Commit Graph

882 Commits

Author SHA1 Message Date
bmeurer
d0c7775d7c [builtins] Introduce proper base::ieee754::log.
This switches Math.log to use an fdlibm based version of log, imported
as base::ieee754::log, and use that consistently everywhere, i.e. change
the Float64Log TurboFan operators on Intel to use the C++ implementation
as well (same for Crankshaft).

R=yangguo@chromium.org
BUG=v8:5065,v8:5086

Review-Url: https://codereview.chromium.org/2053893003
Cr-Commit-Position: refs/heads/master@{#36880}
2016-06-10 05:54:12 +00:00
bmeurer
c91c396112 [turbofan] Do strength reduction for ObjectIsSmi based on inputs.
Ideally we would have a dedicated MachineRepresentation for Smis during
representation selection and use that to properly optimize ObjectIsSmi
(and other ObjectIs<Type> predicates), but that will take some time to
get that done. So in the meantime we can just do simple (local) strength
reduction on ObjectIsSmi to avoid Smi checks in the simplest cases at
least.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2047213002
Cr-Commit-Position: refs/heads/master@{#36809}
2016-06-08 07:13:05 +00:00
neis
6ddd8314a5 [compiler] Deal with some old TODOs in the typer.
This is mostly about DCHECKs. Enabling some requires a few
changes to tests that were not careful about types.

BUG=

Review-Url: https://codereview.chromium.org/2033703002
Cr-Commit-Position: refs/heads/master@{#36734}
2016-06-06 09:18:30 +00:00
bbudge
39442cf714 Add FloatRegister names to RegisterConfiguration.
- Adds names for float registers to RegisterConfiguration and uses them
when we have the MachineRepresentation.

LOG=N
BUG=v8:4124

Review-Url: https://codereview.chromium.org/2030143002
Cr-Commit-Position: refs/heads/master@{#36712}
2016-06-03 13:02:13 +00:00
mstarzinger
28e6753acc [turbofan] Remove frame state input from speculative ops.
These speculative binary operators are simplified operators and should
not need a frame state themselves. These eager bailout points can by now
be found via checkpoints in the graph, whereas frame states attached to
nodes directly should always represent lazy bailout points.

R=jarin@chromium.org
BUG=v8:5021

Review-Url: https://codereview.chromium.org/2037673002
Cr-Commit-Position: refs/heads/master@{#36705}
2016-06-03 10:02:04 +00:00
bmeurer
f2da19fe39 [builtins] Migrate Math.log to TurboFan.
Introduce a dedicated Float64Log machine operator, that is either
implemented by a direct C call or by platform specific code, i.e.
using the FPU on x64 and ia32.

This operator is used to implement Math.log as a proper TurboFan
builtin on top of the CodeStubAssembler.

Also introduce a NumberLog simplified operator on top of Float64Log
and use that for the fast inline path of Math.log inside TurboFan
optimized code.

BUG=v8:5065

Review-Url: https://codereview.chromium.org/2029413005
Cr-Commit-Position: refs/heads/master@{#36703}
2016-06-03 09:48:25 +00:00
mstarzinger
bf7034bfed [turbofan] Remove eager frame state from property access.
This removes the frame state input representing the before-state from
nodes performing property accesses. These frame states can by now be
found via checkpoints in the graph.

R=jarin@chromium.org
BUG=v8:5021

Review-Url: https://codereview.chromium.org/2034673002
Cr-Commit-Position: refs/heads/master@{#36699}
2016-06-03 08:59:32 +00:00
jarin
216bcf9fb3 [turbofan] Initial version of number type feedback.
This introduces optimized number operations based on type feedback.

Summary of changes:

1. Typed lowering produces SpeculativeNumberAdd/Subtract for JSAdd/Subtract if
   there is suitable feedback. The speculative nodes are connected to both the
   effect chain and the control chain and they retain the eager frame state.

2. Simplified lowering now executes in three phases:
  a. Propagation phase computes truncations by traversing the graph from uses to
     definitions until checkpoint is reached. It also records type-check decisions
     for later typing phase, and computes representation.
  b. The typing phase computes more precise types base on the speculative types (and recomputes
     representation for affected nodes).
  c. The lowering phase performs lowering and inserts representation changes and/or checks.

3. Effect-control linearization lowers the checks to machine graphs.

Notes:

- SimplifiedLowering will be refactored to have handling of each operation one place and
  with clearer input/output protocol for each sub-phase. I would prefer to do this once
  we have more operations implemented, and the pattern is clearer.

- The check operations (Checked<A>To<B>) should have some flags that would affect
  the kind of truncations that they can handle. E.g., if we know that a node produces
  a number, we can omit the oddball check in the CheckedTaggedToFloat64 lowering.

- In future, we want the typer to reuse the logic from OperationTyper.

BUG=v8:4583
LOG=n

Review-Url: https://codereview.chromium.org/1921563002
Cr-Commit-Position: refs/heads/master@{#36674}
2016-06-02 09:23:13 +00:00
Benedikt Meurer
bea121aaa5 [turbofan] Eager frame state gone from JSCallFunction.
TBR=jarin@chromium.org

Review URL: https://codereview.chromium.org/2038463003 .

Cr-Commit-Position: refs/heads/master@{#36672}
2016-06-02 08:49:30 +00:00
mstarzinger
864b07e9eb [turbofan] Remove eager frame state from call nodes.
This removes the frame state input representing the before-state from
nodes having the {JSCallFunction} or {JSCallConstruct} operator. These
frame states can by now be found via checkpoints in the graph.

R=bmeurer@chromium.org
BUG=v8:5021

Review-Url: https://codereview.chromium.org/2025573003
Cr-Commit-Position: refs/heads/master@{#36669}
2016-06-02 08:04:29 +00:00
bmeurer
5a3a6dafae [turbofan] Add new StringFromCharCode simplified operator.
We use StringFromCharCode to optimize calls to String.fromCharCode with
a single Number argument for now. We will use it to also implement the
charAt method on the String prototype.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2037453003
Cr-Commit-Position: refs/heads/master@{#36668}
2016-06-02 08:01:48 +00:00
mstarzinger
d673d8908a [turbofan] Rename {CheckPoint} to {Checkpoint} everywhere.
R=bmeurer@chromium.org
BUG=v8:5021

Review-Url: https://codereview.chromium.org/2022033004
Cr-Commit-Position: refs/heads/master@{#36637}
2016-06-01 09:07:19 +00:00
mstarzinger
7ecf1a059b [turbofan] Implement simplistic checkpoint reducer.
This adds a very simplistic reduction of {CheckPoint} nodes via the new
{CheckpointElimination}, eliminating redundant check points that appear
in an effect chain of operations that are all {kNoWrite}. Such a chain
allows an arbitrary check point to be chosen. The current approach will
end up choosing the first one for all deopts in the chain.

R=bmeurer@chromium.org
TEST=unittests/CheckpointEliminationTest.CheckPointChain
BUG=v8:5021

Review-Url: https://codereview.chromium.org/2022913003
Cr-Commit-Position: refs/heads/master@{#36634}
2016-06-01 08:39:11 +00:00
pierre.langlois
27bd1747b4 [turbofan] ARM64: Match 64 bit compare with zero and branch
This patch enables the following transformations in the instruction
selector:

| Before           | After                  |
|------------------+------------------------|
| and x3, x1, #0x1 | tb{,n}z w1, #0, #+0x78 |
| cmp x3, #0x0     |                        |
| b.{eq,ne} #+0x80 |                        |
|------------------+------------------------|
| cmp x0, #0x0     | cb{,n}z x0, #+0x48     |
| b.{eq,ne} #+0x4c |                        |

I have not seen these patterns beeing generated by turbofan, however the
stubs hit these cases frequently. A particular reason is that we are
turning operations that check for a Smi into a single `tbz`.

As a concequence, the interpreter is affected thanks to inlining
turbofan stubs into it's bytecode handlers. I have noticed the size of
the interpreter was reduced by 200 instructions.

BUG=

Review-Url: https://codereview.chromium.org/2022073002
Cr-Commit-Position: refs/heads/master@{#36632}
2016-06-01 08:03:01 +00:00
bbudge
270a284fd0 Turbofan: Rename IsFloat -> IsFP
Rename some methods to reflect the fact that there are multiple FP
machine representations.

LOG=N
BUG=v8:4124

Review-Url: https://codereview.chromium.org/2013193002
Cr-Commit-Position: refs/heads/master@{#36552}
2016-05-27 17:44:41 +00:00
georgia.kouveli
612bad1d22 [arm] [arm64] Add optional operators Float32Neg and Float64Neg.
Adding optional operators for FNeg for WebAssembly, as the current implementation was significantly suboptimal for ARM.

Review-Url: https://codereview.chromium.org/2011303002
Cr-Commit-Position: refs/heads/master@{#36544}
2016-05-27 11:22:07 +00:00
bmeurer
dd609a5d3d [turbofan] Remove the EmptyFrameState caching on JSGraph.
Caching nodes with mutable inputs is a bad idea and already blew up
twice now, so in order to avoid further breakage, let's kill the
EmptyFrameState caching on JSGraph completely and only cache the empty
state values there.

We can remove the hacking from JSTypedLowering completely once we have
the PlainPrimitiveToNumber in action.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2006423003
Cr-Commit-Position: refs/heads/master@{#36511}
2016-05-25 11:05:13 +00:00
mstarzinger
7ca1f80d31 [runtime] Fix number of literals for builtin functions.
This fixes the SharedFunctionInfo::num_literals field for global builtin
functions (e.g. {Object} and friends) to be accurate. The field was not
being updated by Runtime_SetCode. It also removes the dangerous and by
now obsolete JSFunction::NumberOfLiterals accessor.

R=mvstanton@chromium.org

Review-Url: https://codereview.chromium.org/2007943002
Cr-Commit-Position: refs/heads/master@{#36480}
2016-05-24 15:12:58 +00:00
pierre.langlois
11b661f414 [turbofan] ARM: Support shifted indexes in loads and stores
This patch is a follow up to https://codereview.chromium.org/1972103002/
adding support for the `Operand_R_LSL_I` addressing mode to loads and
stores for ARM.

Just as the ARM64 implementation, the shift + load/store pattern is only
really relevant to the interpreter. For this reason, this patch does not
add support for the other addressing modes (`R_LSR_I`, `R_ASR_I` and
`R_ROR_I`) as I haven't seen those pattern being generated. Additionally,
the optimization is restricted 32 bit loads and stores.

kind = BYTECODE_HANDLER
name = Star
compiler = turbofan
Instructions (size = 40)
0x22a5f860     0  e2851001       add r1, r5, #1
0x22a5f864     4  e19610d1       ldrsb r1, [r6, +r1]
0x22a5f868     8  e1a0200b       mov r2, fp
0x22a5f86c    12  e7820101       str r0, [r2, +r1, lsl #2]
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^
0x22a5f870    16  e2855002       add r5, r5, #2
0x22a5f874    20  e7d61005       ldrb r1, [r6, +r5]
0x22a5f878    24  e7981101       ldr r1, [r8, +r1, lsl #2]
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^
0x22a5f87c    28  e12fff11       bx r1

BUG=

Review-Url: https://codereview.chromium.org/1974263002
Cr-Commit-Position: refs/heads/master@{#36381}
2016-05-19 19:18:25 +00:00
jacob.bramley
feeaac4061 [arm] Remove CpuFeature::MLS.
The MLS instruction is available in all ARMv7 devices, and in no ARMv6
devices, aside from the usual ARMv6T2 caveat. We don't need a separate
feature flag for it.

BUG=

Review-Url: https://codereview.chromium.org/1988133004
Cr-Commit-Position: refs/heads/master@{#36378}
2016-05-19 18:04:28 +00:00
neis
75140f39dd [compiler] Remove obsolete JSYield operator.
R=bmeurer@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/1981323002
Cr-Commit-Position: refs/heads/master@{#36312}
2016-05-18 08:55:33 +00:00
bmeurer
91a2ea815b [turbofan] We never use Int64Constant for branch/select conditions.
Remove dead code to optimize Int64Constants as branch/select conditions,
because we either have tagged booleans or bits represented as word32.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1994533002
Cr-Commit-Position: refs/heads/master@{#36308}
2016-05-18 07:20:19 +00:00
bmeurer
c5a71f029f [turbofan] Turn common Guard operator into simplified TypeGuard.
The type guard should never be used after the effect/control
linearization pass, so making it a simplified operator better
expresses the intended use. Also this way none of the common
operators actually has any dependency on the type system.

Drive-by-fix: Properly print the type parameter to a TypeGuard operator.

BUG=chromium:612142
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1994503002
Cr-Commit-Position: refs/heads/master@{#36304}
2016-05-18 06:19:30 +00:00
bmeurer
551e0aa11b [es6] Reintroduce the instanceof operator in the backends.
This adds back the instanceof operator support in the backends and
introduces a @@hasInstance protector cell on the isolate that guards the
fast path for the InstanceOfStub. This way we recover the ~10%
regression on Octane EarleyBoyer in Crankshaft and greatly improve
TurboFan and Ignition performance of instanceof.

R=ishell@chromium.org
TBR=hpayer@chromium.org,rossberg@chromium.org
BUG=chromium:597249, v8:4447
LOG=n

Review-Url: https://codereview.chromium.org/1980483003
Cr-Commit-Position: refs/heads/master@{#36275}
2016-05-17 11:25:59 +00:00
pierre.langlois
60fb6ea1b8 [turbofan] ARM64: Support shifted indexes in loads and stores
This patch adds support for the `Operand2_R_LSL_I` addressing mode to
loads and stores. This allows merging a shift instruction into a
MemoryOperand. Since the shift immediate is restricted to the log2 of
the operation width, the opportunities to hit this are slim. However,
Ignition's bytecode handlers hit this case all the time:

kind = BYTECODE_HANDLER
name = Star
compiler = turbofan
Instructions (size = 44)
0x23e67280     0  add x1, x19, #0x1 (1)
0x23e67284     4  ldrsb x1, [x20, x1]
0x23e67288     8  sxtw x1, w1
0x23e6728c    12  mov x2, fp
0x23e67290    16  str x0, [x2, x1, lsl #3]
                  ^^^^^^^^^^^^^^^^^^^^^
0x23e67294    20  add x19, x19, #0x2 (2)
0x23e67298    24  ldrb w1, [x20, x19]
0x23e6729c    28  ldr x1, [x21, x1, lsl #3]
                  ^^^^^^^^^^^^^^^^^^^^^
0x23e672a0    32  br x1

Additionally, I noticed the optimisation occurs once in both the
`StringPrototypeCharAt` and `StringPrototypeCharCodeAt` turbofan stubs.

BUG=

Review-Url: https://codereview.chromium.org/1972103002
Cr-Commit-Position: refs/heads/master@{#36227}
2016-05-13 07:58:59 +00:00
bmeurer
fa7460adbc [turbofan] Fix optimized lowering of Math.imul.
We eagerly inserted Int32Mul for Math.imul during builtin lowering and
messed up with the types, which confused the representation selection.
This adds a proper NumberImul operator, and fixes the builtin reducer to
do the right thing according to the spec.

R=mstarzinger@chromium.org
BUG=v8:5006
LOG=n

Review-Url: https://codereview.chromium.org/1971163002
Cr-Commit-Position: refs/heads/master@{#36219}
2016-05-12 18:43:32 +00:00
bmeurer
1270caeda4 [turbofan] Unify function prototype constant folding.
Up until now we had two places where we did the function prototype
folding, once in the Typer and once in JSTypedLowering. Put this logic
into JSNativeContextSpecialization instead.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1965293002
Cr-Commit-Position: refs/heads/master@{#36157}
2016-05-11 08:12:49 +00:00
bmeurer
2301473a88 [turbofan] Slighly improve JSCreateArguments lowering.
Make JSCreateArguments eliminatable, and remove the need for frame
states on JSCreateArguments nodes being lowered to (optimized) stub
calls. Only the runtime fallback needs a frame state, because in that
case we need to ask the deoptimizer for arguments to inlined functions.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1965013005
Cr-Commit-Position: refs/heads/master@{#36154}
2016-05-11 06:12:00 +00:00
bmeurer
b8229ec446 [turbofan] Initial version of allocation folding and write barrier elimination.
This adds a new pass MemoryOptimizer that walks over the effect chain
from Start and lowers all Allocate, LoadField, StoreField, LoadElement,
and StoreElement nodes, trying to fold allocations into allocation
groups and eliminate write barriers on StoreField and StoreElement if
possible (i.e. if the object belongs to the current allocation group and
that group allocates in new space).

R=hpayer@chromium.org, jarin@chromium.org
BUG=v8:4931, chromium:580959
LOG=n

Review-Url: https://codereview.chromium.org/1963583004
Cr-Commit-Position: refs/heads/master@{#36128}
2016-05-10 10:12:25 +00:00
jkummerow
148e7076ca Turn on -Wmissing-field-initializers on Linux.
Because not initializing fields can be, you know, dangerous.

Review-Url: https://codereview.chromium.org/1952703002
Cr-Commit-Position: refs/heads/master@{#36071}
2016-05-06 10:20:30 +00:00
bmeurer
8e5e6333cf [turbofan] Remove obsolete EffectSet common operator.
This operator was initially designed to handle arbitrary effect merging
for effect relaxation, but we don't do that (at least currently). So no
need to keep the dead operator around.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1954983002
Cr-Commit-Position: refs/heads/master@{#36063}
2016-05-06 07:46:44 +00:00
pierre.langlois
f07d2cdd6a ARM64: [turbofan] Avoid zero-extension after a 32-bit load
A load instruction will implicitely clear the top 32 bits when writing to a W
register. This patch avoids generating a `mov` instruction to zero-extend the
result in this case.

For example, this occurs in the generated code for dispatching to the next
bytecode in the interpreter:

  kind = BYTECODE_HANDLER
  name = LdaZero
  compiler = turbofan
  Instructions (size = 36)
  0x32e64c60     0  add x19, x19, #0x1 (1)
  0x32e64c64     4  ldrb w0, [x20, x19]
  0x32e64c68     8  mov w0, w0
                    ^^^^^^^^^^
  0x32e64c6c    12  lsl x0, x0, #3
  0x32e64c70    16  ldr x1, [x21, x0]
  0x32e64c74    20  movz x0, #0x0
  0x32e64c78    24  br x1

BUG=

Review-Url: https://codereview.chromium.org/1950013003
Cr-Commit-Position: refs/heads/master@{#36038}
2016-05-04 18:35:56 +00:00
bmeurer
ce38a8a92a [turbofan] Inline the allocation fast path.
Now that everything is properly wired to the effect chain when we get to
ChangeLowering, we can safely inline the allocation fast path and only
need to consule the slow path stub fallback when bump pointer allocation
fails.

R=jarin@chromium.org
BUG=v8:4931
LOG=n

Review-Url: https://codereview.chromium.org/1951853002
Cr-Commit-Position: refs/heads/master@{#36022}
2016-05-04 12:44:32 +00:00
martyn.capewell
0322c20d17 [turbofan] ARM64: Use zr to store immediate zero
When storing an immediate integer or floating point zero, use the zero register
as the source value. This avoids the need to sometimes allocate a new register.

BUG=

Review-Url: https://codereview.chromium.org/1945783002
Cr-Commit-Position: refs/heads/master@{#36013}
2016-05-04 10:19:48 +00:00
ahaas
b6db2255e6 [wasm] Mark all 64-bit instructions as supported on 32-bit platforms.
Additionally I removed some stale comments.

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/1941323002
Cr-Commit-Position: refs/heads/master@{#35976}
2016-05-03 11:47:59 +00:00
bmeurer
4aa02441da [turbofan] Remove left-over change bits from ChangeLowering.
Now ChangeLowering is only concerned with lowering memory access and
allocation operations, and all changes are consistently lowered during
the effect/control linearization pass. The next step is to move the
left over lowerings to a pass dedicated to eliminate redundant loads and
stores, eliminate write barriers, fold and inline allocations.

Drive-by-fix: Rename ChangeBitToBool to ChangeBitToTagged,
ChangeBoolToBit to ChangeTaggedToBit, and ChangeInt31ToTagged to
ChangeInt31ToTaggedSigned for consistency.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux64_tsan_rel

Committed: https://crrev.com/ceca5ae308bddda166651c654f96d71d74f617d0
Cr-Commit-Position: refs/heads/master@{#35924}

Review-Url: https://codereview.chromium.org/1941673002
Cr-Commit-Position: refs/heads/master@{#35929}
2016-05-02 10:23:43 +00:00
machenbach
b4c3864ba4 Revert of [turbofan] Remove left-over change bits from ChangeLowering. (patchset #2 id:20001 of https://codereview.chromium.org/1941673002/ )
Reason for revert:
[Sheriff] Breaks mac gc stress:
https://build.chromium.org/p/client.v8/builders/V8%20Mac%20GC%20Stress/builds/5821

Original issue's description:
> [turbofan] Remove left-over change bits from ChangeLowering.
>
> Now ChangeLowering is only concerned with lowering memory access and
> allocation operations, and all changes are consistently lowered during
> the effect/control linearization pass. The next step is to move the
> left over lowerings to a pass dedicated to eliminate redundant loads and
> stores, eliminate write barriers, fold and inline allocations.
>
> Also remove the atomic regions now that we wire everything into the
> effect chain properly. This is an important step towards allocation
> inlining.
>
> Drive-by-fix: Rename ChangeBitToBool to ChangeBitToTagged,
> ChangeBoolToBit to ChangeTaggedToBit, and ChangeInt31ToTagged to
> ChangeInt31ToTaggedSigned for consistency.
>
> CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux64_tsan_rel
>
> Committed: https://crrev.com/ceca5ae308bddda166651c654f96d71d74f617d0
> Cr-Commit-Position: refs/heads/master@{#35924}

TBR=ishell@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/1942733002
Cr-Commit-Position: refs/heads/master@{#35927}
2016-05-02 09:29:19 +00:00
bmeurer
ceca5ae308 [turbofan] Remove left-over change bits from ChangeLowering.
Now ChangeLowering is only concerned with lowering memory access and
allocation operations, and all changes are consistently lowered during
the effect/control linearization pass. The next step is to move the
left over lowerings to a pass dedicated to eliminate redundant loads and
stores, eliminate write barriers, fold and inline allocations.

Also remove the atomic regions now that we wire everything into the
effect chain properly. This is an important step towards allocation
inlining.

Drive-by-fix: Rename ChangeBitToBool to ChangeBitToTagged,
ChangeBoolToBit to ChangeTaggedToBit, and ChangeInt31ToTagged to
ChangeInt31ToTaggedSigned for consistency.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux64_tsan_rel

Review-Url: https://codereview.chromium.org/1941673002
Cr-Commit-Position: refs/heads/master@{#35924}
2016-05-02 08:42:03 +00:00
bbudge
d565ba8ff3 RegisterAllocator: Clean up before adding aliasing.
Remove some unused fields in RegisterAllocationData.
Move some DCHECKS about configuration constraints.
Rename kMaxDoubleRegisters -> kMaxFPRegisters

LOG=N
BUG=v8:4124

Review URL: https://codereview.chromium.org/1518573002

Cr-Commit-Position: refs/heads/master@{#35777}
2016-04-25 20:11:40 +00:00
bmeurer
dcf178fb29 [turbofan] Move ChangeTaggedToFoo lowerings to EffectControlLinearizer.
These also lower to subgraphs that have to be connected to the effect
and control chains, otherwise removing the atomic regions around heap
allocations would still be unsound.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1916763003

Cr-Commit-Position: refs/heads/master@{#35762}
2016-04-25 12:41:17 +00:00
jarin
692eec3969 [turbofan] Remove obsolete parts of change lowering.
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1917753002

Cr-Commit-Position: refs/heads/master@{#35756}
2016-04-25 09:27:18 +00:00
jarin
9cae24b8cc [turbofan] Wire in floating control during effect linearization phase.
Review URL: https://codereview.chromium.org/1921483002

Cr-Commit-Position: refs/heads/master@{#35747}
2016-04-25 04:29:23 +00:00
bmeurer
0231a7efa2 [turbofan] Introduce TruncateTaggedToWord32 simplified operator.
This allows us to get rid of the "push TruncateFloat64ToInt32 into Phi"
trick that was used in the MachineOperatorReducer to combine the
ChangeTaggedToFloat64 and TruncateFloat64ToInt32 operations. Instead of
doing that later, we can just introduce the proper operator during the
representation selection directly.

Also separate the TruncateFloat64ToInt32 machine operator, which had two
different meanings depending on a flag (either JavaScript truncation or
C++ style round to zero). Now there's a TruncateFloat64ToWord32 which
represents the JavaScript truncation (implemented via TruncateDoubleToI
macro + code stub) and the RoundFloat64ToInt32, which implements the C++
round towards zero operation (in the same style as the other WebAssembly
driven Round* machine operators).

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1919513002

Cr-Commit-Position: refs/heads/master@{#35743}
2016-04-24 11:41:20 +00:00
bmeurer
550c0f9f55 [turbofan] Move more type checks to the representation selector.
Get rid of further typing checks from ChangeLowering and put them into
the representation selection pass instead (encoding the information in
the operator instead).

Drive-by-change: Rename ChangeSmiToInt32 to ChangeTaggedSignedToInt32
for consistency about naming Tagged, TaggedSigned and TaggedPointer.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1909343002

Cr-Commit-Position: refs/heads/master@{#35723}
2016-04-22 11:03:17 +00:00
bmeurer
861295bf16 [turbofan] Optimize tagged conversion based on type.
If we have to convert a float64 value to tagged representation and we
already know that the value is either in Signed31/Signed32 or
Unsigned32 range, then we can just convert the float64 to word32 and
use the fast word32 to tagged conversion. Doing this in
ChangeLowering (or the effect linearization pass) would be unsound, as
the types on the nodes are no longer usable.

This removes all Type uses from effect linearization. There's still some
work to be done for ChangeLowering tho.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1908093002

Cr-Commit-Position: refs/heads/master@{#35713}
2016-04-22 08:40:05 +00:00
rmcilroy
623ad7de88 [Interpreter] Remove register file register and replace with LoadParentFramePointer.
Removes the register file machine register from the interpreter and
replaces it will loads from the parent frame pointer. As part of this
change the raw operand values for register values changes to enable the
interpreter to keep using the operand value as the offset from the
parent frame pointer.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1894063002

Cr-Commit-Position: refs/heads/master@{#35618}
2016-04-19 12:48:41 +00:00
jarin
b9e287c6d9 [turbofan] Effect linearization after representation inference.
This introduces a compiler pass that schedules the graph and re-wires effect chain according to the schedule. It also connects allocating representation changes to the effect chain, and removes the BeginRegion and EndRegion nodes - they should not be needed anymore because all effectful nodes should be already wired-in.

This is an intermediate CL - the next step is to move lowering of the Change*ToTaggedEffect nodes to StateEffectIntroduction so that we do not have to introduce the effectful versions of nodes.

Review URL: https://codereview.chromium.org/1849603002

Cr-Commit-Position: refs/heads/master@{#35565}
2016-04-18 08:29:51 +00:00
bmeurer
662caac9d2 [turbofan] JSTypeOf, JSStrictEqual, JSStrictNotEqual and JSToBoolean are pure.
These operators are really pure on the JavaScript level, and were only
part of the effect chain to make sure we don't accidentially schedule
them right after raw allocations, which is no longer an issue since we
now have the concept of atomic regions.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1893543004

Cr-Commit-Position: refs/heads/master@{#35552}
2016-04-16 19:28:12 +00:00
mstarzinger
43c7c76f1d [turbofan] Use inline allocation for closures.
This changes closure creation to lower to inline allocations when
possible instead of going through the FastNewClosureStub. It allows us
to leverage all advantages of inline allocations on closures. Note that
it is only safe to embed the raw entry point of the compile lazy stub
into the code, because that stub is immortal and immovable.

R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1573153002

Cr-Commit-Position: refs/heads/master@{#35499}
2016-04-14 15:19:17 +00:00
jarin
f5961f90b1 [turbofan] Change number operations to handle Undefined as well.
This allows us to remove the turbofan bailout that we introduced
as a response to crbug.com/589792.

BUG=chromium:589792
LOG=n

Review URL: https://codereview.chromium.org/1884713003

Cr-Commit-Position: refs/heads/master@{#35493}
2016-04-14 13:13:56 +00:00
bmeurer
5b99eec342 [turbofan] Remove unused PlainPrimitiveToNumber operator.
At some point we thought about using this instead of JSToNumber, but now
there doesn't seem to be any reason for this anymore.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1890763002

Cr-Commit-Position: refs/heads/master@{#35469}
2016-04-14 07:42:22 +00:00
jarin
03975befe3 [turbofan] Remove some clever-but-wrong bits from select lowering.
BUG=chromium:600593
LOG=n
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1870763003

Cr-Commit-Position: refs/heads/master@{#35347}
2016-04-08 08:26:13 +00:00
jacob.bramley
141324cfdc [arm] Implement Float(32|64)(Min|Max) using vsel.
BUG=

Review URL: https://codereview.chromium.org/1862993002

Cr-Commit-Position: refs/heads/master@{#35292}
2016-04-06 10:17:57 +00:00
jarin
4142bc6bc1 [turbofan] Restrict types in load elimination.
In simplified numbering, we make sanity checks based on types (e.g.,
NumberSubtract should take numbers as inputs), but this can be
violated if optimization passes make types less precise.

In this CL, we fix load elimination to make sure that types are
smaller in the store -> load elimination by taking an intersection
of the load's type with the store value's type and inserting a guard
with that type. Note that the load type comes from type feedback, so
it can be disjoint from the stored value type (in that case, this
must be dead code because the map chack for the load should prevent
us from using the stored value).

BUG=chromium:599412
LOG=n

Review URL: https://codereview.chromium.org/1857133003

Cr-Commit-Position: refs/heads/master@{#35259}
2016-04-05 12:30:14 +00:00
titzer
45d75bca5c [turbofan] Handle dead diamonds in scheduling and add a test.
The background here is that graphs generated from WASM are not trimmed.
That means there can be some floating control diamonds that are not
reachable from end. An assertion in the scheduler for phis from floating
diamonds checks that the use edge in this situation is the control edge,
but in general, any edge could cause this.

Scheduling still works without this assertion. The longer term fix
is to either trim the graphs (more compile time overhead for WASM)
or improve the scheduler's handling of dead code in the graph. Currently
it does not schedule dead code but the potential use positions of
dead code are used in the computation of the common dominator of uses. We could
recognize dead nodes in PrepareUses() and check in GetBlockForUse()
as per TODO.

R=bradnelson@chromium.org, mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1846933002

Cr-Commit-Position: refs/heads/master@{#35245}
2016-04-04 17:45:59 +00:00
bmeurer
eaa92feb9a [builtins] Migrate Math.clz32 to a TurboFan builtin.
This allows us to remove the troublesome %_MathClz32 intrinsic and also
allows us to utilize the functionality that is already available in
TurboFan. Also introduce a proper NumberClz32 operator so we don't need
to introduce a machine operator at the JS level.

R=epertoso@chromium.org

Review URL: https://codereview.chromium.org/1852553003

Cr-Commit-Position: refs/heads/master@{#35208}
2016-04-01 14:36:32 +00:00
jochen
cb7aa79b12 Expose a lower bound of malloc'd memory via heap statistics
We expect that the majority of malloc'd memory held by V8 is allocated
in Zone objects. Introduce an Allocator class that is used by Zones to
manage memory, and allows for querying the current usage.

BUG=none
R=titzer@chromium.org,bmeurer@chromium.org,jarin@chromium.org
LOG=n
TBR=rossberg@chromium.org

Review URL: https://codereview.chromium.org/1847543002

Cr-Commit-Position: refs/heads/master@{#35196}
2016-04-01 10:01:56 +00:00
ahaas
bd4fb28ecd [wasm] Int64Lowering of Word64Ror and Word64Rol.
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1843123002

Cr-Commit-Position: refs/heads/master@{#35173}
2016-03-31 17:05:43 +00:00
ahaas
40bdbef975 [wasm] Int64Lowering of Int64Mul on ia32 and arm.
Int64Mul is lowered to a new turbofan operator, Int32MulPair. The new
operator takes 4 inputs an generates 2 outputs. The inputs are the low
word of the left input, high word of the left input, the low word of the
right input, and high word of the right input. The ouputs are the low
and high word of the result of the multiplication.

R=titzer@chromium.org, v8-arm-ports@googlegroups.com

Review URL: https://codereview.chromium.org/1807273002

Cr-Commit-Position: refs/heads/master@{#35131}
2016-03-30 10:40:06 +00:00
ahaas
682df6dd33 [wasm] New attempt to implement the Int64Lowering of phis.
The new implementation deals with cycles in the TF graph in two steps:
1) The lowering of phis is delayed to avoid cyclic dependencies.
2) The replacement nodes of phis are created already when the phi is
   pushed onto the stack so that other nodes can use these replacements
   for their lowering.

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1844553002

Cr-Commit-Position: refs/heads/master@{#35126}
2016-03-30 08:14:35 +00:00
bmeurer
36ead519c8 [builtins] Provide Math.floor as TurboFan builtin.
This way we avoid the second deoptimization for the Math.floor and
Math.ceil builtins when -0 is involved. We still deoptimize the inlined
Crankshaft version in various cases, that's a separate issue.

The algorithm used for implement CodeStubAssembler::Float64Floor is
vaguely based on the fast math version used in the libm of various BSDs,
but had to be reengineered to match the EcmaScript specification.

R=epertoso@chromium.org
BUG=v8:2890, v8:4059
LOG=n

Review URL: https://codereview.chromium.org/1828253002

Cr-Commit-Position: refs/heads/master@{#35083}
2016-03-28 17:31:43 +00:00
bmeurer
43fe7d6854 [builtins] Add support for JS builtins written in TurboFan.
This CL adds support for builtins with JavaScript linkage written using
the TurboFan CodeStubAssembler, but with a JSCall descriptor (which was
already supported thanks to a previous patch by Ben Smith). As a first
example, we convert the Math.sqrt builtin and thereby get rid of the
%_MathSqrt intrinsic, which causes trouble for the representation
selection pass in the JavaScript pipeline.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1824993002

Cr-Commit-Position: refs/heads/master@{#34989}
2016-03-22 13:25:54 +00:00
jarin
e1bd9af173 [turbofan] Add more sanity checks to representation inference.
The CL also add guard nodes to places where we assume that certain
values are numbers.

Review URL: https://codereview.chromium.org/1821133002

Cr-Commit-Position: refs/heads/master@{#34977}
2016-03-22 06:50:52 +00:00
mvstanton
992ae64de0 Provide optimized support for the %GetOrdinaryHasInstance intrinsic.
This new intrinsic is used by the desugared ES6 instanceof implementation for
the cases when the F[@@hasInstance] property is null or undefined.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1809993002

Cr-Commit-Position: refs/heads/master@{#34866}
2016-03-17 15:46:59 +00:00
ahaas
7f19628a5b [wasm] Int64Lowering of Word64Ctz.
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1806593003

Cr-Commit-Position: refs/heads/master@{#34811}
2016-03-16 12:16:00 +00:00
ahaas
5c16cac96d [wasm] Int64Lowering of Word64Clz.
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1810473002

Cr-Commit-Position: refs/heads/master@{#34809}
2016-03-16 11:03:07 +00:00
ahaas
33c08596e1 [wasm] Int64Lowering of Int64Sub on ia32 and arm.
Int64Sub is lowered to a new turbofan operator, Int32SubPair. The new
operator takes 4 inputs an generates 2 outputs. The inputs are the low
word of the left input, high word of the left input, the low word of the
right input, and high word of the right input. The ouputs are the low
and high word of the result of the subtraction.

The implementation is very similar to the implementation of Int64Add.

@v8-arm-ports: please take a careful look at the implementation of sbc
in the simulator.

R=titzer@chromium.org, v8-arm-ports@googlegroups.com

Review URL: https://codereview.chromium.org/1778893005

Cr-Commit-Position: refs/heads/master@{#34808}
2016-03-16 10:58:05 +00:00
jyan
3b5e84ab0e S390: Initial test changes and files checkin.
R=danno@chromium.org,jkummerow@chromium.org,jochen@chromium.org,joransiu@ca.ibm.com,michael_dawson@ca.ibm.com,mbrandy@us.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1805533002

Cr-Commit-Position: refs/heads/master@{#34795}
2016-03-15 18:09:36 +00:00
jyan
6b503884ae S390: Check in OWNER file on to s390 directory
R=danno@chromium.org,jkummerow@chromium.org,jochen@chromium.org,joransiu@ca.ibm.com,michael_dawson@ca.ibm.com,mbrandy@us.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1802343002

Cr-Commit-Position: refs/heads/master@{#34789}
2016-03-15 14:25:38 +00:00
ahaas
ccbf004293 [wasm] Int64Lowering of F64ReinterpretI64.
The implementation is done by storing to and then loading from memory.

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1801013002

Cr-Commit-Position: refs/heads/master@{#34785}
2016-03-15 12:46:51 +00:00
ahaas
b484cc12f3 [wasm] Int64Lowering of I64ReinterpretF64.
The implementation is done by storing to and loading from memory.

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1804953002

Cr-Commit-Position: refs/heads/master@{#34784}
2016-03-15 12:18:12 +00:00
ahaas
2e6f3e8607 [wasm] Int64Lowering of Word64Popcnt.
Word64Popcnt is lowered to Word32Popcnt(low-word) + Word32Popcnt(high_word).
Since the optional Word64Popcnt operator does not exist on 32 bit platforms,
I introduced a new operator "Word64PopcntPlaceholder" which is generated
in the WasmCompiler and then lowered in the Int64Lowering.

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1803453003

Cr-Commit-Position: refs/heads/master@{#34777}
2016-03-15 10:42:08 +00:00
ahaas
c4c34eba30 [wasm] Int64Lowering: changing to DFS.
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1798993002

Cr-Commit-Position: refs/heads/master@{#34767}
2016-03-15 06:27:00 +00:00
ahaas
1b23079936 [wasm] Int64Lowering of Int64Add on ia32 and arm.
Int64Add is lowered to a new turbofan operator, Int32AddPair. The new
operator takes 4 inputs an generates 2 outputs. The inputs are the low
word of the left input, high word of the left input, the low word of the
right input, and high word of the right input. The ouputs are the low
and high word of the result of the addition.

R=titzer@chromium.org, v8-arm-ports@googlegroups.com

Review URL: https://codereview.chromium.org/1778493004

Cr-Commit-Position: refs/heads/master@{#34747}
2016-03-14 15:34:19 +00:00
rossberg
4614c7caaf [strong] Remove all remainders of strong mode
R=mstarzinger@chromium.org,bmeurer@chromium.org,adamk@chromium.org
BUG=v8:3956
LOG=Y

Review URL: https://codereview.chromium.org/1773653002

Cr-Commit-Position: refs/heads/master@{#34669}
2016-03-10 12:45:42 +00:00
ahaas
240b7db9c7 [wasm] Int64Lowering of I64ShrU and I64ShrS on ia32.
I implemented I64ShrU and I64ShrS the same as I64Shl in https://codereview.chromium.org/1756863002

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1768233002

Cr-Commit-Position: refs/heads/master@{#34630}
2016-03-09 16:38:43 +00:00
ahaas
d7ddd35c29 [wasm] Int64Lowering of I64XConvertI32.
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1776613002

Cr-Commit-Position: refs/heads/master@{#34629}
2016-03-09 16:21:08 +00:00
verwaest
7736102034 Add GetProperty/GetElement to JSReceiver and use it where possible
Also move GetProperty with string-name to JSReceiver

BUG=

Review URL: https://codereview.chromium.org/1775973002

Cr-Commit-Position: refs/heads/master@{#34596}
2016-03-08 17:30:42 +00:00
ahaas
7634d1aac1 [wasm] Some cleanup in the Int64Lowering.
I removed some stale comments and added a missing unit test.

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1772843003

Cr-Commit-Position: refs/heads/master@{#34586}
2016-03-08 14:12:40 +00:00
ahaas
4122df2615 [wasm] Use MachineOperatorBuilder::word() instead of kPointerSize to determine the word size.
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1770333002

Cr-Commit-Position: refs/heads/master@{#34581}
2016-03-08 12:42:38 +00:00
ahaas
ddc626e1cf [wasm] Int64Lowering of I64Shl on ia32.
I64Shl is lowered to a new turbofan operator, WasmWord64Shl. The new
operator takes 3 inputs, the low-word input, the high-word input, and
the shift, and produces 2 output, the low-word output and the high-word
output.

At the moment I implemented the lowering only for ia32, but I think the
CL is already big enough. I will add the other platforms in separate
CLs.

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1756863002

Cr-Commit-Position: refs/heads/master@{#34546}
2016-03-07 15:19:44 +00:00
ahaas
fab253109d [wasm] I added comparison operators to the Int64Lowering.
Comparison operators are lowered using to a lexicographic ordering, e.g.
(a,b) <= (c,d) <<>> (a < c) | (a == c) & (b <= d).

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1729263002

Cr-Commit-Position: refs/heads/master@{#34287}
2016-02-25 12:15:54 +00:00
ahaas
18d9da0dcf [wasm] I added I64Eq to the Int64Lowering.
(a EQ b) is lowered to ((low(a) XOR low(b)) OR (high(a) XOR high(b))) EQ 0

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1729493002

Cr-Commit-Position: refs/heads/master@{#34249}
2016-02-24 12:09:34 +00:00
ahaas
a8d5d17659 [wasm] Added I64Xor to the Int64Lowering.
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1723613002

Cr-Commit-Position: refs/heads/master@{#34241}
2016-02-24 09:52:52 +00:00
ahaas
cadc1e7780 [wasm] Added I64Ior to the Int64Lowering.
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1716243002

Cr-Commit-Position: refs/heads/master@{#34219}
2016-02-23 16:30:42 +00:00
ahaas
4ddf252e85 [wasm] Unittest for Int64Lowering.
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1714793003

Cr-Commit-Position: refs/heads/master@{#34213}
2016-02-23 15:33:13 +00:00
jarin
2ae5894da6 Revert of [turbofan] Connect ObjectIsNumber to effect and control chains. (patchset #1 id:1 of https://codereview.chromium.org/1709093002/ )
Reason for revert:
Tanks benchmarks (e.g., Octane box2d TF).

Original issue's description:
> [turbofan] Connect ObjectIsNumber to effect and control chains.
>
> In theory, we could connect the nodes when doing
> the schedule-in-the-middle pass, but that would require creating two
> versions of the operator (effectful and pure). I believe we do not
> lose anything by wiring the node up eagerly.
>
> Committed: https://crrev.com/2894e80a0a4a51a0d72e72aa48fcd01968f7949f
> Cr-Commit-Position: refs/heads/master@{#34141}

TBR=bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1718483002

Cr-Commit-Position: refs/heads/master@{#34147}
2016-02-19 10:13:56 +00:00
jarin
2894e80a0a [turbofan] Connect ObjectIsNumber to effect and control chains.
In theory, we could connect the nodes when doing
the schedule-in-the-middle pass, but that would require creating two
versions of the operator (effectful and pure). I believe we do not
lose anything by wiring the node up eagerly.

Review URL: https://codereview.chromium.org/1709093002

Cr-Commit-Position: refs/heads/master@{#34141}
2016-02-19 08:03:34 +00:00
bmeurer
8a7186b87a [turbofan] Remove the JSContextRelaxation reducer.
This reducer doesn't really add value, because:

 (a) it is only concerned with JSCallFunction and JSToNumber, but when
     we get to it, all JSCallFunction nodes will have been replaced by
     Call nodes, and in the not so far future, we will also have
     replaced almost all JSToNumber nodes with better code,
 (b) and the reducer tries to be smart and use one of the outermost
     contexts, but that might not be beneficial always; actually it
     might even create longer live ranges and lead to more spilling
     in some cases.

But most importantly, the JSContextRelaxation currently blocks inlining
based on SharedFunctionInfo, because it requires the inliner to check
the native context, which in turn requires JSFunction knowledge. So I'm
removing this reducer for now to unblock the more important inliner
changes.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1715633002

Cr-Commit-Position: refs/heads/master@{#34139}
2016-02-19 07:55:48 +00:00
mstarzinger
ef5ee8e1fd [turbofan] Remove language mode from JSCall operator.
This removes the language mode parameter from all JSCall operators. The
information is no longer used anywhere and is not threaded through the
interpreter bytecode. We should only thread it through the bytecode if
it has a semantic impact on the compilation.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1709493002

Cr-Commit-Position: refs/heads/master@{#34073}
2016-02-17 12:04:27 +00:00
mstarzinger
305a36e0d4 Remove strong mode support from property loads.
R=rossberg@chromium.org,bmeurer@chromium.org,verwaest@chromium.org
BUG=v8:3956
LOG=n

Review URL: https://codereview.chromium.org/1700993002

Cr-Commit-Position: refs/heads/master@{#34067}
2016-02-17 10:30:47 +00:00
bmeurer
0d595bb001 [intrinsics] Remove the %_IsDate intrinsic.
It's fine to only have the runtime call here, as it's only used in the
debug mirror.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1699133002

Cr-Commit-Position: refs/heads/master@{#34056}
2016-02-17 07:27:01 +00:00
bmeurer
8f87c0acb7 [builtins] Move the Boolean constructor to C++.
Drive-by-fix: Remove the (now) unused %_SetValueOf and %_JSValueGetValue
intrinsics from the various compilers and the runtime.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1698343002

Cr-Commit-Position: refs/heads/master@{#34037}
2016-02-16 14:03:07 +00:00
mstarzinger
1150092b29 Remove strong mode support from binary operations.
R=bmeurer@chromium.org
BUG=v8:3956
LOG=n

Review URL: https://codereview.chromium.org/1693833002

Cr-Commit-Position: refs/heads/master@{#34036}
2016-02-16 13:55:29 +00:00
martyn.capewell
14a5c18cc3 [turbofan] ARM: Use SBFX in instruction selector.
Support SBFX in the instruction selector for sign-extension patterns like
Sar(Shl(x, a), b), where a and b are immediate values.

BUG=

Review URL: https://codereview.chromium.org/1695293002

Cr-Commit-Position: refs/heads/master@{#34029}
2016-02-16 11:29:48 +00:00
titzer
e2f3003f2c [turbofan] Enforce that C calls do not use floating point params.
Passing floating point params to/from C has never quite worked correctly,
but we've never enforced the restriction early in the CallDescriptor
creation process because of unittests. Fix unittests to make their own
simple call descriptors and not rely on the C ones.

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1701593003

Cr-Commit-Position: refs/heads/master@{#33993}
2016-02-15 13:25:23 +00:00
martyn.capewell
357e014329 Reland of [turbofan] ARM: Improve AND instruction selection
Improve instruction selector for mask and shift operations by using cheaper
instructions where possible, in preference to UBFX.

Reverted because it was suspected of causing a couple of flaky tests to fail,
but investigation suggests this is unlikely.

Original review: https://codereview.chromium.org/1677023002

BUG=

Review URL: https://codereview.chromium.org/1684073006

Cr-Commit-Position: refs/heads/master@{#33988}
2016-02-15 11:10:12 +00:00
bmeurer
052dc9e019 [turbofan] Lower object and array literals in JSCreateLowering.
This adds initial support for inline allocation of object and array
literals to the JSCreateLowering pass. It's basically identical to
what Crankshaft does.

This also unstages the TurboFan escape analysis, as the lowering seems
to trigger a bunch of bugs in it; those bugs will be fixed separately,
and we will re-enable escape analysis afterwards.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1698783002

Cr-Commit-Position: refs/heads/master@{#33972}
2016-02-15 06:43:10 +00:00
titzer
d8122dc73e Move RPO unittests into their own file.
R=jarin@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1691373002

Cr-Commit-Position: refs/heads/master@{#33966}
2016-02-14 11:27:46 +00:00
epertoso
61a4c528b7 [turbofan] Fix a bug in the RawMachineAssembler
This was causing code like:

REX.W cmpq r9,r8
setzl r8l
movzxbl r8,r8
REX.W cmpq r8,0x0
jz 185

(note the cmpq instead of cmpl above) on x64 instead of:

REX.W cmpq r9,r8
jnz 149

http://crrev.com/1677503002 is now obsolete and has been reverted.

Review URL: https://codereview.chromium.org/1685183003

Cr-Commit-Position: refs/heads/master@{#33934}
2016-02-12 10:03:14 +00:00
bmeurer
09d8453547 [runtime] Introduce FastNewStrictArgumentsStub to optimize strict arguments.
The FastNewStrictArgumentsStub is very similar to the recently added
FastNewRestParameterStub, it's actually almost a copy of it, except that
it doesn't have the fast case we have for the empty rest parameter. This
patch improves strict arguments in TurboFan and fullcodegen by up to 10x
compared to the previous version.

Also introduce proper JSSloppyArgumentsObject and JSStrictArgumentsObject
for the in-object properties instead of having them as constants in the
Heap class.

Drive-by-fix: Use this stub and the FastNewRestParameterStub in the
interpreter to avoid the runtime call overhead for strict arguments
and rest parameter creation.

R=jarin@chromium.org
TBR=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1693513002

Cr-Commit-Position: refs/heads/master@{#33925}
2016-02-12 05:11:03 +00:00
rmcilroy
d1c28849c7 [Interpreter] Make InterpreterAssembler a subclass of CodeStubAssembler.
Moves InterpreterAssembler out of the compiler directory and into the
interpreter directory. Makes InterpreterAssembler as subclass of
CodeStubAssembler.

As part of this change, the special bytecode dispatch linkage type
is removed and instead we use a InterfaceDispatchDescriptor and
a normal CodeStub linkage type.

Removes a bunch of duplicated logic in InterpreterAssembler and
instead uses the CodeStubAssembler logic. Refactors Interpreter
with these changes.

Modifies CodeStubAssembler to add the extra operations required
by the Interpreter (extra call types, raw memory access and some extra
binary ops). Also adds the ability for subclasses to add extra
prologue and epilogue operations around calls, which is required
for the Interpreter.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1673333004

Cr-Commit-Position: refs/heads/master@{#33873}
2016-02-10 16:39:32 +00:00
martyn.capewell
5ac796b553 Revert of [turbofan] ARM: Improve AND instruction selection (patchset #1 id:1 of https://codereview.chromium.org/1677023002/ )
Reason for revert:
Possibly causing Mozilla test failures - will investigate.

Original issue's description:
> [turbofan] ARM: Improve AND instruction selection
>
> Improve instruction selector for mask and shift operations by using cheaper
> instructions where possible, in preference to UBFX.
>
> BUG=
>
> Committed: https://crrev.com/53d9c12977f07f55b6f2a72128b8d02c4c857845
> Cr-Commit-Position: refs/heads/master@{#33843}

TBR=bmeurer@chromium.org,jarin@chromium.org,danno@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1681953003

Cr-Commit-Position: refs/heads/master@{#33850}
2016-02-09 15:12:00 +00:00
martyn.capewell
53d9c12977 [turbofan] ARM: Improve AND instruction selection
Improve instruction selector for mask and shift operations by using cheaper
instructions where possible, in preference to UBFX.

BUG=

Review URL: https://codereview.chromium.org/1677023002

Cr-Commit-Position: refs/heads/master@{#33843}
2016-02-09 11:14:24 +00:00
bmeurer
07e9921f5a [turbofan] Introduce JSCreateLowering for optimizing JSCreate nodes.
This moves the JSCreate related functionality from JSTypedLowering into
a dedicated JSCreateLowering reducer. This is in preparation of landing
the support for optimized literals in TurboFan, which would blow up
JSTypedLowering quite seriously otherwise.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1678833002

Cr-Commit-Position: refs/heads/master@{#33813}
2016-02-08 12:33:59 +00:00
bmeurer
3ef573e9f1 [runtime] Optimize and unify rest parameters.
Replace the somewhat awkward RestParamAccessStub, which would always
call into the runtime anyway with a proper FastNewRestParameterStub,
which is basically based on the code that was already there for strict
arguments object materialization. But for rest parameters we could
optimize even further (leading to 8-10x improvements for functions with
rest parameters), by fixing the internal formal parameter count:

Every SharedFunctionInfo has a formal_parameter_count field, which
specifies the number of formal parameters, and is used to decide whether
we need to create an arguments adaptor frame when calling a function
(i.e. if there's a mismatch between the actual and expected parameters).
Previously the formal_parameter_count included the rest parameter, which
was sort of unfortunate, as that meant that calling a function with only
the non-rest parameters still required an arguments adaptor (plus some
other oddities). Now with this CL we fix, so that we do no longer
include the rest parameter in that count. Thereby checking for rest
parameters is very efficient, as we only need to check whether there is
an arguments adaptor frame, and if not create an empty array, otherwise
check whether the arguments adaptor frame has more parameters than
specified by the formal_parameter_count.

The FastNewRestParameterStub is written in a way that it can be directly
used by Ignition as well, and with some tweaks to the TurboFan backends
and the CodeStubAssembler, we should be able to rewrite it as
TurboFanCodeStub in the near future.

Drive-by-fix: Refactor and unify the CreateArgumentsType which was
different in TurboFan and Ignition; now we have a single enum class
which is used in both TurboFan and Ignition.

R=jarin@chromium.org, rmcilroy@chromium.org
TBR=rossberg@chromium.org
BUG=v8:2159
LOG=n

Review URL: https://codereview.chromium.org/1676883002

Cr-Commit-Position: refs/heads/master@{#33809}
2016-02-08 10:08:50 +00:00
mvstanton
3f36e658c8 Revert of Type Feedback Vector lives in the closure (patchset #2 id:40001 of https://codereview.chromium.org/1668103002/ )
Reason for revert:
Must revert for now due to chromium api natives issues.

Original issue's description:
> Type Feedback Vector lives in the closure
>
> (RELAND: the problem before was a missing write barrier for adding the code
> entry to the new closure. It's been addressed with a new macro instruction
> and test. The only change to this CL is the addition of two calls to
> __ RecordWriteCodeEntryField() in the platform CompileLazy builtin.)
>
> We get less "pollution" of type feedback if we have one vector per native
> context, rather than one for the whole system. This CL moves the vector
> appropriately.
>
> We rely more heavily on the Optimized Code Map in the SharedFunctionInfo. The
> vector actually lives in the first slot of the literals array (indeed there is
> great commonality between those arrays, they can be thought of as the same
> thing). So we make greater effort to ensure there is a valid literals array
> after compilation.
>
> This meant, for performance reasons, that we needed to extend
> FastNewClosureStub to support creating closures with literals. And ultimately,
> it drove us to move the optimized code map lookup out of FastNewClosureStub
> and into the compile lazy builtin.
>
> The heap change is trivial so I TBR Hannes for it...
> Also, Yang has had a look at the debugger changes already and approved 'em. So he is TBR style too.
> And Benedikt reviewed it as well.
>
> TBR=hpayer@chromium.org, yangguo@chromium.org, bmeurer@chromium.org
>
> BUG=
>
> Committed: https://crrev.com/bb31db3ad6de16f86a61f6c7bbfd3274e3d957b5
> Cr-Commit-Position: refs/heads/master@{#33741}

TBR=bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1670813005

Cr-Commit-Position: refs/heads/master@{#33766}
2016-02-05 10:48:35 +00:00
mvstanton
bb31db3ad6 Type Feedback Vector lives in the closure
(RELAND: the problem before was a missing write barrier for adding the code
entry to the new closure. It's been addressed with a new macro instruction
and test. The only change to this CL is the addition of two calls to
__ RecordWriteCodeEntryField() in the platform CompileLazy builtin.)

We get less "pollution" of type feedback if we have one vector per native
context, rather than one for the whole system. This CL moves the vector
appropriately.

We rely more heavily on the Optimized Code Map in the SharedFunctionInfo. The
vector actually lives in the first slot of the literals array (indeed there is
great commonality between those arrays, they can be thought of as the same
thing). So we make greater effort to ensure there is a valid literals array
after compilation.

This meant, for performance reasons, that we needed to extend
FastNewClosureStub to support creating closures with literals. And ultimately,
it drove us to move the optimized code map lookup out of FastNewClosureStub
and into the compile lazy builtin.

The heap change is trivial so I TBR Hannes for it...
Also, Yang has had a look at the debugger changes already and approved 'em. So he is TBR style too.
And Benedikt reviewed it as well.

TBR=hpayer@chromium.org, yangguo@chromium.org, bmeurer@chromium.org

BUG=

Review URL: https://codereview.chromium.org/1668103002

Cr-Commit-Position: refs/heads/master@{#33741}
2016-02-04 15:41:23 +00:00
mtrofin
1ecf58f409 [turbofan] fine grained in-block move optimization
So far, we've been moving down gaps wholesale. This change moves
individual move operations instead. This improves some benchmarks,
and should overall reduce code size, because it improves the chance of
reducing the number of moves.

For example, there are improvements on x64 in Emscripten (Bullet, in
particular) , JetStream geomean, Embenchen (zlib).

In the process of making this change, I noticed we can separate the
tasks performed by the move optimizer, as follows:

- group gaps into 1
- push gaps down, jumping instructions (these 2 were together before)
- merge blocks (and then push gaps down)
- finalize

We can do without a finalization list. This avoids duplicating storage -
we already have the list of instructions; it also simplifies the logic, since,
with this change, we may process an instruction's gap twice.

Compile time doesn't regress much (see pathological cases), but we
may want to avoid the allocations of the few sets used in the new code.
I'll do that in a subsequent change.

BUG=

Review URL: https://codereview.chromium.org/1634093002

Cr-Commit-Position: refs/heads/master@{#33715}
2016-02-04 06:30:34 +00:00
bmeurer
7be5829971 [turbofan] Move creation stub fallbacks to JSGenericLowering.
Move all the code that deals with falling back to object creation via
stubs to JSGenericLowering, where we can already deal well with stub
calls. This includes JSCreateLiteralArray, JSCreateLiteralObject,
JSCreateClosure, JSCreateFunctionContext and JSCreateArray.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1653353002

Cr-Commit-Position: refs/heads/master@{#33682}
2016-02-02 13:34:02 +00:00
bmeurer
6b2001b6b7 [turbofan] Introduce proper ObjectIsReceiver operator.
Avoid the hacking in JSIntrinsicLowering and provide a proper simplified
operator ObjectIsReceiver instead that is used to implement %_IsJSReceiver
which is used by our JavaScript builtins and the JSInliner.

R=jarin@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1657863004

Cr-Commit-Position: refs/heads/master@{#33675}
2016-02-02 11:43:02 +00:00
bmeurer
8c04a35c83 [intrinsics] Remove %_IsFunction inline intrinsic.
There's no point in having %_IsFunction as inline intrinsic, as it
is only used in non performance critical code, which is already full
of runtime calls anyway, so %IsFunction will do the trick as well.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1658123002

Cr-Commit-Position: refs/heads/master@{#33660}
2016-02-02 09:14:07 +00:00
jarin
ef35f11c43 Remove the template magic from types.(h|cc), remove types-inl.h.
This CL removes the Config templatization from the types. It is not
necessary anymore, after the HeapTypes have been removed.

The CL also changes the type hierarchy - the specific type kinds are
not inner classes of the Type class and they do not inherit from Type.
This is partly because it seems impossible to make this work without
templates. Instead, a new TypeBase class is introduced and all the
structural (i.e., non-bitset) types inherit from it.

The bitset type still requires the bit-munging hack and some nasty
reinterpret-casts to pretend bitsets are of type Type*. Additionally,
there is now the same hack for TypeBase - all pointers to the sub-types
of TypeBase are reinterpret-casted to Type*. This is to keep the type
constructors in inline method definitions (although it is unclear how
much that actually buys us).

In future, we would like to move to a model where we encapsulate Type*
into a class (or possibly use Type where we used to use Type*). This
would loosen the coupling between bitset size and pointer size, and
eventually we would be able to have more bits.

TBR=bradnelson@chromium.org

Review URL: https://codereview.chromium.org/1655833002

Cr-Commit-Position: refs/heads/master@{#33656}
2016-02-02 07:26:06 +00:00
ahaas
645880373b [turbofan] Add the StackSlot operator to turbofan.
The StackSlot operator allows to allocate a spill slot on the stack. We
are going to use this operator to pass floats through pointers to c
functions, which we need for floating point rounding in the case where
the architecture does not provide rounding instructions.

R=titzer@chromium.org, v8-arm-ports@googlegroups.com, v8-ppc-ports@googlegroups.com, v8-mips-ports@googlegroups.com

Committed: https://crrev.com/7a693437787090d62d937b862e29521debcc5223
Cr-Commit-Position: refs/heads/master@{#33600}

Review URL: https://codereview.chromium.org/1645653002

Cr-Commit-Position: refs/heads/master@{#33606}
2016-01-29 09:43:54 +00:00
ahaas
11f7c2e63c Revert of [turbofan] Add the StackSlot operator to turbofan. (patchset #4 id:60001 of https://codereview.chromium.org/1645653002/ )
Reason for revert:
problems on Mac64

Original issue's description:
> [turbofan] Add the StackSlot operator to turbofan.
>
> The StackSlot operator allows to allocate a spill slot on the stack. We
> are going to use this operator to pass floats through pointers to c
> functions, which we need for floating point rounding in the case where
> the architecture does not provide rounding instructions.
>
> R=titzer@chromium.org, v8-arm-ports@googlegroups.com, v8-ppc-ports@googlegroups.com, v8-mips-ports@googlegroups.com
>
> Committed: https://crrev.com/7a693437787090d62d937b862e29521debcc5223
> Cr-Commit-Position: refs/heads/master@{#33600}

TBR=titzer@chromium.org,v8-arm-ports@googlegroups.com,v8-mips-ports@googlegroups.com,v8-ppc-ports@googlegroups.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1644283002

Cr-Commit-Position: refs/heads/master@{#33601}
2016-01-29 08:19:06 +00:00
ahaas
7a69343778 [turbofan] Add the StackSlot operator to turbofan.
The StackSlot operator allows to allocate a spill slot on the stack. We
are going to use this operator to pass floats through pointers to c
functions, which we need for floating point rounding in the case where
the architecture does not provide rounding instructions.

R=titzer@chromium.org, v8-arm-ports@googlegroups.com, v8-ppc-ports@googlegroups.com, v8-mips-ports@googlegroups.com

Review URL: https://codereview.chromium.org/1645653002

Cr-Commit-Position: refs/heads/master@{#33600}
2016-01-29 08:08:22 +00:00
mvstanton
a702785156 Revert of Type Feedback Vector lives in the closure (patchset #2 id:20001 of https://codereview.chromium.org/1642613002/ )
Reason for revert:
Bug: failing to use write barrier when writing code entry into closure.

Original issue's description:
> Reland of Type Feedback Vector lives in the closure
>
> (Fixed a bug found by nosnap builds.)
>
> We get less "pollution" of type feedback if we have one vector per native
> context, rather than one for the whole system. This CL moves the vector
> appropriately.
>
> We rely more heavily on the Optimized Code Map in the SharedFunctionInfo. The
> vector actually lives in the first slot of the literals array (indeed there is
> great commonality between those arrays, they can be thought of as the same
> thing). So we make greater effort to ensure there is a valid literals array
> after compilation.
>
> This meant, for performance reasons, that we needed to extend
> FastNewClosureStub to support creating closures with literals. And ultimately,
> it drove us to move the optimized code map lookup out of FastNewClosureStub
> and into the compile lazy builtin.
>
> The heap change is trivial so I TBR Hannes for it...
>
> TBR=hpayer@chromium.org
> BUG=
>
> Committed: https://crrev.com/d984b3b0ce91e55800f5323b4bb32a06f8a5aab1
> Cr-Commit-Position: refs/heads/master@{#33548}

TBR=bmeurer@chromium.org,yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1643533003

Cr-Commit-Position: refs/heads/master@{#33556}
2016-01-27 15:05:38 +00:00
mvstanton
d984b3b0ce Reland of Type Feedback Vector lives in the closure
(Fixed a bug found by nosnap builds.)

We get less "pollution" of type feedback if we have one vector per native
context, rather than one for the whole system. This CL moves the vector
appropriately.

We rely more heavily on the Optimized Code Map in the SharedFunctionInfo. The
vector actually lives in the first slot of the literals array (indeed there is
great commonality between those arrays, they can be thought of as the same
thing). So we make greater effort to ensure there is a valid literals array
after compilation.

This meant, for performance reasons, that we needed to extend
FastNewClosureStub to support creating closures with literals. And ultimately,
it drove us to move the optimized code map lookup out of FastNewClosureStub
and into the compile lazy builtin.

The heap change is trivial so I TBR Hannes for it...

TBR=hpayer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1642613002

Cr-Commit-Position: refs/heads/master@{#33548}
2016-01-27 12:53:42 +00:00
oth
95bec7e7b1 [interpreter] Reduce move operations for wide register support.
Introduces the concept of transfer direction to register operands. This
enables the register translator to emit exactly the moves that a
bytecode having it's register operands translated needs.

BUG=v8:4280,v8:4675
LOG=N

Review URL: https://codereview.chromium.org/1633153002

Cr-Commit-Position: refs/heads/master@{#33544}
2016-01-27 11:15:56 +00:00
mvstanton
e2e7dc32ef Revert of Type Feedback Vector lives in the closure (patchset #12 id:260001 of https://codereview.chromium.org/1563213002/ )
Reason for revert:
FAilure on win32 bot, need to investigate webkit failures.

Original issue's description:
> Type Feedback Vector lives in the closure
>
> We get less "pollution" of type feedback if we have one vector per native
> context, rather than one for the whole system. This CL moves the vector
> appropriately.
>
> We rely more heavily on the Optimized Code Map in the SharedFunctionInfo. The
> vector actually lives in the first slot of the literals array (indeed there is
> great commonality between those arrays, they can be thought of as the same
> thing). So we make greater effort to ensure there is a valid literals array
> after compilation.
>
> This meant, for performance reasons, that we needed to extend
> FastNewClosureStub to support creating closures with literals. And ultimately,
> it drove us to move the optimized code map lookup out of FastNewClosureStub
> and into the compile lazy builtin.
>
> The heap change is trivial so I TBR Hannes for it...
>
> TBR=hpayer@chromium.org
>
> BUG=
>
> Committed: https://crrev.com/a5200f7ed4d11c6b882fa667da7a1864226544b4
> Cr-Commit-Position: refs/heads/master@{#33518}

TBR=bmeurer@chromium.org,akos.palfi@imgtec.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1632993003

Cr-Commit-Position: refs/heads/master@{#33520}
2016-01-26 15:02:29 +00:00
mvstanton
a5200f7ed4 Type Feedback Vector lives in the closure
We get less "pollution" of type feedback if we have one vector per native
context, rather than one for the whole system. This CL moves the vector
appropriately.

We rely more heavily on the Optimized Code Map in the SharedFunctionInfo. The
vector actually lives in the first slot of the literals array (indeed there is
great commonality between those arrays, they can be thought of as the same
thing). So we make greater effort to ensure there is a valid literals array
after compilation.

This meant, for performance reasons, that we needed to extend
FastNewClosureStub to support creating closures with literals. And ultimately,
it drove us to move the optimized code map lookup out of FastNewClosureStub
and into the compile lazy builtin.

The heap change is trivial so I TBR Hannes for it...

TBR=hpayer@chromium.org

BUG=

Review URL: https://codereview.chromium.org/1563213002

Cr-Commit-Position: refs/heads/master@{#33518}
2016-01-26 14:21:08 +00:00
sigurds
2b84cb4f56 [turbofan] Minor performance tweaks in escape analysis
* Add caching to handling of dangling loads
* Add two unittests for load elimination on escaped objects

BUG=v8:4586
LOG=n

Review URL: https://codereview.chromium.org/1619103004

Cr-Commit-Position: refs/heads/master@{#33498}
2016-01-25 17:31:17 +00:00
mtrofin
78b55f2ebc If all the predecessors of a node have, at the last gap, the exact same
moves, we move those to the node, and remove them from the
predecessors ("merge" them to the common node).

If only some of the moves are common, we don't do anything. This is
what this change addresses.

The bug linked below should be addressed by this change. The only
difference in codegen before/after the change that introduced the bug
was un-merged moves.

BUG=chromium:549262
LOG=N

Review URL: https://codereview.chromium.org/1527203002

Cr-Commit-Position: refs/heads/master@{#33481}
2016-01-25 06:33:14 +00:00
rmcilroy
677e54e244 [Interpreter] Always store current context in the frames context slot.
Change the interpreter to always store the current context in the frame's
context slot instead of the function context. This makes it possible to
restore the correct context during deopt.

BUG=v8:4678,v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1604923002

Cr-Commit-Position: refs/heads/master@{#33477}
2016-01-23 00:07:49 +00:00
sigurds
4efbeac115 [turbofan] Improve escape analysis.
* Treat Select nodes as escaping
* Correctly void virtual field information
  after a store to a non-const index
* Add a shortcut if all allocates escape
* Add a shortcut if no allocates are discovered
* Only reduce FrameState/StateValues nodes if they
  have virtual allocates as input (transitively)
* Fix bug in FrameState/StateValues duplication
* Add check to verifier: First 3 inputs of FrameState
  must be StateValues

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n

Review URL: https://codereview.chromium.org/1583213003

Cr-Commit-Position: refs/heads/master@{#33406}
2016-01-20 13:26:31 +00:00
oth
68654b6476 [Interpreter] Preparation for wide registers.
o Adds wide variants of bytecodes that have operands describing ranges
  of registers. The upcoming wide register support does not suppport
  re-mapping ranges.
o Adds kRegPair16 and kRegTriple16 operands required for new wide
  bytecodes and renames Count8/Count16 operands to RegCount8/RegCount16.
o Removes Exchange bytecodes

BUG=v8:4675
LOG=NO

Review URL: https://codereview.chromium.org/1595103006

Cr-Commit-Position: refs/heads/master@{#33389}
2016-01-19 16:07:00 +00:00
rmcilroy
1ea0b91a83 [Interpreter] Make ForInPrepare take a kRegTriple8 and ForInNext take kRegPair8 for cache state
Make ForInPrepare take a kRegTriple8 operand and ForInNext take kRegPair8
operand for cache state. This is to ensure that the cache state output of
ForInPrepare is in consecutive registers to allow us to deopt the
ForInPrepare node from TF->Ignition (to be done in a followup CL).

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1584813002

Cr-Commit-Position: refs/heads/master@{#33357}
2016-01-18 12:40:22 +00:00
sigurds
fc9a73e8a6 [turbofan] Various performance enhancements for escape analysis
This bug improves performance of escape analysis.

* A allocation discovery phase  (EscapeAnalysis::AssignAliases)
  ensures compact representation of virtual state
* Node revisiting in EscapeStatusAnalysis has been improved
* Escape analysis no longer requires a trimmed graph

BUG=v8:4586
LOG=n

Review URL: https://codereview.chromium.org/1559123003

Cr-Commit-Position: refs/heads/master@{#33267}
2016-01-13 15:30:48 +00:00
rmcilroy
1a063d944d [Interpreter] Add support for calling runtime functions which return a pair.
Adds support for calling runtime functions which return a pair of
values. Adds the bytecode CallRuntimePair. Also adds support to TurboFan
for calling stubs which return multiple values.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1568493002

Cr-Commit-Position: refs/heads/master@{#33181}
2016-01-08 15:16:28 +00:00
sigurds
3b473d7aad [turbofan] Deopt support for escape analysis
Deopt support is added on two levels. On the IR level,
a new ObjectState node is added, which represenents an
object to be materialized. ObjectState nodes appear as
inputs of FrameState and StateValues nodes. On the
instruction select/code-generation level, the
FrameStateDescriptor class handles the nesting
introduced by ObjectState, and ensures that deopt code
with CAPTURED_OBJECT/DUPLICATED_OBJECT entries are
generated similarly to what crankshaft's escape
analysis does.

Two unittests test correctness of the IR level implementation.

Correctness for instruction selection / code generation
is tested by mjsunit tests.

R=jarin@chromium.org,mstarzinger@chromium.org
BUG=v8:4586
LOG=n

Review URL: https://codereview.chromium.org/1485183002

Cr-Commit-Position: refs/heads/master@{#33115}
2016-01-05 13:31:02 +00:00
mvstanton
c89ddbb7bc Optimized TurboFan support for rest args.
R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1557883002

Cr-Commit-Position: refs/heads/master@{#33105}
2016-01-05 09:40:41 +00:00
oth
c958c98c4f [Interpreter] Bytecodes for exchanging registers.
New bytecodes for making registers with indicies wider than 1-byte
accessible.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1555713002

Cr-Commit-Position: refs/heads/master@{#33091}
2016-01-04 17:38:26 +00:00
bmeurer
97def8070c [runtime] Introduce dedicated JSBoundFunction to represent bound functions.
According to the ES2015 specification, bound functions are exotic
objects, and thus don't need to be implemented as JSFunctions. So
we introduce a new JSBoundFunction type to represent bound functions
and make them optimizable. This already improves the performance of
calling or constructing bound functions by 10-100x depending on the
use case because we avoid the crazy dance between JavaScript and C++
that was implemented in v8natives.js previously.

There's still room for improvement in the performance of actually
creating bound functions, which is also relevant in practice, but
we already have a plan how to accomplish that later.

The mips/mips64 ports were contributed by akos.palfi@imgtec.com.

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
BUG=chromium:535408, chromium:571299, v8:4629
LOG=n

Committed: https://crrev.com/ca8623eaa468cba65a5adafcdfb4615966f43ce2
Cr-Commit-Position: refs/heads/master@{#33042}

Review URL: https://codereview.chromium.org/1542963002

Cr-Commit-Position: refs/heads/master@{#33044}
2015-12-27 06:31:44 +00:00
bmeurer
1cf8b105d6 Revert of [runtime] Introduce dedicated JSBoundFunction to represent bound functions. (patchset #14 id:260001 of https://codereview.chromium.org/1542963002/ )
Reason for revert:
Breaks arm64 sim nosnap: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug/builds/805/steps/Check/logs/function-bind

Original issue's description:
> [runtime] Introduce dedicated JSBoundFunction to represent bound functions.
>
> According to the ES2015 specification, bound functions are exotic
> objects, and thus don't need to be implemented as JSFunctions. So
> we introduce a new JSBoundFunction type to represent bound functions
> and make them optimizable. This already improves the performance of
> calling or constructing bound functions by 10-100x depending on the
> use case because we avoid the crazy dance between JavaScript and C++
> that was implemented in v8natives.js previously.
>
> There's still room for improvement in the performance of actually
> creating bound functions, which is also relevant in practice, but
> we already have a plan how to accomplish that later.
>
> The mips/mips64 ports were contributed by akos.palfi@imgtec.com.
>
> CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
> BUG=chromium:535408, chromium:571299, v8:4629
> LOG=n
>
> Committed: https://crrev.com/ca8623eaa468cba65a5adafcdfb4615966f43ce2
> Cr-Commit-Position: refs/heads/master@{#33042}

TBR=cbruni@chromium.org,hpayer@chromium.org,yangguo@chromium.org,akos.palfi@imgtec.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:535408, chromium:571299, v8:4629

Review URL: https://codereview.chromium.org/1552473002

Cr-Commit-Position: refs/heads/master@{#33043}
2015-12-27 04:42:13 +00:00
bmeurer
ca8623eaa4 [runtime] Introduce dedicated JSBoundFunction to represent bound functions.
According to the ES2015 specification, bound functions are exotic
objects, and thus don't need to be implemented as JSFunctions. So
we introduce a new JSBoundFunction type to represent bound functions
and make them optimizable. This already improves the performance of
calling or constructing bound functions by 10-100x depending on the
use case because we avoid the crazy dance between JavaScript and C++
that was implemented in v8natives.js previously.

There's still room for improvement in the performance of actually
creating bound functions, which is also relevant in practice, but
we already have a plan how to accomplish that later.

The mips/mips64 ports were contributed by akos.palfi@imgtec.com.

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
BUG=chromium:535408, chromium:571299, v8:4629
LOG=n

Review URL: https://codereview.chromium.org/1542963002

Cr-Commit-Position: refs/heads/master@{#33042}
2015-12-26 20:28:17 +00:00
dusan.m.milosavljevic
7bc8fac472 MIPS: [turbofan] Optimize Float32 to Int32 rep. changes with Float32 round ops.
TEST=unittests/InstructionSelectorTest.CombineChangeFloat32ToInt32WithRoundFloat32,
     ChangeFloat64ToInt32OfChangeFloat32ToFloat64, TruncateFloat64ToFloat32OfChangeInt32ToFloat64
BUG=

Review URL: https://codereview.chromium.org/1520503002

Cr-Commit-Position: refs/heads/master@{#32969}
2015-12-18 16:12:51 +00:00
paul.lind
a0c7e25f99 Update MIPS owners.
Add Ivica B.

NOTRY=true

Review URL: https://codereview.chromium.org/1525413003

Cr-Commit-Position: refs/heads/master@{#32933}
2015-12-17 09:07:00 +00:00
sigurds
4390514154 [turbofan] Escape Analysis improvements
Move replacements out of virtual object. Replacements are
global to the graph and are not dependent on the virtual
state (after they are discovered).

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n

Review URL: https://codereview.chromium.org/1527533002

Cr-Commit-Position: refs/heads/master@{#32838}
2015-12-14 14:13:31 +00:00
danno
bf24486b22 [tubofan] Remove .dot output of --trace-turbo
Review URL: https://codereview.chromium.org/1514323002

Cr-Commit-Position: refs/heads/master@{#32813}
2015-12-11 16:58:31 +00:00
jarin
56673804e0 [turbofan] Store nodes use only MachineRepresentation, not MachineType.
Review URL: https://codereview.chromium.org/1513383003

Cr-Commit-Position: refs/heads/master@{#32803}
2015-12-11 15:34:16 +00:00
bmeurer
7e5ff19ee2 [turbofan] Some more cleanup on the intrinsics.
Remove unused obsolete %_StringGetStringLength intrinsic, and properly
optimize the %_SubString, %_RegExpExec, %_RegExpFlags, %_RegExpSource
and %_RegExpConstructResult intrinsics.

Review URL: https://codereview.chromium.org/1516753006

Cr-Commit-Position: refs/heads/master@{#32782}
2015-12-11 09:12:12 +00:00
rmcilroy
42718a4c88 Remove dummy control / effect edges from RMA Load / Store / Div nodes.
Review URL: https://codereview.chromium.org/1510173004

Cr-Commit-Position: refs/heads/master@{#32762}
2015-12-10 17:07:41 +00:00
rmcilroy
c4745aa187 Remove dummy control / effect edges from RMA Call nodes.
Removes the dummy control and effect edges from the RMA Call nodes. This
requires a change to the node matchers to allow them to cope with nodes
which don't have control or effect matchers.

Review URL: https://codereview.chromium.org/1518673002

Cr-Commit-Position: refs/heads/master@{#32752}
2015-12-10 13:36:28 +00:00
jarin
9c87bd4b82 [turbofan] Get rid of truncation by store.
Nowadays, representation inference and simplified lowering can insert the
right truncations based on the use.

Review URL: https://codereview.chromium.org/1512243002

Cr-Commit-Position: refs/heads/master@{#32747}
2015-12-10 11:23:55 +00:00
jarin
bb2a830deb [turbofan] Make MachineType a pair of enums.
MachineType is now a class with two enum fields:
- MachineRepresentation
- MachineSemantic

Both enums are usable on their own, and this change switches some places from using MachineType to use just MachineRepresentation. Most notably:
- register allocator now uses just the representation.
- Phi and Select nodes only refer to representations.

Review URL: https://codereview.chromium.org/1513543003

Cr-Commit-Position: refs/heads/master@{#32738}
2015-12-10 09:03:53 +00:00
bmeurer
6a1328452a [turbofan] The JSCreateWithContext operator doesn't need a frame state.
Creating a with context cannot lazy/eager deoptimize, so we don't need
to pass a frame state.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1508373002

Cr-Commit-Position: refs/heads/master@{#32711}
2015-12-09 12:00:26 +00:00
bmeurer
82fd004745 [turbofan] Also lower JSCreateCatchContext in typed lowering.
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1515513002

Cr-Commit-Position: refs/heads/master@{#32709}
2015-12-09 11:52:22 +00:00
dusan.m.milosavljevic
0d4f8a913d MIPS: [turbofan] Combine ChangeFloat64ToInt32 with Float64Round ops.
TEST=unittests/InstructionSlectorTest.CombineChangeFloat64ToInt32WithRoundFloat64
BUG=

Review URL: https://codereview.chromium.org/1510493002

Cr-Commit-Position: refs/heads/master@{#32668}
2015-12-07 23:36:30 +00:00
dusan.m.milosavljevic
472e2ba9b9 MIPS:[turbofan] Match shift left and bitwise And with mask when possible.
TEST=unittests/InstructionSelectorTest.Word(32|64)ShlWithWord(32|64)And
BUG=

Review URL: https://codereview.chromium.org/1496013003

Cr-Commit-Position: refs/heads/master@{#32612}
2015-12-04 13:13:04 +00:00
bmeurer
9298b43029 [turbofan] Introduce ToBooleanHints on ToBoolean operators.
Extract ToBoolean hints from the fullcodegen code object and put them
into the ToBoolean nodes created by the AstGraphBuilder.  We currently
do not yet consume this feedback, that will be done in a followup CL.

R=mstarzinger@chromium.org
BUG=v8:4583
LOG=n

Review URL: https://codereview.chromium.org/1494973002

Cr-Commit-Position: refs/heads/master@{#32576}
2015-12-03 16:48:19 +00:00
titzer
27433918f5 Move machine-type.h from src/compiler to src/.
R=bmeurer@chromium.org,jarin@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1498833002

Cr-Commit-Position: refs/heads/master@{#32564}
2015-12-03 13:34:02 +00:00
mstarzinger
33142c120d [turbofan] Make RawMachineAssembler handle the end node.
This moves the proper handling for the end node withing the constructed
graph into the RawMachineAssembler. This simplifies all assemblers and
makes the handling of {Start} and {End} symmetrical.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1493963003

Cr-Commit-Position: refs/heads/master@{#32563}
2015-12-03 13:30:06 +00:00
bmeurer
411c5b7fb0 [turbofan] Desugar JSUnaryNot(x) to Select(x, false, true).
Also remove the ResultMode from ToBooleanStub and always return true or
false and use the same mechanism in fullcodegen.  This is in preparation
for adding ToBoolean hints to TurboFan.

Drive-by-fix: We can use the power of the ToBooleanIC in TurboFan now
that the ResultMode is gone (and the runtime always returns true or
false from the miss handler).

R=mstarzinger@chromium.org
BUG=v8:4583
LOG=n

Review URL: https://codereview.chromium.org/1491223002

Cr-Commit-Position: refs/heads/master@{#32524}
2015-12-02 15:22:13 +00:00
sigurds
6095d0af30 [turbofan] Refactor escape analysis to only expose one class.
R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n

Review URL: https://codereview.chromium.org/1491903002

Cr-Commit-Position: refs/heads/master@{#32523}
2015-12-02 15:21:21 +00:00
bmeurer
ddb9f461f1 [turbofan] Optimize %_IsJSReceiver based on input type.
We can constant fold %_IsJSReceiver(x) based on whether x is always a
receiver or can never be a receiver.  This is important as
%_IsJSReceiver is inserted by the JSInliner.

R=jarin@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1486383003

Cr-Commit-Position: refs/heads/master@{#32519}
2015-12-02 14:35:54 +00:00
sigurds
aa0ddf7db4 [turbofan] Initial support for escape analysis.
This is the first part of escape analysis for turbofan.
At the moment, there is no deopt support, and support
for loops is partial (only binary Phis are handled).

The CL includes 4 unittests.

There are also 8 new mjsunit tests, some of which are
skiped as they require features not yet implemented.

BUG=v8:4586
LOG=n

Review URL: https://codereview.chromium.org/1457683003

Cr-Commit-Position: refs/heads/master@{#32498}
2015-12-02 10:53:50 +00:00
dusan.m.milosavljevic
2d0e9abebf MIPS:[turbofan] Use Ins, Dins to clear bits instead of And with inverted immediate.
TEST=unittests/InstructionSelectorTest.Word(32|64)AndToClearBits
BUG=

Review URL: https://codereview.chromium.org/1485023004

Cr-Commit-Position: refs/heads/master@{#32479}
2015-12-01 22:16:48 +00:00
dusan.m.milosavljevic
6b11cc830b MIPS:[turbofan] Use Nor instruction for bit negation instead of xori.
Xori instruction can only have unisgned 16-bit immediates for right input,
as such it is not suitable for bit negation on mips.

TEST=unittests/InstructionSecetorTest.Word(32|64)XorMinusOneWithParameter
BUG=

Review URL: https://codereview.chromium.org/1485833003

Cr-Commit-Position: refs/heads/master@{#32478}
2015-12-01 21:58:43 +00:00
bmeurer
5af6017d4b [turbofan] Add binary operation hints for javascript operators.
This is the initial support for binary operation hints on javascript
binary operators, i.e. JSAdd, JSSubtract and so on. The hints are
extracted from the fullcodegen code object before graph building and the
AstGraphBuilder puts those hints on the operators if available.

R=jarin@chromium.org
BUG=v8:4583
LOG=n

Review URL: https://codereview.chromium.org/1487973002

Cr-Commit-Position: refs/heads/master@{#32443}
2015-12-01 09:03:32 +00:00
mythria
b587aa2bc7 [Interpreter] Add support for cast operators to bytecode graph builder and
an optomization to remove redundant cast operations.

1. Adds an optimization to remove redundant ToBoolean and ToName operations.
2. Adds implementation and tests for cast operatorts to bytecode graph builder.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1468003002

Cr-Commit-Position: refs/heads/master@{#32408}
2015-11-30 13:50:20 +00:00
neis
9334308a12 Rename %_IsSpecObject to %_IsJSReceiver.
This depends on issue 1476403004.

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1479293002

Cr-Commit-Position: refs/heads/master@{#32401}
2015-11-30 11:56:45 +00:00
vogelheim
d3ba9afee2 Move RMA::Label out of the class, so it can be forward declared.
R=bmeurer@chromium.org, mstarzinger@chromium.org
BUG=chromium:508898
LOG=Y

Review URL: https://codereview.chromium.org/1477413002

Cr-Commit-Position: refs/heads/master@{#32400}
2015-11-30 11:29:23 +00:00
bmeurer
f7226a798a [turbofan] Support for typed lowering of "prototype" load from functions.
Add initial support to optimize certain "prototype" loads from known
JSFunctions which have a prototype. This includes an appropriate typing
rule plus a matching rule for typed lowering.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1482213002

Cr-Commit-Position: refs/heads/master@{#32390}
2015-11-30 08:42:11 +00:00
bmeurer
47502a238b [runtime] Replace global object link with native context link in all contexts.
Previously all contexts had a link to the global object, but what is
required in most cases (except for the global load, store and delete
case) is the native context.

This also removes the second dummy global object that was still linked
to every native context. We will add a different mechanism to ensure
that builtins do not pollute the actual global object during
bootstrapping.

Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=yangguo@chromium.org,mstarzinger@chromium.org

Committed: https://crrev.com/d290f204938295bfecc5c8e645ccfcff6e80ddb8
Cr-Commit-Position: refs/heads/master@{#32375}

Review URL: https://codereview.chromium.org/1480003002

Cr-Commit-Position: refs/heads/master@{#32381}
2015-11-27 17:00:11 +00:00
machenbach
673108d000 Revert of [runtime] Replace global object link with native context link in all contexts. (patchset #3 id:40001 of https://codereview.chromium.org/1480003002/ )
Reason for revert:
[Sheriff] Breaks:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosnap/builds/5472

Original issue's description:
> [runtime] Replace global object link with native context link in all contexts.
>
> Previously all contexts had a link to the global object, but what is
> required in most cases (except for the global load, store and delete
> case) is the native context.
>
> This also removes the second dummy global object that was still linked
> to every native context. We will add a different mechanism to ensure
> that builtins do not pollute the actual global object during
> bootstrapping.
>
> Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.
>
> R=yangguo@chromium.org
>
> Committed: https://crrev.com/d290f204938295bfecc5c8e645ccfcff6e80ddb8
> Cr-Commit-Position: refs/heads/master@{#32375}

TBR=yangguo@chromium.org,mstarzinger@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1478303002

Cr-Commit-Position: refs/heads/master@{#32377}
2015-11-27 14:30:23 +00:00
bmeurer
d290f20493 [runtime] Replace global object link with native context link in all contexts.
Previously all contexts had a link to the global object, but what is
required in most cases (except for the global load, store and delete
case) is the native context.

This also removes the second dummy global object that was still linked
to every native context. We will add a different mechanism to ensure
that builtins do not pollute the actual global object during
bootstrapping.

Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1480003002

Cr-Commit-Position: refs/heads/master@{#32375}
2015-11-27 13:32:20 +00:00
bmeurer
e3ecfdfecc [turbofan] Properly wire effects for JSLoadContext and JSStoreContext.
The effect chain should be respected for context loads and stores.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1479793003

Cr-Commit-Position: refs/heads/master@{#32363}
2015-11-27 09:22:56 +00:00
bmeurer
e3a46bc766 [compiler] Decouple ToObject from CreateWithContext.
Decouple the implicit ToObject for with statements from the actual
creation of the with context. This way we can handle/optimize those
constructs separately.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1481753003

Cr-Commit-Position: refs/heads/master@{#32341}
2015-11-26 14:30:22 +00:00
oth
c0bc19fc7f [Interpreter] Deprecate bytecode-graph-builder-unittest.
Removing bytecode graph builder tests as they are high maintenance and
have limited use, ie they track changes in the implementation rather
than behaviour.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1477783003

Cr-Commit-Position: refs/heads/master@{#32333}
2015-11-26 11:50:20 +00:00
bmeurer
5d18e93bd6 Revert of binary-operator-reducer: reduce mul+div(shift) (patchset #11 id:200001 of https://codereview.chromium.org/1350223006/ )
Reason for revert:
This is also unsound for the reasons outlined in
https://codereview.chromium.org/1473073004/
Will help Fedor to implement a solution based on simplified operators.

Original issue's description:
> binary-operator-reducer: reduce mul+div(shift)
>
> Reduction Input:
>
>     ChangeInt32ToFloat64=>          TruncateFloat64ToInt32
>                          Float64Mul=>
>     ChangeInt32ToFloat64=>          Float64Div=>TruncateFloat64ToInt32
>
> Output:
>
>          =>  TruncateInt64ToInt32
> Int64Mul
>          =>  Int64Shr => TruncateInt64ToInt32
>
> Test code:
>
>     function mul(a, b) {
>       var l = a & 0x3ffffff;
>       var h = b & 0x3ffffff;
>       var m = l * h;
>
>       var rl = m & 0x3ffffff;
>       var rh = (m / 0x4000000) | 0;
>
>       return rl | rh;
>     }
>
>     mul(1, 2);
>     var a0 = mul(0x3ffffff, 0x3ffffff);
>     mul(0x0, 0x0);
>     %OptimizeFunctionOnNextCall(mul);
>     var a1 = mul(0x3ffffff, 0x3ffffff);
>
>     print(a0 + ' == ' + a1);
>
> BUG=
> R=mstarzinger@chromium.org
>
> Committed: https://crrev.com/461e5b49d022335a7fc4e9d172397a4bd48b93d4
> Cr-Commit-Position: refs/heads/master@{#31899}

TBR=mstarzinger@chromium.org,danno@chromium.org,titzer@chromium.org,fedor@indutny.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1478923002

Cr-Commit-Position: refs/heads/master@{#32313}
2015-11-26 06:16:01 +00:00
bmeurer
dc55405992 Revert of [machine-operator-reducer] fix float truncation (patchset #8 id:140001 of https://codereview.chromium.org/1433353006/ )
Reason for revert:
This is also unsound for the reasons outlined in
https://codereview.chromium.org/1473073004/
Will reland the mjsunit test separately and help Fedor to implement a solution based on simplified operators.

Original issue's description:
> [machine-operator-reducer] fix float truncation
>
> Don't replace `TruncateFloat64ToInt32(RoundInt64ToFloat64(value))` with
> `value`. Generally, `value` may have a range bigger than the one that
> could fit into Int32. Replace it with `TruncateInt64ToInt32(value)`
> instead, and only if the `value` fits into Float64 without precision
> loss.
>
> Add missing mjsunit test for 52bit multiplication/division optimization
> that has landed in refs/heads/master@{#31899}.
>
> BUG=
> R=titzer@google.com
>
> Committed: https://crrev.com/64efa2a904773816968992628f0bf0f1b7ae82be
> Cr-Commit-Position: refs/heads/master@{#32227}

TBR=titzer@chromium.org,fedor@indutny.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1468313009

Cr-Commit-Position: refs/heads/master@{#32312}
2015-11-26 06:12:22 +00:00
bmeurer
b0c179daf6 Revert of [compiler] merge binary-operator-reducer (patchset #2 id:20001 of https://codereview.chromium.org/1473073004/ )
Reason for revert:
Unsound use of types in the MachineOperatorReducer. Will work on a sound solution with Fedor.

Original issue's description:
> [compiler] merge binary-operator-reducer
>
> Merge BinaryOperatorReducer into the MachineOperatorReducer class.
> It does not need `Revisit()` calls, because the newly inserted nodes are
> visited anyway, and there are no other methods that need AdvancedReducer
> there.
>
> BUG=
> R=titzer@chromium.org
>
> Committed: https://crrev.com/993ba9d2529a6401b3040b9263f8d06db7dbb4f1
> Cr-Commit-Position: refs/heads/master@{#32298}

TBR=titzer@chromium.org,fedor@indutny.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1476763006

Cr-Commit-Position: refs/heads/master@{#32310}
2015-11-26 03:52:30 +00:00
fedor
993ba9d252 [compiler] merge binary-operator-reducer
Merge BinaryOperatorReducer into the MachineOperatorReducer class.
It does not need `Revisit()` calls, because the newly inserted nodes are
visited anyway, and there are no other methods that need AdvancedReducer
there.

BUG=
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1473073004

Cr-Commit-Position: refs/heads/master@{#32298}
2015-11-25 19:25:17 +00:00
machenbach
b9d5126930 Revert of Reland "[Interpreter] Add CreateClosure to BytecodeGraphBuilder." (patchset #1 id:1 of https://codereview.chromium.org/1475793003/ )
Reason for revert:
[Sheriff] Breaks cfi:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20cfi/builds/1209

Original issue's description:
> Reland "[Interpreter] Add CreateClosure to BytecodeGraphBuilder."
>
> Original issue's description:
> > [Interpreter] Add CreateClosure to BytecodeGraphBuilder.
> >
> > Adds code and tests to support CreateClosure bytecode when building
> > graphs.
> >
> > Committed: https://crrev.com/4cceb11b0929abcbc82bf0854554a9b66003335d
> > Cr-Commit-Position: refs/heads/master@{#32224}
>
> BUG=v8:4280
> LOG=N
>
> Committed: https://crrev.com/6a8db006e1f0a08a43446b62765bba39fdc6af10
> Cr-Commit-Position: refs/heads/master@{#32257}

TBR=bmeurer@chromium.org,oth@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4280

Review URL: https://codereview.chromium.org/1469303006

Cr-Commit-Position: refs/heads/master@{#32260}
2015-11-25 11:04:34 +00:00
oth
6a8db006e1 Reland "[Interpreter] Add CreateClosure to BytecodeGraphBuilder."
Original issue's description:
> [Interpreter] Add CreateClosure to BytecodeGraphBuilder.
>
> Adds code and tests to support CreateClosure bytecode when building
> graphs.
>
> Committed: https://crrev.com/4cceb11b0929abcbc82bf0854554a9b66003335d
> Cr-Commit-Position: refs/heads/master@{#32224}

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1475793003

Cr-Commit-Position: refs/heads/master@{#32257}
2015-11-25 09:51:49 +00:00
fedor
64efa2a904 [machine-operator-reducer] fix float truncation
Don't replace `TruncateFloat64ToInt32(RoundInt64ToFloat64(value))` with
`value`. Generally, `value` may have a range bigger than the one that
could fit into Int32. Replace it with `TruncateInt64ToInt32(value)`
instead, and only if the `value` fits into Float64 without precision
loss.

Add missing mjsunit test for 52bit multiplication/division optimization
that has landed in refs/heads/master@{#31899}.

BUG=
R=titzer@google.com

Review URL: https://codereview.chromium.org/1433353006

Cr-Commit-Position: refs/heads/master@{#32227}
2015-11-24 20:25:40 +00:00
oth
daf185b243 Revert of [Interpreter] Add CreateClosure to BytecodeGraphBuilder. (patchset #8 id:140001 of https://codereview.chromium.org/1458603012/ )
Reason for revert:
Build break.

Original issue's description:
> [Interpreter] Add CreateClosure to BytecodeGraphBuilder.
>
> Adds code and tests to support CreateClosure bytecode when building
> graphs.
>
> BUG=v8:4280
> LOG=N
>
> Committed: https://crrev.com/4cceb11b0929abcbc82bf0854554a9b66003335d
> Cr-Commit-Position: refs/heads/master@{#32224}

TBR=bmeurer@chromium.org,mythria@chromium.org,mstarzinger@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4280

Review URL: https://codereview.chromium.org/1471913004

Cr-Commit-Position: refs/heads/master@{#32225}
2015-11-24 18:11:00 +00:00
oth
4cceb11b09 [Interpreter] Add CreateClosure to BytecodeGraphBuilder.
Adds code and tests to support CreateClosure bytecode when building
graphs.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1458603012

Cr-Commit-Position: refs/heads/master@{#32224}
2015-11-24 17:51:54 +00:00
verwaest
8e28e851ee Install ConstructNonConstructable as construct stub for non-constructables.
BUG=

Review URL: https://codereview.chromium.org/1467473002

Cr-Commit-Position: refs/heads/master@{#32223}
2015-11-24 17:17:00 +00:00
bmeurer
1b1db13549 [runtime] Pass closure to %CreateArrayLiteral and %CreateObjectLiteral.
Change the runtime entries and their associated code stubs for object
and array literal creation to take the closure instead of the raw
literals pointer. This is way easier to deal with (and cleaner) in
TurboFan.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1469833005

Cr-Commit-Position: refs/heads/master@{#32220}
2015-11-24 16:05:49 +00:00
bmeurer
68ce906134 [turbofan] Introduce proper CreateLiteralParameters.
Put the constant parts of the CreateLiteralArray and CreateLiteralObject
operators into CreateLiteralParameters and properly use them everywhere.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1475613002

Cr-Commit-Position: refs/heads/master@{#32207}
2015-11-24 13:42:30 +00:00
danno
c6d310da4d [turbofan]: Implement tail calls with more callee than caller parameters
* Adds a PrepareForTailCall instruction that bumps the stack in the case that
  the number of parameters passed to the callee causes the stack to exceed the
  calleer's frame size.
* Uses the gap resolver to move the saved caller return address and frame
  pointer to the approprate location in the tail-called frame.

BUG=v8:4076
LOG=n

Review URL: https://codereview.chromium.org/1455833004

Cr-Commit-Position: refs/heads/master@{#32151}
2015-11-20 15:04:30 +00:00
dusan.m.milosavljevic
40a501a26a MIPS: [turbofan] Add matching rule to use Nor instruction.
TEST=unittests/InstructionSelectorTest.Word32XorMinusOneWithWord32Or,
     Word64XorMinusOneWithWord64Or
BUG=

Review URL: https://codereview.chromium.org/1459723002

Cr-Commit-Position: refs/heads/master@{#32149}
2015-11-20 14:00:29 +00:00
oth
8cfa73ac38 [Interpreter] Add New, CallRuntime and CallJSRuntime support to BytecodeGraphBuilder.
Adds support for the New, CallRuntime and CallJSRuntime bytecodes in
BytecodeGraphBuilder. Also adds BuildLoadObjectField,
BuildLoadGlobalObject and BuildLoadNativeContextField helpers.

Landed on behalf of rmcilroy.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1456483002

Cr-Commit-Position: refs/heads/master@{#32136}
2015-11-20 09:25:41 +00:00
mythria
4bb6e7c8c0 [Interpreter] Add support for keyed load / store ICs and named store IC to
bytecode graph builder

Adds implementation and tests for KeyedLoadIC, KeyedStoreIC and StoreIC to
bytecode graph builder.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1448913002

Cr-Commit-Position: refs/heads/master@{#32116}
2015-11-19 14:16:53 +00:00
mstarzinger
0227857d26 [turbofan] Make new.target explicit in JSCallDescriptor.
This adds an explicit parameter to the call descriptor having kind
kJSCallFunction representing the new.target value. Note that for now
this parameter is not yet passed in and hence cannot be used yet. Also
contains some refactoring of how parameter index value are calculated,
establishing Linkage as the central point for such index computations.

This is a preparatory CL to allows us passing new.target in a register
instead of via a side-channel through the construct stub frame.

R=bmeurer@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1461973002

Cr-Commit-Position: refs/heads/master@{#32112}
2015-11-19 12:48:25 +00:00
mythria
a8e86c49ec [Interpreter] Add support for unary operators to bytecode graph builder.
Adds implementation and tests for LogicalNot, TypeOf and Delete operators
to bytecode graph builder.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1459543003

Cr-Commit-Position: refs/heads/master@{#32104}
2015-11-19 09:39:11 +00:00
mstarzinger
8a57c81b3a [turbofan] Fix CFI failures in BytecodeGraphBuilder unit test.
This fixes undefined behavior with the OpParameter helper in some of our
node matchers. There was a constness mismatch of the template parameter.

R=oth@chromium.org,mythria@chromium.org

Review URL: https://codereview.chromium.org/1453973004

Cr-Commit-Position: refs/heads/master@{#32087}
2015-11-18 14:16:10 +00:00
dusan.m.milosavljevic
74145470dd MIPS: Enable logical shift right and bitwise And matching to Ext, Dext.
TEST=unittests/InstructionSelectorTest/Word32ShrWithWord32AndWithImmediate,
     Word32AndWithImmediateWithWord32Shr, Word64AndWithImmediateWithWord64Shr,
     Word64AndWithImmediateWithWord64Shr
BUG=

Review URL: https://codereview.chromium.org/1457523002

Cr-Commit-Position: refs/heads/master@{#32062}
2015-11-17 23:10:59 +00:00
dusan.m.milosavljevic
5d843f26a9 MIPS64: [turbofan] Combine untagging shifts with Mul, Div and Mod.
TEST=unittests/InstructionSelectorTest.CombineShiftsWithMul,
     InstructionSelectorTest.CombineShiftsWithDivMod
BUG=

Review URL: https://codereview.chromium.org/1444423002

Cr-Commit-Position: refs/heads/master@{#32061}
2015-11-17 22:52:54 +00:00
oth
519df935a3 [Interpreter] Add support for global loads / stores / calls to BytecodeGraphBuilder.
Adds support for the LdaGlobal and StaGlobal bytecodes to the
BytecodeGraphBuilder. Also fixes a bug in the context node's parameter
index and start node inputs.

Landed on behalf of rmcilroy.

TBR=bmeuer@chromium.org,mythria@chromium.org
BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1449373002

Cr-Commit-Position: refs/heads/master@{#32049}
2015-11-17 15:07:15 +00:00
oth
e8ae8b34a5 [Interpreter] Add support for Call bytecode to bytecode graph builder.
Adds support for visiting the Call bytecode to the bytecode graph builder.
This change also adds the call type feedback slot to the Call bytecode.
This is not currently used by the interpreter, but is used by the
graph builder.

Also adds a CallWide varient of the Call bytecode, and adds the kCount16
operand type.

Landed on behalf of rmcilroy.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1456453002

Cr-Commit-Position: refs/heads/master@{#32033}
2015-11-17 12:18:53 +00:00
mythria
2acc2bc2a1 [Interpreter] Adds implementation of bytecode graph builder for LoadICSloppy/Strict.
Adds implementation and tests for following operators in bytecode graph builder:
-VisitLoadICSloppy
-VisitLoadICStrict
-VisitLoadICSloppyWide
-VisitLoadICStrictWide

The current implementation introduces empty frame states for frame state inputs expected by these operations.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1419373007

Cr-Commit-Position: refs/heads/master@{#32026}
2015-11-17 09:06:17 +00:00
danno
ff283f7ded [turbofan] Better and more sane support for tail calls
* Limit triggering of tail calls to explicit use of a new inline runtime
  function %_TailCall. %_TailCall works just like %_Call except for using
  tail-calling mechanics (currently only in TF).
* Remove hack that recognized some specific usages of %_Call and converted them
  into tail calls.
* Support tail calls for all calls where the number of callee stack parameters
  is less than or equal to the number of caller stack parameters.
* Use the gap resolver to swizzle parameters and registers to tail calls.

BUG=v8:4076
LOG=n

Review URL: https://codereview.chromium.org/1439613003

Cr-Commit-Position: refs/heads/master@{#31987}
2015-11-13 16:08:30 +00:00
mstarzinger
83e9ea1e49 [turbofan] Ensure inlined constructor calls still throw.
This makes sure that inlining a constructor call to a function which
cannot be used as a constructor (e.g. strong mode function) still does
throw correctly when the implicit receiver is created.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-inline-strong-as-construct
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1447443002

Cr-Commit-Position: refs/heads/master@{#31982}
2015-11-13 14:05:48 +00:00
jarin
95cb324adb [turbofan] Move simplified alloc, load and store lowering to change lowering.
This is necessary to allow more optimizations to take place between
the representation inference and change lowering. Perhaps we want
to rename SimplifiedLowering -> RepresentationInference and
ChangeLowering -> SimplifiedLowering.

Review URL: https://codereview.chromium.org/1439473003

Cr-Commit-Position: refs/heads/master@{#31976}
2015-11-13 08:12:14 +00:00
bmeurer
c55161bf16 [turbofan] Add support for %_IsSpecObject intrinsic lowering.
Now JSIntrinsicLowering can also lower %_IsSpecObject intrinsics to a
diamond.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1436943005

Cr-Commit-Position: refs/heads/master@{#31960}
2015-11-12 14:05:49 +00:00
bmeurer
c4e19c7d8d [turbofan] Lower JSCreate to an inline allocation in JSTypedLowering.
This adds initial support for fast inline allocations of JSObject
instances. It currently has exactly the same limitations as Crankshaft.

R=mstarzinger@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1441573004

Cr-Commit-Position: refs/heads/master@{#31957}
2015-11-12 12:57:32 +00:00
mstarzinger
bae4492a3e [turbofan] Pass new target to JSCreate nodes.
This passes both, the actual constructor and the original constructor,
to nodes having the {JSCreate} operator. This is required for allocating
properly subclassed implicit receiver objects.

R=verwaest@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1434873004

Cr-Commit-Position: refs/heads/master@{#31955}
2015-11-12 09:33:37 +00:00
mstarzinger
11d5d09ce1 [turbofan] Initial support for constructor call inlining.
This implements a first version of support for constructor call inlining
in the inlining machinery. For now we can only inline calls where the
actual constructor and the original constructor coincide (i.e. no super
constructor calls). Note that the target of a super constructor call is
loaded with a runtime call, so there is no way for it to be constant
promoted at the moment.

R=bmeurer@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1435873002

Cr-Commit-Position: refs/heads/master@{#31954}
2015-11-12 08:51:28 +00:00