As Blink needs a way to delete a property without running a script,
make Object::Delete use ENTER_V8_NO_SCRIPT if the receiver object is
not a JSProxy. Also makes Object::DeletePrivate use
ENTER_V8_NO_SCRIPT, too.
Bug: chromium:728583
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ib37959764b99a68d730d1bbc6dba410106d4f452
Reviewed-on: https://chromium-review.googlesource.com/608348
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47779}
Prior to this, AllocateJSArray would go ahead and allocate an empty
FixedArray as elements if passed any capacity that is not a compile-time
constant 0.
Things break later on since we rely on the fact that empty fixed arrays
are always canonicalize, and we use
obj.elements == empty_fixed_array_constant
interchangeably with
obj.elements.length == 0.
This CL introduces two new branches in AllocateJSArray: one if the
capacity is known to be non-zero; and another that explicitly
distinguishes between 0 and non-zero capacities.
Bug: chromium:760790
Change-Id: I7c22b19ce9ce15a46f91b0f75e6b4a1ff3a29a0f
Reviewed-on: https://chromium-review.googlesource.com/645959
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47776}
This reverts commit fbe184a602.
Reason for revert: Baseline performance test score established, re-enabling feature.
Original change's description:
> [modules] Temporarily disable IC support for namespace accesses
>
> To get a proper performance baseline after fixing the perf tests in
> https://chromium-review.googlesource.com/c/v8/v8/+/639396.
>
> This is intended to be reverted after a couple of hours.
>
> Change-Id: If36e4bfa5bd113599652f5c2016f886533af2746
> Reviewed-on: https://chromium-review.googlesource.com/639057
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47753}
TBR=adamk@chromium.org,jkummerow@chromium.org
Change-Id: Ia92e3247bc594e2fa6c937d379fa172244df2d8a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/647966
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47775}
This violates the style guide, and causes problems for jumbo builds.
R=ahaas@chromium.orgCC=mostynb@opera.com
Bug: chromium:746958
Change-Id: Ic583c41b94bfd9ecdb31a9ccadb2e842861fe7f4
Reviewed-on: https://chromium-review.googlesource.com/647710
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47774}
This required splitting wasm-run-utils.h in header and implementation,
since the anonymous namespace in wasm-run-utils.h is now gone.
This is a reasonable refactoring in itself.
R=titzer@chromium.orgCC=mstarzinger@chromium.org, mostynb@opera.com
Bug: chromium:746958
Change-Id: I0f3b30fef1865cd88eca37b69d0c3a9eb19e77ea
Reviewed-on: https://chromium-review.googlesource.com/647587
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47773}
In the BytecodeGraphBuilder we insert a SOFT deopt whenever we see an
IC whose state is UNINITIALIZED, i.e. a LOAD_IC or a STORE_IC. This
greatly reduces the size of the generated graphs (and also helps to
improve generated code quality). However for COMPARE_IC and BINARY_OP_IC
we used to stick in the generic JavaScript node instead, which does
generate code and might block optimizations because its sitting in
the effect chain. This is changed now to always SOFT deopt for
UNINITIALIZED instead, consistently with the other ICs.
Bug: v8:6760
Change-Id: I2ac7469fa86512a2fd909fdde2c6425977694811
Reviewed-on: https://chromium-review.googlesource.com/645858
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47771}
Saving/restoring only registers in the restricted set before calling
RecordWrite code stub, which prepares for turning on
`v8_enable_csa_write_barrier` on all architectures.
Bug: chromium:749486
Change-Id: I6c8ba0c1561513569218e80011673cf24c7d6127
Reviewed-on: https://chromium-review.googlesource.com/641531
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Cr-Commit-Position: refs/heads/master@{#47770}
For stack sizes and control depths, we were sometimes using uint32_t
and sometimes size_t.
This CL switches to uint32_t consistently.
R=titzer@chromium.org
Change-Id: I5ce3d63832bc926584b153cf248006cd78d77b97
Reviewed-on: https://chromium-review.googlesource.com/645861
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47769}
This CL adds support to optimize for..in in fast enum-cache mode to the
same degree that it was optimized in Crankshaft, without adding the same
deoptimization loop that Crankshaft had with missing enum cache indices.
That means code like
for (var k in o) {
var v = o[k];
// ...
}
and code like
for (var k in o) {
if (Object.prototype.hasOwnProperty.call(o, k)) {
var v = o[k];
// ...
}
}
which follows the https://eslint.org/docs/rules/guard-for-in linter
rule, can now utilize the enum cache indices if o has only fast
properties on the receiver, which speeds up the access o[k]
significantly and reduces the pollution of the global megamorphic
stub cache.
For example the micro-benchmark in the tracking bug v8:6702 now runs
faster than ever before:
forIn: 1516 ms.
forInHasOwnProperty: 1674 ms.
forInHasOwnPropertySafe: 1595 ms.
forInSum: 2051 ms.
forInSumSafe: 2215 ms.
Compared to numbers from V8 5.8 which is the last version running with
Crankshaft
forIn: 1641 ms.
forInHasOwnProperty: 1719 ms.
forInHasOwnPropertySafe: 1802 ms.
forInSum: 2226 ms.
forInSumSafe: 2409 ms.
and V8 6.0 which is the current stable version with TurboFan:
forIn: 1713 ms.
forInHasOwnProperty: 5417 ms.
forInHasOwnPropertySafe: 5324 ms.
forInSum: 7556 ms.
forInSumSafe: 11067 ms.
It also improves the throughput on the string-fasta benchmark by
around 7-10%, and there seems to be a ~5% improvement on the
Speedometer/React benchmark locally.
For this to work, the ForInPrepare bytecode was split into
ForInEnumerate and ForInPrepare, which is very similar to how it was
handled in Fullcodegen initially. In TurboFan we introduce a new
operator LoadFieldByIndex that does the dynamic property load.
This also removes the CheckMapValue operator again in favor of
just using LoadField, ReferenceEqual and CheckIf, which work
automatically with the EscapeAnalysis and the
BranchConditionElimination.
Bug: v8:6702
Change-Id: I91235413eea478ba77ace7bd14bb2f62e155dd9a
Reviewed-on: https://chromium-review.googlesource.com/645949
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47768}
This CL moves most of the logic of capturing simple stack frames from the
mentioned method into a FrameArrayBuilder class. This further encapsulates
that logic and makes it easier to refactor this code to use a callback
interface for walking the stack.
Bug:
Change-Id: Ib0b31d9eb8c4031aa64f393982889d0d02b56639
Reviewed-on: https://chromium-review.googlesource.com/645957
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47767}
After the FallThruTo in kExprEnd, the current block {c} is never
unreachable. Hence, the check for {c->unreachable} afterwards can be
removed.
In the loop case, the {TypeCheckFallThru} already adds entries for
non-existing values to the stack, so no need to {PushEndValues}.
Also, add more tests for the loop case.
R=titzer@chromium.org
Change-Id: I8737affaeed2ea663bd6ddafa36532ca9a7379bb
Reviewed-on: https://chromium-review.googlesource.com/645859
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47765}
This helps with patterns such as
((a[i] + n) + m) | 0
where we know n and m are small integers, and a[i] is a holey smi
array where we have never read a hole so far.
In that case, we still perform the additions with overflow checks
since we currently only propagate/use the truncation if the operation
outcome is in the safe-integer range (without taking feedback into
account). The problem here is that both 'n + a[i]' and '(n + a[i]) +
m' have type Union(Range(..., ...), NaN), even though the NaN will
never pass the Smi check on a[i].
This CL changes restricts the static type of
SpeculativeSafeInteger(Add|Subtract) to the safe integer range.
This is safe because we will always either truncate or use the feedback
(i.e., deopt if the inputs are not Signed32). In either case, the
result will always be in safe-integer range.
As a result, we will perform the second addition without
overflow check. Getting rid of the overflow check on the first
is done in a separate CL.
Bug: v8:5267,v8:6764
Change-Id: I27dba0fda832fc1f04477db6dd3495d5b4b2bd0b
Reviewed-on: https://chromium-review.googlesource.com/634903
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47763}
This adds support for lowering {JSCreateArguments} within outermost
frames of type {CreateArgumentsType::kMappedArguments}. It will hence
enable escape analysis to work with such objects and allow for further
optimization.
This also adds a new {NewMappedArgumentsElements} simplfied operator.
Note that escape analysis support for this new operator will be done as
a follow-up.
R=tebbi@chromium.org
Change-Id: I0e2fac25c654f796433f57b116964053b6b68635
Reviewed-on: https://chromium-review.googlesource.com/641454
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47761}
This adds an initial implementation of the DeserializeLazy builtin and
runtime function, as well as --lazy-deserialization and
--trace-lazy-deserialization feature flags.
Since lazy deserialization itself isn't implemented yet, DeserializeLazy
simply replaces itself with the appropriate builtin. The builtin_id is
loaded from the SFI, and the builtin itself is loaded from the Builtins
table.
Bug: v8:6624
Change-Id: I4ef8c3030a8cda19a086b8e569a24d97213b5ed8
Reviewed-on: https://chromium-review.googlesource.com/643289
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47757}
To get a proper performance baseline after fixing the perf tests in
https://chromium-review.googlesource.com/c/v8/v8/+/639396.
This is intended to be reverted after a couple of hours.
Change-Id: If36e4bfa5bd113599652f5c2016f886533af2746
Reviewed-on: https://chromium-review.googlesource.com/639057
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47753}
This makes several changes to SwitchStatement handling:
- Store the CaseClause list inline (as it's always allocated)
- Only rewrite with additional blocks if the Block Scope for
the switch statement isn't empty
- Use Parser::IgnoreCompletion() instead of inserting an additional
`undefined` ExpressionStatement
Bug: v8:6092
Change-Id: Ib08d0ba851dd8e78b3dc74782b8e554541e79182
Reviewed-on: https://chromium-review.googlesource.com/644176
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47751}
Since fullcodegen was removed, all baseline code runs in Ignition now,
so the code_is_interpreted parameter to FeedbackVector::ComputeCounts
is no longer needed.
Bug: v8:6409
Change-Id: I27842a4978079f8166f22db6c695b352a38e1d87
Reviewed-on: https://chromium-review.googlesource.com/646106
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47748}
... for AbstractValue and AbstractControl. This allows to access the
fields directly instead of via {interface_data}, and hence makes the code
more readable. Also, it makes AbstractValue and AbstractControl
non-templates. They are also renamed to ValueBase and ControlBase.
Unfortunately, it requires the introduction of new templates
ValueWithNamedConstructors and ControlWithNamedConstructors, in order to
provide correctly typed named constructors (we cannot define implicit
conversion from {Value,Control}Base to a subtype because of our style
guide, checked by a presubmit check).
R=titzer@chromium.org
Bug: v8:6600
Change-Id: Icb7796d040afbf92309333a03d4286fc782f8d1b
Reviewed-on: https://chromium-review.googlesource.com/643392
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47747}
We emitted rotation by 24 bits with bitwise and, but that is wrong
because the low 8 bits can wrap around and "leak" into the result.
Bug: chromium:739902
Change-Id: Id49251e89405afb1581b8c60cde808c2d8bf693d
Reviewed-on: https://chromium-review.googlesource.com/645848
Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47746}
This violated the style guide, and caused problems for jumbo builds.
R=titzer@chromium.orgCC=mostynb@opera.com
Bug: chromium:746958
Change-Id: Iaa75d444f5b5f595c54058de14b394119390921c
Reviewed-on: https://chromium-review.googlesource.com/645529
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47744}
They violate the style guide, and cause problems for jumbo builds.
This CL removes all occurrences in src/wasm except for the file
wasm-objects.cc, which is a bit more involved and will be fixed in a
separate CL.
R=titzer@chromium.orgCC=mostynb@opera.com
Bug: chromium:746958
Change-Id: If5d9c03e0d6fa364e1d21feda49773468a48fba6
Reviewed-on: https://chromium-review.googlesource.com/645707
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47743}
Except registration all calls should be dominated by actual visiation
and/or copying.
Bug:
Change-Id: Iccc58253d627ecf4b4525de5824f76c048c35150
Reviewed-on: https://chromium-review.googlesource.com/645128
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47742}
Use int instead of byte to store the source position when computing a
location based on the stack trace stored in an error object.
Also add tests, since this code path was not covered before (not even
for small position where it would have succeeded).
Also, add some comments about which positions are 0-based and 1-based.
R=titzer@chromium.org
Change-Id: I313dcd6c47b77093ced9bb687415715d04eafb97
Reviewed-on: https://chromium-review.googlesource.com/645527
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47739}
Now that the ticks are stored in the feedback vector the function
parameter to CodeStubAssembler::UpdateFeedback is unused and we
can remove it (and the need to load the closure on the use sites).
Change-Id: I60bdebd2003ab707a7ad8451d0cb2189b70fd9cf
Reviewed-on: https://chromium-review.googlesource.com/645626
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47738}
This test documents the basic behavior of the EnumCache which is shared
on the DescriptorArray.
Change-Id: Idd40670d99d81bb5e4b6161ffc47f2898ca9d2a9
Reviewed-on: https://chromium-review.googlesource.com/643297
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47735}
This reverts commit c6b153fd69.
Reason for revert: Doesn't compile on the tree.
Original change's description:
> [cctest] Add fuzz tests for generating parallel moves.
>
> These new tests are somewhat similar to the existing gap resolver tests except
> we use the code generator and eventually run the generated code. The main idea
> is to cover cases that are difficult to hit, such as move from/to slots which
> are out of range of loads and stores, but may happen nonetheless.
>
> At this time, the tests only make sure the code generator actually generated
> some code, and that this code runs. In the future, it would be great to also
> check that the moves were actually performed.
>
> Bug: v8:6553
> Change-Id: I089a25fa05b3a20649658bb8952926ab11f91d68
> Reviewed-on: https://chromium-review.googlesource.com/574850
> Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47733}
TBR=bbudge@chromium.org,danno@chromium.org,jarin@chromium.org,pierre.langlois@arm.com,bmeurer@chromium.org
Change-Id: I875ab38e039fdbf58b8f08658c391147d2ec01fa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6553
Reviewed-on: https://chromium-review.googlesource.com/645446
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47734}
These new tests are somewhat similar to the existing gap resolver tests except
we use the code generator and eventually run the generated code. The main idea
is to cover cases that are difficult to hit, such as move from/to slots which
are out of range of loads and stores, but may happen nonetheless.
At this time, the tests only make sure the code generator actually generated
some code, and that this code runs. In the future, it would be great to also
check that the moves were actually performed.
Bug: v8:6553
Change-Id: I089a25fa05b3a20649658bb8952926ab11f91d68
Reviewed-on: https://chromium-review.googlesource.com/574850
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47733}
