Commit Graph

56764 Commits

Author SHA1 Message Date
Ross McIlroy
eab992fd40 [cleanup] Add %PrepareForOptimization to some more mjsunit tests.
Bug=v8:8801,v8:8394,v8:9183

Change-Id: I9d88d2aa2b261b0f8df83dd6075b68cbc626161f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1660476
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62172}
2019-06-14 11:34:28 +00:00
Simon Zünd
f16f0bccad [stack-trace] Change column number for wasm frames to module offset
The CL https://crrev.com/c/1646846 changed column numbers for Wasm
frames in Error.stack traces. Instead of using the offset relative to
the beginning of the function, the absolute offset inside the module
is displayed as hex.

This CL propagates that change to the StackTrace C++ API, so
StackFrame::GetColumn() also returns the absolute offset. Note that the
StackFrame API historically uses "0" to signal "no information", so the
line and column numbers for Wasm frames are also adjusted to 1-based,
even though they signify function index and absolute offset
into the module.

This CL does not touch Script::PositionInfo.column. That field still
contains the offset relative to the function start.

Bug: v8:8742
Change-Id: If4fd37fa681c7ebd0823ce0d95eccc1335c35272
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655300
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62171}
2019-06-14 11:33:18 +00:00
Dan Elphick
7b48dd55e1 [builtins] Make ContinueToBuiltinHelper skip off-heap builtin trampolines
This changes Generate_ContinueToBuiltinHelper to generate code to load
the builtin address directly from the builtins table rather than going
via the executable code in the trampoline's code object.

The set up for Generate_ContinueToBuiltinHelper is changed so that the
builtin index is stored on the stack in place of the builtin Code
object which is no longer needed.

Bug: v8:9338
Change-Id: I83f66af99fb27f131fc39ff426fdca4b1d674b70
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648155
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62170}
2019-06-14 11:24:58 +00:00
Andreas Haas
76d33a174e [cleanup] Add PrepareFunctionForOptimization to regression tests(2)
R=mythria@chromium.org

Bug: v8:9183
Change-Id: Ia534816b460eaf005a0017afeb2d55ccb3402a37
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1660473
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62169}
2019-06-14 10:56:48 +00:00
Andreas Haas
054af8477c [cleanup] Add PrepareFunctionForOptimization to regression tests
R=mythria@chromium.org

Bug: v8:9183
Change-Id: Id7c29452ef6d643b59eb3252df188bf288e2de23
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1660469
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62168}
2019-06-14 09:59:20 +00:00
Jakob Kummerow
0d8945853a [wasm-c-api] Fix signature deserialization
Func::type() was broken for functions created with Func::make().

Change-Id: I2867bcf00d9e5c1488165a804598c9ca8081ff25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655648
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62167}
2019-06-14 09:03:47 +00:00
Andreas Haas
b4324bd106 [cleanup] Remove entries from .gitignore
I removed the following entries:
.d8_history - afaict, this does not exist anymore. If it exists, it
              would be in the out/ directory and thereby ignored anyways.
/hydrogen.cfg - hydrogen is no more.
/obj - this is now also in the out/ directory.
d8_g - I think this does not exist anymore, or would be in the out/
       directory.
shell - If it still exists, it would be in the out/ directory.
shell_g - same here.

NOTRY=true
R=jkummerow@chromium.org

Bug: v8:9183
Change-Id: Iadb8d2533bfdda1190ec3a31a9ca9c199e087fd5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1660468
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62166}
2019-06-14 09:02:39 +00:00
Sathya Gunasekaran
beb88c0ad3 [Weakrefs] Fix incorrect check about previous/next weakref
When iterating over the holdings inside the cleanup callback,
we could potentially unregister the weakref which is next or
prev on the key list causing these checks to be incorrect.

Bug: v8:9360, v8:8179
Change-Id: I53ea12346eb4882b16a82677b64ba2c756d23a1c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658161
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62165}
2019-06-14 08:46:34 +00:00
Simon Zünd
1c1aa818af [stack-trace] Introduce two usage counters for two CallSite API builtins
This CL introduces two usage counters for two CallSite functions in
sloppy mode:
  - getFunction()
  - getThis()

Chromium CL: https://crrev.com/c/1657902

Bug: v8:8742
Change-Id: I81e8fec48534f5932a72de86d9d21f3b370c66a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657919
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62164}
2019-06-14 05:33:51 +00:00
Yu Yin
dadb59eb42 [mips][counters] Introduce proper bottleneck for FunctionCallback.
Port ea4206556 https://crrev.com/c/1651470

Original Commit Message:

    API calls made via the CallApiCallback builtin, which is used from the
    ICs and optimized code, are currently misattributed to the wrong counter
    InvokeFunctionCallback instead of FunctionCallback. In addition we don't
    use the C trampoline when only runtime call stats are enabled, but the
    Chrome DevTools profiler is not active, which means that these calls
    will not be attrituted properly at all, and that had to be worked around
    using all kinds of tricks (i.e. disabling fast-paths in ICs when RCS is
    active and not inlining calls/property accesses into optimized code
    depending on the state of RCS).

    All of this was really brittle and only due to the fact that the central
    builtin didn't properly check for RCS (in addition to checking for the
    CDT profiler). With this fix it's now handled in a central place and
    attributed to the correct category, so user code doesn't need to worry
    about RCS anymore and can just call straight into the fast-path.

    core hand-written native code with the API callback logic.

Change-Id: I6bcc8c4d7f4642381803a8b6c8282ceb8f3d056c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1659988
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62163}
2019-06-14 04:47:42 +00:00
v8-ci-autoroll-builder
6676f570b6 Update V8 DEPS.
Rolling v8/build: afe9cbd..be4d13b

Rolling v8/buildtools: 5b97b40..8756a42

Rolling v8/buildtools/third_party/libc++/trunk: 78822a6..ad46488

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/727d7ca..e502dbc

Rolling v8/third_party/depot_tools: 374a128..bc23ca1

Rolling v8/tools/clang: fe6c647..539db7d

TBR=machenbach@chromium.org,sergiyb@chromium.org,tmrts@chromium.org

Change-Id: Icfa6b96961df31243cd0597ca0b1c8c8ee6003bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1660030
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#62162}
2019-06-14 03:56:41 +00:00
Frank Tang
96984a91ad Roll test262
https://chromium.googlesource.com/external/github.com/tc39/test262/+log/a9abd4..49eee8b

Bug: v8:7834
Change-Id: I90de157926001b8db0c7992965b9c2ee762d78ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1656055
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62161}
2019-06-14 00:56:50 +00:00
Yu Yin
10b15ba853 [mips64] Do not use optimized word32 compare on simulator.
Change-Id: I2453256c192a5b58f241c4c73a32e8d41cf55a0e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657973
Auto-Submit: Yu Yin <xwafish@gmail.com>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Yu Yin <xwafish@gmail.com>
Cr-Commit-Position: refs/heads/master@{#62160}
2019-06-14 00:55:40 +00:00
Fabrice de Gans-Riberi
18268d6f18 [fuchsia] Remove uses of ZX_VMO_*NON_RESIZEABLE.
Zircon VMOs are now created non-resizeable by default. This family of
flags is now a no-op and they will soon be removed.

Bug: chromium:973981
Change-Id: I99b5a18b9744e32ebb3f33f1a848ee9b5c51eb0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1659568
Commit-Queue: Fabrice de Gans-Riberi <fdegans@chromium.org>
Commit-Queue: Wez <wez@chromium.org>
Auto-Submit: Fabrice de Gans-Riberi <fdegans@chromium.org>
Reviewed-by: Wez <wez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62159}
2019-06-13 21:51:40 +00:00
Z Nguyen-Huu
0df0c8e3bc Optimize array.reduce, array.reduceRight to sealed, frozen object
Use FastJSArrayForRead pattern.
Add test of array.reduce, array.reduceRight for non-extensible, sealed, frozen objects similar to mjsunit/array-reduce.js

~3x perf improvement in JSTests/ObjectFreeze micro-benchmark
Before:
ArrayReduce
ArrayReduce-Numbers(Score): 0.0740
ArrayReduceRight
ArrayReduceRight-Numbers(Score): 0.0767

After:
ArrayReduce
ArrayReduce-Numbers(Score): 0.249
ArrayReduceRight
ArrayReduceRight-Numbers(Score): 0.261


Bug: v8:6831
Change-Id: I98f54f010256993fcd05bb24be968fb2d0f5c966
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1656851
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62158}
2019-06-13 19:23:50 +00:00
Maya Lekova
53cd537b3d [turbofan] Small cleanup on JSInliningHeuristic
Remove dead code and move a condition earlier, as discussed in
http://doc/1I1yzlXM79M7W5QfVjTwSSTEQsRCjdfo8cgSQXkeqlZQ#heading=h.e7x2k9l4bmi7

Bug: v8:9183
Change-Id: Iaba7233e47ee19d2be5501ce6046f3956532513c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658155
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62157}
2019-06-13 19:05:19 +00:00
Z Nguyen-Huu
7bb31d9f8a add micro-benchmark of array.reduce, array.reduceRight for frozen object
Bug: v8:6831
Change-Id: I61d4080e11e354fb47d5c79c3c26076488f3fe13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1656852
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62156}
2019-06-13 18:36:55 +00:00
Dan Elphick
0cb3f5f5b8 Fix test for lazy source positions
Disable bytecode flushing for test as it messes up lazy source
positions and the flags aren't representative anyway.

Bug: v8:8510
Change-Id: I6d5bc8dcd174a9bfc48f682518e6c62d79acb691
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658152
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62155}
2019-06-13 16:45:18 +00:00
Jakob Gruber
d61a558a23 Reland "[regexp] Move AST-to-Node code to a dedicated file"
This is a reland of 811bfbbc56

Original change's description:
> [regexp] Move AST-to-Node code to a dedicated file
>
> Prior to this CL, jsregexp contains a bunch of things that are slightly
> related but would be cleaner in separate files, including: AST-to-Node
> transformations, the compiler implementation, and a debugging printer.
>
> This CL extracts AST-to-Node transformations.
>
> Bug: v8:9359
> Change-Id: I030cfca5c40cfd72e3a7abe2188e4654cfe2277c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655303
> Auto-Submit: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62148}

Tbr: yangguo@chromium.org
Bug: v8:9359
Change-Id: I68a16086dc56c9a059547033ca8bc1e9de1080db
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658568
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62154}
2019-06-13 16:39:56 +00:00
Seth Brenith
a1462d9f07 [torque] Get rid of @noVerifier annotation on PromiseReactionJobTask
Include API-instantiated functions in the definition of Callable so
that PromiseReactionJobTask::handler can verify correctly. Also make
Callable verification stricter regarding JSProxy instances: they must
have the callable bit set.

Also update test-weak-references to use a different object type, since
FeedbackVector::optimized_code_weak_or_smi should never point to a
FixedArray.

Bug: v8:9311
Change-Id: I4242df993e381a75f5b53302fee8fd2b12e96d34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1650563
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62153}
2019-06-13 16:24:10 +00:00
Mythri A
ccb7ff7524 [ic] Turn megamorphic when storing into an array with readonly length
The store element handlers don't check if the array length is writable
before updating the length. Since this is not expected to be a common
case no need of handling this in the element handlers. Just moving to
megamorphic would be sufficient.

Bug: chromium:967104
Change-Id: I7a7f9ea768266b9ffd6289328d61d2297d455619
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658154
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62152}
2019-06-13 15:53:39 +00:00
Dan Elphick
b4be98d9db [codegen] Rename CallBuiltinPointer to CallBuiltinByIndex
Since TurboAssembler::CallBuiltinPointer actually takes the
builtin_index as input, rename the function to CallBuiltinByIndex.

Bug: v8:9183
Change-Id: I4958d96f18a48a2ec91525d80d597a35e45d5989
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657915
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62151}
2019-06-13 15:49:49 +00:00
Darius Mercadier
f4ebc67405 Add FLAG_trace_gc_freelists and _verbose version
With this flag enabled, some statistics about the oldspace's freelists
(and free/used spaced in general) are printed before and after each
major garbage collection.

It is useful to get some intuition about fragmentation and debug
freelists. (This flag helped me track down the issues fixed by CLs
1647162 and 1648476)

Additionally, the verbose version (FLAG_trace_gc_freelists_verbose)
prints the freelists of each page of old_space.

Bug: v8:9329
Change-Id: Ifa80426bf9d97ac9950459154507a585b039326d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655302
Commit-Queue: Darius Mercadier <dmercadier@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62150}
2019-06-13 15:06:04 +00:00
Leszek Swirski
ee279dc223 Revert "[regexp] Move AST-to-Node code to a dedicated file"
This reverts commit 811bfbbc56.

Reason for revert: Breaks noi18n build (https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20noi18n%20-%20debug/27201)

Original change's description:
> [regexp] Move AST-to-Node code to a dedicated file
> 
> Prior to this CL, jsregexp contains a bunch of things that are slightly
> related but would be cleaner in separate files, including: AST-to-Node
> transformations, the compiler implementation, and a debugging printer.
> 
> This CL extracts AST-to-Node transformations.
> 
> Bug: v8:9359
> Change-Id: I030cfca5c40cfd72e3a7abe2188e4654cfe2277c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655303
> Auto-Submit: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62148}

TBR=yangguo@chromium.org,jgruber@chromium.org,petermarshall@chromium.org

Change-Id: I079e15b02d73d81aef806992f324f08d7008e367
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9359
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658160
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62149}
2019-06-13 15:05:01 +00:00
Jakob Gruber
811bfbbc56 [regexp] Move AST-to-Node code to a dedicated file
Prior to this CL, jsregexp contains a bunch of things that are slightly
related but would be cleaner in separate files, including: AST-to-Node
transformations, the compiler implementation, and a debugging printer.

This CL extracts AST-to-Node transformations.

Bug: v8:9359
Change-Id: I030cfca5c40cfd72e3a7abe2188e4654cfe2277c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655303
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62148}
2019-06-13 14:40:08 +00:00
Sigurd Schneider
df13503dd3 [mjsunit] Disable newly introduced flaking test
Bug: v8:9360
Notry: true
Change-Id: Ic598601d18149bcde5660ae268e81936a3954f3c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658151
Auto-Submit: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62147}
2019-06-13 14:10:52 +00:00
Mike Stanton
6345a24072 [Turbofan] Brokerize scope info access in promise call reductions
This is a first step in eliminating heap access from a bevy of promise
reductions in js-call-reducer.cc. We begin by recognizing calls to
the affected builtins at serialization time, then serializing what
data is necessary.

Bug: v8:7790
Change-Id: Iaa1581eee730e8d3610a97c71eed635f77029455
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657921
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62146}
2019-06-13 13:36:02 +00:00
Mike Stanton
759bd180e1 [Turbofan] Brokerize the map inference class
There was a remaining TODO...

Bug: v8:7790
Change-Id: I82c65d4c1b636dbfe6f29ce35c195f4bb5ea1c08
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657927
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62145}
2019-06-13 12:55:22 +00:00
Sigurd Schneider
66412e0f55 [arm64] Fix handling of handles in assembler
Previously, the handle's location was used as a proxy for the heap
object, i.e, we put the handle into the constant pool, to avoid the
need for GC visiting the constant pool entries during code generation.
The handle locations are replaced by the corresponding heap object
when the code is copied to the heap.

This CL changes the handling in the assembler: Instead of putting
in the handle location (which is a machine word) we put in a small
index number into a table. This will be useful for putting 32bit
constants into the constant pool.

This new approach also has the advantage that ordering the
constant pool entries by value produces a deterministic order
after this change.

Change-Id: Id47d56d487a0b64d1d1504a47937c8779ee02b13
Bug: v8:7703
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648094
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62144}
2019-06-13 12:38:12 +00:00
Toon Verwaest
e79e81cdf5 [runtime] Throw RangeError if we try to get too many values or entries
Bug: chromium:973363
Change-Id: Id2e46702f73e901df5f26b764d98fb3d4f681a98
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657914
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62143}
2019-06-13 12:28:02 +00:00
Milad Farazmand
2bdbc1d33f ppc64, aix: Pass CallFrequency object by const reference to avoid value copy error.
Bug: v8:8193
GCC bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61976

Change-Id: Ia5ecf96ad409705e3d54fc77b081fc4907d0aa1e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1649711
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#62142}
2019-06-13 12:20:53 +00:00
Jakob Gruber
6d990aee80 [execution] Extract interrupt scopes and stack guard
Refactor-only, this moves interrupt scopes and stack guard code into
their own dedicated files.

Change-Id: I5723a04786a04bba31a0da54622f3cd0b926ef07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655288
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62141}
2019-06-13 12:03:52 +00:00
Tamer Tas
b9a128f751 [infra] create a builder for pointer compression without dchecks
{V8 Linux 64 - pointer compression} builder uploads dchecks enabled builds.

This CL creates a new builder that compiles V8 without dchecks enabled.

This CL uses the inverted naming predicate {without dchecks} to avoid renaming
the existing builder to {with dchecks} to avoid doing renames over multiple
repositories for a temporary builder that we'll remove after the ptr compression
merge to master.

R=sergiyb@chromium.org
CC=machenbach@chromium.org

Bug: v8:9345
Change-Id: I9e8cc1a9eb59325fd8eecc8fdcd2778b4da005c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657922
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Sergiy Belozorov <sergiyb@chromium.org>
Auto-Submit: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Sergiy Belozorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62140}
2019-06-13 11:59:12 +00:00
Pierre Langlois
b87f29e80c [tracing] Fix JSON format to mention "spaces" instead of "pages".
As shown in the commit description of https://crrev.com/c/1619763, the JSON
format was supposed to refer to a list of "spaces" and not "pages", this was a
typo.

Bug: v8:9186
Change-Id: I1a674dac8af4b27b7ee46041e8c7a533bad8e68b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657917
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#62139}
2019-06-13 11:17:27 +00:00
Mythri A
98696649d3 [ic] Remove a check on FLAG_lazy_feedback_allocation when updating caches
This check shouldn't have been there. Even with lazy feedback allocation
we still transition to pre-monomorphic from uninitialized. We could
remove pre-monomorphic states with lazy-feedback allocation but that
requires changes at several other places.

Change-Id: I8f878a83f0fe3200eb530a34a74811639dcdc153
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1634920
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62138}
2019-06-13 09:57:27 +00:00
Maya Lekova
77fa93ded9 Reland "[turbofan] Brokerize reduction of API calls"
This is a reland of ca10d2babe

Original change's description:
> [turbofan] Brokerize reduction of API calls
> 
> JSCallReducer::ReduceCallApiFunction is now heap access free.
> 
> Bug: v8:7790
> Change-Id: I5718d73589d0bed14149ef0bc084b8a6ab1b9b5b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1624792
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Michael Stanton <mvstanton@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62014}

Bug: v8:7790
Change-Id: Idc6acd18f0bf703ed072353c17471b4067ff1e61
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648236
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62137}
2019-06-13 09:09:09 +00:00
Sathya Gunasekaran
94498b45f0 [WeakRefs] Rename to KeepDuringJob, ClearKeptObjects
Align with the spec defined names.

Bug: v8:8179
Change-Id: I892a2627c7712112b47a87e7a658dc4066540482
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655654
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62136}
2019-06-13 08:57:39 +00:00
Sathya Gunasekaran
8665a710ca [WeakRefs] Make unregister spec compliant
- Return true or false, not undefined
- Check that unregister token is an object

Bug: v8:8179
Change-Id: I1a4ff7730158dba16efb552fb2f4892c8d31412c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1653120
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62135}
2019-06-13 08:48:16 +00:00
Toon Verwaest
1ff4a0c426 [runtime] Make bitfield2 immutable across named property transitions
Swap bits between bitfield2 and bitfield3 so that bitfield2 doesn't change
across named property transitions. This will allow us to share bf1/bf2 through
the descriptor array.

Change-Id: I3579ae89189ae0729cd492db1afb29cf90981f6a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657908
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62134}
2019-06-13 08:39:36 +00:00
Benedikt Meurer
44b5a52496 Reland "[ic] Fix typo in Runtime_CloneObjectIC_Miss."
This is a reland of 823795fc2b, the reason
for the revert was flushing out a bug that was now fixed independently in
https://chromium-review.googlesource.com/c/v8/v8/+/1655307

Drive-by-fix: Correct wrong offset in CloneObjectIC fast-path.

Original change's description:
> [ic] Fix typo in Runtime_CloneObjectIC_Miss.
>
> https://chromium-review.googlesource.com/1649554 introduced a typo into
> Runtime_CloneObjectIC_Miss, where it wouldn't update the IC state UNLESS
> the source map is deprecated, which is the wrong way around of course.
>
> Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343
> Change-Id: I7d6e0709e66ce4aaaf4a628d64ab801b84c8993c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655291
> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62106}

Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343
Change-Id: I763d9eeab95043bed3bc4849fc3ddcda7787169a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655651
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62133}
2019-06-13 05:49:51 +00:00
Jakob Gruber
4e3b1874dd [execution] Only take a single lock while handling interrupts
StackGuard::HandleInterrupts used to take a lock for testing and
clearing each individual interrupt bit. This CL changes that to a
single read up front.

Slight behavioral changes:

1. A TERMINATE_EXECUTION interrupt is now handled first; we
immediately exit and preserve all other interrupts (in case V8 is
later resumed).
2. Since interrupts are read once, it is no longer possible to request
an interrupt *within* HandleInterrupts that will later be processed
within the same HandleInterrupts call.
3. Stack limits are reset immediately after reading the interrupt
bits, and prior to actually processing the interrupts.

Bug: v8:9328
Change-Id: I3048bb413213d11307df49e0014b64a2b43444e0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1653115
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62132}
2019-06-13 05:41:59 +00:00
v8-ci-autoroll-builder
449de1d9f1 Update V8 DEPS.
Rolling v8/build: 4b9a126..afe9cbd

Rolling v8/buildtools: 2e18a95..5b97b40

Rolling v8/buildtools/third_party/libc++/trunk: 5938e05..78822a6

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/4d6b614..727d7ca

TBR=machenbach@chromium.org,sergiyb@chromium.org,tmrts@chromium.org

Change-Id: I3e4002f3059491dabcdc10bb2caffacfd35bcc75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657450
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#62131}
2019-06-13 03:41:59 +00:00
Z Nguyen-Huu
8e0ef9b9a0 Add fast path for proxy with preventExtensions trap
ObjectPreventExtensions and ReflectPreventExtensions are now Torque builtins (previously CPP) and the Proxy path is implemented completely in Torque while everything else calls into runtime (and is thus a bit slower than previously).

Perf improvement in micro-benchmark JSTests/Proxies
Before:
PreventExtensionsWithoutTrap-Proxies(Score): 1978
PreventExtensionsWithTrap-Proxies(Score): 739

After:
PreventExtensionsWithoutTrap-Proxies(Score): 3017
PreventExtensionsWithTrap-Proxies(Score): 2044

Bug: v8:6664
Change-Id: I6505d730cea6b0d197f6f5d0540b39056c8b763d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1652688
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62130}
2019-06-12 20:57:31 +00:00
Andrey Lushnikov
7b1f0c4f6c [heapprofiler] QueryObjects: do not return objects retained by feedback information
This was originally reported at https://github.com/GoogleChrome/puppeteer/issues/4545

R=ulan, alph

Change-Id: I5134506e56cd40e49b358cd47590913b81013b6d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1649473
Commit-Queue: Andrey Lushnikov <lushnikov@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62129}
2019-06-12 18:33:49 +00:00
Aleksei Koziatinskii
915aeab1b5 inspector: fix queryObjects when page contains JSModuleNamespace
JSModuleNamespace does not have well defined CreationContext: current
implementation of JSReceiver::GetCreationContext crashes on CHECK.

R=lushnikov@chromium.org,yangguo@chromium.org

Bug: none
Change-Id: Ie2c0bfa39117d42d81f9709c21376c177b18e5ba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1652559
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62128}
2019-06-12 18:27:19 +00:00
Z Nguyen-Huu
a26adb2b41 Optimize array.map for sealed, frozen objects
Extend same approach for FastJSArray to FastJSArrayForRead in ArrayMap builtin

~6x perf improvement in micro-benchmark JSTests/ObjectFreeze
Before:
ArrayMap
ArrayMap-Numbers(Score): 0.0887

After:
ArrayMap
ArrayMap-Numbers(Score): 0.531

Bug: v8:6831
Change-Id: I06cba44ca4c9198977c6da522b782b61f9df04fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1653732
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62127}
2019-06-12 18:13:55 +00:00
Milad Farazmand
e18b2e11be PPC/s390: [counters] Introduce proper bottleneck for FunctionCallback.
Port ea4206556e

Original Commit Message:

    API calls made via the CallApiCallback builtin, which is used from the
    ICs and optimized code, are currently misattributed to the wrong counter
    InvokeFunctionCallback instead of FunctionCallback. In addition we don't
    use the C trampoline when only runtime call stats are enabled, but the
    Chrome DevTools profiler is not active, which means that these calls
    will not be attrituted properly at all, and that had to be worked around
    using all kinds of tricks (i.e. disabling fast-paths in ICs when RCS is
    active and not inlining calls/property accesses into optimized code
    depending on the state of RCS).

    All of this was really brittle and only due to the fact that the central
    builtin didn't properly check for RCS (in addition to checking for the
    CDT profiler). With this fix it's now handled in a central place and
    attributed to the correct category, so user code doesn't need to worry
    about RCS anymore and can just call straight into the fast-path.

    core hand-written native code with the API callback logic.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I2d200be4544cf62393330bb2891b6ba6f088db68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655343
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#62126}
2019-06-12 16:59:25 +00:00
Milad Farazmand
04936d0959 PPC: Fixing the EmptyFreeListCategoriesRemoved test on pLinux and AIX
Original commit: 303ca9ac26

Change-Id: I276bc68253fe4cedecdd2a77db0e8dbbc998c1a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1652504
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#62125}
2019-06-12 16:39:56 +00:00
Z Nguyen-Huu
aff557b61b add micro-benchmark of Array.map for frozen objects
Bug: v8:6831
Change-Id: I79cd1e25ddca17f0d5026bee737cd3fde0041e85
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1653733
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62124}
2019-06-12 16:37:07 +00:00
Seth Brenith
3834c6377c [torque] Stricter object field verification, part 1
This change adjusts object initialization order for a few classes so
that the GC can never see those objects in an invalid, partially-
initialized state.

AccessorInfo: Just zeros out a few fields upon construction. This is the
simplest case.

FunctionTemplateInfo: Slightly changes the order in which fields are
set, so that the Smi field is set ahead of the call to SetCallHandler,
which can GC. Also a pretty simple case.

JSListFormat, JSPluralRules, JSRelativeTimeFormat, JSSegmenter: The spec
requires that we start with OrdinaryCreateFromConstructor, which has
observable side effects (it fetches the prototype from the new.target).
So we split JSObject::New in half: the first half does all of the user-
visible things and returns a Map, which we can pass to the second half
when we're ready to actually allocate the object.

JSTypedArray: Extends the pattern from JSListFormat into Torque code:
start with a Map and don't allocate the object until we're ready to set
all of its properties.

Bug: v8:9311
Change-Id: Id7703e8a0727ec756c774cfbb56af787658a111a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1646844
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62123}
2019-06-12 16:16:55 +00:00