This patch changes the backing store of slow properties to be a
new instance type called PropertyArray.
Currently the only difference between this and a FixedArray is
the map. A future patch will change the length property to store
the hash code.
Bug: v8:5717, v8:6404
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Iaebc98f42e6d93c1392772e6f837787beb64afec
Reviewed-on: https://chromium-review.googlesource.com/539028
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46569}
Otherwise user code can produce an exception and we will crash.
R=jakob@chromium.org
Bug: chromium:736302
Change-Id: I078150909b0348a63e8c375b508e34fc4751b4ab
Reviewed-on: https://chromium-review.googlesource.com/565628
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46566}
This reverts commit 7b08031041.
Reason for revert: There's still another issue.
Original change's description:
> Reland "[compiler] Move the main pipeline's code assembly pass into the background."
>
> This is a reland of 66b54ab152
> Original change's description:
> > [compiler] Move the main pipeline's code assembly pass into the background.
> >
> > R=bmeurer@chromium.org
> >
> > Bug: v8:6048
> > Change-Id: I60bc35c02b5460416c3b0e2872fc72ebf9b808a5
> > Reviewed-on: https://chromium-review.googlesource.com/563386
> > Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> > Commit-Queue: Georg Neis <neis@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#46499}
>
> TBR=bmeurer@chromium.org
>
> Bug: v8:6048
> Change-Id: Ic841abc893c96271dc4dec7a0d19ba6a8b39164e
> Reviewed-on: https://chromium-review.googlesource.com/565140
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46563}
TBR=neis@chromium.org
Change-Id: I07ac9d44324d7cfed72531c7084bc8ba9ddef799
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6048
Reviewed-on: https://chromium-review.googlesource.com/567059
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46565}
yield* always has an argument.
R=rmcilroy@chromium.org
Bug:
Change-Id: I5d14c0db05b1e1b873831e0f5a18ec479c1399c9
Reviewed-on: https://chromium-review.googlesource.com/566816
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46564}
This is a reland of 66b54ab152
Original change's description:
> [compiler] Move the main pipeline's code assembly pass into the background.
>
> R=bmeurer@chromium.org
>
> Bug: v8:6048
> Change-Id: I60bc35c02b5460416c3b0e2872fc72ebf9b808a5
> Reviewed-on: https://chromium-review.googlesource.com/563386
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46499}
TBR=bmeurer@chromium.org
Bug: v8:6048
Change-Id: Ic841abc893c96271dc4dec7a0d19ba6a8b39164e
Reviewed-on: https://chromium-review.googlesource.com/565140
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46563}
After compiling a function, check that validation produces the same
success/error result.
R=ahaas@chromium.org
Change-Id: I617881e125dccff485f5572557b19709de488d55
Reviewed-on: https://chromium-review.googlesource.com/565722
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46561}
Change DoComputeInterpretedFrame to print the right bytecode
offset, that is, it does not use header size and object tag.
Bug:
Change-Id: Ibdd16a9d1178b4c7487164676007c6b9fdb3a33a
Reviewed-on: https://chromium-review.googlesource.com/566859
Commit-Queue: Juliana Patricia Vicente Franco <jupvfranco@google.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46558}
This fixes the lowering of Reflect.getPrototypeOf and friends to not
perform a [[ToObject]] coercion, but bailout instead. We ensure to
exclude primitive values from the lowering. This makes the lowering
uniform between "Reflect.getPrototypeOf" and "Object.getPrototypeOf".
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-740116
BUG=chromium:740116
Change-Id: If986ee2a3ae4e8f1fd227bdeb4668f523b0dea84
Reviewed-on: https://chromium-review.googlesource.com/565295
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46556}
Add support for fast
- get Map.prototype.size
- get Set.prototype.size
by porting both the baseline implementation to the CodeStubAssembler and
inlining a fast-path into TurboFan (when the compiler can infer the fact
that the receiver is a proper JSCollection from the surrounding graph,
i.e. from feedback gathered by a dominating LOAD_IC).
R=yangguo@chromium.org
Bug: v8:5269, v8:5717
Change-Id: Ie003fd2551462591273bcb8487b80808dcc6cd82
Reviewed-on: https://chromium-review.googlesource.com/566438
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46555}
Each reducer now has a virtual reducer_name function, returning its name
(the name of the class containing this reducer). This gets displayed when
using the --trace_turbo_reduction flag. Also when using this flags more
messages are displayed.
Actually when a node is replaced in-place (which is called an update
of the node), other reducers can still update it right after the
in-place replacement. When a node is really replaced (not in-place),
then we stop trying to apply reducers to it before we propagate the
reduction through the relevant nodes.
Before a message got printed only for the last reduction it went
through. So in case a node was reduced in-place several times
in a row, only the last update was printed, or none at all if after
being reduced in-place it got reduced by being replaced by another
node: only the non-in-place replacement was showed.
Now each time an in-place reduction is applied to a node, a message
gets printed.
Bug:
Change-Id: Id0f816fecd44c01d0253966c6decc4861be0c2fa
Reviewed-on: https://chromium-review.googlesource.com/563365
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Alexandre Talon <alexandret@google.com>
Cr-Commit-Position: refs/heads/master@{#46552}
Switch statements generate a counter for each clause plus a continuation
counter.
Bug: v8:6000
Change-Id: Ic55a7efda54de1152bd5283d753119aa2764afbd
Reviewed-on: https://chromium-review.googlesource.com/558249
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46550}
This generalizes the existing support for Map and Set iteration in the
CSA a bit and makes it possible to reuse the logic to implement forEach
as well. It also introduces an empty_ordered_hash_table, which is used
as a sentinel for exhausted iterators to avoid the need to deal with
undefined there as well (not observable from JavaScript).
TBR=ulan@chromium.orgR=jgruber@chromium.org
Bug: v8:5269, v8:5717
Change-Id: Ifb9ec5ecb20939aa9b7d2471537f8ccd4af04c8f
Reviewed-on: https://chromium-review.googlesource.com/565260
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46547}
This enforces that its enumeration values fit in a byte, as required
by Map's {instance_type} field (and probably other parts of the
system).
Clang helpfully emits this error message if an enum value goes out
of range:
enumerator value 256 is not representable in the underlying type 'uint8_t' (aka 'unsigned char')
Change-Id: I533cd5afc755e7163c2fd40f7b00d9adfd960895
Reviewed-on: https://chromium-review.googlesource.com/565892
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46544}
- Implement js-api changes for WebAssembly.Memory to accept a shared parameter
- Update allocation to use SharedArrayBuffers
BUG=v8:6532
R=binji@chromium.org, bradnelson@chromium.org
Change-Id: I021491217568751b06fbd7b4b08b1dd88910e21d
Reviewed-on: https://chromium-review.googlesource.com/564058
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46543}
This is a reland of 5b44ba0e34
Original change's description:
> (Reland) [parser] moved load property position after dot
>
> Currently LdaNamedProperty bytecode for expressions like a.b has position before dot. This CL moves this location after dot.
> It's important for later removing of Nop bytecodes in expressions like a.b() where a is local variable, property call and property load should have the same position.
>
> R=jgruber@chromium.org
> TBR=marja@chromium.org
>
> Bug: v8:6425
> Change-Id: I05c21ca5e018da9c432c6bc963c7a96799336d1c
> Reviewed-on: https://chromium-review.googlesource.com/562879
> Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46484}
TBR=marja@chromium.org,jgruber@chromium.org
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Bug: v8:6425
Change-Id: I5eba5fe43ad31c5c781ffcc8c604cd9c98baa57e
Reviewed-on: https://chromium-review.googlesource.com/565907
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46542}
This Cl fixes a fundamental misunderstanding when Wasm memory
histograms were added. They were added using
HISTOGRAM_MEMORY_LIST(). This macro implements aggregating memory
histograms that handle cases memory cases that are not module
specific.
The fixed memory histograms are all module specific, and are simple
histograms.
In addition, it removes field is_sync from ModuleCompiler and
WasmCompilationUnit, since the field is no longer needed to make the
fixed memory histograms synchronous.
Bug: v8:6361
Change-Id: I696109b4fd1a4aadc87a6bdbbc4b7daefd58ea51
Reviewed-on: https://chromium-review.googlesource.com/565349
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Karl Schimpf <kschimpf@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46541}
Adds missing opcodes for exception handling for the function body decoder.
Also adds error messages if the exception handling construct is not yet
functional.
Note that the previous prototype for catch and throw have been marked
as not yet functional. This was done because it doesn't model
exceptions the way the proposal suggests. Rather, they implement a
hard-coded (c++ model) of exceptions.
Bug: v8:6577
Change-Id: Ife170b9f0cb2be91b11082e43c4795ce81a427dc
Reviewed-on: https://chromium-review.googlesource.com/564138
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Karl Schimpf <kschimpf@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46540}
Modifies V8 to be able to parse the exception section (defining
exception types), when the experimental_wasm_eh flag is true.
Bug: v8:6577
Change-Id: I5d8b3fddaf5b0dec6b14ddd0992f9fb883e8dc90
Reviewed-on: https://chromium-review.googlesource.com/561757
Commit-Queue: Karl Schimpf <kschimpf@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46539}
This improves the general Array constructor call performance (w/o
usable AllocationSite feedback) in TurboFan by ~2x, i.e. for example
invoking the Array constructor like this
var a = Array.call(undefined, n);
instead of
var a = Array(n);
such that the CallIC doesn't know that it's eventually calling the
Array constructor.
It also thus changes the single argument Array constructor to always
return holey arrays. Previously the single argument case for the Array
constructor was somehow trying to dynamically detect 0 and in that case
returned a packed array instead of a holey one. That adds quite a lot
of churn, and doesn't seem to be very useful, especially since this
might lead to unnecessary feedback pollution later.
R=mvstanton@chromium.org
Bug: v8:2229, v8:5269, v8:6399
Change-Id: I3d7cb9bd975ec0e491e3cdbcf1230185cfd1e3de
Reviewed-on: https://chromium-review.googlesource.com/565721
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46538}
It's already skipped (for slowness) in debug, asan, and msan builds.
TBR=machenbach@chromium.org
Change-Id: I1d7cb38d88e621f6d14344426bc5f931b1d6ffcd
Reviewed-on: https://chromium-review.googlesource.com/565741
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46537}
In https://chromium-review.googlesource.com/c/472247/, I avoided
running DesugarLexicalBindingsInForStatement() if there were no lexical
loop variables, the function was not resumable, and the variables are
not captured by eval or a function declaration.
I think it's now possible to limit this further, and only do the more
extensive desugaring if there's a function declaration / eval() call
in the loop body. `yield` and `await` are not an issue as those loop
variables are written to the register file and not lost.
This change just removes the `is_resumable()` condition. If it passes
tests, I think it's safe.
BUG=v8:4762, v8:5460, v8:6579
Change-Id: I92d0308ad9401c1338411bc9ae9021f978803d3a
Reviewed-on: https://chromium-review.googlesource.com/563587
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46536}
concurrent marking.
The function should use relaxed store similar to other JSObject setters.
BUG=chromium:694255
Change-Id: I032f0763a5f2420d120bce976533aa0007868b97
Reviewed-on: https://chromium-review.googlesource.com/565573
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46535}
The use of double variables to store bit patterns may lead to bit flips
when the stored bit pattern is a signaling NaN (sNaN). Operations on a
sNaN variable (even just returning the variable from a function) may
turn it into a quiet NaN (qNaN), flipping the signaling bit and
affecting the information stored in the variable.
We observed this behaviour on ia32 architectures and therefore in the
simulator builds for other platforms. The use of the wrapper class
Double should prevent this behaviour.
R=ahaas@chromium.org
Change-Id: Ibd1119924a59db771fd4c250689ad9c2a35fff75
Reviewed-on: https://chromium-review.googlesource.com/562771
Reviewed-by: Jaideep Bajwa <bjaideep@ca.ibm.com>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Enrico Bacis <enricobacis@google.com>
Cr-Commit-Position: refs/heads/master@{#46533}
This unconditional check caused a lot of canary crashes and recently stable merges while not being necessary for security. For code health and maintenance of Turbofan, it should be sufficient if this is only triggered in Clusterfuzz.
Bug: chromium:726638
Change-Id: Ib58d9c18f89939164cae19223fda490addbce007
Reviewed-on: https://chromium-review.googlesource.com/557867
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46532}
That is, change to use TimedHistogram (which functions properly on
background threads).
Bug: v8:6361
Change-Id: I821fb0afea97be422786778d576683f67667c31b
Reviewed-on: https://chromium-review.googlesource.com/559769
Commit-Queue: Karl Schimpf <kschimpf@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46529}
This will allow for passing more than one variable. This is
particularly interesting for calling a method on each type in a
parameter pack, as in:
template<typename... T>
void foo(T&&... ts) {
USE(do_something(ts)...);
}
Drive-by fix: Allow to pass arbitrary types to USE, including
references. This might prevent a copy for pass-by-value.
R=ishell@chromium.org
Change-Id: I8f894d730bbcd195ed83705f98771994b4bc906f
Reviewed-on: https://chromium-review.googlesource.com/565561
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46527}
It doesn't actually matter if we have arguments to the call, we just ignore
them.
BUG=chromium:740037
Change-Id: I50600c3ee5902e7de6ac558833e3ed9cd1a9a28f
Reviewed-on: https://chromium-review.googlesource.com/565509
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46526}
Port 040fa06fb3
Port 659e8f7b5c
Bug:
Change-Id: Ie08d65ff6647f8a15127a065e7224b5b5cec09a4
Reviewed-on: https://chromium-review.googlesource.com/558294
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46525}
Pass --gerrit explicitly to be resiliant to possible rollbacks of the Gerrit
switch.
This'll also enforce using Gerrit on older release branches when using
the release tools for cherry-picking.
NOTRY=true
TBR=hablich@chromium.org
Bug: chromium:685318
Change-Id: If60784b4c804f38ca36649ac4b2e62209d7cf729
Reviewed-on: https://chromium-review.googlesource.com/565415
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46523}
The CL introducing optimizations in memory load/store helper,
https://chromium-review.googlesource.com/c/552119/, caused several
failures on r6 builders. The problem was in Sdc1 macro instruction where
address in at register was overwritten before being used. Also in debug
mode a DCHECK was failing because an incorrect type was used.
BUG=
Change-Id: If38f9dfbbe2e72dfce05c24f7b6019060ef28334
Reviewed-on: https://chromium-review.googlesource.com/565297
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Commit-Queue: Miran Karić <Miran.Karic@imgtec.com>
Cr-Commit-Position: refs/heads/master@{#46521}
