Currently the backing store and elements kind might not be aligned, i.e. the
backing store can be a dictionary while the elements kind is a frozen/sealed
elements kind, or the other way around. The reason is that
Object.preventExtensions changes the elements kind to DICTIONARY while
Object.seal/freeze change the elements kind to the SEALED/FROZEN elements kind.
Applying both of these operations can lead to that problem, as in
chromium:992914.
To solve this issue, we avoid having Object.preventExtensions change the backing
store to a dictionary by introducing a new nonextensible elements kind.
These new nonextensible elements kinds are handled similarly to the frozen and
sealed elements kinds. This change not only fixes the problem but also
optimizes the performance of nonextensible objects.
Change-Id: Iffc7f14eb48223c11abf3c577f305d2d072eb65b
Bug: chromium:992914, v8:6831
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1760976
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63432}
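The commit above is about V8's internal representation, but the situation it describes (Object.preventExtensions applied first, then Object.seal or Object.freeze on the same array) has a well-defined observable contract. The following is an added example, not code from the CL or from V8: it walks a constructed sample array through the three integrity levels in that order and records, at each step, what Object.isExtensible/isSealed/isFrozen report and which operations fail. The function name and the sample input are this example's own.

```javascript
// Added example (not code from the CL): walks an array through the three
// integrity levels in the order the commit message describes, applying
// Object.preventExtensions first and then Object.seal/Object.freeze, and
// records what is observable from JavaScript at each step.
function integrityLevelWalk(initial) {
  'use strict'; // strict mode: forbidden writes/deletes throw instead of failing silently
  const arr = initial.slice(); // the constructed sample input is copied, never mutated in place
  const steps = [];
  const snapshot = (label) => steps.push({
    label,
    extensible: Object.isExtensible(arr),
    sealed: Object.isSealed(arr),
    frozen: Object.isFrozen(arr),
  });

  snapshot('initial');

  // Step 1: preventExtensions. New elements can no longer be added, so push throws.
  Object.preventExtensions(arr);
  snapshot('preventExtensions');
  let pushThrew = false;
  try { arr.push(99); } catch (e) { pushThrew = e instanceof TypeError; }
  // Existing elements remain writable and deletable at this level.
  arr[0] = -1;
  const deleteBeforeSeal = delete arr[arr.length - 1]; // leaves a hole, length unchanged

  // Step 2: seal on top of the non-extensible array. Elements become
  // non-configurable (delete throws in strict mode) but stay writable.
  Object.seal(arr);
  snapshot('seal');
  let deleteAfterSealThrew = false;
  try { delete arr[0]; } catch (e) { deleteAfterSealThrew = e instanceof TypeError; }
  arr[0] = 42;

  // Step 3: freeze. Elements become read-only; a write now throws.
  Object.freeze(arr);
  snapshot('freeze');
  let writeAfterFreezeThrew = false;
  try { arr[0] = 7; } catch (e) { writeAfterFreezeThrew = e instanceof TypeError; }

  return {
    steps,
    pushThrew,
    deleteBeforeSeal,
    deleteAfterSealThrew,
    writeAfterFreezeThrew,
    first: arr[0],
    length: arr.length,
    lastIsHole: !((arr.length - 1) in arr),
  };
}

// Constructed sample input for the walk.
const SAMPLE = [1, 2, 3];
```

Running integrityLevelWalk(SAMPLE) shows that a non-extensible array is neither sealed nor frozen while it still has configurable elements, that seal and freeze stack on top of preventExtensions without error, and that the failure mode at each level is a TypeError only under strict mode; sloppy-mode code sees silent no-ops instead, which is the usual reason integrity-level bugs go unnoticed in application code.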
This change allows the KeyAccumulator to throw a range error if there
are too many properties to be enumerated.
This CL introduces extensive checks during key enumeration in the run-time,
and might introduce regressions. If so, feel free to revert.
Bug: chromium:918301
Change-Id: I6166c0b15f1a05eac7116a979f12ba4833d1d1b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545902
Auto-Submit: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63430}
in order to find out if that is the failing CHECK in a chrome crash
report...
Bug: chromium:996819
Change-Id: Ifdebbc88b0525e61a5b3f83caa0ce4279a8efb75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1774718
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63428}
This partially reverts commit 763f63fff6.
Reason for the revert is that the breaking at stack overflow does not
introduce an improvement in usability, but rather exposes many issues
caused by the fact that V8 cannot perform a lot of functionality close
to the stack limit.
We keep the test, slightly modified, and use a better way to
detect stack overflow.
Bug: chromium:997469
Change-Id: I32bdf96767812b19f138310cc2dbd6a818fbf031
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771792
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63426}
This fixes an invalid assumption when emitting code for matching '^'
(start of line) in multiline regexps and '\b', '\B' in general.
What we used to do: if the current trace's cp_offset (the offset from
the current position) was non-zero, we assumed that we were looking at
subject string index 1 or greater (i.e.: not at the start of the string
or before).
This is no longer valid since cp_offsets can now be negative.
This CL changes the logic to omit start- and bounds-checks only for
strictly positive cp_offsets, where the above assumption still holds.
Bug: chromium:996391
Change-Id: I79be4fc295c6f0b63e41c13d1e91fdd00f2f2b42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771794
Commit-Queue: Erik Corry <erikcorry@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Erik Corry <erikcorry@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63424}
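A conformance-style check of the assertions the CL above touches, added here and not part of the original change: each constructed case pairs a pattern with a subject in which '^' (with the m flag), '\b' or '\B' is evaluated at index 0 or directly after a line terminator, the positions the start/bounds checks guard. The second half wraps the same assertions in a lookbehind, which is assumed here (the CL does not say so) to be one construct that makes the matcher read backwards from the current position. The function and constant names are this example's own; the expectations are the spec-mandated results.

```javascript
// Added example (not code from the CL). Each constructed case is
// [pattern, flags, subject, expectedTestResult] and exercises '^' in
// multiline mode, '\b' and '\B' at the start of the subject or right after
// a line terminator.
const ASSERTION_CASES = [
  // '^' with the m flag: true at index 0 and after '\n', false mid-line.
  ['^a', 'm', 'a', true],
  ['^a', 'm', 'b\na', true],
  ['^a', 'm', 'ba', false],
  // Word boundary at index 0: '\b' holds before a word char, '\B' does not.
  ['\\ba', '', 'a', true],
  ['\\Ba', '', 'a', false],
  ['\\Ba', '', 'ba', true],
  // Same assertions inside a lookbehind (assumption: lookbehind is one
  // construct that reads backwards from the current position).
  ['(?<=^)a', 'm', 'a', true],
  ['(?<=^)a', 'm', 'b\na', true],
  ['(?<=^)a', 'm', 'ba', false],
  ['(?<=\\b)a', '', 'a', true],
  ['(?<=\\B)a', '', 'a', false],
  ['(?<=\\B)a', '', 'ba', true],
];

// Runs every case and returns the ones whose result differs from the
// expectation; an empty array means the engine agrees with the spec on all of them.
function findAssertionMismatches(cases = ASSERTION_CASES) {
  const mismatches = [];
  for (const [pattern, flags, subject, expected] of cases) {
    const got = new RegExp(pattern, flags).test(subject);
    if (got !== expected) mismatches.push({ pattern, flags, subject, expected, got });
  }
  return mismatches;
}
```

The table form makes it cheap to extend with further subjects (for example '\r\n' line terminators or non-ASCII word characters with the u flag) when pinning a regexp engine's behaviour in a project's own regression suite.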
Instead of fully reverting the CL that introduced the old-to-new
invalidated set, simply do not filter recorded slots yet.
Bug: v8:9454
Change-Id: I2b880f64f29e319056ad49e2284dca26eb8770f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773252
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63423}
The previous pseudo-smi storage scheme for caching call target
addresses in a struct without requiring a custom visitor only
works on uncompressed 64-bit platforms. This patch fixes other
platforms (natural or compressed 32-bit) by boxing the address
in a Foreign.
Change-Id: I3c182c1d9ccae4858cac2757fc3daa40d1520998
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771780
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63422}
Remove unnecessary call to Serialize.
Change a Handle cast to a Ref cast.
Add a CHECK to JSHeapBroker::SetFeedback that the source is valid.
Bug: v8:7790
Change-Id: I6a2f10d45456c6b128beff009016009457dc109c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773248
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63421}
Doing some refactoring to perfetto build files. Rolling to
ensure that we are not breaking embedders in the process.
Cq-Include-Trybots: luci.v8.try:v8_linux64_perfetto_dbg_ng
Bug: v8:8339
Change-Id: I5c603680cf6dd295e9d11a4eba70785e6dc512ba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773244
Auto-Submit: Primiano Tucci <primiano@chromium.org>
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63420}
At the moment we only run the js-api spec tests of the core API on our
try bots. With the new staging process we want to introduce for
WebAssembly language features, see
https://docs.google.com/document/d/1hB8mpWmzmtaxZ8PuJEkAWLwFqXTjrw7mJ3Ge9W1dB4E,
we also want to run the js-api spec tests of proposals for which we
already staged the implementation. With this CL I do the following
changes:
1) The tools/wasm/update-wasm-spec-tests.sh now copies the js-api spec
tests of the main spec and of the proposals to test/wasm-js/tests,
and then uploads this directory to google cloud storage. The main
spec tests are in test/wasm-js/tests, the proposal tests are in
test/wasm-js/tests/proposals/PROPOSAL_NAME/.
2) Adjust the test-runner in test/wasm-js to run tests in
tests/* instead of data/test/js-api/*. Thereby it also runs the
proposal tests in test/wasm-js/tests/proposals/PROPOSAL_NAME/.
For the proposal tests, the test runner now also adds d8 flags.
3) Remove the dependency on https://github.com/WebAssembly/spec from
DEPS.
4) Clean up .gitignore and wasm-js.status
5) Disable spec tests we don't pass with the new proposal.
R=tmrts@chromium.org
Bug: v8:9653
Change-Id: Ib3420871f17cb146d6cc7868f5613942a7f79d84
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768372
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63419}
Launching nullish behind a flag resulted in a small performance
regression in the adwords parsing benchmark. From local tests, doing a
little manual PGO seemed to improve performance slightly.
Parse.duration on this benchmark dropped from 1,639.188 ms to 1,535.312 ms
Bug: chromium:997652
Change-Id: I537985793cdf310a0dda5a69ded9f0ea2c0a7fb0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1773098
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63417}
This writes 0 to all trimmed slots and thus ensures the invariant
that all recorded slots in the trimmed area are valid, which will allow
us to simplify invalidated slots tracking.
Specifically:
1) Arrays are never inserted into the invalidated objects set.
2) The recorded slots outside an invalidated object are valid.
Bug: v8:9454
Change-Id: Ifbef3752d52b5b47f2b694bd2b6c0a4c122abb7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771793
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63416}
Previously, variations of #constructor could be parsed when they were
static. This patch always throws early errors for them.
Bug: v8:8330
Change-Id: I51ab9b83f713c70d0896c0e8cab3282ef9a105f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1770332
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/master@{#63413}
InvalidatedSlotsCleanup::Free assumed that the size of invalidated
objects was updated after sweeping a page and before allowing
allocations again. This is no longer the case, so remove
those CHECKs.
Bug: chromium:997901
Change-Id: Ic9af7136bb336464b8cc023c7c1022a233f4e887
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771786
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63412}
Prior to this CL, collected shared function infos with identical
source ranges were sorted non-deterministically during coverage
collection. This led to non-deterministically incorrectly-reported
coverage due to an optimization which depended on the sort order later
on.
With this CL, we now sort shared function infos by the source range
*and* call count.
Bug: v8:6000,v8:9212
Change-Id: If8bf900727591e71dbd0df621e472a4303f3a353
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771776
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63411}
Since we use Word32Equal with a (truncating) ReinterpretCast for pointer
compressed TaggedEqual, we also have to allow it in the machine
verifier.
Change-Id: Ic16af837f03ebc51dde5bdc7f0c574b2aaf11909
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771784
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63410}
Using the tool again, the previous iteration accidentally ignored
Node/TNode behind a typedef. Automatic replacement of types with
manual cleanup/addition of CASTs where necessary.
Bug: v8:9396
Change-Id: I33b6d229669cb80586d5d8e82c04542df671f0b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768367
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63409}
This makes sure that all encodings of a table index are based upon a
single implementation in the {TableIndexImmediate} class. It also fixes
one encoding that wasn't extended to support u32v yet.
R=ahaas@chromium.org
TEST=unittests/WasmOpcodeLengthTest.VariableLength
Change-Id: If24b6dc5e303d2d9e1e91cb2640c7c13eac40198
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768375
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63408}
This off-by-1 error surfaces when the load/store opcodes take up 2
bytes, which is the case for v128.load and v128.store SIMD operations.
Bug: v8:9015
Change-Id: Ife17375ed3450a95399b326bc6415dbc3ed3773b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769480
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63405}
By marking maps detached from the transition tree as prototypes, we'll
automatically stop tracking transitions from those detached fast maps. That
allows us to quickly check whether a map is detached (or the initial map
anyway); and saves memory. We can use this information to ignore sibling type
feedback when parsing a JSON array with many distinctly shaped json objects.
Bug: chromium:993980
Change-Id: I86d493ac2cabec2c31c6e322ad5c5a7ace059dfc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771778
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63403}
For stores with Double feedback, StoreIC needs to check that the
representation is still Double before doing the store, in case it
accidentally tries to write to an object or worse, mutate a non-mutable
HeapNumber.
Bug: v8:9606
Bug: chromium:997485
Change-Id: I51e0953b40f752648c5e86b8644c23baf636367e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768373
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63402}
This CL adds a new class WasmModuleSourceMap for source map support of WasmModule,
which maps C/C++ source code to WASM bytecode. Via this support, V8 can build a
direct map of source code and JITted code and inform profilers of it, so that
source-code-level profiling information can be presented.
Change-Id: I346f6216809ce4f3bf8b27f1e839dd4efdb00ead
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708029
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Zhiguo Zhou <zhiguo.zhou@intel.com>
Cr-Commit-Position: refs/heads/master@{#63401}
Host info used to be stored on the global reference underlying a Ref;
now it is stored in a JSWeakMap and hence tied to the lifetime of the
actual object on V8's heap.
Additionally, the internal metadata needed for C-API functions is now
stored on the SharedFunctionInfo and no longer overlaps with the host
info mechanism.
Bonus content:
Roll 6db391e: Remove a few more leftover uses of _enum types
Change-Id: Ibb1fa4b0dd5157fef15c030bac705a11aa3beaea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768368
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63400}
Forbid using LoadRoot in CSA (with a bailout via CodeAssembler), so that
users are forced to use helper macros for roots, which have statically
known types. Convert all current uses of LoadRoot to use these macros,
introducing new ones where necessary.
Bug: v8:9396
Change-Id: I91214fca6e5ace7554d79605706a8a60117468fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762526
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63398}
Introduce list of invalidated objects for old-to-new slots. Objects
are registered as invalidated in NotifyObjectLayoutChange, however
no slots are filtered right now. Slots are still deleted, so all
recorded slots are valid.
Always treat old-to-new slots in free space as valid. With
old-to-new slots, invalid ones are still cleared.
Bug: v8:9454
Change-Id: I18c65fdaccdb651f4124d36861105ce4e8af0fad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768357
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63396}
Changes in the reland: Rebased and added a check that JavaScript-linkage
builtins use JSAny in parameters and return type, plus the necessary
cleanups for this test to pass.
Design Doc: https://docs.google.com/document/d/1z6j0pWHnNIfId0v00uWN2HBrGRDJxJfYuCr5K7Kr1xA
This reverts commit 4418a7b96a.
Original change's description:
> Revert "[torque] introduce JSAny type for user-accessible JavaScript values"
>
> This reverts commit 79b00555ea.
>
> Reason for revert: needs more discussion
>
> Original change's description:
> > [torque] introduce JSAny type for user-accessible JavaScript values
> >
> > This CL introduces a JSAny type for user-exposed JavaScript values and
> > a few new types to define it. Especially, it splits Symbol into
> > PrivateSymbol (not exposed) and PublicSymbol (JavaScript exposed
> > symbols).
> >
> > The change is mostly mechanical, but a few things are interesting:
> > - PropertyKey and JSPrimitive were designed to coincide with the spec
> > notions of IsPropertyKey() and primitive value, respectively.
> > - Since Name is an open type, we define AnyName to be the known
> > subtypes of Name. This is not too elegant, but by using AnyName
> > instead of Name, typeswitch can properly conclude something if a
> > subtype of Name is excluded.
> >
> > Small drive-by changes, which were necessary:
> > - Allow subtyping on label parameters.
> > - Fix the formatting of typeswitch, it was broken with union types
> > in case types.
> >
> > Bug: v8:7793
> > Change-Id: I14b10507f8cf316ad85e048fe8d53d1df5e0bb13
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1735322
> > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#63114}
>
> TBR=neis@chromium.org,jgruber@chromium.org,tebbi@chromium.org
>
> Change-Id: Ifde7881d74afe407628f40047997339d54cb2424
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: v8:7793
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741652
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63115}
TBR=neis@chromium.org,jgruber@chromium.org,tebbi@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:7793
Change-Id: Icca34e3824f55009b984d9348fd21884400f0081
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769316
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63395}
The generation of TFJ declarations for non-vararg JavaScript-linkage
builtins was very broken. Now it works as it should: the explicit
parameters correspond to normal JavaScript parameters.
Bug: v8:7793
Change-Id: I9fa0bdd45f8c4b678d4f0436af3e9b53cba69475
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769317
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63394}
Wrap the obj and method registers in BuildGetIterator in a register
allocation scope, so that they don't get materialised before the
JumpIfJSReceiver jump if they don't have to.
Bug: v8:9649
Change-Id: I8dfdd06a23c396124c495b5cb83c078080f1a7c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768583
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63393}
This reverts commit 604b0e1e13.
Reason for revert: Clusterfuzz found an issue.
Original change's description:
> [heap] Introduce old-to-new invalidation set
>
> Introduce list of invalidated objects for old-to-new slots. Objects
> are registered as invalidated in NotifyObjectLayoutChange, however
> no slots are filtered right now. Slots are still deleted, so all
> recorded slots are valid.
>
> Bug: v8:9454
> Change-Id: Ic0ea15283c4075f4051fae6a5b148721265339f7
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1765528
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63367}
TBR=ulan@chromium.org,dinfuehr@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:9454
Change-Id: Ic898db38f297824aa54744123f85cd75df957159
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1770676
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63390}
ChangeTaggedSignedToInt32(ChangeCompressedSignedToTaggedSigned(x)) ->
ChangeCompressedSignedToInt32(x)
This pattern shows up in the Octane Richards benchmark (on arm64):
sxtw x11, w10
asr w11, w11, #1
This patch will remove the sxtw.
ChangeCompressedSignedToInt32(CheckedInt32ToCompressedSigned(x)) -> x
This pattern shows up in the Octane Richards benchmark (on arm64):
adds w10, w10, w10
b.vs #+0x1118
asr w11, w10, #1
stur w10, [x6, #19]
cmp w11, #0x1a
This patch will remove the asr, and produce:
adds w11, w10, w10
b.vs #+0x1108
stur w11, [x6, #19]
cmp w10, #0x1a
Bug: v8:7703
Change-Id: I5843e0a4f723b202857ee86130f835cd048d7e31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763529
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Rodolph Perfetta <rodolph.perfetta@arm.com>
Cr-Commit-Position: refs/heads/master@{#63389}
- Rename FunctionLiteral::FunctionType to FunctionSyntaxKind.
- Re-express IsWrappedBit, IsDeclarationBit, IsAnonymousExpressionBit,
and IsNamedExpressionBit in SFI::flags as FunctionSyntaxKind. This
frees up 1 bit in SFI::flags.
- Re-express the analogous bits in ParseInfo as FunctionSyntaxKind.
- Simplifies some logic in the back-and-forth passing of this info
between SFI and ParseInfo.
- Drive-by: fix parsing of class member initializations as kAccessorOrMethod.
Bug: v8:9644
Change-Id: I6c165d5016d968f5057a32136385ddcdc4a46ef1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1767263
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63388}
This reverts commit 9460101cdb.
Reason for revert: Causes confusion on Blink side, as it introduces
an object with >=2 internal fields that is not a wrapper (see bug).
Bug: chromium:996681
Change-Id: I275b5a064a4ee8c73c05f97be322924a3bc5370e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769148
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63386}
Even when a field is marked const, we may emit multiple consecutive in-literal stores to that field. That is, in 'JSNativeContextSpecialization::BuildPropertyStore', when the access mode is 'kStoreInLiteral' and we are accessing a const field, we may produce a StoreField node, even though another StoreField (that stores something other than 'Uninitialized') to the same const field dominates it. This appears to be sound, since earlier stores to literals cannot be observed anyways.
Unfortunately this behavior conflicts with the double const store invariant in load elimination: Roughly speaking, we assume that load elimination may never observe two consecutive const stores to the same field on the same object.
The apparent solution would be to treat 'kStoreInLiteral' accesses like regular 'kStore' accesses: For consecutive stores to const properties we don't emit StoreField, but instead emit code that checks whether the value about to be written is equivalent to the previously written one, and otherwise deopt ('DeoptimizeReason::kWrongValue'). Unfortunately this turns out impractical, since for 'kStoreInLiteral' accesses we can't easily decide whether we're dealing with the first such store or one of the consecutive ones. Also see this abandoned CL: https://chromium-review.googlesource.com/c/v8/v8/+/1762020.
This CL instead adds an exception to the invariant in load elimination. We track whether a store arose from a 'kStoreInLiteral' access, and use this information when visiting StoreField nodes in load elimination.
R=neis@chromium.org, tebbi@chromium.org
Bug: chromium:987205
Change-Id: I8829752aa0637e9599677d20aad2d706d40d7fe6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763535
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Schmid <gsps@google.com>
Cr-Commit-Position: refs/heads/master@{#63385}
This reverts commit dc1cc2232b.
Reason for revert: This was already reverted in https://crrev.com/c/1768897, but the revert did not work.
Original change's description:
> [regexp] Only append to JSRegExpResult's initial map if we add descriptor
>
> Before this cl, we always added slack to JSRegExpResult's initial_map.
> However, this is incorrect. Now we only add slack to JSRegExpResult's initial map
> if we intend to actually append the indices descriptor.
>
> Bug: chromium:996099
> Change-Id: Iac23e92415a9b60409915ff1de9634326ed109c5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763064
> Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63297}
TBR=jgruber@chromium.org,joshualitt@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: chromium:996099
Change-Id: I0c5df2165a3613f72bbcf674337f6f22f4506d90
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768585
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63383}