Simple transitions are now stored in a map's "transitions" field (as a WeakCell wrapping the target map); full TransitionArrays are used when that's not sufficient.
To encapsulate these storage format implementation details, functions for manipulating and querying transitions have been refactored to be static functions on the TransitionArray class, and take maps as inputs.
Review URL: https://codereview.chromium.org/980573002
Cr-Commit-Position: refs/heads/master@{#27029}
We now have BreakLocation::Iterator to iterate via RelocIterator, and
create a BreakLocation when we are done iterating. The reloc info is
stored in BreakLocation in a GC-safe way and instantiated on demand.
R=ulan@chromium.org
BUG=v8:3924
LOG=N
Review URL: https://codereview.chromium.org/967323002
Cr-Commit-Position: refs/heads/master@{#26983}
This reverts commit b57be748b1 and
disables the test/mjsunit/debug-clearbreakpointgroup.js because
BreakLocationIterator::ClearBreakPoint is already broken for unrelated reasons (see v8:3924).
BUG=v8:3877
LOG=N
TEST=cctest/test-heap/Regress3877
Review URL: https://codereview.chromium.org/957373002
Cr-Commit-Position: refs/heads/master@{#26893}
Reason for revert:
Breaks test/mjsunit/debug-clearbreakpointgroup.js on arm64.debug.
Original issue's description:
> Fix memory leak caused by field type in descriptor array.
>
> When a field type is a map, it is wrapped in a weak cell upon storing to the descriptor array.
>
> Map::GetFieldType(i) does the unwrapping.
>
> BUG=v8:3877
> LOG=N
> TEST=cctest/test-heap/Regress3877
>
> Committed: https://crrev.com/77d3ae0e119893ac8d34ea6ca090cddd5bbf987e
> Cr-Commit-Position: refs/heads/master@{#26879}
TBR=verwaest@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3877
Review URL: https://codereview.chromium.org/960103003
Cr-Commit-Position: refs/heads/master@{#26883}
When a field type is a map, it is wrapped in a weak cell upon storing to the descriptor array.
Map::GetFieldType(i) does the unwrapping.
BUG=v8:3877
LOG=N
TEST=cctest/test-heap/Regress3877
Review URL: https://codereview.chromium.org/955063002
Cr-Commit-Position: refs/heads/master@{#26879}
When the property is not found on the [[HomeObject]] prototype chain
then we should do a [[DefineOwnProperty]] on the instance.
BUG=v8:3330
LOG=N
Review URL: https://codereview.chromium.org/934463003
Cr-Commit-Position: refs/heads/master@{#26754}
Additionally handlify the "transition" field so that GC can stop caring about it.
BUG=
Review URL: https://codereview.chromium.org/935033003
Cr-Commit-Position: refs/heads/master@{#26718}
Previous approach for property reconfiguration was to create a free-floating map with generalized representations of all fields. This patch does it right.
When property is reconfigured either by changing its kind (kData <-> kAccessor) or its attributes it implies creation of a new branch in transition tree. If such a branch already existed before reconfiguration then it should be merged with the old (or source) branch of the transition tree. Merging procedure includes all the heavy machinery such as property location changes (kDescriptor -> kField), field representation/field type generalization, map deprecation, etc.
Review URL: https://codereview.chromium.org/888623002
Cr-Commit-Position: refs/heads/master@{#26667}
With the new ES6 semantics super construct calls are only valid in
a constructor in a derived class. This is something that is
statically known and we report early SyntaxError in case it occurs.
We therefore do not need to track this any more.
BUG=v8:3330
LOG=N
R=dslomov@chromium.org, adamk
Review URL: https://codereview.chromium.org/924123002
Cr-Commit-Position: refs/heads/master@{#26644}
It doesn't do anything for now, but it implies strict mode. Added tests to
test-parsing.cc to test that.
BUG=
Review URL: https://codereview.chromium.org/898983002
Cr-Commit-Position: refs/heads/master@{#26460}
The first try failed because I needed to make a better distinction
between clearing ICs according to policy at GC time or unconditional
clearing (say, via %ClearFunctionTypeFeedback).
It was also blocked by an issue in super constructor calls.
This fix (https://codereview.chromium.org/892113002/) needs to land
before checking in this CL.
R=ulan@chromium.org
Review URL: https://codereview.chromium.org/866493003
Cr-Commit-Position: refs/heads/master@{#26420}
This enables adding more language modes in the future.
For maximum flexibility, LanguageMode is a bitmask, so we're not restricted to
use a sequence of language modes which are progressively stricter, but we can
express the language mode as combination of features.
For now, LanguageMode can only be "sloppy" or "strict", and there are
STATIC_ASSERTS in places which need to change when more modes are added.
LanguageMode is a bit like the old LanguageMode when "extended" mode was still
around (see https://codereview.chromium.org/8417035 and
https://codereview.chromium.org/181543002 ) except that it's transmitted through
all the layers (there's no StrictModeFlag).
BUG=
Review URL: https://codereview.chromium.org/894683003
Cr-Commit-Position: refs/heads/master@{#26419}
In DevTools we need one more flag for script origin - is debugger script. We already have "is shared origin" flag. The new flag added by analogy with the old but new has accessor in script object.
R=yurys@chromium.org
Review URL: https://codereview.chromium.org/879553002
Cr-Commit-Position: refs/heads/master@{#26324}
This solves an issue with the custom startup snapshot, in cases where
deserializing the isolate requires more than one page per space.
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/876613002
Cr-Commit-Position: refs/heads/master@{#26285}
Along the way:
- Thread isolate parameter explicitly through code that used to
rely on getting it from the zone.
- Canonicalize the parameter position of isolate and zone for
affected code
- Change Hydrogen New<> instruction templates to automatically
pass isolate
R=mstarzinger@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/868883002
Cr-Commit-Position: refs/heads/master@{#26252}
This method circumvented JS semantics, and should not be used.
BUG=
Review URL: https://codereview.chromium.org/854493004
Cr-Commit-Position: refs/heads/master@{#26157}
This is not needed anymore since all ICs use weak cells to embed maps.
BUG=v8:3629
LOG=N
Review URL: https://codereview.chromium.org/817223003
Cr-Commit-Position: refs/heads/master@{#25928}
There are no users of this infrastructure yet, so it's behind an off-by-default flag.
Review URL: https://codereview.chromium.org/768633002
Cr-Commit-Position: refs/heads/master@{#25829}
This completes the first round of optimizations for Map and Set.
All non-key-dependent methods now have a Hydrogen version, and
for keyed methods, string versions are optimized.
Review URL: https://codereview.chromium.org/796503002
Cr-Commit-Position: refs/heads/master@{#25763}
They both now run fast (due to utilizing transitions instead of always
creating new maps) and sealed or non-extensible objects can stay in
fast mode after transitioning.
This almost entirely reuses the code for transitioning objects
frozen by Object.freeze(), with the added benefit of freeing
up a bit on the map (we no longer keep track of frozen-ness,
as that bit wasn't used for anything interesting).
BUG=v8:3662,chromium:115960
LOG=y
Review URL: https://codereview.chromium.org/776143005
Cr-Commit-Position: refs/heads/master@{#25759}
This was previously landed in commit 8599f5f, but failed the
collections mjsunit test on ia32 with --deopt-every-n=1. The fixed
patch adds a ClearFlag(HValue::kCanOverflow) call after every
arithmetic operation, which should remove all the deopt points in these
intrinsics.
Ideally, it seems like there should be a way to verify that there are
no deopt points for these inline optimized functions, since there's
nothing to deopt to. But I don't currently know of such a thing.
Review URL: https://codereview.chromium.org/782073002
Cr-Commit-Position: refs/heads/master@{#25715}
When compiling with the macro DCHECK_ALWAYS_ON defined, DCHECKs and
supporting code gets compiled and enabled.
This increases test coverage for chromium release buildbots
BUG=v8:3731
R=jkummerow@chromium.org
LOG=y
Review URL: https://codereview.chromium.org/760213005
Cr-Commit-Position: refs/heads/master@{#25701}
Reason for revert:
Deopt fuzzer reports that something's still broken, reverting until
I can create a minimal repro.
Original issue's description:
> Optimize add/set/delete operations for string keys in Maps and Sets
>
> This was previously landed in commit 66e2f60, but failed the
> collections mjsunit test with --deopt-every-n=1 due to a typo
> in the shrinking code. This patch corrects and simplifies the
> shrinking logic, and the tests now pass.
>
> R=dslomov@chromium.org
>
> Committed: 8599f5f047TBR=dslomov@chromium.org
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/742353006
Cr-Commit-Position: refs/heads/master@{#25696}
This was previously landed in commit 66e2f60, but failed the
collections mjsunit test with --deopt-every-n=1 due to a typo
in the shrinking code. This patch corrects and simplifies the
shrinking logic, and the tests now pass.
R=dslomov@chromium.org
Review URL: https://codereview.chromium.org/777663003
Cr-Commit-Position: refs/heads/master@{#25695}
This combines Map::DoneInobjectSlackTracking and Map::ConstructionCount into one more generic 4-bit counter.
Counter values from 15 down to 8 are used for in-object slack tracking, values from 7 down to 0 are free to be used for a new counter when in-object slack tracking is inactive.
Review URL: https://codereview.chromium.org/767253002
Cr-Commit-Position: refs/heads/master@{#25689}
Reason for revert:
Caused test failures in mjsunit/es6/collections with --deopt-every-n-times=1
Original issue's description:
> Optimize add/set/delete operations for string keys in Maps and Sets
TBR=dslomov@chromium.org,arv@chromium.org
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/777233003
Cr-Commit-Position: refs/heads/master@{#25670}
This relands macroassembler instructions and weak cell caching and
does not include parts that caused "Linux ASan LSan" test failures.
BUG=v8:3663
LOG=N
Review URL: https://codereview.chromium.org/764003003
Cr-Commit-Position: refs/heads/master@{#25615}
Previously, a separate string to be hashed (in order to help determine the need to
use a cached Template Call Site) was built up by joining UTF8 spans within a template.
Now, the hash key is generated from the original spans, removing the need to allocate a new
buffer and copy bytes into it.
BUG=
Review URL: https://codereview.chromium.org/765473006
Cr-Commit-Position: refs/heads/master@{#25549}
This is needed for 64bit alignment sensitive platforms (PowerPC)
Exposed bugs with new GC compare and swap changes updating the
field.
Example failing test:
out/ppc64.debug/cctest test-decls/ExistsInPrototype
BUG=
Review URL: https://codereview.chromium.org/740443002
Cr-Commit-Position: refs/heads/master@{#25472}
This generalization caused unnecessary map deprecation when the transition tree of the split map is full.
BUG=chromium:431807
LOG=N
Review URL: https://codereview.chromium.org/736953003
Cr-Commit-Position: refs/heads/master@{#25427}
Revert "Fix for an assertion failure in Map::FindTransitionToField(...). Appeared after r25136."
This revert is made in order to revert r25099 which potentially causes renderer hangs.
R=verwaest@chromium.org
Review URL: https://codereview.chromium.org/722873004
Cr-Commit-Position: refs/heads/master@{#25332}
This implements correct semantics for "extensible" top level lexical scope.
The entire lexical scope is represented at runtime by GlobalContextTable, reachable from native context and accumulating global contexts from every script loaded into the context.
When the new script starts executing, it does the following validation:
- checks the GlobalContextTable and global object (non-configurable own) properties against the set of declarations it introduces and reports potential conflicts.
- invalidates the conflicting PropertyCells on global object, so that any code depending on them will miss/deopt causing any contextual lookups to be reexecuted under the new bindings
- adds the lexical bindings it introduces to the GlobalContextTable
Loads and stores for contextual lookups are modified so that they check the GlobalContextTable before looking up properties on global object, thus implementing the shadowing of global object properties by lexical declarations.
R=adamk@chromium.org, rossberg@chromium.org
Review URL: https://codereview.chromium.org/705663004
Cr-Commit-Position: refs/heads/master@{#25220}
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@25220 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
After r24737 pointer updating is done by atomic operations which strictly
require target address to be 8-byte alignment on MIPS64.
The alignment is broken on 64-bit arches because InstructionSize is first field
and has Int size.
Order of fields in object layout are changed to make kNextCodeLinkOffset
divisible by 8. The size of code object header remains the same.
TEST=cctest/test-debug/* on MIPS64
BUG=
R=jkummerow@chromium.org, paul.lind@imgtec.com
Review URL: https://codereview.chromium.org/682673002
Cr-Commit-Position: refs/heads/master@{#24914}
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24914 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Private symbols we create in the heap don't have names, but we can
resolve them to a constant string.
This gives handy debugger output like:
(gdb) job 0x2020c67d
0x2020c67d: [Symbol]
- hash: 547385396
- name: 0x20208091 <undefined> (uninitialized_symbol)
- private: 1
- own: 1
$7 = void
(gdb)
or with ShortPrint() in an array:
...
[5]: 0x2020c67d <Symbol: 547385396 (uninitialized_symbol)>
...
Printing help for internal symbols
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/677633003
Cr-Commit-Position: refs/heads/master@{#24869}
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24869 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Each time a transition is added to a hidden class, the whole
transitions array must be copied, which causes poor performance
in some circumstances. This change limits the maximum size of
the transition array, avoiding this behavior in the pathological
case. For example, this improves the performance of the EtchMark
benchmark by nearly 60%.
BUG=v8:3616
LOG=
R=verwaest@chromium.org, svenpanne@chromium.org
Review URL: https://codereview.chromium.org/635883003
Patch from Kevin M. McCormick <mckev@amazon.com>.
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24857 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Added a new %HasComplexElements runtime function (meaning elements that are
non-writable, non-configurable, or have getters and setters) and use it
in UseSparseVariant to filter out cases where the sparse optimizations
can cause V8 to fall out of spec compliance.
Renamed SmartMove/SmartSlice to SparseMove/SparseSlice and guarded them
with the new and improved UseSparseVariant.
These two changes combine let us pass nearly every test in bug-2615.js,
as well as fixing reverse and join on sparse arrays.
Note that there are various test changes in this patch that correct existing
tests to match the correct-by-spec behavior.
This patch depends on https://codereview.chromium.org/666883009, which
better-aligns the behavior of SmartMove with SimpleMove.
BUG=v8:2615,v8:3612,v8:3621
LOG=y
R=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/656423004
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24855 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This adds flags in Scope to track wheter a Scope uses "this" and,
"arguments". The information is exposed via Scope::uses_this(),
and Scope::uses_arguments(), respectively. Flags for tracking
usage on any inner scope uses are available as well via
Scope::inner_uses_this(), and Scope::inner_uses_arguments().
Knowing whether scopes use "this" and "arguments" will be handy
to generate the code needed to capture their values when generating
the code for arrow functions.
BUG=v8:2700
LOG=
R=rossberg@chromium.org
Review URL: https://codereview.chromium.org/422923004
Patch from Adrian Perez de Castro <aperez@igalia.com>.
git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24663 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
