Add "x <= 0 => x == 0" reduction when "x" is uint. This allows x64 to select shorter instructions:
Before:
REX.W cmpq r9,0x0
jna addr
After:
REX.W testq r9,r9
jz addr
This optimization is also ported to turboshaft.
Bug: v8:12783
Change-Id: I87dfd5879c047bb57d30e7a51a309106e3a519ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3967480
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Hao A Xu <hao.a.xu@intel.com>
Cr-Commit-Position: refs/heads/main@{#83994}
An Int32Constant might need to be tagged in Phi boundaries.
This exposes the Graph's smi constants to frames state
merger logic.
Bug: v8:7700, chromium:1378814, chromium:1379571
Change-Id: Ib373b44a76324eeb23cf9fef4483f70160cd54b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3993220
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83993}
Rolling v8/build: 9ce69a9..dad0f9c
Rolling v8/buildtools: c50c0de..74edfb8
Rolling v8/buildtools/linux64: git_revision:11dc0b1f438bd26380774e9d50fd4c63f346d41a..git_revision:a4d67be044b42963de801001e7146f9657c7fad4
Rolling v8/buildtools/third_party/libc++/trunk: 47b3117..37a5b4f
Rolling v8/buildtools/third_party/libc++abi/trunk: c7b6fcf..8dd4051
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/d2c6581..3ffa6b2
Rolling v8/third_party/fuchsia-sdk/sdk: version:10.20221027.2.1..version:10.20221028.1.1
Rolling v8/third_party/instrumented_libraries: 03ce9f0..7410f80
Rolling v8/third_party/jinja2: ee69aa0..4633bf4
Rolling v8/third_party/markupsafe: 1b882ef..13f4e8c
Change-Id: I5f96c730fd4222fb1ad5c64152f3d612aa4ac1e5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3988968
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83988}
g++ versions <= 8 cannot use UNREACHABLE() in a
constexpr function. As a workaround a new macro is defined to
instead use `abort` if this feature is not properly handled by the
compiler.
Change-Id: Id6daf02b86c38daa12b7e6f42629091c9833f6fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3988005
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#83985}
... which is now an alias for V8_EXTERNAL_CODE_SPACE_BOOL.
Bug: v8:11880
Change-Id: I6fe3ee1ab7de7820671dc1543b233dbe18bd88d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3990752
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83982}
Extract out a concept of a DeoptFrame from DeoptInfo, which separates
the frame state (like bytecode offset and registers) from deopt
information (like reason and PC).
The DeoptFrame is additionally subclassed to a separate
InterpretedDeoptFrame (with some tagged union magic rather than 'proper'
subclassing so that in the future all DeoptFrames are the same size and
aren't truncated by casting). This way we can add different frames in
the future, in particular builtin continuation frames.
Also this cleans up parent walks, since we no longer walk the caller
state and compilation unit separately.
Bug: v8:7700
Change-Id: I1cecb3ae805c55235b6d74ec114d72de98d3751e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3985914
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83981}
Add types for Number, JSReceiver and Name, and use them to possibly
avoid Check<Type>/To<Type>. Avoid inserting info in the
known_node_aspects when the same info is already available statically
from the node opcode.
Bug: v8:7700
Change-Id: Ie15228e1094ebfc03c83da9f71b1be97806be54d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3986490
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83972}
With --shared-space incremental marking might happen even on pages
in the shared heap. This means that scavengers during incremental
marking might be able to discover shared space pointers that point
to an evacuation candidate.
This isn't possible with the shared isolate where no incremental
marking was supported.
Bug: v8:13267
Change-Id: I68d09fda6d3ec44a488f12f454db4a29b481e266
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3990563
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83971}
This reverts commit e7f6d34cfe.
Reason for revert: Regressions and clusterfuzz bugs
Original change's description:
> [ic] Remove SameValue optimisation for constant fields
>
> We would previously try to preserve field constness if field assignment
> was assigning the same value. It's unexpected that real-life code would
> be assigning the same value multiple times to an intentionally constant
> field, so this was additional bookkeeping with unclear value.
>
> Replace this with not doing it, and considering any write to a constant
> field to convert it to mutable. In particular, this means that stores to
> existing constant fields in TurboFan become unconditional deopts, rather
> than emitting additional code to check whether the value is the same.
>
> Locally, this deopt doesn't fire on our peak-performance benchmarks.
>
> Bug: v8:5495
> Change-Id: I12216c5f10a00f42be32c64ca3afe7cf59b4e7f3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3976516
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83955}
Bug: v8:5495
Change-Id: Ifeeceb773af04e9dd5e069821cd128a1cdbedcf5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3990683
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83970}
The following bots were removed or renamed:
v8_fuchsia_compile_rel
v8_linux64_gcc_compile_rel
v8_win_compile_dbg
v8_win64_msvc_compile_rel
v8_mac_arm64_compile_rel
v8_mac_arm64_compile_dbg
v8_mac_arm64_sim_compile_rel
v8_mac_arm64_sim_compile_dbg
v8_mac64_asan_compile_rel
They are all auto-generated as compilators.
Bug: chromium:890222
Change-Id: I893eb06497084976ed0b162ea2e252419c0884b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3988264
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Commit-Queue: Alexander Schulze <alexschulze@chromium.org>
Reviewed-by: Liviu Rau <liviurau@google.com>
Cr-Commit-Position: refs/heads/main@{#83967}
Rolling v8/build: 4e03165..9ce69a9
Rolling v8/buildtools: ddc9513..c50c0de
Rolling v8/buildtools/linux64: git_revision:3e98c606ed0dff59fa461fbba4892c0b6de1966e..git_revision:11dc0b1f438bd26380774e9d50fd4c63f346d41a
Rolling v8/buildtools/third_party/libc++/trunk: baa43f8..47b3117
Rolling v8/buildtools/third_party/libc++abi/trunk: 519e9ef..c7b6fcf
Rolling v8/buildtools/third_party/libunwind/trunk: 1f633d4..aabcd87
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/2f63d55..d2c6581
Rolling v8/third_party/fuchsia-sdk/sdk: version:10.20221026.0.1..version:10.20221027.2.1
Rolling v8/third_party/instrumented_libraries: f764ffc..03ce9f0
Rolling v8/tools/clang: 87d0b8c..38497db
Change-Id: I2b6f402b468a5607b3cbb347f015ac7634a5492f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3990203
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#83965}
Tests flagged as 'raw' need to run without the harness. The language/module-code/eval-gtbndng-indirect-faux-assertion test was failing only because it was running with the harness.
Bug: v8:10958
Change-Id: If00f3ec8abc697d9b3727691e12ae0da7ce8c785
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3984052
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83964}
V8's C++ API does not give a way to tell whether an ArrayBuffer has
been detached from the `v8::ArrayBuffer` class. In fact, as far as can
be told from the C++ API without running JS code, detached
ArrayBuffers behave the same as zero-sized ArrayBuffers and there is
no way to observe the difference. However, this difference can be
observed in JS because constructing a TypedArray from a detached
ArrayBuffer will throw.
This change adds a `WasDetached` method to the `v8::ArrayBuffer` class
to give embedders access to this information without having to run JS
code.
Bug: v8:13159
Change-Id: I2bb1e380cee1cecd31f6d48ec3d9f28c03a8a673
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810345
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83963}
During String::MakeThin, Heap::ClearRecordedSlotRange might be
invoked on a string in SHARED_SPACE. This can also happen outside
GCs.
Bug: v8:13267
Change-Id: I10d4d7f0b47589127e4a080ce49d69ca7486fc67
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3985911
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83962}
Since crrev.com/c/3973310 which renamed the isolate scopes, the unit and
cctests for the object-start bitmap and the conservative stack visitor
have broken.
Bug: v8:13257
Change-Id: If8a498827f2085108cf0740a9c5c994145424fc3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3980255
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83960}
The memory start and size are reloaded after a call in case the call
grows the memory. We should also reload them when the call throws.
We don't need to reload in the 'delegate' case since this will be
handled by the catch handler that it delegates to.
R=jkummerow@chromium.org
Bug: chromium:1377816
Change-Id: Ied1cdb6ed83c1de6a5992df21d776aca9ccf02e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3982115
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83959}
This reverts commit 57db447bf2.
This reland adds handling for Oddballs in Int64Add and Int64Sub in the
SLVerifier and updates the Verifier to check that Int32Constant and
Int64Constant are correctly typed with Type::Machine().
Original change's description:
> [turbofan] Optimize rab/gsab-backed TypedArrays and DataViews
>
> This CL adds TurboFan optimizations for length and element access
> of TypedArrays and DataViews that are rab/gsab-backed.
>
> To enable this optimization, this CL builds the necessary machinery
> required to allow machine operators at the front of the pipeline
> (before simplified lowering). Some key changes to allow this are:
> - Introduce Type::Machine() to allow the typer and the verifier to
> provide a type to those machine operators in parts of the pipeline
> that require nodes to be typed.
> - Add EnterMachineGraph and ExitMachineGraph operators that define
> the boundary between early machine graphs and the normal graph with
> JS semantics.
> - Give Branch operators a BranchSemantics parameter to distinguish
> between machine branches (condition is a machine level value) and
> JS branches (condition is a JS boolean value) and have phases that
> handle branches decide on the branch's semantics based on this
> parameter instead of the position in the pipeline.
> - Extend SimplifiedLowering and SimplifiedLoweringVerifier to handle
> machine graphs. In particular, constants required special handling,
> because they are cached in the graph but they may have uses in both
> a machine and the JS graph, which prevents consistent typing of
> them.
> - Moved lots of logic from JSCallReducerAssembler into
> [JS]GraphAssembler such that functionality can be shared between
> different phases (e.g. JSNativeContextSpecialization and
> JSCallReducer need to generate logic to compute a TypedArray's
> byte length). Extended assembler interface in general with
> additional TNode<> overloads.
>
>
> Bug: v8:11111, chromium:1358505
> Change-Id: Ife006b8c38a83045cd3b8558acbfdcb66408891f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3898690
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83881}
Bug: v8:11111, chromium:1358505, v8:13412, chromium:1378439, chromium:1378162
Change-Id: I89702c4be05e0e71cd6836dc50d2e26736a55429
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3980759
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83956}
We would previously try to preserve field constness if field assignment
was assigning the same value. It's unexpected that real-life code would
be assigning the same value multiple times to an intentionally constant
field, so this was additional bookkeeping with unclear value.
Replace this with not doing it, and considering any write to a constant
field to convert it to mutable. In particular, this means that stores to
existing constant fields in TurboFan become unconditional deopts, rather
than emitting additional code to check whether the value is the same.
Locally, this deopt doesn't fire on our peak-performance benchmarks.
Bug: v8:5495
Change-Id: I12216c5f10a00f42be32c64ca3afe7cf59b4e7f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3976516
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83955}
... so that we can add logic to them later for builtin continuation
deopts.
Bug: v8:7700
Change-Id: I03a616243efecb5d637d6ab7d078392a0c51abf4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3985907
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83953}
This is a follow-up to commit d1a11dd15a.
This reverts commit 9182c028c1.
Change-Id: I4555f329314955e6a4a40dd40e22dc12a570c89e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3986086
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83952}
kDontAdaptArgumentsSentinel is now always equal to zero.
Change-Id: I8f0a930b22cdc88279de66324c23800dd3a93bb4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3985725
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83951}
We can skip explicit null check for casts from any to a non-nullable
type as they have to perform an instance type check afterwards as part
of the cast and trap if they encounter a non-wasm object (null is not
a wasm object).
The same is true for type checks which fail on null.
Bug: v8:7748
Change-Id: I41ec225618a400feec5dab210fbf7c1bc2718c8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3981859
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83950}
The inlined version of Array.At was only checking the kind of the
maps, rather than the maps themselves. When the feedback was
containing an array map that "supports_fast_array_iteration", then its
kind was added to the list of supported kinds. If this Array.at was
later called with a non-array map with the same kind, then the object
would be wrongly treated as an array.
This is now fixed: inlining Array.at checks the maps directly rather
than only their kinds.
Fixed: chromium:1377775
Change-Id: I6669ffdc04df04a7c9d00d6b9f8bac82dc9cd235
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3981554
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83946}
The newly added cast instructions can cast from {any} type, resulting
in the cast instructions with a concrete type having to also check if
an object actually is a wasm object (and not e.g. a JS object) before
loading the WasmTypeInfo from its map.
Bug: v8:7748
Change-Id: Ia9c1d35fb9de016af4984883f1374fd5238ce6ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3981858
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83945}
