CSA (with a bailout via CodeAssembler), so that
users are forced to use helper macros for roots, which have statically
known types. Convert all current uses of LoadRoot to use these macros,
introducing new ones where necessary.
Bug: v8:9396
Change-Id: I91214fca6e5ace7554d79605706a8a60117468fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762526
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63398}
ChangeTaggedSignedToInt32(ChangeCompressedSignedToTaggedSigned((x)) ->
ChangeCompressedSignedToInt32(x)
This pattern shows up in the Octane Richards benchmark (on arm64):
sxtw x11, w10
asr w11, w11, #1
This patch will remove the sxtw.
ChangeCompressedSignedToInt32(CheckedInt32ToCompressedSigned(x)) -> x
This pattern shows up in the Octane Richards benchmark (on arm64):
adds w10, w10, w10
b.vs #+0x1118
asr w11, w10, #1
stur w10, [x6, #19]
cmp w11, #0x1a
This patch will remove the asr, and produce:
adds w11, w10, w10
b.vs #+0x1108
stur w11, [x6, #19]
cmp w10, #0x1a
Bug: v8:7703
Change-Id: I5843e0a4f723b202857ee86130f835cd048d7e31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763529
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Rodolph Perfetta <rodolph.perfetta@arm.com>
Cr-Commit-Position: refs/heads/master@{#63389}
Even when a field is marked const, we may emit multiple consecutive in-literal stores to that field. That is, in 'JSNativeContextSpecialization::BuildPropertyStore', when the access mode is 'kStoreInLiteral' and we are accessing a const field, we may produce a StoreField node, even though another StoreField (that stores something other than 'Uninitialized') to the same const field dominates it. This appears to be sound, since earlier stores to literals cannot be observed anyways.
Unfortunately this behavior conflicts with the double const store invariant in load elimination: Roughly speaking, we assume that load elimination may never observe two consecutive const stores to the same field on the same object.
The apparent solution would be to treat 'kStoreInLiteral' accesses like regular 'kStore' accesses: For consecutive stores to const properties we don't emit StoreField, but instead emit code that checks whether the value about to be written is equivalent to the previously written one, and otherwise deopt ('DeoptimizeReason::kWrongValue'). Unfortunately this turns out impractical, since for 'kStoreInLiteral' accesses we can't easily decide whether we're dealing with the first such store or one of the consecutive ones. Also see this abandoned CL: https://chromium-review.googlesource.com/c/v8/v8/+/1762020.
This CL instead adds an exception to the invariant in load elimination. We track whether a store arose from a 'kStoreInLiteral' access, and use this information when visiting StoreField nodes in load elimination.
R=neis@chromium.org, tebbi@chromium.org
Bug: chromium:987205
Change-Id: I8829752aa0637e9599677d20aad2d706d40d7fe6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763535
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Schmid <gsps@google.com>
Cr-Commit-Position: refs/heads/master@{#63385}
Replace all usages of VectorSlotPair with FeedbackSource.
Bug: v8:7790
Change-Id: I0ac6e9cd8f5730154cc1842e267ca1ebfdebc874
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763536
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63378}
With no more MutableHeapNumber, we can make Double -> Tagged transitions
in-place, at the cost of an extra map check when accessing double fields
to make sure they are still doubles.
Bug: v8:9606
Change-Id: I74ff39ed6fba62ee223cd37dfe761f7d73020e1c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743973
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63374}
Replace uses of WordEqual on two tagged representation nodes with a new
TaggedEqual helper, which on pointer compressed configs only compares
the bottom 32-bits of the word. We no longer allow using WordEqual on
anything not known to be a WordT (i.e. Node* or TNode<Object>).
In the future, this may allow us to ignore the top bits of an
uncompressed Smi, and have simpler decompression, though this patch is
not sufficient for such a change.
As a necessary drive-by, TNodify a bunch of stuff.
Bug: v8:8948
Change-Id: Ie11b70709e5d3073f12551b37b420a172a71bc99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763531
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63372}
Out of memory should be the only reason for {FinalizeCode} to return an
empty handle in wasm heap stub compilation. Crash accordingly.
R=mstarzinger@chromium.org
Bug: chromium:990223
Change-Id: I996721c69bfe600a7c13937a65c93d0b19b91c45
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768578
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63366}
While we only need to check stability of the receiver map if its
inference was "unreliable", we must check stability of each prototype's
map unconditionally.
Bug: chromium:997100
Change-Id: I20071ac9eb74c810ad2ab1d78abfb54a1a006c29
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768576
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63364}
This is a reland of 1e472c423b
No change, this was a speculative revert to unblock the roll.
TBR=jgruber
Original change's description:
> [compiler] Track the maximal unoptimized frame size
>
> This is another step towards considering the unoptimized frame size in
> stack checks within optimized code.
>
> With the changes in this CL, we now keep track of the maximal
> unoptimized frame size of the function that is currently being
> compiled. An optimized function may inline multiple unoptimized
> functions, so a single optimized frame can deopt to multiple
> frames. The real frame size thus differs in different parts of the
> optimized function.
>
> We only care about the maximal frame size, which we calculate
> conservatively as an over-approximation, and track in
> InstructionSelector::max_unoptimized_frame_height_ for now. In future
> work, this value will be passed on to codegen, where it will be
> applied as an offset to the stack pointer during the stack check.
>
> (The motivation behind this is to avoid stack overflows through deopts,
> caused by size differences between optimized and unoptimized frames.)
>
> Note that this offset only ensure that the topmost optimized frame can
> deopt without overflowing the stack limit. That's fine, because we only
> deopt optimized frames one at a time. Other (non-topmost) frames are
> only deoptimized once they are returned to.
>
> Drive-by: Print variable and total frame height in --trace-deopt.
>
> Bug: v8:9534
> Change-Id: I821684a9da93bff59c20c8ab226105e7e12d93eb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762024
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Auto-Submit: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63330}
Bug: v8:9534
Change-Id: I686f200e7be1f419e23e50789e11607a0b2886d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1766645
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63356}
This reverts commit 1e472c423b.
Reason for revert: Speculative revert, to attempt to fix crashes that block the V8 roll. Example failure run:
https://ci.chromium.org/p/chromium/builders/try/linux-rel/173465
Original change's description:
> [compiler] Track the maximal unoptimized frame size
>
> This is another step towards considering the unoptimized frame size in
> stack checks within optimized code.
>
> With the changes in this CL, we now keep track of the maximal
> unoptimized frame size of the function that is currently being
> compiled. An optimized function may inline multiple unoptimized
> functions, so a single optimized frame can deopt to multiple
> frames. The real frame size thus differs in different parts of the
> optimized function.
>
> We only care about the maximal frame size, which we calculate
> conservatively as an over-approximation, and track in
> InstructionSelector::max_unoptimized_frame_height_ for now. In future
> work, this value will be passed on to codegen, where it will be
> applied as an offset to the stack pointer during the stack check.
>
> (The motivation behind this is to avoid stack overflows through deopts,
> caused by size differences between optimized and unoptimized frames.)
>
> Note that this offset only ensure that the topmost optimized frame can
> deopt without overflowing the stack limit. That's fine, because we only
> deopt optimized frames one at a time. Other (non-topmost) frames are
> only deoptimized once they are returned to.
>
> Drive-by: Print variable and total frame height in --trace-deopt.
>
> Bug: v8:9534
> Change-Id: I821684a9da93bff59c20c8ab226105e7e12d93eb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762024
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Auto-Submit: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63330}
TBR=neis@chromium.org,sigurds@chromium.org,jgruber@chromium.org
Change-Id: I7b225c30bfc4e1d958276583f512a1ec5fa2b458
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9534
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1764626
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63350}
For import wrappers, we add a special "callable" parameter as the last
parameter. This parameter is not set in the TurboFan graph but in the
code generator. Therefore this parameter has to be allocated in a
special register and cannot be lowered generically. With this CL we
detect in the CallDescriptor lowering if the last parameter is this
special "callable" parameter. If so, we preserve it in the lowered
CallDescriptor in the same register.
R=jkummerow@chromium.org
Bug: v8:7741
Change-Id: I884baa41813011c811612ec84f4e3cfe86a0e83a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762014
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63344}
This was deleted in 5b2ab2f6f7, it seems only
the first part of the condition should have been deleted.
This changes (from the embedded builtins):
movz x9, #0x2
cmp x9, x8
Back to:
cmp x8, #0x2
This saves 0.29% in the embedded builtins size for a pointer-compression enabled arm64 build.
Also a minor cleanup by removing the commutative boolean parameter and always commuting the
FlagsContinuation. For a commutative operation the FlagsContinuation will stay the same.
Change-Id: I5bba84a07bb32284b4756bc6293560ee106745f2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762522
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#63337}
Also: add hint for "prototype" property. This makes us not miss
the ObjectCreate map in any of our tests.
Bug: v8:7790
Change-Id: Icc9f91ebaf466a1cdfba27526335b930c744b9c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762519
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63336}
Automated cleanup which finds patterns of `Node* a = foo` where `foo` is
a TNode expression, and replaces Node* with the appropriate TNode.
Bug: v8:9396
Change-Id: I8b0cd9baf10e74d6e2e336eae62eca6cfe6a9c11
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762515
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63335}
This fixes a serious performance regression in Octane2 future variant.
Bug: v8:7790
Change-Id: Ie72d7b8ecf8af12e06a0ecae216cfb456908fe5d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763542
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63333}
This is another step towards considering the unoptimized frame size in
stack checks within optimized code.
With the changes in this CL, we now keep track of the maximal
unoptimized frame size of the function that is currently being
compiled. An optimized function may inline multiple unoptimized
functions, so a single optimized frame can deopt to multiple
frames. The real frame size thus differs in different parts of the
optimized function.
We only care about the maximal frame size, which we calculate
conservatively as an over-approximation, and track in
InstructionSelector::max_unoptimized_frame_height_ for now. In future
work, this value will be passed on to codegen, where it will be
applied as an offset to the stack pointer during the stack check.
(The motivation behind this is to avoid stack overflows through deopts,
caused by size differences between optimized and unoptimized frames.)
Note that this offset only ensure that the topmost optimized frame can
deopt without overflowing the stack limit. That's fine, because we only
deopt optimized frames one at a time. Other (non-topmost) frames are
only deoptimized once they are returned to.
Drive-by: Print variable and total frame height in --trace-deopt.
Bug: v8:9534
Change-Id: I821684a9da93bff59c20c8ab226105e7e12d93eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762024
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63330}
Bug: v8:7790
Change-Id: I02de7cb5b89a20a4eb10407cb1ff56ed3ece098f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762520
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63322}
This CL was reviewed originally in https://crrev.com/c/1518181.
Bug: v8:7741
Change-Id: Iddb139a24c4b9aee6694e20cb5d04e9f9887160c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752859
Auto-Submit: Sven Sauleau <sven@cloudflare.com>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63321}
The LinkageLocation currently consists of two fields, a bit_field and a
machine_type. The existing equality check only checked the equality of
the bit_field, which meant that a FP register location and a GP register
location could alias. I added a static {IsSameLocation} function which
checks that not just the bit_field but also if one of the two locations
at least has a subtype of the other. Note that we do not check for
type-equality because {CanTailCall} checks, which are the main user of
the LinkageLocation equality check, should pass even if the result types
are in a sub-typing relationship.
R=mstarzinger@chromium.org
Bug: v8:9396
Change-Id: Iaa2d11311d0c18e8ffc1dd934e369106ab2456a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763533
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63319}
The linkage should not have any knowledge about the existance of nodes.
R=mstarzinger@chromium.org
Bug: v8:9396
Change-Id: If10bf113c6ec19c434573a8d9bb7b736caef5dee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763532
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63313}
Since the mutability of HeapNumbers is determined by their owning
object's descriptor array, we can remove the MutableHeapNumber type
entirely, at the cost of a few fewer DCHECKs and a couple of TODOs
to use the descriptor array information.
This is a necessary step towards a follow-up which allows in-place
Double -> Tagged transitions
Design doc: https://docs.google.com/document/d/1VeKIskAakxQFnUBNkhBmVswgR7Vk6T1kAyKRLhqerb4/
Bug: v8:9606
Change-Id: I13209f9c86f1f204088f6fd80089e17d956b4a50
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743972
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63294}
Bug: v8:9528
Change-Id: I7df27c3ee949a4c44fa0f78cfded6d8c34575e6b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1754445
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63292}
ReduceTypedArrayPrototypeToStringTag, ReduceObjectGetPrototype and
ReduceObjectGetPrototype are now heap-access free.
Bug: v8:7790
Change-Id: If7f7ae4c7712326240aa50e02189fee94a57afa9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762022
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63291}
The deoptimizer calculates frame layout based on the translation's
`height` field, together with additional data (e.g.: are we looking at
the topmost frame? what kind of deopt are we in?). The result is the
final deoptimized frame size in bytes, together with a bunch of
intermediate results such as the variable frame size (= without the
fixed-size portion).
In order to consider the deoptimized frame size in optimized stack
checks, we will need to calculate the frame layout during compilation
in addition to what we currently do during deoptimization. This CL
moves in that direction by extracting relevant parts of frame layout
calculation into classes that can be reused by both compiler and
deoptimizer.
These helpers will support both precise and conservative modes; the
deoptimizer will use the precise mode (since it has full information),
while the instruction selector will use the conservative mode.
Bug: v8:9534
Change-Id: I93d6c39f10d251733f4625d3cc161b2010652d02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760825
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63279}
... at graph building time already, just like we do for other property
accesses.
Bug: v8:7790
Change-Id: I7ffc8ee4fb1df91fc59271edd7b70c14f531330a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762018
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63278}
Bug: v8:7790
Change-Id: I2b9971b7944837a5a6943e401b8c9d91f25c515e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762016
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63270}
This brings the graph builder in sync with the serializer (and
exponentiation in sync with the other binary operators).
Bug: chromium:995430, v8:7790
Change-Id: I809b6f3756f75392cdc6747f8bcee8cdf0ee0f74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762013
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63269}
... by making the operator have a control output, since we could deopt
after my last change.
Bug: chromium:995562, v8:7790
Change-Id: Ibc8c44708b4d43c4b2c3dfab2fd8fdf79c7ea671
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762010
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63268}
Chromium has checks which don't like static initializers in binaries,
which fires on effect_control_linearizer.cc. We can remove these by
making kMinusZeroBits (and family) constexpr, but to do this we have to
avoid bit_cast. Instead, set the correct bit pattern manually (thankfully
IEEE 754 0.0 is just zero bits, and -0.0 is 0.0 with a set sign bit).
Change-Id: If1695ff715ad8f821e956757f8f9f7c850895011
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762009
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63266}
Rewrite the reducer in terms of the ordinary keyed-store reducer and
reuse the existing serializer machinery for that as well.
Bug: v8:7790
Change-Id: I5909739feee1d77dca1827166bad3d2a61561784
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760807
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63254}
- Eliminate unconditional heap reads in tracing code.
- Change operator<< on ObjectRef to additionally print
the Brief() output when the broker is disabled.
- Print line number in TRACE_BROKER_MISSING and make
some messages more consistent.
- Make PrintCandidates output clearer.
- Be more consistent about dereferencing optionals.
Bug: v8:7790, chromium:990478
Change-Id: I2917529d5138a0d63ad476d3f8fee6a963767b23
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758311
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63242}
This is a reland of 29585a06cc after
removing an incorrect DCHECK.
Original change's description:
> [turbofan] Various serializer/broker improvements
>
> They are all somewhat entangled, sorry for the big CL.
>
> - Brokerize remaining feedback vector slots.
> - Introduce Hints::SingleConstant helper.
> - Introduce SerializationPolicy enum.
> - Eliminate use of nullptr for megamorphic load/store ic feedback.
> Instead use the corresponding ProcessedFeedback with an empty list
> of maps or the like. new class MegamorphicFeedback.
> - Separate processing of feedback from serialization. This eliminates
> code duplication.
> - Be very careful when clearing hints not to overwrite hints that are
> being processed.
> - Move AccessInfos out of NamedAccessFeedback. Always store them in
> property_access_infos_ map on broker. (This was actually unused
> before, somewhat by mistake.)
> - Support map inference in concurrent inlining. Rewrite
> ElementAccessFeedback such that we can refine it with the set of
> inferred maps.
>
> TBR: mvstanton@chromium.org
> Change-Id: I05e9eb250bdffc6dff29db01742550a86a41cb31
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752853
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63232}
TBR: mvstanton@chromium.org
Bug: v8:7790
Change-Id: Ia4acd31b339a941ee065e1ae4835bb7b85d5685e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758319
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63241}
Information required for deoptimization is passed from codegen to the
deoptimizer through so-called translations. Translations contain,
among many other things, a 'height' field. It is used during deopts to
calculate the unoptimized frame height (but note that it does not
correspond exactly to the frame height itself - further calculations
on the deopt side are needed to get to the real frame height).
The height field has roughly the following data flow:
1. During codegen, we serialize whatever
FrameStateDescriptor::GetHeight() returns.
2. During deopts, serialized translations are converted into
TranslatedFrame objects in TranslatedState::CreateNextTranslatedFrame.
3. These are later used to arrive at the real frame height in multiple
spots, e.g. in DoComputeInterpretedFrame and friends.
Prior to this CL, we were adding and subtracting 1 in basically random
spots. For example, for interpreted and construct stub frames we added
1 in step 1 and subtracted 1 in step 3. For continuation frames, we
added 1 in step 2 and subtracted it in step 3. Argument adaptor frames
were left untouched.
This CL removes all these +-1's. The height field now contains
locals_count() for interpreted frames, and parameters_count() for
everything else. I also tried to make the meaning of adds/subs clearer
through use of named constants like kTheReceiver.
Bug: v8:9534
Change-Id: I6fd26886ff5aa63930f413d879d5480578d9dc7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751724
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63238}
This reverts commit 29585a06cc.
Reason for revert: Breaks GC stress bots -
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/24009https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/27281
Original change's description:
> [turbofan] Various serializer/broker improvements
>
> They are all somewhat entangled, sorry for the big CL.
>
> - Brokerize remaining feedback vector slots.
> - Introduce Hints::SingleConstant helper.
> - Introduce SerializationPolicy enum.
> - Eliminate use of nullptr for megamorphic load/store ic feedback.
> Instead use the corresponding ProcessedFeedback with an empty list
> of maps or the like. new class MegamorphicFeedback.
> - Separate processing of feedback from serialization. This eliminates
> code duplication.
> - Be very careful when clearing hints not to overwrite hints that are
> being processed.
> - Move AccessInfos out of NamedAccessFeedback. Always store them in
> property_access_infos_ map on broker. (This was actually unused
> before, somewhat by mistake.)
> - Support map inference in concurrent inlining. Rewrite
> ElementAccessFeedback such that we can refine it with the set of
> inferred maps.
>
> TBR: mvstanton@chromium.org
> Change-Id: I05e9eb250bdffc6dff29db01742550a86a41cb31
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752853
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63232}
TBR=mvstanton@chromium.org,neis@chromium.org
Change-Id: I88625d92fddf993db63661666c59af05a47b2b58
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758314
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63237}
This removes the last dependencies on {JSGraph} from the wasm compiler.
Since the pipeline does not run appropriate lowerings, access to the
simplified or the javascript operator level is disallowed. With this
change that rule is statically enforced.
R=thibaudm@chromium.org
Change-Id: I4a97e63ffc5df1b7704477ac5c68707f5b195166
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758305
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63234}
They are all somewhat entangled, sorry for the big CL.
- Brokerize remaining feedback vector slots.
- Introduce Hints::SingleConstant helper.
- Introduce SerializationPolicy enum.
- Eliminate use of nullptr for megamorphic load/store ic feedback.
Instead use the corresponding ProcessedFeedback with an empty list
of maps or the like. new class MegamorphicFeedback.
- Separate processing of feedback from serialization. This eliminates
code duplication.
- Be very careful when clearing hints not to overwrite hints that are
being processed.
- Move AccessInfos out of NamedAccessFeedback. Always store them in
property_access_infos_ map on broker. (This was actually unused
before, somewhat by mistake.)
- Support map inference in concurrent inlining. Rewrite
ElementAccessFeedback such that we can refine it with the set of
inferred maps.
TBR: mvstanton@chromium.org
Change-Id: I05e9eb250bdffc6dff29db01742550a86a41cb31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752853
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63232}
This CL adds additional information in PropertyAccessInfos and FieldAccesses about the map that introduced the accessed field. We use this information to prevent load elimination from incorrectly optimizing certain accesses marked const.
Prior to this CL, load elimination simply stored information about eliminatable field accesses based on objects (identified by nodes in the graph) and offsets (i.e., statically known ones). In the presence of const stores and loads this is insufficient, since a single object (in the above sense) may contain distinct *const* properties at the same offset throughout its lifetime. As an example, consider the following piece of code:
let obj = {};
obj.a = 0;
obj[1024] = 1; // An offset of >=1024 forces an elements-kind transition
delete obj.a;
obj.b = 2;
assertEquals(obj.b, 2);
In this scenario, *both* the first ('obj.a = 0') and the second ('obj.b = 2') store to a field will be marked const by the runtime. The reason that storing to 'a' above ends up being marked const, is that 'a' before and after the elements-kind transition is encoded in separate transition trees. Removing 'a' ('delete obj.a') only invalidates const-ness in the dictionary-elements transition tree; not the holey-elements one used at the time of 'obj.a = 0'.
The above situation on its own violates an invariant in load elimination. Namely, we assume that for the same object and offset, we will never encounter two const stores. One can extend the above snippet to coax load-elimination into producing incorrect results. For instance, by "hiding" 'obj.b = 2' in an unoptimized function call, the consecutive load from 'b' will incorrectly produce 0, violating the assert.
R=neis@chromium.org, tebbi@chromium.org
Bug: chromium:980183, chromium:983764
Change-Id: I576a9c7efd416fa9db6daff1f42d483e4bd369b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751346
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63226}
GetIterator currently acts as a property load of the iterator symbol
(soon it will also call it). It makes sense to apply the same early
lowering logic as we do for property loads in the bytecode graph
builder. This also brings our treatment of the bytecode in-line with
the way it's treated in the serializer, which already respects the
early-lowering semantics.
Bug: v8:7790
Change-Id: Ieadc4b307b9f6d9a5aa77ca10c7c818026776f33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758304
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63224}
There are some accesses that we know that are pointers, and we can
specialize them to have Pointer as their Machine Type and Write Barrier.
Drive-by fix: ForJSGeneratorObjectParametersAndRegisters can be changed
to use Pointer.
Bug: v8:7703
Change-Id: I88e371746fc5f08c84795c95b1885264ef6c067c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741658
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63223}
This removes the restriction on load elimination to only track fields
of representations with kTaggedSize, and instead also allows fields with
representations using multiples of kTaggedSize (that is, Float64 and Word64
on pointer-compressed or 32-bit platforms).
In order not to regress JIT-compile time for the common case of
kTaggedSize-sized fields, we maintain information for bigger fields multiple
times, once for each kTaggedSize-multiple offset that covers it. By checking
that all copies of this information are still there when reading from the
load elimination state, updates to the load elimination state don't need to
take special care of bigger fields.
Change-Id: I9b5f3d2d6e3b4f145c20d33fbc764869bf50a365
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752843
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63222}
Create a new function NewHeapNumberForCodeAssembler used only by
CodeAssembler that allocates in read_only_space whenever it is writable
(e.g. when constructing builtins). This can allocate in old_space for
CSA tests that run after read_only_space is sealed.
This move 512 bytes from old_space to read_only_space.
Bug: v8:7464
Change-Id: I3e29b38a8c062fa74feed63ecf0d07625c04347f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752855
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63220}
Moved code from the .cc file to the .h file, and added comments on important
methods.
There is still room for more cleanup / refactor, but it doesn't seem worth
it right now.
Bug: v8:9396
Change-Id: Id14d3ccaa853e0704732d468df504c379cd114b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748735
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63205}
The builtin in question was just tail-calling another existing builtin
anyways. Call sites of the above builtin are rare and only appear in
import wrappers, removing the unnecessary hop is more efficient.
R=thibaudm@chromium.org
Change-Id: I42286346119fc627f8b9ef23fb6e4b2da1da80de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752847
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63204}
Consistent naming, moved methods, etc.
There is a follow-up CL that moves code from this .cc to the private
part of the class in the .h file.
Bug: v8:9396
Change-Id: I9efac09baff7403bce1be9712c090d2ea70b60f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748734
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63203}
Since we can just use the lower bits, we can make the compressions no-ops.
As a note, they still change the representation so that the machine graph
verifier is happy.
X64's version of: https://chromium-review.googlesource.com/c/v8/v8/+/1751722
Bug: v8:7703
Change-Id: I728eb8b6b3953f053a7042797f3c498d13e3c948
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751729
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63202}
We cherish the ability to create a (for example) JSFunctionRef by
passing an object handle in phases of the compiler where we can't
inspect the handle to verify the instance type. A slight change to
constructor definitions of classes derived from ObjectRef allows us to
police this typing effectively.
Bug: v8:7790
Change-Id: I6ac8e4780d578e9c9cad80fdc87f399a92bc988d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751343
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Auto-Submit: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63199}
This is a reland of
https://chromium-review.googlesource.com/c/v8/v8/+/1749712 with a fix in
test-run-wasm-simd.cc to use base::Divide to work around C++ undefined
behavior when the denominator is 0.
Bug: v8:8460
Change-Id: Ia0a4ff621cccc6d9b7528717bf3fa7c79e42ba1a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1745819
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63198}
After compression, the values should only be used for their lower 32-bits (W registers).
This removes unnecessary 'ubfx' zero-extends.
The size of the embedded builtins is reduced by 0.2%.
This improves the ARES-6 by ~1.0%.
Bug: v8:7703
Change-Id: Ib9bd771b51e85717f415a346b37428f8821bf278
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751722
Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63196}
We were going for 64 bits to go back to 32 bits. For example,
TruncateInt64ToInt32(BitcastTaggedSignedToWord(ChangeCompressedToTagged(x)))
when that doesn't modify the value at all.
In order to keep the machine graph verifier happy two bitcast operations
were introduced.
As a drive-by nit cleanup, we were having two empty lines between some
functions implementations in machine-operator-reducer.cc.
Bug: v8:7703
Change-Id: Ifaa0d656010fe4f6f6f4581a2bb6633f060245b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1749383
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63191}
This makes sure that the above predicate is independent of any global
process-wide state. The state of enabled features is now passed in
explicitly.
R=thibaudm@chromium.org
Change-Id: I5d44e2b0c0843d2e4f26aaf0d58d23afd5943726
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751348
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63188}
We were doing the SmiCheck in Compressed, but then using the Tagged one to go
to Int32.
Bug: v8:7703
Change-Id: Ib65084590eb611f9abea9383ee307d21959caa21
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748698
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63185}
Port 5b2ab2f6f7
Original Commit Message:
Now that all uses of LoadStackPointer have been removed, this CL cleans
up related code:
- Removed LoadStackPointer.
- Removed ArchStackPointer.
- Removed IA32StackCheck.
- Removed X64StackCheck.
- Removed StackCheckMatcher.
All stack checks now follow a simple path without matchers or special
register constraints: they load the limit and pass it to
StackPointerGreaterThan, which is finally handled by code generation.
R=jgruber@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I68a66054dc1422e7fc0598ef4d112a031ba94cc1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1750223
Reviewed-by: Milad Farazmand <miladfar@ca.ibm.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#63184}
Previously these were called (real) stack limit on one end, (real)
jslimit on the other. With this CL we consistently use jslimit
everywhere.
Tbr: tebbi@chromium.org
Bug: v8:9534
Change-Id: I9f86ac113bb9682544c365d54f666c1312a073a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748738
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63179}
The BytecodeGraphBuilder still looks at the heap. This CL mostly
eliminates heap lookups for:
* CreateArrayLiteral
* CreateObjectLiteral
* CreateRegExpLiteral
What remains is the lookup embedded in the creation of a VectorSlotPair,
which will be addressed in a subsequent change.
Bug: v8:7790
Change-Id: I5e4167f5542b84ed3684ad61f3dd1ef8ad84c96b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1745482
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63173}
This CL eliminates managed heap reads from the ByteCodeGraphBuilder
from constants. These reads and serializations are made at serialization
time.
Bug: v8:7790
Change-Id: I5c59ea1f097d11f48994f41ac296cfc64121db25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1746477
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63169}
We were only considering eliminating Stores of size Tagged. There doesn't
appear to be a reason why. This CL enables store store elimination for all
sizes.
For example, in pointer compression, it means that Compressed values can
be targeted. In 32 bit versions, it means that doubles can now be targeted.
This is safe under the assumption that every byte of a JS object is only
ever accessed through one offset. For instance, byte 15 of a given object
may be accessed using a two-byte read at offset 14, or a four-byte read at
offset 12, but never both in the same program.
Change-Id: I865d412ed5b4db53a0154cf4da6303c407fdbda7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1746469
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63168}
Port 0aa204febf
Original Commit Message:
This CL unifies how stack checks are handled in the Turbofan pipeline
across architectures, in preparation for properly handling stack
overflows caused by deoptimization in follow-up work. It will also
open up possibilities to simplify related logic.
How this used to work: JSStackCheck was lowered to a UintLessThan
with the stack pointer (sp) and stack limit as inputs. On x64 and ia32,
this node pattern was later recognized during instruction selection
and rewritten to dedicated operators. On other platforms, including
arm and arm64, special logic exists to avoid useless
register-to-register moves when accessing the sp.
This CL introduces a new StackPointerGreaterThan operator, which takes
the stack limit as its sole input. This is what JSStackCheck now lowers
to. This is threaded through to code generation, where we emit the
appropriate code (in the future, we will apply an additional offset to
the sp here).
In follow-up CLs, we can remove or replace remaining uses of
LoadStackPointer in CSA, Wasm, and the interpreter; and then remove
the LoadStackPointer operator, related node matchers, related register
constraints, and the pseudo-smi stack limit roots.
R=jgruber@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Change-Id: I175c110d30190bb543001b6fa77cd65cf22e5874
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748002
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#63167}
Now that all uses of LoadStackPointer have been removed, this CL cleans
up related code:
- Removed LoadStackPointer.
- Removed ArchStackPointer.
- Removed IA32StackCheck.
- Removed X64StackCheck.
- Removed StackCheckMatcher.
All stack checks now follow a simple path without matchers or special
register constraints: they load the limit and pass it to
StackPointerGreaterThan, which is finally handled by code generation.
Bug: v8:9534
Change-Id: Ib1d7be1502a471541d6441f3261aac0c949525fb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748737
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63166}
The matcher used to be needed to avoid first moving rsp to an
allocated register for LoadStackPointer. This is no longer the case
with the new stack check structure based on StackPointerGreaterThan.
This CL updates the wasm stack check and removes now-unneeded
matchers.
The generated stack check code remains unchanged from before:
// Load the stack limit through the instance then compare against rsp.
REX.W movq rcx,[rbp-0x10]
REX.W movq rcx,[rcx+0x2f]
REX.W cmpq rsp,[rcx]
// And on ia32:
mov ecx,[ebp-0x8]
mov ecx,[ecx+0x17]
cmp esp,[ecx]
Bug: v8:9534
Change-Id: I9240ad922d19d498a2661c143b12d629ac14d093
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748733
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63165}
This removes LoadStackPointer and its last remaining use in the
interpreter assembler.
Bug: v8:9534
Change-Id: I19aafb12c5fd50248841a3d92448e64243c723ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748729
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63164}
CSA's stack checks (in CodeStubAssembler::PerformStackCheck) were
previously carefully crafted to hit the stack check node pattern
matchers later on during instruction selection (see StackCheckMatcher).
This brittle mechanism is no longer needed now that stack checks use the
new StackPointerGreaterThan machine operator.
Bug: v8:9534
Change-Id: Idca169df1cadc6db237a8d36883ec1a79418f288
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748728
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63163}
Turbofan applies the following optimization to external reference
loads on arm64 and x64: if the root-relative offset to an external
reference's address is known to be constant (and the root register has
been initialized), calculate the external reference as |kRootRegister
+ <offset>| instead of loading it from the external reference table.
There are two main cases to consider:
1. External references to arbitrary addresses in the native address
space, e.g. libc_memcpy. These kinds of external references have a
fixed address within the same running process, but may (and likely
will) change between processes (e.g.: mksnapshot and later chromium),
and the root-relative offset is different for each Isolate within the
same process.
These kinds of external references can be optimized as above when
*not* generating code which will later be serialized, and *not*
generating isolate-independent code.
2. External references to addresses within the fixed-size region of
the Isolate (essentially: within IsolateData). Since these move with
the Isolate, their root-relative offset is guaranteed to be constant
at all times.
The optimization can always be applied to these cases as long as the
root register has been initialized.
Prior to this CL, we only recognized and optimized for case 1. This CL
additionally adds support for 2.
An example of improved code generated due to this CL:
Before:
// r13 is the kRootRegister on x64.
// 0x3010 is the root-relative offset to Isolate::context_address.
leaq rdx, [r13+0x3010]
movq r8, [rdx]
After:
movq rdx, [r13+0x3010]
Bug: v8:9534
Change-Id: Idfcca751e98a56c0e5ead2c701c12a677df75399
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748727
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63158}
This adds two helper functions in code-generator-{ia32,x64}:
- HasAddressingMode: is the addressing mode not equal to kNone?
- HasRegisterInput: is the specified input in a register?
Bug: v8:9534
Change-Id: I690ee52e247b347a7ef5ba0c98bba47c321ca6b5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748726
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63157}
This CL unifies how stack checks are handled in the Turbofan pipeline
across architectures, in preparation for properly handling stack
overflows caused by deoptimization in follow-up work. It will also
open up possibilities to simplify related logic.
How this used to work: JSStackCheck was lowered to a UintLessThan
with the stack pointer (sp) and stack limit as inputs. On x64 and ia32,
this node pattern was later recognized during instruction selection
and rewritten to dedicated operators. On other platforms, including
arm and arm64, special logic exists to avoid useless
register-to-register moves when accessing the sp.
This CL introduces a new StackPointerGreaterThan operator, which takes
the stack limit as its sole input. This is what JSStackCheck now lowers
to. This is threaded through to code generation, where we emit the
appropriate code (in the future, we will apply an additional offset to
the sp here).
In follow-up CLs, we can remove or replace remaining uses of
LoadStackPointer in CSA, Wasm, and the interpreter; and then remove
the LoadStackPointer operator, related node matchers, related register
constraints, and the pseudo-smi stack limit roots.
Bug: v8:9534
Change-Id: I0e3f1beeed65b163c4ee5787600bed8c3cc671e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1738863
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63156}
We weren't fully using InsertChangeCompressedToTagged and similar, which
in turn made it so that we were using more NewNode. This CL unifies the
way that we generate the insertion of Change nodes regarding decompressions.
Dribe-by fix: make InsertChangeCompressedPointerToTaggedPointer actually
use Pointer.
Bug: v8:7703
Change-Id: I1d8835a54914cdab93f652ff17e39e8271a585df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741661
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63154}
The Osr context is a pointer, and we can make it clear in the Typer.
Known pitfall: If we have a context within a context, the innner context
pointer is typed as Any.
Change-Id: Ia4d7e43ef42ef03f835e4b71d32d117ae835feee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741659
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63153}
The BytecodeGraphBuilder still looks at the heap. This CL completely
eliminates heap lookups for:
* CreateBlockContext
* CreateFunctionContext
* CreateEvalContext
* CreateCatchContext
* CreateWithContext
Bug: v8:7790
Change-Id: I8b88215ba14a11955729b33bd0ee57219719666d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1745484
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63146}
Some of the Float(32|64) to CompressedSigned cases had their functions
defined already so they are virtually free to implement.
We are still missing the unsigned case so I am keeping the TODO.
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:7703
Change-Id: Ibf40d5948226fd48aebe7f8e257c117d6a5ad478
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708483
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63143}
This is the first in a series of changes to reduce the number of
bytecodes generated for the iteration protocol based operations.
The GetIterator bytecode introduced in this change currently loads the
@@iterator symbol from an object that was previously done using the
LdaNamedProperty bytecode. This change uses builtin-based mechanism
that would be extended to perform additional operations in the future
on absorbing the bytecodes associated with the GetIterator operation
from the iteration protocol.
Bug: v8:9489
Change-Id: I83b8b55c27bae8260bf227f355eeca1ba80cd8f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1701852
Commit-Queue: Swapnil Gaikwad <swapnilgaikwad@google.com>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63139}
Cleans up a plethora of JumpIfUndefined().JumpIfNull()
occurances by introducing a new JumpIfUndefinedOrNull
bytecode.
Change-Id: I715e9dd82ca8309e0f3eb6514ddec19b4efe7dbe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743148
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63130}
In instruction selector we were tagging as Compressed or Tagged Any when
we could have been more specific. Also, we were marking as Word32 or Word64
when we should have been using CompressedSigned or TaggedSigned, respectively.
Drive-by cleanup: Rename MarkAsReference to MarkAsTagged.
Bug: v8:7703
Change-Id: I4df7a17e25cfa51a1e11eac0af40be21efb50990
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1739367
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63119}
There were some accesses that could be specialized to Pointer
instead of Any.
Also updated the WriteBarrierKind to match. Any -> full barrier,
Pointer -> Pointer barrier, Signed -> no barrier.
There were some accesses that were not used, and therefore got deleted.
Bug: v8:9396
Change-Id: Ie249e6571080fa6e24d9022344775de679966144
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1733070
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63096}
When serializing frame states into translations (later used by
deopts), we pass certain values, depending on the frame kind, to be
serialized as the frame height.
This CL moves the calculation of this height value into the
FrameStateDescriptor. In a follow-up, we may want to simplify the way
these height values are passed and processed by deopts.
The motivation behind this is to simplify calculation of unoptimized
stack frame sizes during compilation.
Bug: v8:9534
Change-Id: I20d2b57a42cea0c238b9c887dba0280f6aad76de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1728609
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63085}
This reverts commit 9499ec0d43.
Reason for revert: Breaks lots of stuff, e.g.
https://ci.chromium.org/p/v8/builders/ci/V8-Blink%20Linux%2064%20-%20future/9401
Original change's description:
> [TurboFan] Brokerize remaining feedback vector slots
>
> This CL adds new ProcessedFeedback subclasses, corresponding to various IC
> types:
>
> * ForIn
> * Comparison ops
> * Binary/Unary ops
> * InstanceOf
> * Calls
>
> The feedback is gathered at serialization time and used in several places,
> namely:
>
> * Bytecode graph building,
> * and its helper class JSTypeHintLowering (with its "early lowering")
> * Native context specialization
> * JSCallReducer
>
> Design doc: https://docs.google.com/document/d/1JLG0VFV8xmsAIJexU19xzlbNyP51ONqfo_Gf_2DcPC8/edit?usp=sharing
>
> Bug: v8:7790
> Change-Id: I53c3d7a17f844384f38c4ee0f0b082c114217a02
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710663
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63028}
TBR=mvstanton@chromium.org,neis@chromium.org,mslekova@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:7790
Change-Id: Id0c4d6651611fc3964010f7615d0ad0485169ebc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1735315
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63073}
When a fast path was added for Math.hypot, the algorithm was also
simplified. This simplification turns out to be incorrect in some rare
edge cases. This cl reverts back to the original algorithm and converts it to torque.
Original cl: https://chromium-review.googlesource.com/c/v8/v8/+/1684178
Bug: v8:9546
Change-Id: If4e21504732f46081a8de823f50f499917f1a20c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1725200
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63070}
Instead of exposing a {kNext} constant to be used to construct the next
bitfield, expose a templatized {Next} type alias. This ensures that the
storage type is the same for all bitfields created this way. It's also
shorter.
Apart from the expected changes in the code base, the AST node classes
are changed to expose a {NextBitField} templated type alias instead of
a {kNextBitFieldIndex} constant. They thus follow the same pattern as
{BitField} itself.
R=jkummerow@chromium.org, mstarzinger@chromium.org, verwaest@chromium.org
Bug: v8:9396
Change-Id: I70a1b0bd71cde694ec53444de0ca55e4cf0a3836
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1728615
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63068}
Also add a IsExtreme(double) overload.
This wasn't causing issues because there was no codepath
which exercised it (only approx operations did).
Change-Id: If7583fb567137c428d16c0d2cdfc37e086f7f3fd
Bug: v8:8460
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1726675
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63053}
JSBoundFunctionRef::serialized() and JSFunctionRef::serialized() should
tolerate being called when the heap broker is disabled, because these
methods are now called in the JSCallReducer (in order to log whether
information was missing at serialization time).
Bug: v8:7790
Change-Id: Iac8e68178422bd9bb4ebe2acb412ff42ac87cf4a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1733075
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63045}
Previously we were also taking into account the machine type
Change-Id: Ic76aad578f00ef24cf17b349d94cdade8f9ee29d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1733072
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63044}
The mode without write barriers works only if incremental marking
is disabled and the single generation mode is enabled.
Bug: v8:9533
Change-Id: Iecf83b0810f757c9b50e7fb338a2905af938f1d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1716471
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63033}
When the flag is on and some of the functions don't have bytecode,
we should gracefully print "no bytecode" instead of crashing.
Bug: chromium:983267
Change-Id: Id4e3385cd871a2dd5bead38c29a41b38319cc8d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731003
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63031}
This CL adds new ProcessedFeedback subclasses, corresponding to various IC
types:
* ForIn
* Comparison ops
* Binary/Unary ops
* InstanceOf
* Calls
The feedback is gathered at serialization time and used in several places,
namely:
* Bytecode graph building,
* and its helper class JSTypeHintLowering (with its "early lowering")
* Native context specialization
* JSCallReducer
Design doc: https://docs.google.com/document/d/1JLG0VFV8xmsAIJexU19xzlbNyP51ONqfo_Gf_2DcPC8/edit?usp=sharing
Bug: v8:7790
Change-Id: I53c3d7a17f844384f38c4ee0f0b082c114217a02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710663
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63028}
From JSNativeContextSpecialization::ReduceKeyedLoadFromHeapConstant
to JSNativeContextSpecialization::ReduceElementLoadFromHeapConstant.
Change-Id: Ib07a6a4bd599dc71a9a100b2f1f6baef68acbe0b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1728618
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63027}
This removes the explicit {kCallWithCallerSavedRegisters} opcode which
is just a regular call node with special handling for saving/restoring
caller saved registers before/after the call. This is now handled via
the {CallDescriptor::kCallerSavedRegisters} flag.
R=neis@chromium.org
BUG=v8:9396
Change-Id: Ie6421085eb2be8a067040222cd5215a9b1013048
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1728611
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63021}
On Windows ARM64, OS stack walking does not work because the V8 ARM64 backend
doesn't emit unwinding info and also because it doesn't emit ABI compliant
stack frames. This was fixed for Windows X64 (https://crrev.com/c/1469329) and
documented below:
https://docs.google.com/document/d/1-wf50jFlii0c_Pr52lm2ZU-49m220nhYMrHDi3vXnh0
This problem can be fixed similarly for Windows ARM64 by observing that V8
frames usually all have the same prolog which maintains a chain via frame
pointer (fp or x29 register).
stp fp, lr, [sp, ...]
One exception is JSEntry which stops fp pointer chain and needs to be handled
specially.
So it is possible to define XDATA with UNWIND_CODE which specify how Windows
should walk through V8 dynamic frames. The same as X64, since V8 Code objects
are all allocated in the same code-range for an Isolate, it is possible to
register at most 2 XDATA and a group of PDATA entries to cover stack walking
for all the code generated inside that code-range. This is more than 1
PDATA/XDATA because according to the Windows ARM64 exeption handling document,
1 PDATA can cover less than 1MB code range (see below doc).
https://docs.microsoft.com/en-us/cpp/build/arm64-exception-handling
This PR implements stackwalk for Windows ARM64 to be on par with X64, including
embedded builtins, jitted code and wasm jitted code, but not including register
handler for handling exception only, because there is no backward compatibility
to maintain for Windows ARM64 which was released since 1709 windows build.
Bug: chromium:893460
Change-Id: Ic74cbdad8af5cf342185030a4c53796f12ea5429
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1701133
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63002}
Do not pass the deoptimization index in a register, instead infer it
from the address we made the deoptimization call from. This makes the
deoptimization exit sequence one instruction long instead of two.
This requires emitting all deoptimization exits at the end of the
function in a contiguous block, making sure no constant or veneer
pools are emitted in between. This means that soft deoptimizations
require an additional branch to the end of the function, which
counteracts the removal of the move instruction, however soft
deoptimizations are rare compared to eager and lazy ones.
This reduces the code size of optimised functions for benchmarks like
Octane and ARES-6 by about 4%.
Change-Id: I771f9104a07de7931a4bb9c5836e25fb55b1a2a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714876
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62991}
Previously, this was run as a microtask and this CL changes it to run
as a separate task as mandated by the current WeakRef spec.
This CL also introduces a FinalizationGroup type to the V8 API
representing the JSFinalizationGroup. This has a `Cleanup`
function that runs the cleanup callback associated with it.
SetHostCleanupFinalizationGroupCallback is added to set
the embedder defined HostCleanupFinalizationGroupCallback.
ClearKeptObject is exposed on the v8::Isolate to reset the strongly
held set of objects.
The general workflow is the following:
(a) When the GC notices that a given finalization group has dirty
cells, it calls HostCleanupFinalizationGroupCallback with the given
finalization group.
(b) As part of HostCleanupFinalizationGroupCallback, the embedder
enqueues a task that at some point later calls
FinalizationGroup::Cleanup.
(c) At some point in the future, FinalizationGroup::Cleanup is called,
which runs the cleanup callback of the finalization group.
This patch also includes d8 changes to use these new APIs. Currently,
d8 cycles through the enqueued finalization groups after a synchronous
turn (and it's microtask checkpoint) and runs the cleanup callbacks.
Change-Id: I06eb4da2c103b2792a9c62bc4b98fd4e5c4892fc
Bug: v8:8179
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655655
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62984}
This allows to return bool values from Torque macros and branch on them
without performance penalty, reconstructing good control flow.
Drive-by cleanup: Delete EnsureDeferredCodeSingleEntryPoint(), since
it's no longer needed. Constructing a graph and then re-inferring
deferred blocks based on branch hints achieves this effect
automatically.
Bug: v8:7793
Change-Id: Idb6802372b407549e4760f290933d5b8f1e9d952
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1681132
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62979}
Serialize for all cases of JSNativeContextSpecialization::ReduceJSInstanceOf.
Bug: v8:7790
Change-Id: I147991353b86619808257a92961b7051105511f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722558
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62965}
This is a reland of 658ff20085
Original change's description:
> [utils] Make BitField final
>
> We have hundreds of classes that derive from {BitField} without adding
> any functionality. This CL switches all such occurrences to 'using'
> declarations instead.
>
> Before:
> class MyBitField : public BitField<int, 6, 4, MyEnum> {};
> After:
> using MyBitField = BitField<int, 6, 4, MyEnum>;
>
> This might reduce compilation time by reducing the number of existing
> classes.
>
> The old pattern is forbidden now by making {BitField} final.
>
> R=yangguo@chromium.org
>
> Bug: v8:9396, v8:7629
> Change-Id: I8a8364707e8eae0bb522af2459c160e3293eecbb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722565
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62956}
Bug: v8:9396, v8:7629
Change-Id: Ic68541af9d1e8d0340691970922f282b24a9767f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1724379
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62959}
This reverts commit 658ff20085.
Reason for revert: Fails no-i18n bot: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20noi18n%20-%20debug/27826
Original change's description:
> [utils] Make BitField final
>
> We have hundreds of classes that derive from {BitField} without adding
> any functionality. This CL switches all such occurrences to 'using'
> declarations instead.
>
> Before:
> class MyBitField : public BitField<int, 6, 4, MyEnum> {};
> After:
> using MyBitField = BitField<int, 6, 4, MyEnum>;
>
> This might reduce compilation time by reducing the number of existing
> classes.
>
> The old pattern is forbidden now by making {BitField} final.
>
> R=yangguo@chromium.org
>
> Bug: v8:9396, v8:7629
> Change-Id: I8a8364707e8eae0bb522af2459c160e3293eecbb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722565
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62956}
TBR=yangguo@chromium.org,clemensh@chromium.org
Change-Id: I50234a09c77aa89fdcf1e01c2497cc08d3ac79a8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9396, v8:7629
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1724377
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62958}
We have hundreds of classes that derive from {BitField} without adding
any functionality. This CL switches all such occurrences to 'using'
declarations instead.
Before:
class MyBitField : public BitField<int, 6, 4, MyEnum> {};
After:
using MyBitField = BitField<int, 6, 4, MyEnum>;
This might reduce compilation time by reducing the number of existing
classes.
The old pattern is forbidden now by making {BitField} final.
R=yangguo@chromium.org
Bug: v8:9396, v8:7629
Change-Id: I8a8364707e8eae0bb522af2459c160e3293eecbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722565
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62956}
Prefer using the wasm engine's allocator, as the isolate may not be
available during asynchronous compilation.
Bug: v8:9554
Change-Id: Iee3777efb62d18de6b2a64fa7a71d4ef4c6b3a92
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722559
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62955}
This makes function objects constructed via the {WebAssembly.Function}
constructor callable directly from JavaScript (not just from within
WebAssembly modules). Semantics are as if the function performed the
transition JS-to-Wasm and then Wasm-to-JS in sequence.
R=clemensh@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742
Change-Id: Ic7dcf36ccfda1b473f2541e49419f4d2ee38bc2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1720809
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62953}
In export wrapper compilation, the isolate was used to get enabled
features. This prevents asynchronous compilation, so this is replaced
with an enabled_features argument passed from the main thread.
R=mstarzinger@chromium.org
Bug: v8:9554
Change-Id: Iab8a090841170dc235273dda58997cde716ee13f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722554
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62949}
In export wrappers generated code, load the undefined value from the
wasm instance rather than from the isolate. With asynchronous
compilation, the isolate may not be available.
R=mstarzinger@chromium.org
Bug: v8:9554
Change-Id: Ic448bda82c2125fc9c9f8715bce26870308715d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1722556
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62946}
In some cases, we end up with a ChangeCompressedPointerToTaggedPointer next
to a CheckedTaggedToTaggedPointer. In this case, the checked one is not
needed since we are sure we are dealing with a pointer (and not a Smi).
This doesn't get resolved in the simplfied lowering phase due to having a
Phi[Tagged] in the middle of those two nodes.
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:7703
Change-Id: Ia4a44b36423c2242d5c663f9b93b09924190fe8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709426
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62941}
If we are sure that we are dealing with a Compressed value, we can check
for sminess in 32 bits.
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:7703
Change-Id: Icf77d8bcd1decfd392b4887241a9b559f11814c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1718146
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62940}
The propagation of tenuring from outer allocations to inner allocations
was blocked in pointer compression since we now had Compress nodes between
AllocateRaw and StoreField.
This was causing issues in GC. It popped up in the Octane2.1/Splay
benchmark, where we had big regressions.
This CL updates the memory optimizer so that it can use the Compress nodes
as bridges and can perform the optimization successfully. Note that the
Compress nodes only appear on the value input of the StoreField.
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:7703, v8:9519
Change-Id: I6b0cc67955c6cc696e8c426b85c87a1794098ed0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714650
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62938}
... mostly by turning them into pointer arguments.
After this CL, all remaining non-const reference arguments in
the compiler directory are in the backend.
Bug: v8:9429
Change-Id: I6a546da0fe93179e1a0b12296632591cbf209808
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1719185
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62930}
- Move SerializePrototype out of DependOnStablePrototypes into
ComputePropertyAccessInfo.
- Brokerize JSNativeContextSpecialization::InferHasInPrototypeChain.
- Brokerize JSNativeContextSpecialization::ReduceJSOrdinaryHasInstance
(modulo the call to ReduceJSInstanceOf).
- Brokerize JSNativeContextSpecialization::ReduceJSHasInPrototypeChain.
- Serialize for JSCallReducer::ReduceObjectPrototypeIsPrototypeOf.
- Serialize for JSNativeContextSpecialization::ReduceJSInstanceOf. This
is still incomplete.
Bug: v8:7790
Change-Id: Ic56eab5ddd8d725a13d2980e5b55db53ae82e822
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709408
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62920}
Avoids unnecessary compression and decompression nodes since we
are going to be able to check for smis without needing to decompress and
re-compress.
It was doing a CheckedInt32ToTaggedSigned ->
ChangeTaggedSignedToCompressedSigned combo, where we could just do
CheckedInt32ToCompressedSigned.
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:7703
Change-Id: I0bbbbb5bd4744c49840c84b2fcb775fe6b603de0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714878
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62917}
The two inputs are a Word32And and an Int32Constant. There is no need to
do this in 64 bits.
Bug: v8:9396
Change-Id: Ie564ac2f43e98192bf9853855b6c766248264886
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715462
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62909}
This is a reland of 7ba8e662cc
Fixed unresolved symbol error on CFI build.
Original change's description:
> [turbofan] Make code and comment match in FastFunctionPrototypeBind
>
> Additionally, used number of own descriptors in both CSA and the
> reduction of Function.prototype.bind.
>
> Change-Id: I7b86e059d20faa1160cdc0126932fff924226eee
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714655
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62885}
Change-Id: If4d6b4c963a089dca09dd9aa9ec94784b3a21825
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715450
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62894}
The if above asks for field_representation to have Compressed or Any
Machine Representation. Therefore, it can never be Signed.
The functionality doesn't change. If field_representation is Signed,
it will hit the kNoWriteBarrier at the bottom.
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:9396
Change-Id: I39eff3ae082e91d0494134b053c353a2c0ff02c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1702615
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62890}
This removes a shortcut to a "CEntryStub" from the instance object and
instead loads those values via the root set which is also referenced
from the instance. It makes instance objects smaller.
R=clemensh@chromium.org
Change-Id: I2e77cf2cb6949873bb461fb1ed0787e4a413aa5f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714656
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62888}
If we already know it has CompressedPointer representation, let's use
that information to decompress more efficiently.
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:7703
Change-Id: I3591bf67a7c0369c40ca6e7af16183530f8cd269
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709049
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62887}
This reverts commit 7ba8e662cc.
Reason for revert: Breaks CFI - https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20-%20cfi/21295
Original change's description:
> [turbofan] Make code and comment match in FastFunctionPrototypeBind
>
> Additionally, used number of own descriptors in both CSA and the
> reduction of Function.prototype.bind.
>
> Change-Id: I7b86e059d20faa1160cdc0126932fff924226eee
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714655
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62885}
TBR=neis@chromium.org,jgruber@chromium.org,mslekova@chromium.org
Change-Id: I6a92741c214f8b86702445c60a311cc4800593e9
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1715449
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62886}
Additionally, used number of own descriptors in both CSA and the
reduction of Function.prototype.bind.
Change-Id: I7b86e059d20faa1160cdc0126932fff924226eee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714655
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62885}
Even in the most basic case (the task queue only ever contains a single
element), this function triggers ~4KB in zone allocations. These
allocations are basically lost and can never be reused. Avoid this by
allocating inside a new temporary zone that is only alive during the
ComputeLoopState function call.
This reduces allocation size for the zone used during load elimination
from ~30KB to ~15KB when compiling a trivial for-loop example.
An alternative solution would be to switch to something similar to
SmallVector (which uses a statically-sized stack storage before
switching to heap allocations), but based on zones instead of malloc.
Bug: v8:9427,v8:6150
Change-Id: Ic25abe6d48ac718c9ced2f9ef581f244030980fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714869
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62883}
Also add tests for it.
Drive-by fix: Use ChangeInt32ToCompressedSmi since we have it
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:7703
Change-Id: I45f04f8857acfc57b69eb4022a24ba082d28a91f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708480
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62871}
With compressed pointers, `kArchStoreWithBarrier` is a 32-bit store instead of
64-bit, and this means the index has a differerent immediate range.
Bug: v8:7703
Change-Id: If61c8544b0da87ba2779ba2c1a6963b52e3e5d9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710674
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62861}
This removes two shortcuts ("UndefinedValue" and "NullValue") from the
instance object and instead loads those values via the root set which is
also referenced from the instance. It makes instance objects smaller.
Note that this also contains an optimization to make sure "undefined" is
only loaded once and then re-used within a single wrapper.
R=clemensh@chromium.org
Change-Id: I421f202230e91790fa9c8263770b4e4bbd3c47bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710670
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62860}
In serialization for concurrent TurboFan, we need to fully consume
context chains to the root. This interferes with existing protections,
firing the assert IsBootstrappingOrValidParentContext if the chain
is queried to root. Instead, use unchecked_previous().
Bug: v8:7790
Change-Id: Id69885570fb88486c2f292023509bb02413a8ac5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710666
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62846}
port 4ca8b4dhttps://crrev.com/c/1701856
Original Commit Message:
This adds decoding and compilation of the "atomic.fence" operator, which
is intended to preserve the synchronization guarantees of higher-level
languages.
Unlike other atomic operators, it does not target a particular linear
memory. It may occur in modules which declare no memory, or a non-shared
memory, without causing a validation error.
See proposal: https://github.com/WebAssembly/threads/pull/141
See discussion: https://github.com/WebAssembly/threads/issues/140
Change-Id: Ia60d58a6bf58e8236591d515d30184418cee47c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710337
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Yu Yin <xwafish@gmail.com>
Cr-Commit-Position: refs/heads/master@{#62843}
This makes sure the language mode of the module is correctly propagated
through the WebAssembly module, so that exported functions are allocated
with the correct language mode. It extends the existing {ModuleOrigin}
enum to consist of three values now.
R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-985154
BUG=chromium:985154
Change-Id: Id7b566738b1e710cc5001b894022bcd0f2c01bc3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708484
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62826}
This adds decoding and compilation of the "atomic.fence" operator, which
is intended to preserve the synchronization guarantees of higher-level
languages.
Unlike other atomic operators, it does not target a particular linear
memory. It may occur in modules which declare no memory, or a non-shared
memory, without causing a validation error.
See proposal: https://github.com/WebAssembly/threads/pull/141
See discussion: https://github.com/WebAssembly/threads/issues/140R=clemensh@chromium.org
TEST=cctest/test-run-wasm-atomics/RunWasmXXX_AtomicFence
BUG=v8:9452
Change-Id: Ibf7e46227f7edfe5c81c097cfc15924c59614067
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1701856
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62821}
With a write barrier, stores with negative offsets would allocate a temporary
register to hold the offset when the `str` instruction is able to encode it.
For instance, when writing the object map:
```
;; This could be 'str x2, [x5, #-1]'
movn x4, #0x0
str x2, [x5, x4]
and x16, x5, #0xfffffffffffc0000
ldr x16, [x16, #8]
tbnz w16, #2, #+0xba8 ; Jump out-of-line
```
The reason behind this is that the out-of-line code uses an 'add' instruction on
the offset to compute the field address, putting pressure on the instruction
selector to make sure the immediate fits in both 'str' and 'add'.
But, this is not necessary since the macro-assembler is able to turn the 'add'
into a 'sub' or use a temporary register if needed.
Change-Id: I8838e4b81a0c0c1f90aa3d67861a9da1a6dfed06
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708471
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#62803}
We can save memory by only serializing a context chain to a
*required* depth if we know it.
Bug: v8:7790
Change-Id: I97d21f8cd7b56b26fddd95e00a26d5e520d96170
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1678358
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62795}
Specifically the SharedFunctionInfo and the NativeContext.
Bug: v8:7790
Change-Id: Idd1b1b4c7d8eee3ada42b99fee870dff46b631c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1706472
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62789}
GCC compile issue in AIX: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61976
There is a gcc compile issue in AIX: Being passed by values may occur a
copy error, which can be avoided by being passed by reference. This is
why the old way of CallFrequency object 'being passed by values’ has
been changed to the new way of CallFrequency object 'being passed by
references' to avoid this issue.
Bug: v8:8193
Change-Id: I3f2e662a9ef5b641b6e978c3e91167bacc0d13d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1689027
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#62788}
It's sufficient to expose a run function and flags.
Bug: v8:7790
Change-Id: I956a545ddce9e469e6a6196a4b63d9e3a119526d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1706469
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62774}
This adds a simple counter to Turbofan that's incremented throughout the compilation, hopefully
frequently enough so we can use it to detect divergence and performance bugs.
In addition, we assert that this counter never gets too high. That's the equivalent of a simple
timeout, just more deterministic. The limitations on Turbofan input size should guarantee that
we never exceed this limit. Since we probably do exceed it rarely, this check is only a DCHECK and
intended to detect performance and divergence issues, but not supposed to be performed in release
builds.
In addition, this CL adds UMA stats to observe the real world distribution of the tick measurement.
Bug: v8:9444
Change-Id: I182dac6ecac64715e3f5885ff5c7c17549351cd0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1695475
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62754}
The context was not set during streaming compilation.
The initial upload is the original CL and patch set 1 is the fix.
Original CL:
> [wasm] Compile JS to WASM wrappers asynchronously
>
> R=mstarzinger@chromium.org, ahaas@chromium.org
>
> Bug: v8:9231
> Change-Id: I9e18073bbe25bf8c9c5f9ace102316e6209d0459
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1669699
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62672}
R=mstarzinger@chromium.org, ahaas@chromium.org
Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
Bug: v8:9231
Change-Id: I61fc11a6de54cc6e93f3600487a89fa5d2350f0e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1701850
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Auto-Submit: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62721}
RepresentationChanger::GetTaggedPointerRepresentation did not handle
kCompressed cases correctly for BigInts. This led to a crash of BigInt
benchmarks in js-perf-test.
Bug: v8:9407
Change-Id: Id1d60a81afc528c8d4180bd5de9d237f2f0abd0a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1701848
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62718}
The bytecode graph builder may insert additional jumps for the
SwitchOnGeneratorState bytecode and for loop headers. This plays into
what the graph builder considers dead/alive. We want the serializer to
process all the bytecodes that the graph builder will process, so the
serializer needs to do something similar.
Bug: v8:7790
Change-Id: I1f1d51f4a8951149e365b3c998cef7f613bb4953
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1647694
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62712}
When --concurrent-inlining is on, run bytecode analysis for all relevant
functions at serialization time, and store the results in the broker.
Change bytecode analysis such that running it for OSR produces information
that subsumes the non-OSR case. This lets us avoid doing and storing two
analyses for the top-level function in case we do OSR and the function
gets inlined into itself.
Bug: v8:7790
Change-Id: I7d5df0b2652e6e5c758c85578e51b4f8d041b0d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1690959
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62711}
The object itself is already decompressed, and we're simply re-decompressing by
nuking the upper bits through sign extension.
Additionally this CL changes the branchless decompression sequence on x64 to be
cmov-based since that's shorter and faster. It's still slower than branchful
though, so we likely won't use it.
Change-Id: Ie6f9d38fb390b7300a236bf85d0db58d1ee959b0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1701842
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62708}
... by making them const or converting them to pointers.
Bug: v8:9429
Change-Id: If4a7832944f5dc35cec04c11087499a552a7469a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1700073
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62705}
This CL introduces new non-speculative operators BigIntAdd
and BigIntNegate. Instead of keeping speculative operators
until effect-control-linearization phase, they are now lowered
to non-speculative variants in the simplified lowering and
surrounded by the necessary checks. This adapts BigInt operators
to the common style of other operators (like Numbers).
Bug: v8:9407
Change-Id: I89ea7aef0d78c67b103971f8f63525b196ad3c0c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1695467
Commit-Queue: Nico Hartmann <nicohartmann@google.com>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62699}
This CL adds a speculative operator for BigInt negation that is
lowered to the respective builtin call and is optimized to native
64 bit machine operations if truncated. In particular, this change
allows negative BigInt constants (e.g. -5n) to be lowered.
Bug: v8:9407
Change-Id: Ia98fd6dee18a31ce56efbe537f4352b1582539e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1695463
Commit-Queue: Nico Hartmann <nicohartmann@google.com>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62684}
The code generated for ChangeUint64ToBigInt in the
EffectControlLinearizer did not initialize the optional padding
field of newly allocated BigInts. This padding field is present
on 64 bit builds without pointer compression enabled. This CL
fixes this by 0-filling the padding field if present.
Bug: v8:9407
Change-Id: I511e163e676dc966a3eb6dfb92b5065e36329225
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1695464
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@google.com>
Cr-Commit-Position: refs/heads/master@{#62683}
The bytecode graph builder currently creates the tagged template if
it hasn't yet been done. This CL moves that work to serialization time.
Bug: v8:7790
Change-Id: I9571c5ad2f553584869056fb0cf501e03563d6f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1687670
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62681}
