Introduces a new VariableLocation MODULE for variables that live in a
module's export table. Scope analysis sets this for the approriate variables.
Not yet supported by any backend.
Also, treats all imports as CONST bindings (including namespace imports), rather
than having new special variable modes.
BUG=
Review-Url: https://codereview.chromium.org/2199283002
Cr-Commit-Position: refs/heads/master@{#38426}
Pass in zone() explicitly to SloppyBlockFunctionMap::Declare and VariableMap::Declare instead.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2223773002
Cr-Commit-Position: refs/heads/master@{#38424}
The outer scope of the scope we are compiling doesn't need analysis. Either we're compiling top-level code in which case there is no outer scope. Or we are compiling code at the top-level (eval, function, module), and there won't be anything to resolve in the outer scope. Lastly we could also be compiling with a deserialized scope. In that case the outer scope is already resolved.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2224593002
Cr-Commit-Position: refs/heads/master@{#38419}
Introduce a dedicated MaybeGrowFastElements simplified operator, which
tries to grow a fast elements backing store for a given element that
should be added to an array/object. Use that to lower a growing keyed
store to a sequence of
1) check index is a valid array index,
2) check stored value,
3) maybe grow elements backing store (and deoptimize if it would
normalize), and
4) store the actual element.
The actual growing is done by two dedicated GrowFastDoubleElements
and GrowFastSmiOrObjectElements builtins, which are very similar to
the GrowArrayElementsStub that is used by Crankshaft.
Drive-by-fix: Turn CopyFixedArray into CopyFastSmiOrObjectElements
builtin, similar to the new growing builtins, so we don't need to
inline the store+write barrier for the elements into all optimized
code objects anymore.
Also fix a bug in the OperationTyper for NumberSilenceNaN, which was
triggered by this change.
BUG=v8:5272
Review-Url: https://codereview.chromium.org/2227493002
Cr-Commit-Position: refs/heads/master@{#38418}
Up until now "-0.0 - x" was lowered in the instruction selector. I moved
the lowering now to the MachineOperatorReducer.
I did not remove the lowering from the instruction selector yet, I would
prefer to do that in a separate CL.
R=bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2226663002
Cr-Commit-Position: refs/heads/master@{#38417}
Properly figure out NaN and -0 cases even for non-integer inputs. This
helps to reduce the number of checks we have to perform in case we try
to go back to int32 after a floating point operation.
R=epertoso@chromium.org
Review-Url: https://codereview.chromium.org/2221863002
Cr-Commit-Position: refs/heads/master@{#38415}
Reason for revert:
We can revert this now that it's landed on 5.3.
Original issue's description:
> Fix an OOB read through CallSite.GetFunctionName
>
> The func_index parameter passed to GetWasmFunctionNameFromTable can be
> user-controlled through the CallSite constructor. Catch out-of-bounds
> reads and return null as the function name in such cases.
>
> This applies to the 5.3 branch and will be reverted on TOT in a bit.
>
> BUG=632965
>
> Committed: https://crrev.com/8592c450a68581d7257c1b2002983c0092cd749a
> Cr-Commit-Position: refs/heads/master@{#38276}
TBR=ahaas@chromium.org,yangguo@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=632965
Review-Url: https://codereview.chromium.org/2225773002
Cr-Commit-Position: refs/heads/master@{#38414}
Properly figure out NaN and -0 cases even for non-integer inputs. This
helps to reduce the number of checks we have to perform in case we try
to go back to int32 after a floating point operation.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2227533002
Cr-Commit-Position: refs/heads/master@{#38413}
Reason for revert:
Leaks block chromium roll:
https://codereview.chromium.org/2219083003/
Example build:
https://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_asan_rel_ng/builds/205435
You can add the trybot from tryserver.chromium.linux, linux_chromium_asan_rel_ng, on reland.
Original issue's description:
> [Reland][Tracing] Embed V8 runtime call stats into tracing.
>
> Currently we have V8 RuntimeCallStats that is independently from tracing when
> running d8 with flag --runtime_call_stats. This patch embeds V8 runtime call
> stats into tracing, by having a global table of runtime call counters each
> isolate, resetting the table each time we enter a top level trace event, and
> dumping the table for each top level trace event. This will make trace file more
> compat, as well as enable runtime call stats in tracing system.
>
> This patch adds ~5% overhead to V8 when the category is enabled, we measure the
> overhead by running a script when category is enabled.
>
> BUG=v8:5089
>
> Committed: https://crrev.com/d014866173eaa2b548c566217b2c94b1d49385fa
> Committed: https://crrev.com/1ca3b73bba4a7253ca8eeef39321d70e7d414331
> Committed: https://crrev.com/3f936a5b17754783e92d2146eaf66c88a78ee45b
> Cr-Original-Original-Commit-Position: refs/heads/master@{#38270}
> Cr-Original-Commit-Position: refs/heads/master@{#38314}
> Cr-Commit-Position: refs/heads/master@{#38403}
TBR=cbruni@chromium.org,fmeawad@chromium.org,bmeurer@chromium.org,adamk@chromium.org,rmcilroy@chromium.org,lpy@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5089
NOTRY=true
NOPRESUBMIT=true
Review-Url: https://codereview.chromium.org/2221853002
Cr-Commit-Position: refs/heads/master@{#38412}
Introduce a dedicated NumberOperationHint enum that represents the
feedback we can use for speculative number operations.
BUG=v8:4930
Review-Url: https://codereview.chromium.org/2220573002
Cr-Commit-Position: refs/heads/master@{#38411}
Assign feedback slots in the type feedback vector for binary operations.
Update bytecode-generator to use these slots and add them as an operand
to binary operations.
BUG=v8:4280
LOG=N
Review-Url: https://codereview.chromium.org/2209633002
Cr-Commit-Position: refs/heads/master@{#38408}
AtomicNumber should make dealing with atomic counters easier. This is not the
case with size_t, as we cannot properly use the Increment() method for negative
numbers.
With this CL we can use AtomicNumber<size_t> and have proper decrements.
R=jochen@chromium.org
Review-Url: https://codereview.chromium.org/2215693002
Cr-Commit-Position: refs/heads/master@{#38407}
This patch folds --optimize-for-size flag and check for low-memory device
into Heap::ShouldOptimizeForMemoryUsage() predicate.
It has the following side effects:
- the heap growing factor for low-memory devices is capped at 1.3 (old value was 2.0).
- the memory reducer will be more aggressive for low-memory devices.
BUG=chromium:634900
Review-Url: https://codereview.chromium.org/2218703004
Cr-Commit-Position: refs/heads/master@{#38406}
- Don't read .constructor when returning a Promise from an async function.
Instead, call out to the internals of Promise.resolve directly.
This is done by adding back in an "optimization" from an earlier form of
the async/await code written by Caitlin Potter.
- Async functions always return a new Promise with a distinct identity,
even if they simply return another Promise.
R=caitp@igalia.com
BUG=v8:4483
Review-Url: https://codereview.chromium.org/2219623002
Cr-Commit-Position: refs/heads/master@{#38404}
Currently we have V8 RuntimeCallStats that is independently from tracing when
running d8 with flag --runtime_call_stats. This patch embeds V8 runtime call
stats into tracing, by having a global table of runtime call counters each
isolate, resetting the table each time we enter a top level trace event, and
dumping the table for each top level trace event. This will make trace file more
compat, as well as enable runtime call stats in tracing system.
This patch adds ~5% overhead to V8 when the category is enabled, we measure the
overhead by running a script when category is enabled.
BUG=v8:5089
Committed: https://crrev.com/d014866173eaa2b548c566217b2c94b1d49385fa
Committed: https://crrev.com/1ca3b73bba4a7253ca8eeef39321d70e7d414331
Review-Url: https://codereview.chromium.org/2187693002
Cr-Original-Original-Commit-Position: refs/heads/master@{#38270}
Cr-Original-Commit-Position: refs/heads/master@{#38314}
Cr-Commit-Position: refs/heads/master@{#38403}
Reason for revert:
asan failures are caused by a flaky stack-verflow (see https://codereview.chromium.org/2218033002 for a fix).
Original issue's description:
> Revert of [api] Clean up scopes and precheck instantiations cache (patchset #3 id:40001 of https://codereview.chromium.org/2206773003/ )
>
> Reason for revert:
> [Sheriff] Leads to mac asan failures:
> https://build.chromium.org/p/client.v8/builders/V8%20Mac64%20ASAN/builds/7835
>
> Original issue's description:
> > [api] Clean up scopes and precheck instantiations cache
> >
> > Make sure all the scopes used in api-natives.cc have inlineable constructors
> > and destructors. Additionally directly precheck the instantiations cache before
> > trying to enter the InvokeScope which sets the save_context.
> >
> > BUG=chromium:630217
> >
> > Committed: https://crrev.com/a2496b942cad524f0f3144b107936eaa9a7c9fd5
> > Cr-Commit-Position: refs/heads/master@{#38346}
>
> TBR=yangguo@chromium.org,cbruni@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:630217
>
> Committed: https://crrev.com/e1b5cb43a9b90546ff5d6cea89ba17c485e842fb
> Cr-Commit-Position: refs/heads/master@{#38356}
TBR=yangguo@chromium.org,machenbach@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:630217
Review-Url: https://codereview.chromium.org/2217353002
Cr-Commit-Position: refs/heads/master@{#38401}
This also gets rid of the pending_error_handler field on DeclarationScope which wasn't actually used.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2218083002
Cr-Commit-Position: refs/heads/master@{#38400}
The old code was using VariableMode, but that signal is both
over-pessimistic (some CONST and LET variables need no hole-initialization)
and inconsistent with other uses of the InitializationFlag enum (such
as %LoadLookupSlot).
This changes no observable behavior, but removes unnecessary hole
initialization and hole checks in a few places, including
block-scoped function declarations, super property lookups,
and new.target.
R=bmeurer@chromium.org, neis@chromium.org
Review-Url: https://codereview.chromium.org/2201193004
Cr-Commit-Position: refs/heads/master@{#38395}
ForInPrepare checked whether the receiver object was null, undefined or
converted to a JSObject. This is already done by the generated bytecode.
BUG=v8:4820
LOG=n
Review-Url: https://codereview.chromium.org/2208043002
Cr-Commit-Position: refs/heads/master@{#38394}
This extends JSNativeContextSpecialization with support for stores to
fast object/smi element backing stores that are marked as copy-on-write.
In this case we first call the CopyFixedArray builtin to take a copy of
the elements backing store, and then store the new elements back to the
object, and finally perform the actual element store.
R=epertoso@chromium.org
BUG=v8:4470
Committed: https://crrev.com/ac98ad22f049a59c48387f1bab1590f135d219c6
Review-Url: https://codereview.chromium.org/2218703003
Cr-Original-Commit-Position: refs/heads/master@{#38370}
Cr-Commit-Position: refs/heads/master@{#38392}
If we infer loop variable bounds, we need to insert a type rename node
(sigma) to make sure that simplified lowering can choose representations
consistently.
Review-Url: https://codereview.chromium.org/2222513002
Cr-Commit-Position: refs/heads/master@{#38391}
Before this change we would first load an 8/16/32-bit value from memory into a 32-bit register, then zero/sign-extend from that register to a 64-bit one. Now we replace that pattern with a single movsx/movzx.
Ported from http://crrev.com/2183923003R=bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2220483003
Cr-Commit-Position: refs/heads/master@{#38388}
Benedikt, do you think we could also provide these operators on mips,
maybe by expanding them to "-0.0 -x"? If mips can provide these operators,
then we could make Float64Neg and Float32Neg real operators and not just
OptionalOperators.
R=bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2218023002
Cr-Commit-Position: refs/heads/master@{#38383}
Reason for revert:
Need to revert https://codereview.chromium.org/2216563003 - just reland rebased version
Original issue's description:
> Hook up compiler dispatcher jobs to lazy parser.
>
> The lazy parser actually parses eagerly. It's called lazy because it
> parses functions that were previously lazy parsed. D'uh.
>
> BUG=v8:5215
> R=marja@chromium.org
>
> Committed: https://crrev.com/255cc15f98507e2bba49574f4dc38c74deb0ca2c
> Cr-Commit-Position: refs/heads/master@{#38375}
TBR=marja@chromium.org,jochen@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5215
Review-Url: https://codereview.chromium.org/2211393003
Cr-Commit-Position: refs/heads/master@{#38378}
This is an experiment as far as performance is concerned. If Smi-configured
element loading directly from the dispatcher stub is fast enough, then we
can stop compiling LoadFastElementStubs (and drop the corresponding code).
Review-Url: https://codereview.chromium.org/2180273002
Cr-Commit-Position: refs/heads/master@{#38377}
Reason for revert:
Breaks tree?
Original issue's description:
> [turbofan] Add support for copy-on-write element stores.
>
> This extends JSNativeContextSpecialization with support for stores to
> fast object/smi element backing stores that are marked as copy-on-write.
> In this case we first call the CopyFixedArray builtin to take a copy of
> the elements backing store, and then store the new elements back to the
> object, and finally perform the actual element store.
>
> R=epertoso@chromium.org
> BUG=v8:4470
>
> Committed: https://crrev.com/ac98ad22f049a59c48387f1bab1590f135d219c6
> Cr-Commit-Position: refs/heads/master@{#38370}
TBR=epertoso@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4470
Review-Url: https://codereview.chromium.org/2220513002
Cr-Commit-Position: refs/heads/master@{#38376}
The lazy parser actually parses eagerly. It's called lazy because it
parses functions that were previously lazy parsed. D'uh.
BUG=v8:5215
R=marja@chromium.org
Review-Url: https://codereview.chromium.org/2220463002
Cr-Commit-Position: refs/heads/master@{#38375}
One caveat: the Crankshaft stub used to preserve callee-clobbered double
registers, which is contrary to any real platform ABI that we support. Since the
only current use of this stub is in Crankshaft, the instruction there now must
be marked as double-clobbering. This might result in a small performance
regression. However, when this stub is eventually used in TF-generated code, it
will be called from deferred code that can save doubles only on the rarely-taken
path... something that Crankshaft can't do.
BUG=chromium:608675
Review-Url: https://codereview.chromium.org/2206333003
Cr-Commit-Position: refs/heads/master@{#38371}
This extends JSNativeContextSpecialization with support for stores to
fast object/smi element backing stores that are marked as copy-on-write.
In this case we first call the CopyFixedArray builtin to take a copy of
the elements backing store, and then store the new elements back to the
object, and finally perform the actual element store.
R=epertoso@chromium.org
BUG=v8:4470
Review-Url: https://codereview.chromium.org/2218703003
Cr-Commit-Position: refs/heads/master@{#38370}
Reason for revert:
[Sheriff] Fails on nosnap debug:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosnap%20-%20debug/builds/8403
Original issue's description:
> [Interpreter] Collect type feedback for 'new' in the bytecode handler
>
> Collect type feedback in the bytecode handler for 'new' bytecode. The
> earlier cl (https://codereview.chromium.org/2153433002/) was reverted
> because that implementation did not collect allocation site feedback.
> This regressed delta blue by an order of magnitude. This implementation
> includes collection of allocation site feedback.
>
> BUG=v8:4280, v8:4780
> LOG=N
>
> Committed: https://crrev.com/9d5e6129c4c7f9cbfe81a5fad2a470f219fe137c
> Cr-Commit-Position: refs/heads/master@{#38364}
TBR=bmeurer@chromium.org,rmcilroy@chromium.org,balazs.kilvady@imgtec.com,mythria@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4280, v8:4780
Review-Url: https://codereview.chromium.org/2212343002
Cr-Commit-Position: refs/heads/master@{#38368}
This reduces peak zone memory usage by ~10% on codeload and ~5% on mandreel.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2209573002
Cr-Commit-Position: refs/heads/master@{#38367}
Changes ConstantPoolArrayBuilder to do object lookups using the location
of the handles, rather than dereferencing the handles and comparing the
objects. This also updates CanonicalHandleScope when internalizing AST
nodes to ensure that duplicate objects share the same handles and so are
only added to the constant pool once.
BUG=v8:5203
Review-Url: https://codereview.chromium.org/2204243003
Cr-Commit-Position: refs/heads/master@{#38366}
Collect type feedback in the bytecode handler for 'new' bytecode. The
earlier cl (https://codereview.chromium.org/2153433002/) was reverted
because that implementation did not collect allocation site feedback.
This regressed delta blue by an order of magnitude. This implementation
includes collection of allocation site feedback.
BUG=v8:4280, v8:4780
LOG=N
Review-Url: https://codereview.chromium.org/2190293003
Cr-Commit-Position: refs/heads/master@{#38364}
Adding new methods to the code stub assembler and interpreter
assembler to combine loading and untagging SMIs, so that on 64-bit
architectures we can avoid loading the full 64 bits and load the
32 interesting bits directly instead.
Review-Url: https://codereview.chromium.org/2183923003
Cr-Commit-Position: refs/heads/master@{#38361}
This fixes the runtime profiler to no longer assume that seeing an
optimized frame on the stack implies the underlying function is not
being interpreted when entered normally. This no longer holds with code
generated for OSR directly from bytecode (not installed on function).
R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-632800
BUG=chromium:632800
Review-Url: https://codereview.chromium.org/2208603005
Cr-Commit-Position: refs/heads/master@{#38360}
This makes sure we prevent a tier-up for function which also have an
optimized activation of OSR code on the stack. In case the OSR code
deoptimizes, it needs the bytecode to still be around.
R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-5262
BUG=v8:5262
Review-Url: https://codereview.chromium.org/2206363004
Cr-Commit-Position: refs/heads/master@{#38359}
Reason for revert:
[Sheriff] Leads to mac asan failures:
https://build.chromium.org/p/client.v8/builders/V8%20Mac64%20ASAN/builds/7835
Original issue's description:
> [api] Clean up scopes and precheck instantiations cache
>
> Make sure all the scopes used in api-natives.cc have inlineable constructors
> and destructors. Additionally directly precheck the instantiations cache before
> trying to enter the InvokeScope which sets the save_context.
>
> BUG=chromium:630217
>
> Committed: https://crrev.com/a2496b942cad524f0f3144b107936eaa9a7c9fd5
> Cr-Commit-Position: refs/heads/master@{#38346}
TBR=yangguo@chromium.org,cbruni@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:630217
Review-Url: https://codereview.chromium.org/2216903003
Cr-Commit-Position: refs/heads/master@{#38356}
We don't need to add stability dependencies on JSObject prototypes when
storing to an element, because we do the map check (and thereby guard
the elements kind) and we also properly deoptimize on holes if the array
protector is not usable.
R=verwaest@chromium.org
BUG=chromium:616709
Review-Url: https://codereview.chromium.org/2198833002
Cr-Commit-Position: refs/heads/master@{#38355}
When parsing a eagerly-parsed-but-lazily-compiled function, we
used to put some of its AST nodes into a discardable Zone. This
CL puts the function Scope, its inner Scopes and the related AST
nodes (Declarations, VariableProxys) into the temporary Zone
too. This reduces peak memory usage and enables future work to
keep the temporary Zone around for later compilation.
BUG=
Review-Url: https://codereview.chromium.org/2210243002
Cr-Commit-Position: refs/heads/master@{#38348}
Make sure all the scopes used in api-natives.cc have inlineable constructors
and destructors. Additionally directly precheck the instantiations cache before
trying to enter the InvokeScope which sets the save_context.
BUG=chromium:630217
Review-Url: https://codereview.chromium.org/2206773003
Cr-Commit-Position: refs/heads/master@{#38346}
The contract is that the method is only invoked when there are no elements on
the prototype, and this elements type forbids accessor elements. So it is safe
to limit the search to the end of the backing store.
BUG=chromium:634269, v8:5162
R=cbruni@chromium.org, mstarzinger@chromium.org
Review-Url: https://codereview.chromium.org/2209273002
Cr-Commit-Position: refs/heads/master@{#38344}
Only basic things for now, but enough, for example, to emit
mov rax, [rax+0xc]
instead of
mov rax, 0x3
mov rdx, [rdx+rax*4]
on x64.
BUG=
Review-Url: https://codereview.chromium.org/2211633003
Cr-Commit-Position: refs/heads/master@{#38338}
This adds the missing lazy bailout point when defining accessor pairs
within object literals via Runtime::kDefineAccessorPropertyUnchecked.
The runtime function in question can indeed trigger a lazy deopt due
to a DependentCode::kPrototypeCheckGroup dependency.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-633585
BUG=chromium:633585
Review-Url: https://codereview.chromium.org/2207413002
Cr-Commit-Position: refs/heads/master@{#38336}
References in code objects to new-space embedded objects have to be
recorded in a remembered set so that they get updated by the garbage
collector.
TEST=cctest/test-serialize/CodeSerializerEmbeddedObject
R=ulan@chromium.org, yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2200333004
Cr-Commit-Position: refs/heads/master@{#38335}
Compilation breaks when compiling v8 through Chromium using GYP. The isssue
started to appear after https://codereview.chromium.org/2190973003 landed.
It happens because trace_event_common.h header is on different location if we
are compiling v8 through Chromium compared to when we are compiling v8 standalone.
BUG=
Review-Url: https://codereview.chromium.org/2207943002
Cr-Commit-Position: refs/heads/master@{#38333}
This will allow for using DoParseLazy on a background thread, so we can
also parse inner functions on the background thread.
BUG=v8:5215
R=adamk@chromium.org,marja@chromium.org
Review-Url: https://codereview.chromium.org/2201423002
Cr-Commit-Position: refs/heads/master@{#38332}
This removes the ability to specify a catch prediction for exception
handler tables that are based on return addresses. The encoding for
handlers still looks the same to keep it in sync with tables based on
ranges, just no payload is stored in the respective bits.
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2205893002
Cr-Commit-Position: refs/heads/master@{#38327}
An infinite recursion can be triggered when NoSideEffectToString is
called on an error object with its name property set to itself.
BUG=633998
Review-Url: https://codereview.chromium.org/2206313002
Cr-Commit-Position: refs/heads/master@{#38325}
Use a single CheckMaps node instead of the sequence of LoadField,
ReferenceEqual and CheckIf. This also makes it easier to eliminate
the COW check if there are multiple of them in a row.
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2216453002
Cr-Commit-Position: refs/heads/master@{#38321}
port cdae865436 (r38292)
original commit message:
A corresponding flag was added as well to help us find out what breaks when we
do not clear pending exceptions on each JS entry.
BUG=
Review-Url: https://codereview.chromium.org/2212733002
Cr-Commit-Position: refs/heads/master@{#38320}
Promise.resolve
Instead of creating resolve and reject closures, directly
call ResolvePromise after creating the promise.
Using the following as a microbenchmark --
```
var b = 0;
var start = performance.now();
for (var i = 0; i < 1000000; i++) {
Promise.resolve(1).then((val) => {
b += val;
if (b == 1000000) print(performance.now() - start)
});
}
```
I see a 16.01% improvement over 5 runs with this patch.
BUG=v8:5046
Review-Url: https://codereview.chromium.org/2143553002
Cr-Commit-Position: refs/heads/master@{#38318}
Reason for revert:
Mac64 ASAN failure. https://build.chromium.org/p/client.v8/builders/V8%20Mac64%20ASAN/builds/7810/steps/Check/logs/Threading4
Original issue's description:
> [Reland][Tracing] Embed V8 runtime call stats into tracing.
>
> Currently we have V8 RuntimeCallStats that is independently from tracing when
> running d8 with flag --runtime_call_stats. This patch embeds V8 runtime call
> stats into tracing, by having a global table of runtime call counters each
> isolate, resetting the table each time we enter a top level trace event, and
> dumping the table for each top level trace event. This will make trace file more
> compat, as well as enable runtime call stats in tracing system.
>
> This patch adds ~5% overhead to V8 when the category is enabled, we measure the
> overhead by running a script when category is enabled.
>
> BUG=v8:5089
>
> Committed: https://crrev.com/d014866173eaa2b548c566217b2c94b1d49385fa
> Committed: https://crrev.com/1ca3b73bba4a7253ca8eeef39321d70e7d414331
> Cr-Original-Commit-Position: refs/heads/master@{#38270}
> Cr-Commit-Position: refs/heads/master@{#38314}
TBR=cbruni@chromium.org,fmeawad@chromium.org,machenbach@chromium.org,bmeurer@chromium.org,adamk@chromium.org,rmcilroy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5089
Review-Url: https://codereview.chromium.org/2200373003
Cr-Commit-Position: refs/heads/master@{#38315}
Currently we have V8 RuntimeCallStats that is independently from tracing when
running d8 with flag --runtime_call_stats. This patch embeds V8 runtime call
stats into tracing, by having a global table of runtime call counters each
isolate, resetting the table each time we enter a top level trace event, and
dumping the table for each top level trace event. This will make trace file more
compat, as well as enable runtime call stats in tracing system.
This patch adds ~5% overhead to V8 when the category is enabled, we measure the
overhead by running a script when category is enabled.
BUG=v8:5089
Committed: https://crrev.com/d014866173eaa2b548c566217b2c94b1d49385fa
Review-Url: https://codereview.chromium.org/2187693002
Cr-Original-Commit-Position: refs/heads/master@{#38270}
Cr-Commit-Position: refs/heads/master@{#38314}
Moves the creation of SharedFunctionInfo for function literals to the
finalization step. This is required for bytecode generation to be
performed off-thread.
BUG=v8:5203
Review-Url: https://codereview.chromium.org/2179303005
Cr-Commit-Position: refs/heads/master@{#38309}
When we do a checked conversion from Tagged or Float64 to Int32, we used
to always do a minus zero check, even if we already know that the input
cannot be minus zero. Now we actually do the check only if we have
evidence that the input might be minus zero.
R=epertoso@chromium.org
BUG=v8:4583
Review-Url: https://codereview.chromium.org/2202993005
Cr-Commit-Position: refs/heads/master@{#38308}
Avoids compiling baseline code when the function isn't able to be
optimized by crankshaft.
BUG=chromium:632289
Review-Url: https://codereview.chromium.org/2194453002
Cr-Commit-Position: refs/heads/master@{#38304}
Add a new bytecode to create a function context. The handler inlines
FastNewFunctionContextStub.
BUG=v8:4280
LOG=n
Review-Url: https://codereview.chromium.org/2187523002
Cr-Commit-Position: refs/heads/master@{#38301}
If ToObject() has thrown, do not throw another exception. The reason
this does not currently fail is that 1. Errors used to be created
through JS natives, and 2. the JSEntryStub clears any pending
exceptions. So, when calling into JS to create the new error, the old
exception was cleared.
BUG=5259
Review-Url: https://codereview.chromium.org/2208683002
Cr-Commit-Position: refs/heads/master@{#38300}
This new API function allows for setting several internal fields at once.
By avoiding crossing the API each time for setting an internal property we
can speed up the wrapper creation which has to set two fields for every new
object.
BUG=chromium:630217
Review-Url: https://codereview.chromium.org/2185963002
Cr-Commit-Position: refs/heads/master@{#38299}
A corresponding flag was added as well to help us find out what breaks when we
do not clear pending exceptions on each JS entry.
BUG=5259
Review-Url: https://codereview.chromium.org/2208663002
Cr-Commit-Position: refs/heads/master@{#38292}
So far we treated SignedSmall and Signed32 feedback the same for number
operations. However it would be beneficial to generate (a lot) less code
if we only do a Smi check on the inputs instead of doing the full Smi +
HeapNumber + conversion check that we need to do for Signed32 feedback.
R=epertoso@chromium.org
BUG=v8:4583
Review-Url: https://codereview.chromium.org/2207893002
Cr-Commit-Position: refs/heads/master@{#38290}
The helper class in question is no longer needed now that frame states
representing the "before" state is not attached to nodes anymore. They
are represented by appropriate {Checkpoint} nodes in the graph now.
R=bmeurer@chromium.org
BUG=v8:5021
Review-Url: https://codereview.chromium.org/2205243002
Cr-Commit-Position: refs/heads/master@{#38288}
In the parser, we desugar yield* with the help of a regular yield. One
particular implementation detail of this desugaring is that when the user calls
the generator's throw method, this throws an exception that we immediately
catch. This exception should not be visible to the user, but through Devtools'
"Pause on Caught Exceptions" feature it used to be.
This CL extends the type of catch predictions with a new value for such internal
exceptions and uses that for the offending try-catch statement in yield*. It
instruments the debugger to _not_ trigger an exception event in that case.
R=yangguo@chromium.orgTBR=littledan@chromium.org
BUG=v8:5218
Review-Url: https://codereview.chromium.org/2203803002
Cr-Commit-Position: refs/heads/master@{#38286}
1. Do not mark code_cache as a weak container.
2. Support layout_descriptor field.
Review-Url: https://codereview.chromium.org/2204133002
Cr-Commit-Position: refs/heads/master@{#38285}
The MachineOperatorReducer was only reducing word32 expressions of the type x << y | x >>> (32 - y) (and variants) to the equivalent Word32Ror. This CL applies the same pattern-matching logic to Word32Xor.
BUG=
Review-Url: https://codereview.chromium.org/2199323003
Cr-Commit-Position: refs/heads/master@{#38284}
Move all the typing rules for unary and binary number operations to the
OperationTyper and use them for both the regular Typer as well as the
retyper that runs as part of SimplifiedLowering.
R=epertoso@chromium.org
Review-Url: https://codereview.chromium.org/2202883005
Cr-Commit-Position: refs/heads/master@{#38283}
This completely removes the ability from nodes to point directly to the
frame state representing their eager bailout point. All nodes now either
have zero or one frame state inputs. These frame states can by now be
found via checkpoints in the graph.
R=bmeurer@chromium.org
BUG=v8:5021
Review-Url: https://codereview.chromium.org/2020323004
Cr-Commit-Position: refs/heads/master@{#38282}
This removes the frame state input representing the before-state from
nodes having any int32 bitwise operator. Lowering that inserts number
conversions of the inputs has to be disabled when deoptimization is
enabled, because the frame state layout is no longer known.
R=epertoso@chromium.org
BUG=v8:5021,v8:4746
Review-Url: https://codereview.chromium.org/2194383004
Cr-Commit-Position: refs/heads/master@{#38280}
We have a simple instantiation at hand if the new.target is from the same
context, not the other way around.
BUG=chromium:630217
Review-Url: https://codereview.chromium.org/2201113002
Cr-Commit-Position: refs/heads/master@{#38279}
Similarly to how we check whether the entered context has access to the target
context when invoking the function constructor, we should check the involved
contexts before invoking eval().
I forgot to add this in the initial CL that adds the check for the function
constructor. Move the code to a common location, and use it for the GlobalEval
builtin as well.
BUG=chromium:541703
R=verwaest@chromium.org
Review-Url: https://codereview.chromium.org/2199343002
Cr-Commit-Position: refs/heads/master@{#38277}
The func_index parameter passed to GetWasmFunctionNameFromTable can be
user-controlled through the CallSite constructor. Catch out-of-bounds
reads and return null as the function name in such cases.
This applies to the 5.3 branch and will be reverted on TOT in a bit.
BUG=632965
Review-Url: https://codereview.chromium.org/2199333002
Cr-Commit-Position: refs/heads/master@{#38276}
Reason for revert:
Sanitizer failures:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/10989/https://build.chromium.org/p/client.v8/builders/V8%20Mac64%20ASAN/builds/7786/
Original issue's description:
> [Tracing] Embed V8 runtime call stats into tracing.
>
> Currently we have V8 RuntimeCallStats that is independently from tracing when
> running d8 with flag --runtime_call_stats. This patch embeds V8 runtime call
> stats into tracing, by having a global table of runtime call counters each
> isolate, resetting the table each time we enter a top level trace event, and
> dumping the table for each top level trace event. This will make trace file more
> compat, as well as enable runtime call stats in tracing system.
>
> This patch adds ~5% overhead to V8 when the category is enabled, we measure the
> overhead by running a script when category is enabled.
>
> BUG=v8:5089
>
> Committed: https://crrev.com/d014866173eaa2b548c566217b2c94b1d49385fa
> Cr-Commit-Position: refs/heads/master@{#38270}
TBR=cbruni@chromium.org,fmeawad@chromium.org,machenbach@chromium.org,bmeurer@chromium.org,adamk@chromium.org,rmcilroy@chromium.org,lpy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5089
Review-Url: https://codereview.chromium.org/2203913004
Cr-Commit-Position: refs/heads/master@{#38275}
port a758144329 (r38231)
original commit message:
When we narrow a signed32 comparison to uint8 or uint16 representation,
we also need to change the condition to unsigned comparisons otherwise
the comparison will be done on int16/int8 which interprets the narrowed
bits wrong.
BUG=
Review-Url: https://codereview.chromium.org/2206913002
Cr-Commit-Position: refs/heads/master@{#38274}
port 5bc2439783 (r38219)
original commit message:
This will enable the interpreter to add a bytecode and use the stub.
BUG=
Review-Url: https://codereview.chromium.org/2205813002
Cr-Commit-Position: refs/heads/master@{#38271}
Currently we have V8 RuntimeCallStats that is independently from tracing when
running d8 with flag --runtime_call_stats. This patch embeds V8 runtime call
stats into tracing, by having a global table of runtime call counters each
isolate, resetting the table each time we enter a top level trace event, and
dumping the table for each top level trace event. This will make trace file more
compat, as well as enable runtime call stats in tracing system.
This patch adds ~5% overhead to V8 when the category is enabled, we measure the
overhead by running a script when category is enabled.
BUG=5089
Review-Url: https://codereview.chromium.org/2187693002
Cr-Commit-Position: refs/heads/master@{#38270}
The protocol handler generator generates these files into a default location if
not specified by flag as output. We should account for these files and
explicitly set its output location.
R=machenbach@chromium.org
Review-Url: https://codereview.chromium.org/2199253002
Cr-Commit-Position: refs/heads/master@{#38268}
Infer a more precise type even in case where NaN and/or -0 is a possible
outcome of the operation, and use this more precise type to improve code
generation for the modulus itself by trying harder to stick to Word32
operations instead of going to Float64, and also optimize the pattern
where we compare the output of x % y to some non-zero integer constant
K, in which case we can truncate the output of x % y to Word32 if the
type of x % y is Signed32/Unsigned32 \/ NaN \/ MinusZero, as NaN and
MinusZero will both be truncated to zero, which cannot match the non
zero constant K.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2202413002
Cr-Commit-Position: refs/heads/master@{#38267}
A fix would be to walk the reloc info and RecordWriteIntoCode. Doing
so, however, upsets a scavenger DCHECK.
We stumbled upon this issue because we were placing wasm objects
(fixed arrays) in NEW_SPACE, rather than OLD_SPACE. These fixed
arrays were subsequently referenced from Code objects, which were
then cloned.
The current CL ensures wasm constructs are allocated in OLD_SPACE,
by pre-tenuring them (consistent with other wasm allocations). In
addition, it adds a DCHECK for CopyCode clarifying its lack of support
for references to NEW_SPACE.
We can investigate in a subsequent CL making CopyCode more robust,
pending understanding of the Scavenger's assumptions.
BUG=
Review-Url: https://codereview.chromium.org/2201663003
Cr-Commit-Position: refs/heads/master@{#38263}
They may have once been different, but they're now redundant with
each other. This simplifies both Context::Lookup and its callers.
Review-Url: https://codereview.chromium.org/2200303002
Cr-Commit-Position: refs/heads/master@{#38261}
This was being allowed due to the use of BindingFlags instead of VariableMode
to determine whether a looked-up binding was lexical. Because function
declarations are hoisted, they never need hole checks, and so were being
miscategorized as non-lexical.
This patch augments Context::Lookup with a VariableMode out param, which
allows this check to determine precisely whether the binding is lexical.
BUG=v8:4454, v8:5256
Review-Url: https://codereview.chromium.org/2206483004
Cr-Commit-Position: refs/heads/master@{#38260}
Reason for revert:
Broke Node.js tests (test-require-dot etc.)
Original issue's description:
> Put Scopes into temporary Zone
>
> When parsing a eagerly-parsed-but-lazily-compiled function, we
> used to put some of its AST nodes into a discardable Zone. This
> CL puts the function Scope, its inner Scopes and the related AST
> nodes (Declarations, VariableProxys) into the temporary Zone
> too. This reduces peak memory usage and enables future work to
> keep the temporary Zone around for later compilation.
>
> BUG=
>
> Committed: https://crrev.com/eaebdd858b466057ccc39894a172c9b66868e8f7
> Cr-Commit-Position: refs/heads/master@{#38232}
TBR=adamk@chromium.org,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review-Url: https://codereview.chromium.org/2205013002
Cr-Commit-Position: refs/heads/master@{#38258}
This completely removes translation of exception handler predictions
from the graph IR. We now rely on the runtime using deoptimization
infomation via {FrameSummary} for predictions in optimized code.
R=bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2207533002
Cr-Commit-Position: refs/heads/master@{#38250}
We no longer need NeanderObject, the only user left was the message listener
machanism which could be replace by direct uses of FixedArrays.
BUG=chromium:630217
Review-Url: https://codereview.chromium.org/2195243003
Cr-Commit-Position: refs/heads/master@{#38249}
We cannot just blindly make a representation selection for Phi or Select
based on the truncations, but we also need to consider the type of the
inputs (or actually of the Phi/Select node itself). We can only use
Word32 representation based on Word32 truncation if the inputs are
Number or Oddball, same for Float64.
R=epertoso@chromium.org
BUG=v8:5255
Review-Url: https://codereview.chromium.org/2206553002
Cr-Commit-Position: refs/heads/master@{#38241}
This adds support for lowering keyed access to JSTypedArray objects to
element loads and stores instead of IC calls. There's still a lot of
room for improvement, but the improvements can be done incrementally
later.
We add a dedicated UnsafePointerAdd operator, which sits in the effect
chain, and does the (GC invisible) computation of addresses that are
potentially inside HeapObjects. Also there's now a dedicated Retain
operator, which ensures that we retain a certain tagged value, which is
necessary to ensure that we keep a JSArrayBuffer alive as long as we
might still potentially access elements in its backing store.
R=epertoso@chromium.org
Review-Url: https://codereview.chromium.org/2203693002
Cr-Commit-Position: refs/heads/master@{#38235}
This type is not supposed to be constructable by users. Internally, we
use CallSiteUtils::Construct to create CallSite objects; and we simply
map a thrower builtin as the public CallSite constructor.
R=yangguo@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2201823002
Cr-Commit-Position: refs/heads/master@{#38234}
This makes sure we are not inserting {OsrPoll} instructions for any
statements that are not actually loops and have no back edges. Without
back edges the {BytecodeGraphBuilder} is unable to deduce loop ranges
and hence cannot construct a graph for OSR entry.
R=neis@chromium.org
TEST=mjsunit/regress/regress-5252
BUG=v8:5252
Review-Url: https://codereview.chromium.org/2200733002
Cr-Commit-Position: refs/heads/master@{#38233}
When parsing a eagerly-parsed-but-lazily-compiled function, we
used to put some of its AST nodes into a discardable Zone. This
CL puts the function Scope, its inner Scopes and the related AST
nodes (Declarations, VariableProxys) into the temporary Zone
too. This reduces peak memory usage and enables future work to
keep the temporary Zone around for later compilation.
BUG=
Review-Url: https://codereview.chromium.org/2193793002
Cr-Commit-Position: refs/heads/master@{#38232}
When we narrow a signed32 comparison to uint8 or uint16 representation,
we also need to change the condition to unsigned comparisons otherwise
the comparison will be done on int16/int8 which interprets the narrowed
bits wrong.
R=epertoso@chromium.org
BUG=v8:5254
Review-Url: https://codereview.chromium.org/2202803003
Cr-Commit-Position: refs/heads/master@{#38231}
Use CodeStubAssembler functions instead of LoadObjectField with
the offset.
BUG=
Review-Url: https://codereview.chromium.org/2198133002
Cr-Commit-Position: refs/heads/master@{#38229}
The initialization of static variables that were used originally caused
a data race because multiple threads tried to initialize the variables
at the same time. The use of a LazyInstance guarantees that the
variables get initialized exactly once.
The same problem also existed in c-linkage.cc. There I fixed the problem
by using a local variable instead of a static variable.
BUG=v8:5242
R=titzer@chromium.org
Review-Url: https://codereview.chromium.org/2202433003
Cr-Commit-Position: refs/heads/master@{#38221}
This will enable the interpreter to add a bytecode and use the stub.
BUG=v8:4280
LOG=n
Review-Url: https://codereview.chromium.org/2177273002
Cr-Commit-Position: refs/heads/master@{#38219}
This is a temporary measure to ensure clusterfuzz crashes at two
dedicated sites until the CallSite constructor is made inaccessible from
JS.
R=yangguo@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2196263002
Cr-Commit-Position: refs/heads/master@{#38216}
introduced in https://crrev.com/72f884a19fa4434bba6fc0e013ec4ea0a2366893
The regression comes from adding the next weak field of AllocationSite
as a hidden reference into the snapshot.
Before 72f884 the reference was implicitly ignored because the body
descriptor of AllocationSite did not include it.
This patch explicitly skip the next weak field of AllocationSite.
BUG=chromium:630027
Review-Url: https://codereview.chromium.org/2189643004
Cr-Commit-Position: refs/heads/master@{#38211}
This makes the debug-only scope-name actually debug-only-allocated, replaces num_vars_ usages by variables_.occupancy, and shuffles fields around in the scope class for better packing.
This reduces sizeof(i::Scope) from 360 to 328 bytes on x64.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2201763004
Cr-Commit-Position: refs/heads/master@{#38210}
This prevents the internal store-buffer.h header to be usable outisde of
the "heap" directory. The logic inside that component is only useful
within the GC and is now properly encapsulated.
R=hpayer@chromium.org
Review-Url: https://codereview.chromium.org/2194793005
Cr-Commit-Position: refs/heads/master@{#38201}
This adds initial support to inline a couple of the ArrayBuffer view
accessors like %TypeArray%.prototype.length and.
DataView.prototype.byteLength.
R=epertoso@chromium.org
Review-Url: https://codereview.chromium.org/2199753002
Cr-Commit-Position: refs/heads/master@{#38200}
This CL fixes a long-standing bug with Object.keys where the enumerability
check was omitted if the [ownKeys] trap is not present. The only distinction the
KeyAccumulator needs is whether it collects keys for for-in (is_for_in_) or not.
ForInFilter performs a separate step to filter out non-enumerable keys later-on
while in all the other use-cases we have to filter keys.
BUG=v8:1543, v8:5250
Review-Url: https://codereview.chromium.org/2176113009
Cr-Commit-Position: refs/heads/master@{#38199}
This is another step towards lazily allocating them in the block state.
ClassLiteral should also have a lazy block-scope for the outermost scope,
but currently that doesn't work due to the parameter initializer rewriter
and minor implementation details in ignition and turbofan.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2166843003
Cr-Commit-Position: refs/heads/master@{#38196}
This removes the frame state input representing the before-state from
nodes having any shift operator. Any lowering that woult insert number
conversions of the inputs has already been disabled when deoptimization
is enabled, because the frame state layout is no longer known.
R=epertoso@chromium.org
BUG=v8:5021
Review-Url: https://codereview.chromium.org/2190743003
Cr-Commit-Position: refs/heads/master@{#38194}
Rather than finalizing after rewriting do-expressions, we rewrite in the
outer scope if the block scope was finalized. Rewriting do expressions
cannot introduce any new nodes that requires the block to stay around,
so finalizing before and after is equivalent. (Only a temporary is
introduced which always ends up in a ClosureScope)
BUG=v8:5209
R=rossberg@chromium.org, caitpotter88@gmail.com, adamk@chromium.org
Review-Url: https://codereview.chromium.org/2167713004
Cr-Commit-Position: refs/heads/master@{#38193}
Allow inlining of getters and setters into TurboFan optimized code.
This just adds the basic machinery required to essentially inline
the setter and getter dispatch code for the (keyed) load/store ICs.
There'll be follow up CLs to also actually inline some of the interesting
accessor functions itself, like the byteLength and friends for the
TypedArrays.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2198473002
Cr-Commit-Position: refs/heads/master@{#38192}
This introduces a bunch of new tests that test various aspects of
accessor inlining in TurboFan (without the actual inlining), and does
the appropriate fixes to the AstGraphBuilder. The actual inlining CL
will land separately (so we don't need to revert the tests and fixes
if the accessor CL has to be reverted).
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2197913002
Cr-Commit-Position: refs/heads/master@{#38191}
We have a similar optimization for unchecked integer modulus, which
already boosted some asm.js use cases. Now this optimization is almost
as effcient as Crankshafts known power of 2 right hand side optimization
for modulus, but it can still deal with any rhs (except 0), and doesn't
require the interpreter to also collect known power of two rhs feedback.
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2200453002
Cr-Commit-Position: refs/heads/master@{#38187}
