This doesn't support "lookup after interceptor", but that should be unnecessary by now since we have non-masking interceptors.
BUG=
Change-Id: I8650a47ab2ce6fa314de25d0c4775b5c165df179
Reviewed-on: https://chromium-review.googlesource.com/453376
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43766}
I plan to change the constructor field of maps, and instead of patching
the intrinsics all over the place, just fall back to the runtime.
R=bmeurer@chromium.org
BUG=v8:6084
Change-Id: Ie294b74ab615fd794d7fc47488e2e30e2b49b4db
Reviewed-on: https://chromium-review.googlesource.com/454616
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43765}
As the code isn't used, but would have to be ported from hand-written
assembly to CodeStubAssembler anyways, I propose to remove it and
restore it if we decide that we actually need it.
R=vogelheim@chromium.org
BUG=
Change-Id: Iffd7fc6ec534b1dd7a9144da900424355c8a7a02
Reviewed-on: https://chromium-review.googlesource.com/453461
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43763}
This is basically the minimum viable signal handler for Wasm bounds checks.
It includes the TLS check and the fine grained instructions checks. These
two checks provide most of the safety for the signal handler. Future CLs will
add code range and data range checks for more robustness.
The trap handling code and data structures are all in src/trap-handler, with
the code that actually runs in the signal handler confined to
src/trap-handler/signal-handler.cc.
This changes adds a new V8 API that the embedder should call from a signal
handler that will give V8 the chance to handle the fault first. For hosts that
do not want to implement their own signal handler, we include the option to
install a simple one. This simple handler is also used for the tests.
When a Wasm module is instantiated, information about each function is passed
to the trap handler, which is used to classify faults. These are removed during
the instance finalizer.
Several future enhancements are planned before turning this on by default.
Obviously, the additional checks will be added to MaybeHandleFault. We are
also planning to add a two-level CodeObjectData table that is grouped by
isolates to make cleanup easier and also reduce potential for contending on
a single data structure.
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5277
Review-Url: https://codereview.chromium.org/2371833007
Cr-Original-Original-Commit-Position: refs/heads/master@{#43523}
Committed: a5af7fe9ee
Review-Url: https://codereview.chromium.org/2371833007
Cr-Original-Commit-Position: refs/heads/master@{#43755}
Committed: 338622d7ca
Review-Url: https://codereview.chromium.org/2371833007
Cr-Commit-Position: refs/heads/master@{#43759}
This reverts the previous revert, commit
5a04f4fd68.
Previously reverted changes:
> Revert "[SAB] Move Atomics builtins to C++"
>
> This reverts commit 2b9840d86f.
>
> Revert "[SAB] Remove unreachable Uint8Clamped atomics paths"
>
> This reverts commit d1160fb14f.
>
> Revert "Remove tiny unit test for MinSimple/MaxSimple"
>
> This reverts commit 837760ecb7.
>
> Revert "Remove infrastructure for experimental JS natives"
>
> This reverts commit 8cfe45b6f1.
These changes were reverted to improve a perf regression on a Chrome
bot. Since then, the regression has reappeared, then disappeared again
all from seemingly unrelated changes.
BUG=v8:6033
TBR=adamk@chromium.org,hpayer@chromium.org,yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2732213005
Cr-Commit-Position: refs/heads/master@{#43758}
Reason for revert:
ASAN breakage, such as https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20ASAN/builds/19111/steps/Check/logs/grow-memory
Original issue's description:
> [wasm] Initial signal handler
>
> This is basically the minimum viable signal handler for Wasm bounds checks.
> It includes the TLS check and the fine grained instructions checks. These
> two checks provide most of the safety for the signal handler. Future CLs will
> add code range and data range checks for more robustness.
>
> The trap handling code and data structures are all in src/trap-handler, with
> the code that actually runs in the signal handler confined to
> src/trap-handler/signal-handler.cc.
>
> This changes adds a new V8 API that the embedder should call from a signal
> handler that will give V8 the chance to handle the fault first. For hosts that
> do not want to implement their own signal handler, we include the option to
> install a simple one. This simple handler is also used for the tests.
>
> When a Wasm module is instantiated, information about each function is passed
> to the trap handler, which is used to classify faults. These are removed during
> the instance finalizer.
>
> Several future enhancements are planned before turning this on by default.
> Obviously, the additional checks will be added to MaybeHandleFault. We are
> also planning to add a two-level CodeObjectData table that is grouped by
> isolates to make cleanup easier and also reduce potential for contending on
> a single data structure.
>
> BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5277
>
> Review-Url: https://codereview.chromium.org/2371833007
> Cr-Original-Commit-Position: refs/heads/master@{#43523}
> Committed: a5af7fe9ee
> Review-Url: https://codereview.chromium.org/2371833007
> Cr-Commit-Position: refs/heads/master@{#43755}
> Committed: 338622d7caTBR=ahaas@chromium.org,bradnelson@google.com,hpayer@chromium.org,jochen@chromium.org,mark@chromium.org,mseaborn@chromium.org,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5277
Review-Url: https://codereview.chromium.org/2744383002
Cr-Commit-Position: refs/heads/master@{#43757}
This is basically the minimum viable signal handler for Wasm bounds checks.
It includes the TLS check and the fine grained instructions checks. These
two checks provide most of the safety for the signal handler. Future CLs will
add code range and data range checks for more robustness.
The trap handling code and data structures are all in src/trap-handler, with
the code that actually runs in the signal handler confined to
src/trap-handler/signal-handler.cc.
This changes adds a new V8 API that the embedder should call from a signal
handler that will give V8 the chance to handle the fault first. For hosts that
do not want to implement their own signal handler, we include the option to
install a simple one. This simple handler is also used for the tests.
When a Wasm module is instantiated, information about each function is passed
to the trap handler, which is used to classify faults. These are removed during
the instance finalizer.
Several future enhancements are planned before turning this on by default.
Obviously, the additional checks will be added to MaybeHandleFault. We are
also planning to add a two-level CodeObjectData table that is grouped by
isolates to make cleanup easier and also reduce potential for contending on
a single data structure.
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5277
Review-Url: https://codereview.chromium.org/2371833007
Cr-Original-Commit-Position: refs/heads/master@{#43523}
Committed: a5af7fe9ee
Review-Url: https://codereview.chromium.org/2371833007
Cr-Commit-Position: refs/heads/master@{#43755}
We emulate break by callling breakProgramCallback function in debugger context, we can just use HandleDebugBreak.
It allows us to move all stepping logic to debug.cc later and remove one usage of debugger context.
+ two minor issues fixed, see tests.
BUG=v8:5510
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2738503006
Cr-Commit-Position: refs/heads/master@{#43750}
A couple infrastructure changes went into this patch:
- test262 changed from expecting $ to $262
- upstream-local-tests.sh gets a command-line parameter for ease of use
- Fixed up the FAIL_SLOPPY infrastructure, which seems to have bit-rotted
- Inserted a terrible hack to get around test262 tests with a $ in the name
Drive-by fix for the length of Intl.DateTimeFormat.prototype.format
R=adamk
Review-Url: https://codereview.chromium.org/2733843002
Cr-Commit-Position: refs/heads/master@{#43749}
This makes it possible to directly request testing noturbofan_stress on the command line.
BUG=chromium:682617
TBR=mstarzinger@chromium.org,mvstanton@chromium.org,rmcilroy@chromium.org
NOTRY=true
Change-Id: I6ba9a022c4ef24fb5abe6878d3f2f972e8461eb8
Reviewed-on: https://chromium-review.googlesource.com/453180
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43748}
Part of the performance and refactoring work to move the TypedArray
constructors into CSA. This CL moves ConstructByArrayBuffer from JS
to CSA.
BUG=v8:5977
Change-Id: I0a200e6b3f6261ea2372ea9c3d3ca98e313cf2c5
Reviewed-on: https://chromium-review.googlesource.com/451620
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43747}
Test regress-694088.js is adapted for execution on big endian platforms.
TEST=test/mjsunit/compiler/regress-694088.js
BUG=
Review-Url: https://codereview.chromium.org/2739403002
Cr-Commit-Position: refs/heads/master@{#43746}
In the process, re-factor the implementation of Array.prototype.forEach so that
the bulk of the implementation can be re-used, since much of the spec is
identical. The refactor should also make it more straight-forward to implement
map and filter. The re-factored version only have a single slow path for processing
elements which is used for both the overall slow path and for the bailout from the
FAST_ELEMENTS case.
Review-Url: https://codereview.chromium.org/2709773002
Cr-Commit-Position: refs/heads/master@{#43745}
The switch statement itself is part of the switch block.
However, the source position of the statement is outside of
the block. This leads to confusion for the debugger, if the
switch block pushes a block context: the current context is
a block context, but the scope analysis based on the current
source position tells the debugger that we should be outside
the scope, so we should have the function context.
R=marja@chromium.org
BUG=v8:6085
Review-Url: https://codereview.chromium.org/2744213003
Cr-Commit-Position: refs/heads/master@{#43744}
Reason for revert:
Tanks Octane/Mandreel and Octane/MandreelLatency.
Original issue's description:
> [turbofan] Less aggressively insert SOFT deopts for property access.
>
> Sometimes TurboFan is able to extract receiver maps from the surrounding
> graph and thus is able to generate reasonable code for property accesses,
> even if those haven't been executed in the baseline tier yet. So, only
> stick in an SOFT deoptimization exit, if ExtractReceiverMaps failed to
> infer proper receiver maps.
>
> R=yangguo@chromium.org
> BUG=v8:5267
>
> Review-Url: https://codereview.chromium.org/2746013002
> Cr-Commit-Position: refs/heads/master@{#43736}
> Committed: b8453628c9TBR=yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2748663002
Cr-Commit-Position: refs/heads/master@{#43743}
Add a mechanic to set these Builtin exception predictions per-Isolate
rather than per-Context in the Bootstrapper.
Also add Debugger tests which would fail without these prediction
modes set.
Does not yet test for AsyncFromSyncIteratorPrototypeReturn, as this
requires AsyncGenerators and `yield*` to be hit.
BUG=chromium:691875
R=yangguo@chromium.org, jgruber@chromium.org, gsathya@chromium.org
Change-Id: Ic2d2aba3870cce2f7321080f4278875edf253c76
Reviewed-on: https://chromium-review.googlesource.com/451967
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#43742}
- Remove TypedArrayIndexOf in src/js/typedarray.js
- Implement it to C++ using the IndexOfValue in ElementsAccessor
- Add buffer neutering check also for %TypedArray%.prototype.includes
BUG=v8:5929
Review-Url: https://codereview.chromium.org/2733193002
Cr-Commit-Position: refs/heads/master@{#43741}
With this change, on ia32 and x64, a load from memory into a register can be replaced by a memory operand for integer binops if it makes sense.
BUG=
Review-Url: https://codereview.chromium.org/2728533003
Cr-Commit-Position: refs/heads/master@{#43739}
Sometimes TurboFan is able to extract receiver maps from the surrounding
graph and thus is able to generate reasonable code for property accesses,
even if those haven't been executed in the baseline tier yet. So, only
stick in an SOFT deoptimization exit, if ExtractReceiverMaps failed to
infer proper receiver maps.
R=yangguo@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2746013002
Cr-Commit-Position: refs/heads/master@{#43736}
These operations don't need the context, so no need to pass the context
to them. Also avoids the loading of context in the interpreter bytecode
handlers for StrictEqual and Typeof.
BUG=v8:5268,v8:5269
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2744173002
Cr-Commit-Position: refs/heads/master@{#43733}
To speed up Date.prototype.toString(), this patch adds a cache in
the DateCache for the string short name representing the time zone.
Because time zones in a particular location just have two short names
(for DST and standard time), and the DateCache already understands
whether a time is in DST or not, it is possible to keep the result
of OS::LocalTimezone around and select between the two based on
whether the time is DST or not.
In local microbenchmarks (calling Date.prototype.toString() in a
loop), I observed a 6-10% speedup with this patch. In the browser,
the speedup may be even greater as the system call needs to do
some extra work to break out of the sandbox. I don't think the
microbenchmark is extremely unrealistic; in any real program which
calls Date.prototype.toString() multiple times, the cache should
hit almost all of the time, as time zone changes are rare.
The proximate motivation for this patch was to enable ICU as a
backend for timezone information, which is drafted at
https://codereview.chromium.org/2724373002/
The ICU implementation of OS::LocalTimezone is even slower than
the system call one, but this patch makes their performance
indistinguishable on the microbenchmark.
In the tz database, many timezones actually do have a number of different
historical names. For example, America/Anchorage went through a number of
changes, from AST to AHST to YST to AKST. However, both ICU and the
Linux OS interfaces just report the modern timezone name in tests
for the appropriate timezone name, even for historical times. I can
see why this would be:
- For ICU, CLDR only has two short names in the data file: the one for
dst and non-dst
- For Linux, the timezone names do seem to make it into the
/etc/localtime file. However, glibc assumes there are only two relevant
names and selects between them, as you can see in its implementation
of localtime_r:
http://bazaar.launchpad.net/~vcs-imports/glibc/master/view/head:/time/tzset.c#L573
So, this cache should be valid until we switch to a more accurate source
of short timezone names.
BUG=v8:6031
Review-Url: https://codereview.chromium.org/2726253002
Cr-Commit-Position: refs/heads/master@{#43730}
There is no guarantee that Map::GetConstructor() returns a JSFunction.
Specifically, detached global proxies return the |null| sentinel. So
we have to check the object type before casting to JSFunction.
BUG=chromium:694141
Review-Url: https://codereview.chromium.org/2739303003
Cr-Commit-Position: refs/heads/master@{#43727}
Note that this changes the sampling interval from milliseconds to
microseconds -- this shouldn't cause issues except for tools that use
'profiler,"begin",<interval>' somehow.
Change-Id: I20222de91f7820e26eb3fc505a4752b0bc7e1642
Reviewed-on: https://chromium-review.googlesource.com/451658
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43726}
This fixes the catch predictions for the following builtins --
AsyncFunctionAwaitCaught
AsyncFunctionAwaitUncaught
PromiseResolveClosure
ResolvePromise
PromiseResolve
Added tests for each.
Added whitelist for builtins behind a flag.
BUG=chromium:691875
Change-Id: I816cafdb69f0c9f1eefc440a0a44c36713d0b7dc
Reviewed-on: https://chromium-review.googlesource.com/450894
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43725}
AllocateRawAligned called into AllocateRawUnaligned, which expected
the address of the pointer to the top of the stack, not the pointer
itself. Instead, the pointer itself was passed, causing segfaults
if this code is actually run.
Also do some drive-by clean up of the branching/labels and unused
vars etc. in AllocateRawAligned.
BUG=v8:6075
Change-Id: If71db4b61d777b6543e5246e92bb5b9e6c02c81f
Reviewed-on: https://chromium-review.googlesource.com/452374
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43722}
