The motivation is to avoid bugs such as the one fixed in
https://chromium-review.googlesource.com/c/v8/v8/+/800270.
Bug: v8:7109
Change-Id: I82a55f4a78d289d00ae7bafe78b45d92bab07a6b
Reviewed-on: https://chromium-review.googlesource.com/800291
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49829}
Add support for matching '(x & mask) == mask' when mask has a single bit set,
and translate this into a tbnz instruction. This patch only does this for 32-bit
operations, we can port it to 64-bit operations as a follow-up if we find
matches.
This transformation mostly touches the snapshot where we get ~120 hits. This pattern can
also show up in JavaScript when introduced by the EffectControlLinearizer pass.
Bug:
Change-Id: Ib37c6e0bd3831b7c17709357b00ca53735621605
Reviewed-on: https://chromium-review.googlesource.com/803272
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#49822}
This patch normalizes the casing of hexadecimal digits in escape
sequences of the form `\xNN` and integer literals of the form
`0xNNNN`.
Previously, the V8 code base used an inconsistent mixture of uppercase
and lowercase.
Google’s C++ style guide uses uppercase in its examples:
https://google.github.io/styleguide/cppguide.html#Non-ASCII_Characters
Moreover, uppercase letters more clearly stand out from the lowercase
`x` (or `u`) characters at the start, as well as lowercase letters
elsewhere in strings.
BUG=v8:7109
TBR=marja@chromium.org,titzer@chromium.org,mtrofin@chromium.org,mstarzinger@chromium.org,rossberg@chromium.org,yangguo@chromium.org,mlippautz@chromium.org
NOPRESUBMIT=true
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I790e21c25d96ad5d95c8229724eb45d2aa9e22d6
Reviewed-on: https://chromium-review.googlesource.com/804294
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49810}
Some uses use uint64_t instead of int64_t to avoid compiler warnings
about illegal narrowing of values with the MSB set.
R=tebbi@chromium.org,mlippautz@chromium.org
Bug: v8:7109
Change-Id: I6e861f48828bd931c451ef336672a260c13ae042
Reviewed-on: https://chromium-review.googlesource.com/803275
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49797}
V8_INT64_C will be cleaned up in a follow-up CL.
R=tebbi@chromium.org,mlippautz@chromium.org
Bug: v8:7109
Change-Id: I6af97e7266039eb443896b404b77b8e2b5de5adb
Reviewed-on: https://chromium-review.googlesource.com/803294
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49790}
Strings are immutable in JavaScript land (contrast with the runtime,
where we can truncate strings that haven't escaped to JavaScript yet),
so the length of a String is immutable. Thus loading the length of a
String is a pure operation and should be expressed as such (i.e. doesn't
depend on control or effect). The StringLength operator does exactly
this and is hooked up to the effect chain in the EffectControlLinearizer.
This will eventually allow us to simplify the optimization of string
concatention and other operations that are a bit cumbersome in TurboFan
currently, and it will also allow us to optimize string operations
across effectful operations, for example combining multiple invocations
to String#slice with the same inputs.
Bug: v8:5269, v8:6936, v8:7109, v8:7137
Change-Id: Iffcccbb0c7fc4cfe1281c10e7af24b40eba4c987
Reviewed-on: https://chromium-review.googlesource.com/799690
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49731}
The ToBooleanHints were used to represent the ToBoolean feedback
collected by Fullcodegen. But Ignition doesn't collect this feedback
and also TurboFan doesn't make use of the hints, so we should remove
this for now.
Bug: v8:7101
Change-Id: Ifc97d3ebb7494029b33ad79fc8bafdf3c08fb871
Reviewed-on: https://chromium-review.googlesource.com/778163
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49470}
Reland of https://chromium-review.googlesource.com/c/v8/v8/+/727893
The crashes should be fixed by https://chromium-review.googlesource.com/c/v8/v8/+/763531
Original change's description:
> Revert "Reland^5 "[turbofan] eagerly prune None types and deadness from the graph""
>
> This reverts commit ac0661b358.
>
> Reason for revert: Clusterfuzz unhappy: chromium:783019 chromium:783035
>
> Original change's description:
> > Reland^5 "[turbofan] eagerly prune None types and deadness from the graph"
> >
> > This gives up on earlier attempts to interpret DeadValue as a signal of
> > unreachable code. This does not work because free-floating dead value
> > nodes, and even pure branch nodes that use them, can get scheduled so
> > early that they get reachable. Instead, we now eagerly remove branches
> > that use DeadValue in DeadCodeElimination and replace DeadValue inputs
> > to value phi nodes with dummy values.
> >
> > Reland of https://chromium-review.googlesource.com/715716
> >
> > Bug: chromium:741225 chromium:776256
> > Change-Id: I251efd507c967d4a8882ad8fd2fd96c4185781fe
> > Reviewed-on: https://chromium-review.googlesource.com/727893
> > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#49188}
>
> TBR=jarin@chromium.org,tebbi@chromium.org
>
> Bug: chromium:741225 chromium:776256 chromium:783019 chromium:783035
> Change-Id: I6a8fa3a08ce2824a858ae01817688e63ed1f442e
> Reviewed-on: https://chromium-review.googlesource.com/758770
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49262}
TBR=jarin@chromium.org,tebbi@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: chromium:741225 chromium:776256 chromium:783019 chromium:783035
Change-Id: I6c02b4beb02997ec34015ed2f6791a93c70f5e36
Reviewed-on: https://chromium-review.googlesource.com/772150
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49429}
Removes Isolate from compilation info and instead threads isolate through
function calls. This ensures that we can't access the isolate from
background thread compilations.
BUG=v8:5203
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I9a4e1cd67c4736e36f609360b996fb55166a1c50
Reviewed-on: https://chromium-review.googlesource.com/751745
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49386}
This reverts commit f010b28fbe.
Reason for revert: Introduces a clusterfuzz issue and CAnary crash
Original change's description:
> [TurboFan] Diagnostic code to track down bug in representation selection
>
> We need to characterize the types of dead (IrOpcode::kDead) nodes
> introduced in compilation phases prior to representation selection.
> Normally, a dead node isn't expected at the start of this phase. The
> question is, which phase introduced the dead node and failed to
> deal with it properly?
>
> Bug: chromium:780658
> Change-Id: Ief5b45480bb7d704a2d09dafd60b5d389e0fd42e
> Reviewed-on: https://chromium-review.googlesource.com/765968
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Commit-Queue: Michael Stanton <mvstanton@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49328}
TBR=mvstanton@chromium.org,mstarzinger@chromium.org
Change-Id: I5d628eb1de630ce4a353b6ef0f80fd74ad740f17
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:780658
Reviewed-on: https://chromium-review.googlesource.com/768747
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49347}
We need to characterize the types of dead (IrOpcode::kDead) nodes
introduced in compilation phases prior to representation selection.
Normally, a dead node isn't expected at the start of this phase. The
question is, which phase introduced the dead node and failed to
deal with it properly?
Bug: chromium:780658
Change-Id: Ief5b45480bb7d704a2d09dafd60b5d389e0fd42e
Reviewed-on: https://chromium-review.googlesource.com/765968
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49328}
Turn cases where we are multiplying with a power of two into a left shift. We
hit this optimisation roughly 500 times in the snapshot.
Bug:
Change-Id: Ibd3104a3dbe49f247a2d84db94891f6e3a897026
Reviewed-on: https://chromium-review.googlesource.com/763229
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#49306}
MIPS team has recently migrated to @mips.com e-mail address.
Dusan Simicic is no longer part of MIPS V8 team, therefore
his name is removed from OWNERS.
TBR=mstarzinger@chromium.org
NOTRY=true
Bug:
Change-Id: I67fde24a5b9214fa3fca05c0399888b8d18fc699
Reviewed-on: https://chromium-review.googlesource.com/758639
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49299}
This reverts commit ac0661b358.
Reason for revert: Clusterfuzz unhappy: chromium:783019 chromium:783035
Original change's description:
> Reland^5 "[turbofan] eagerly prune None types and deadness from the graph"
>
> This gives up on earlier attempts to interpret DeadValue as a signal of
> unreachable code. This does not work because free-floating dead value
> nodes, and even pure branch nodes that use them, can get scheduled so
> early that they get reachable. Instead, we now eagerly remove branches
> that use DeadValue in DeadCodeElimination and replace DeadValue inputs
> to value phi nodes with dummy values.
>
> Reland of https://chromium-review.googlesource.com/715716
>
> Bug: chromium:741225 chromium:776256
> Change-Id: I251efd507c967d4a8882ad8fd2fd96c4185781fe
> Reviewed-on: https://chromium-review.googlesource.com/727893
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49188}
TBR=jarin@chromium.org,tebbi@chromium.org
Bug: chromium:741225 chromium:776256 chromium:783019 chromium:783035
Change-Id: I6a8fa3a08ce2824a858ae01817688e63ed1f442e
Reviewed-on: https://chromium-review.googlesource.com/758770
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49262}
This gives up on earlier attempts to interpret DeadValue as a signal of
unreachable code. This does not work because free-floating dead value
nodes, and even pure branch nodes that use them, can get scheduled so
early that they get reachable. Instead, we now eagerly remove branches
that use DeadValue in DeadCodeElimination and replace DeadValue inputs
to value phi nodes with dummy values.
Reland of https://chromium-review.googlesource.com/715716
Bug: chromium:741225 chromium:776256
Change-Id: I251efd507c967d4a8882ad8fd2fd96c4185781fe
Reviewed-on: https://chromium-review.googlesource.com/727893
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49188}
This adds a new InstanceOfIC where the TestInstanceOf bytecode collects
constant feedback about the right-hand side of instanceof operators,
including both JSFunction and JSBoundFunction instances. TurboFan then
uses the feedback to optimize instanceof in places where the right-hand
side is not a known constant (known to TurboFan).
This addresses the odd performance cliff that we see with instanceof in
functions with multiple closures. It was discovered as one of the main
bottlenecks on the uglify-es test in the web-tooling-benchmark. The
uglify-es test (run in separation) is ~18% faster with this change.
On the micro-benchmark in the tracking bug we go from
instanceofSingleClosure_Const: 69 ms.
instanceofSingleClosure_Class: 246 ms.
instanceofMultiClosure: 246 ms.
instanceofParameter: 246 ms.
to
instanceofSingleClosure_Const: 70 ms.
instanceofSingleClosure_Class: 75 ms.
instanceofMultiClosure: 76 ms.
instanceofParameter: 73 ms.
boosting performance by roughly 3.6x and thus effectively removing the
performance cliff around instanceof.
Bug: v8:6936, v8:6971
Change-Id: Ib88dbb9eaef9cafa4a0e260fbbde73427a54046e
Reviewed-on: https://chromium-review.googlesource.com/730686
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48820}
JSClassOf may lower to a call to a builtin, and needs to be
modeled in a way that the effect chain can be maintained.
Bug: v8:6929
Change-Id: Ida332e6d85e2eb8b33fcad810d195ef3e897ccb0
Reviewed-on: https://chromium-review.googlesource.com/727204
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48786}
This also changes modulo to be more like others, e.g., Pow:
- have an inline Modulo
- have a modulo_double_double that we can use as FUNCTION_ADDR in assembler.cc
Bug:
Change-Id: Id360e4adcde5712ffc5ac22abd3bbaab6aec09f5
Reviewed-on: https://chromium-review.googlesource.com/728027
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48747}
Because the toboolean operator may lower to a builtin call (which is
effectful in turbofan parlance after effect control linearization),
it really should be encoded as a simplified operator, which can
be optimized with respect for the effect chain in linearization.
No new functionality here, rather a furniture rearrangement in
the TurboFan node structure.
Bug: v8:6929
Change-Id: I371fd22941397d5c28d13bded2738161d8da8275
Reviewed-on: https://chromium-review.googlesource.com/725721
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48727}
This makes the function constexpr and implements it for arbitrary
unsigned integer types (up to 64 bits, but this can be extended if
needed).
R=mstarzinger@chromium.org
Bug: v8:6600, v8:6921
Change-Id: I86d427238fadd55abb5a27f31ed648d4b02fc358
Reviewed-on: https://chromium-review.googlesource.com/718457
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48696}
We didn't correctly maintain the effect chain between the load of
the map and the load of the instance type from the map.
Bug: v8:6929
Change-Id: I970709fe74483c5cdef3d0cea36bb9e1dc98b40e
Reviewed-on: https://chromium-review.googlesource.com/725424
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48690}
Because the typeof operator may lower to a builtin call (which is
effectful in turbofan parlance after effect control linearization),
it really should be encoded as a simplified operator, which can
be optimized with respect for the effect chain in linearization.
No new functionality here, rather a furniture rearrangement in
the TurboFan node structure.
BUG=v8:6929
Change-Id: I38593e10956ebd57cecdd606c35f3f73efb1327e
Reviewed-on: https://chromium-review.googlesource.com/718745
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48613}
The WasmContext struct introduced in this CL is used to store the
mem_size and mem_start address of the wasm memory. These variables can
be accessed at C++ level at graph build time (e.g., initialized during
instance building). When the GrowMemory runtime is invoked, the context
variables can be changed in the WasmContext at C++ level so that the
generated code will load the correct values.
This requires to insert a relocatable pointer only in the
JSToWasmWrapper (and in the other wasm entry points), the value is then
passed from function to function as an automatically added additional
parameter. The WasmContext is then dropped when creating an Interpreter
Entry or when invoking a JavaScript function. This removes the need of
patching the generated code at runtime (i.e., when the memory grows)
with respect to WASM_MEMORY_REFERENCE and WASM_MEMORY_SIZE_REFERENCE.
However, we still need to patch the code at instance build time to patch
the JSToWasmWrappers; in fact the address of the WasmContext is not
known during compilation, but only when the instance is built.
The WasmContext address is passed as the first parameter. This has the
advantage of not having to move the WasmContext around if the function
does not use many registers. This CL also changes the wasm calling
convention so that the first parameter register is different from the
return value register. The WasmContext is attached to every
WasmMemoryObject, to share the same context with multiple instances
sharing the same memory. Moreover, the nodes representing the
WasmContext variables are cached in the SSA environment, similarly to
other local variables that might change during execution. The nodes are
created when initializing the SSA environment and refreshed every time a
grow_memory or a function call happens, so that we are sure that they
always represent the correct mem_size and mem_start variables.
This CL also removes the WasmMemorySize runtime (since it's now possible
to directly retrieve mem_size from the context) and simplifies the
GrowMemory runtime (since every instance now has a memory_object).
R=ahaas@chromium.org,clemensh@chromium.org
CC=gdeepti@chromium.org
Change-Id: I3f058e641284f5a1bbbfc35a64c88da6ff08e240
Reviewed-on: https://chromium-review.googlesource.com/671008
Commit-Queue: Enrico Bacis <enricobacis@google.com>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48209}
When inlining based on SharedFunctionInfo rather than based on concrete
JSFunction, we weren't able to properly optimize array, object and
regexp literals inside the inlinee, because we didn't know the concrete
FeedbackVector for the inlinee inside JSCreateLowering. This was because
JSCreateLowering wasn't properly updated after the literals moved to the
FeedbackVector. Now with this CL we also have the VectorSlotPair on the
literal creation operators, just like we do for property accesses and
calls, and are thus able to always access the appropriate FeedbackVector
and optimize the literal creation.
The impact is illustrated by the micro-benchmark on the tracking bug,
which goes from
createEmptyArrayLiteral: 1846 ms.
createShallowArrayLiteral: 1868 ms.
createShallowObjectLiteral: 2246 ms.
to
createEmptyArrayLiteral: 1175 ms.
createShallowArrayLiteral: 1187 ms.
createShallowObjectLiteral: 1195 ms.
with this CL, so up to 2x faster now.
Drive-by-fix: Also remove the unused CreateEmptyObjectLiteral builtin
and cleanup the names of the other builtins to be consistent with the
names of the TurboFan operators and Ignition bytecodes.
Bug: v8:6856
Change-Id: I453828d019b27c9aa1344edac0dd84e91a457097
Reviewed-on: https://chromium-review.googlesource.com/680656
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48140}
Use the (D)CHECK_{EQ,NE,GT,...} macros instead of (D)CHECK with an
embedded comparison. This gives better error messages and also does the
right comparison for signed/unsigned mismatches.
This will allow us to reenable the readability/check cpplint check.
R=jarin@chromium.org
Bug: v8:6837
Change-Id: I712580c2a4326e06ee3d6d0eb4ff8c7d24f5fdb9
Reviewed-on: https://chromium-review.googlesource.com/671227
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48135}
Contributed by kanghua.yu@intel.com.
Bug: None
Change-Id: I5651ef38eb0c08deb97770a5eaa985dba2dab9a9
Reviewed-on: https://chromium-review.googlesource.com/604648
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Pan Deng <pan.deng@intel.com>
Cr-Commit-Position: refs/heads/master@{#47968}
This speeds up the baseline performance of Object by 20%.
With this change, the callViaObject when run with --noopt
goes from 10718ms to 8577ms on the benchmark from:
http://benediktmeurer.de/2017/08/31/object-constructor-calls-in-webpack-bundles
Bug: v8:6772
Change-Id: Id0e54ba44204a1700885185ec360e1c56834fb73
Reviewed-on: https://chromium-review.googlesource.com/654900
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47888}
We emitted rotation by 24 bits with bitwise and, but that is wrong
because the low 8 bits can wrap around and "leak" into the result.
Bug: chromium:739902
Change-Id: Id49251e89405afb1581b8c60cde808c2d8bf693d
Reviewed-on: https://chromium-review.googlesource.com/645848
Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47746}
There's no need to have the StringLengthProtector as a PropertyCell,
since it's only used to guard against deoptimization loops. This also
allows us to remove the use of the CompilationDependencies from the
JSTypedLowering.
R=jarin@chromium.org
Bug: v8:6759
Change-Id: I54a37be6b8064ca3475e3b321f928b6a9903f209
Tbr: mstarzinger@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/637303
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47633}
The accumulator should never be alive when jumping back to a loop
header, or jumping out of a loop. This means that as far as far as
TurboFan is concerned, we never need to create Phis or LoopExitValues
for the accumulator, as its value should not escape the loop.
For safety, this also augments the IsLivenessValid DCHECK in the
liveness analysis to check that the accumulator is not live in these
cases, and amends the bytecode analysis tests to kill the accumulator
where necessary to ensure this.
As a drive-by, added some comments to the more complex bytecode analysis
tests, since figuring out what they were for and how to fix them took a
non-trivial amount of time.
Change-Id: Idecf76a36681d724134c59768650c23cc6b0e9ef
Reviewed-on: https://chromium-review.googlesource.com/615168
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47388}
These operators were only used by the old asm.js pipeline (with
fullcodegen and the AstGraphBuilder). When going through the new
pipeline, accesses to TypedArrays are handled by the native
context specialization during inlining.
Bug: v8:6409
Change-Id: Ib9b888c0b96f297a335580ee42dfa951bde566be
Reviewed-on: https://chromium-review.googlesource.com/612347
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47322}
Deletes AstGraphBuilder and associated classes now that it is
unreachable. The following classes are also removed:
- ControlBuilders
- JSFrameSpecialization
- AstLoopAssignmentAnalysis
Also removes flags from compilation-info which are no longer used, and removes
the no-deoptimization paths from TypedOptimization, JsTypedLowering,
JSIntrinsicLowering and JSBuiltinLowering.
BUG=v8:6409
Change-Id: I63986e8e3497bf63c4a27ea8ae827b8a633d4a26
Reviewed-on: https://chromium-review.googlesource.com/583652
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47284}
This avoid introduction of {TypeGuard} nodes during load elimination.
Such type guard could lead to contradicting type information where a
constant {NumberConstant} node was guarded to have {ExternalPointer}
type, which would lead to an impossible constraint on representation
selection.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-752826
BUG=chromium:752826
Change-Id: Ida3815af24ccc8a48474b8d66117b9718f61adda
Reviewed-on: https://chromium-review.googlesource.com/605547
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47218}
Currently only A test operators had output, but since ABReducer and BCReducer
perform in-place replacement of A nodes into B nodes, and then sometimes into
C nodes, we need B and C nodes to have as many outputs. Otherwise, we run into
a situation where a node {x} has a use {y}, but its operators has 0 outputs,
which is inconsistent.
Bug:
Change-Id: I0f73b83d2115dfeda3c9cbc97b9a2fc168f4c31b
Reviewed-on: https://chromium-review.googlesource.com/603716
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Alexandre Talon <alexandret@google.com>
Cr-Commit-Position: refs/heads/master@{#47202}
For determining whether unaligned memory accessed is allowed, it is
actually sufficient to pass the MachineRepresentation instead of the
MachineType.
As the MachineRepresentation is an enum, this allows to store the set
of unsupported types as an EnumSet instead of std::vector.
R=mstarzinger@chromium.org
Change-Id: Ibe44717bae3a6034bae683057e80bd40d92e70ae
Reviewed-on: https://chromium-review.googlesource.com/598790
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47123}
The {alignment} parameter in {UnalignedLoadSupported} and
{UnalignedStoreSupported} is never being used.
This CL removes it from several interfaces and users.
R=mstarzinger@chromium.org
Change-Id: Iad5a638b7ed358beeed42f0ea7308dc04f1ed23e
Reviewed-on: https://chromium-review.googlesource.com/598788
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47115}
This removes the obsolete {Crankshaft} factory method as it returns the
same configuration as the {Turbofan} factory by now. We now consistently
use {RegisterConfiguration::Default} everywhere.
R=jkummerow@chromium.org
BUG=v8:6408
Change-Id: I6be25774aa6714ef4dc1ef6856bb6dbc95593a29
Reviewed-on: https://chromium-review.googlesource.com/597858
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47109}
