ToName conversion, i.e., ToPropertykey() is the
identity for strings and symbols.
BUG=v8:5623
Review-Url: https://codereview.chromium.org/2494073002
Cr-Commit-Position: refs/heads/master@{#40924}
This adds a new ExternalPointer type, which is an Internal type that is
used for ExternalReferences and other pointer values, like the pointers
into the asm.js heap. It also adds a PointerConstant operator, which we
use to represent these raw constants (we can probably remove that
particular operator again once WebAssembly ships with the validator).
R=mvstanton@chromium.org
BUG=v8:5267,v8:5270
Review-Url: https://codereview.chromium.org/2494753003
Cr-Commit-Position: refs/heads/master@{#40923}
According to the spec data segments are allowed even if the memory size
is zero. However, if one of the data segments has a length greater than
0, then module instantiation should fail.
I also changed the exception type in LoadDataSegments to TypeError,
because that's the exception type for all exceptions which can happen
during instantiation.
R=titzer@chromium.org, rossberg@chromium.org
TEST=cctest/test-run-wasm-module/EmptyMemoryEmptyDataSegment, cctest/test-run-wasm-module/EmptyMemoryNonEmptyDataSegment
Review-Url: https://codereview.chromium.org/2483053005
Cr-Commit-Position: refs/heads/master@{#40922}
A SmiUntag() was missing when loading the old backing store's length.
BUG=chromium:664469
Review-Url: https://codereview.chromium.org/2492783004
Cr-Commit-Position: refs/heads/master@{#40921}
Fixes incorrect checks for handle validity when checking the compiled
code, as well as incorrect uses of tst in arm and ppc flag checking
code. Also adds a test that the tier-up works correctly.
Review-Url: https://codereview.chromium.org/2478323002
Cr-Commit-Position: refs/heads/master@{#40915}
This CL moves all heap-allocated WASM data structures, both ones
that are bona fide JSObjects and ones that are FixedArrays only, into a
consistent place with consistent layout. Note that not all accessors are complete, and I haven't fully spread the new static typing goodness
to all places in the code.
R=ahaas@chromium.org,rossberg@chromium.org
CC=gdeepti@chromium.org,mtrofin@chromium.org,clemensh@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2490663002
Cr-Commit-Position: refs/heads/master@{#40913}
And decouple hydrogen-instructions.h from code-stubs.h. This avoids
all of Crankshaft being recompiled when code-stub-assembler.h changes.
Review-Url: https://codereview.chromium.org/2498563002
Cr-Commit-Position: refs/heads/master@{#40912}
This enables the on-stack replacement mechanism from Ignition bytecode
to TurboFan optimized code by default. The runtime profiler is now
allowed to arm OSR points in bytecode.
R=rmcilroy@chromium.org
Review-Url: https://codereview.chromium.org/2432413004
Cr-Commit-Position: refs/heads/master@{#40911}
Fast case the monomorphic case, by marking the additional checks as deferred
blocks. This increases the code size by about 50 bytes, but the monomorphic
case requires one fewer jump and all the code is contiguous, so may help
caching.
Also cleanup call and new bytecode handlers by changing some of the Branches
to GotoIf/Unless for better readability.
BUG=v8:4280
Review-Url: https://codereview.chromium.org/2487573005
Cr-Commit-Position: refs/heads/master@{#40910}
Utilize the string length protector to deoptimize if the resulting
string length for string addition overflows. This way we generate
less code here and avoid holding on to the lazy frame state, and
thus potentially reduce the number of live ranges.
BUG=v8:5267,v8:5404
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2491943004
Cr-Commit-Position: refs/heads/master@{#40909}
The contract for TurboFan is that we use NumberConstants for any kind
of number value until the representation selection picks concrete
representations, i.e. Int32Constant or Float64Constant. We will soon
be able to also guard this contract with DCHECKs.
BUG=v8:5267
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2499573002
Cr-Commit-Position: refs/heads/master@{#40908}
Record feedback for moved pages. Aligns the behavior of the copying and moving
evacuator.
BUG=chromium:651354
Review-Url: https://codereview.chromium.org/2494723002
Cr-Commit-Position: refs/heads/master@{#40905}
- A new runtime function (%create_resolving_functions) is installed to
call the CreateResolvingFunctions builtin from JS.
- Three new builtins are created - resolve and reject functions and a
third function that creates a new JSFunctions from these
resolve/reject builtins.
- The promise reject function is installed on the context temporarily
as internal_promise_reject. This should go away once we remove
PromiseSet.
BUG=v8:5343
Review-Url: https://codereview.chromium.org/2459283004
Cr-Commit-Position: refs/heads/master@{#40903}
According to the spec, import wrappers are only generated for JavaScript
functions, not for WebAssembly functions. If an imported WebAssembly
function does not have the expected type, then a type error is thrown.
R=titzer@chromium.org, rossberg@chromium.org
TEST=mjsunit/wasm/test-import-export-wrapper
Review-Url: https://codereview.chromium.org/2486943005
Cr-Commit-Position: refs/heads/master@{#40901}
Port 93c6595200
Original commit message:
This changes {FrameState} nodes modeling "after" states to use bytecode
offsets pointing to the deoptimizing bytecode. This is in sync with the
normal execution, as the bytecode offset is advanced after operations
complete in regular bytecode handlers.
The change is necessary to ensure lazy deoptimized frames contain an
accurate bytecode offset while they are on the stack. Such frames can be
inspected by various stack walks. The continuation builtin will advance
the bytecode offset upon return.
R=mstarzinger@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N
Review-Url: https://codereview.chromium.org/2486393005
Cr-Commit-Position: refs/heads/master@{#40898}
This is mostly a performance experiment. If it provides no speedup,
it can be reverted to keep IC miss events in timeline plots.
Otherwise, the RuntimeCallStats system is the replacement tool for
investigating performance issues related to IC misses.
This effectively reverts 1f8adc15 / r21736.
Review-Url: https://codereview.chromium.org/2480343002
Cr-Commit-Position: refs/heads/master@{#40893}
FullCodeGen does not include CallICs in the total ic count. Fix it by
making calls to CallIC to go through CallIC function, which keeps track
of the total number of ICs.
BUG=
Review-Url: https://codereview.chromium.org/2451703002
Cr-Commit-Position: refs/heads/master@{#40889}
Ignition does not collect information about lhs and rhs types. It collects
information about the combined type of lhs, rhs and result types. Since ignition
combines the feedback, sometimes we may collect less precise information than
FCG. This impacts performance of some benchmarks like audio-beat-detection. This
cl tries to mitigate this effect by passing only full-codegen feedback when the
combined FCG feedback is same as the feedback collected by ignition.
BUG=
Review-Url: https://codereview.chromium.org/2488983002
Cr-Commit-Position: refs/heads/master@{#40888}
This changes {FrameState} nodes modeling "after" states to use bytecode
offsets pointing to the deoptimizing bytecode. This is in sync with the
normal execution, as the bytecode offset is advanced after operations
complete in regular bytecode handlers.
The change is necessary to ensure lazy deoptimized frames contain an
accurate bytecode offset while they are on the stack. Such frames can be
inspected by various stack walks. The continuation builtin will advance
the bytecode offset upon return.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-660379
BUG=chromium:660379
Review-Url: https://codereview.chromium.org/2487173002
Cr-Commit-Position: refs/heads/master@{#40887}
TurboFan can create ConsStrings with empty first parts (for history on
this decision, see da27e0c886). Add a
fast-path for such cases in String::SlowFlatten.
BUG=
Review-Url: https://codereview.chromium.org/2489273002
Cr-Commit-Position: refs/heads/master@{#40885}
We are removing use of the debugger context. When the debugger triggers
compilation, we may not have a context from which to create a JSArray.
R=ishell@chromium.org
Review-Url: https://codereview.chromium.org/2479123002
Cr-Commit-Position: refs/heads/master@{#40884}
We seem to get some small wins from avoiding the Ldr bytecodes, probably due
to reduced icache pressure since there are fewer bytecode handlers. Replace
the Ldr bytecodes with Star lookahead inlined into the Lda versions.
Also fixes IsAccumulatorLoadWithoutEffects to include LdaContextSlot and
LdaCurrentContextSlot
BUG=v8:4280
Review-Url: https://codereview.chromium.org/2489513005
Cr-Commit-Position: refs/heads/master@{#40883}
With this CL, the bytecode graph builder no longer translates module
loads/stores as runtime calls but in terms of two new JS operators. These are
lowered in typed-lowering to a sequence of LoadField's.
R=bmeurer@chromium.org
CC=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2489863003
Cr-Commit-Position: refs/heads/master@{#40881}
Also remove the flag scavenge_reclaim_unmodified_objects which has been
defaulted to true for quite some time now.
BUG=chromium:651354
Review-Url: https://codereview.chromium.org/2486173002
Cr-Commit-Position: refs/heads/master@{#40878}
line_ends is either undefined (if uninitialized) or a fixed array (after
Script::InitLineEnds). All accesses from JS have been removed, therefore
we can skip assigning a COW map and remove the accessor.
Review-Url: https://codereview.chromium.org/2490903002
Cr-Commit-Position: refs/heads/master@{#40876}
This adds information about an exception's caught/uncaught status to the
Runtime.paused event in the data parameter:
{
  "method": "Debugger.paused",
  "params": {
    "callFrames": [
      [...]
    ],
    "data": {
      "description": "666",
      "type": "number",
      "uncaught": true, <---
      "value": 666
    },
    "hitBreakpoints": [],
    "reason": "exception"
  }
}
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2488733003
Cr-Commit-Position: refs/heads/master@{#40875}
Previously we created a duplicate map because we couldn't set the
correct ElementsKind when we created the function. This patch updates
the ElementsKind field of the existing map directly instead of
creating a new one.
This patch also correctly sets the instance_size when we create the
map the first time.
Review-Url: https://codereview.chromium.org/2486193003
Cr-Commit-Position: refs/heads/master@{#40872}
When we use unique_ptr on tracing controller and release it to platform,
unique_ptr will crash when we try to start tracing with trace config, this patch
replaces it with raw pointer and delete it explicitly at the end when needed.
TBR=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2488003002
Cr-Commit-Position: refs/heads/master@{#40871}
- Track representations of virtual registers in InstructionSequence.
- Skip extra aliasing work when no floats or SIMD registers are used.
LOG=N
BUG=v8:4124
Review-Url: https://codereview.chromium.org/2468233004
Cr-Commit-Position: refs/heads/master@{#40870}
... and make them applicable outside of CSA.
Nice bonus is that the assert condition instructions will now appear inside [Assert / ]Assert brackets.
BUG=
Review-Url: https://codereview.chromium.org/2489743002
Cr-Commit-Position: refs/heads/master@{#40869}
Adds an IsInterpreted() function to both SharedFunctionInfo and JSFunction.
This is used to fix the test-heap code-aging tests since Ignition doesn't
age code.
BUG=v8:4680
Review-Url: https://codereview.chromium.org/2481433002
Cr-Commit-Position: refs/heads/master@{#40868}
In tracing we collect runtime statistics data based on top level trace events,
in this patch we force to clear the whole runtime statistics stack when we
enter top level trace events.
Review-Url: https://codereview.chromium.org/2483583002
Cr-Commit-Position: refs/heads/master@{#40867}
With the very same SMIs making up a big chunk
of the parser zone (especially for asm.js) it
makes sense to cache the AstValues for them.
This is not ideal yet, but already saves
hundreds (sic!) MBs of memory for Unity games.
Review-Url: https://codereview.chromium.org/2485423002
Cr-Commit-Position: refs/heads/master@{#40866}
Currently a function like "() => 239" contains offset 3 as begin of function and 8 as end of function.
This CL changes this to 6 and 9 respectively.
BUG=chromium:566801
R=yangguo@chromium.org,dgozman@chromium.org
TBR=adamk@chromium.org
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel
Review-Url: https://codereview.chromium.org/2488493003
Cr-Commit-Position: refs/heads/master@{#40864}
Test InstructionSequenceTest has been initialized with a testing RegisterConfiguration
instance defined in instruction-sequence-unittest.h, whereas class ExplicitOperand which
is being tested used RegisterConfiguration from instruction.cc. In case these two
instances are different, the tests would fail. The issue is fixed by using the same
instance of RegisterConfiguration both for test code and code under test.
Additionally, the tests in register-allocator-unittest.cc use hardcoded values
for register and begin failing if the hardcoded register is not available for
allocation. Fix by forcing the use of allocatable registers only.
TEST=unittests.MoveOptimizerTest.RemovesRedundantExplicit,unittests.RegisterAllocatorTest.SpillPhi
BUG=
Review-Url: https://codereview.chromium.org/2433093002
Cr-Commit-Position: refs/heads/master@{#40862}
This adds a new NumberToUint8Clamped simplified operator that does the
round ties to even + clamping necessary to store to Uint8ClampedArrays.
BUG=v8:4470,v8:5267,v8:5615
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2489563004
Cr-Commit-Position: refs/heads/master@{#40861}
The Ldr[Named/Keyed]Property bytecodes are problematic for the deoptimizer when
inlining accessors in TurboFan. Remove them and replace with a Star lookahead
in the bytecode handlers for Lda[Named/Keyed]Property.
BUG=v8:4280
Review-Url: https://codereview.chromium.org/2485383002
Cr-Commit-Position: refs/heads/master@{#40860}
This stages escape analysis by implying --turbo-escape by the --turbo
flag. It broadens the exposure of the optimization in question.
R=jarin@chromium.org
BUG=v8:4586,v8:5267
Review-Url: https://codereview.chromium.org/1992913005
Cr-Commit-Position: refs/heads/master@{#40859}
We cannot generate debug events if JS execution is disallowed since
vital debugging logic is still implemented in JS. Return early from
Debug::OnException if that is the case.
BUG=chromium:662674
Review-Url: https://codereview.chromium.org/2491443002
Cr-Commit-Position: refs/heads/master@{#40858}
This fixes a race between the sweeper and the array buffer tracker
that causes the sweeper to skip unswept pages.
The scenario:
1. Mark-compact GC adds page p to the sweeping_list_ of the sweeper.
2. GC finishes, the main thread starts executing JS.
3. The main thread takes p->mutex to unregister an array buffer.
4. A sweeper thread removes p from the sweeping_list_ and tries to
take p->mutex. The try fails. The sweeper drops p and continues
to the next page.
5. During selection of evacuation candidate in the next GC we hit
page->SweepingDone() assert.
BUG=chromium:650314
Review-Url: https://codereview.chromium.org/2484153004
Cr-Commit-Position: refs/heads/master@{#40857}
The bounds check in LoadDataSegment was off by one. I also improved the
error message, and fixed an issue where data was initialized even if
the bounds check failed.
In InstantiateModuleForTesting I allow instantiation of modules without
exports. This check was legacy code from the time where instantiation
and execution was still combined in a single function.
R=titzer@chromium.org, rossberg@chromium.org
TEST=cctest/test-run-wasm-module/InitDataAtTheUpperLimit
Review-Url: https://codereview.chromium.org/2486183002
Cr-Commit-Position: refs/heads/master@{#40856}
The problem is that writes to nested objects do not lead to a copy of a referencing VirtualObject, and that each VirtualObjects maintains a cache of an ObjectState node. Together, this leads to inappropriate reuse of ObjectState nodes.
This fix simply always copies all virtual objects when a new VirtualState is created. This is clearly not optimal to avoid clones, but determining precisely which virtual objects are affected by a write is a transitive closure computation on the virtual objects of a virtual state. Alternatively, one could change the semantics of the node cache.
BUG=v8:5611
Review-Url: https://codereview.chromium.org/2488713002
Cr-Commit-Position: refs/heads/master@{#40854}
The spec defines that indirect calls in WebAssembly code should cause a
validation error if no function table exists.
The CL contains the following changes:
1) Throw a validation error for indirect calls if the function table
does not exist.
2) Do not create TF nodes to throw a runtime error for indirect calls
if the function table does not exist.
3) Fix existing unit tests by creating a dummy function table.
4) Add a new test which tests that indirect calls without function
table cause a validation error.
R=rossberg@chromium.org
CC=titzer@chromium.org
TEST=unittests/AstDecoderTest.IndirectCallsWithoutTableCrash
Review-Url: https://codereview.chromium.org/2484623002
Cr-Commit-Position: refs/heads/master@{#40852}
If an exception is thrown when there is a Promise being created, the Promise
catch prediction code would call into a part implemented in JavaScript to see if
the Promise has a catch handler. If it is not possible to call back into JS,
e.g., due to a stack overflow, then this would lead to a crash. This patch
"speculates" that, if it's impossible to call back into JavaScript, then the
error is unhandled, avoiding the issue. In a future patch, the catch prediction
logic should be entirely written in C++, but this patch adds a minimal fix to
be more friendly to backports.
BUG=chromium:662935
R=jgruber
Review-Url: https://codereview.chromium.org/2487833002
Cr-Commit-Position: refs/heads/master@{#40851}
We recently allowed global constants in asm.js validated code.
When used in a return statement, these need to be of an allowed type.
BUG=660813
R=jpp@chromium.org,aseemgarg@chromium.org
Review-Url: https://codereview.chromium.org/2481103002
Cr-Commit-Position: refs/heads/master@{#40850}
Don't rely on carry flags you didn't set yourself.
BUG=chromium:663402
Review-Url: https://codereview.chromium.org/2484283002
Cr-Commit-Position: refs/heads/master@{#40848}
It looks like waiting for 4 ticks before optimizing from interpreted
code is hurting performance in sunspider after turning on Ignition
for all TurboFan code. Set it back to 2 ticks.
BUG=chromium:661556
Review-Url: https://codereview.chromium.org/2488703002
Cr-Commit-Position: refs/heads/master@{#40845}
We handle this case specially because otherwise we would have to do
complicated overflow detection.
R=titzer@chromium.org
TEST=cctest/test-run-wasm/RunWasmCompiled_LoadMaxUint32Offset
Review-Url: https://codereview.chromium.org/2490533003
Cr-Commit-Position: refs/heads/master@{#40844}
Works by accident when using the JSObject descriptor as it also implements
strong semantics.
BUG=chromium:651354
Review-Url: https://codereview.chromium.org/2485163003
Cr-Commit-Position: refs/heads/master@{#40842}
With this CL, we set the is_source_positions_enabled flag on CompilationInfo when
- a command line flag is enabled that requires Turbofan to preserve source position
information (e.g. --trace-deopt), and
- when profiling is enabled.
This also removes the --turbo-source-positions flag.
The goal is to eventually only track source position information when needed.
R=mstarzinger@chromium.org
BUG=v8:5439
Review-Url: https://codereview.chromium.org/2484163003
Cr-Commit-Position: refs/heads/master@{#40836}
The set of operands are really small, so STL set performs really poorly.
In Octane/TypeScript, I see move optimization going from >300ms to <100ms.
Review-Url: https://codereview.chromium.org/2481853002
Cr-Commit-Position: refs/heads/master@{#40835}
This is an experiment to check whether the heuristics is still useful.
BUG=
Review-Url: https://codereview.chromium.org/2482163002
Cr-Commit-Position: refs/heads/master@{#40833}
This adds a new TypedObjectState operator, which is a version of
ObjectState that carries along MachineTypes for the inputs, so we
can tell the deoptimizer how to interpret the inputs, instead of
having to force everything to Tagged.
Drive-by-fix: Remove the unused id parameter from ObjectState.
R=tebbi@chromium.org
BUG=v8:5609
Review-Url: https://codereview.chromium.org/2488623002
Cr-Commit-Position: refs/heads/master@{#40832}
The access check is generated as a:
- Equality check of an execution-time and a compile-time native contexts
for primitive receivers.
- Equality check of an execution-time and a compile-time native contexts
or equality check of a respective security tokens for global proxy receivers.
- No-op for other kinds of receivers.
BUG=v8:5561
Review-Url: https://codereview.chromium.org/2482913002
Cr-Commit-Position: refs/heads/master@{#40829}
We really should deopt before the for-in index increment.
BUG=chromium:662904
Review-Url: https://codereview.chromium.org/2476423003
Cr-Commit-Position: refs/heads/master@{#40828}
This introduces two new bytecodes LdaModuleVariable and StaModuleVariable,
replacing the corresponding runtime calls.
Support in the bytecode graph builder exists only in the form of runtime calls.
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2471033004
Cr-Commit-Position: refs/heads/master@{#40825}
The memory leak is fixed by calling the GC at the end of the tests. The GC collects the WasmModuleWrapper objects, which deallocates WasmModule c++ object. For the mjsunit tests the GC is already called because of the --invoke_weak_callbacks flag.
BUG=chromium:662388
Review-Url: https://codereview.chromium.org/2476643003
Cr-Commit-Position: refs/heads/master@{#40822}
- When module bytes have a memory maximum defined, compiled module object should set maximum memory
- Exported memory objects should set maximum value on the memory objects
- Update tests to use declared maximum values.
R=ahaas@chromium.org
Review-Url: https://codereview.chromium.org/2474333003
Cr-Commit-Position: refs/heads/master@{#40820}
This patch is a follow-up patch to enable gc statistics to use
TracingCategoryObserver.
Previously we need to pass --track_gc_object_stats to v8 if we want to enable
gc statistics in tracing. In this patch, we introduce an integer flag
FLAG_gc_stats, and FLAG_track_gc_object_stats and FLAG_trace_gc_object_stats
will set it to 0x01, tracing will set it to 0x10 when we start tracing and
reset the bit when we stop tracing.
BUG=v8:5590
Review-Url: https://codereview.chromium.org/2459903003
Cr-Commit-Position: refs/heads/master@{#40817}
Note: This CL might regress code that relies on such arguments access.
In that case, we could still optimize the access if it accesses at
constant index (and the argument at that index is not context-allocated).
If any code relies on a general access to context-allocated arguments,
we would need to analyze the function for assignment to the arguments - this
might be quite tricky.
BUG=chromium:662845
Review-Url: https://codereview.chromium.org/2484723002
Cr-Commit-Position: refs/heads/master@{#40813}
In the lightweight mode it only maintains pseudo stack and does not
collect timing information. It can be used in the sampling mode.
BUG=chromium:660428
Review-Url: https://codereview.chromium.org/2472193002
Cr-Commit-Position: refs/heads/master@{#40812}
Reason for revert:
Speculative revert for blocking roll:
https://codereview.chromium.org/2479233002/
Original issue's description:
> [wasm] Indirect calls without function table cause validation errors.
>
> The spec defines that indirect calls in WebAssembly code should cause a
> validation error if no function table exists.
>
> The CL contains the following changes:
> 1) Throw a validation error for indirect calls if the function table
> does not exist.
> 2) Do not create TF nodes to throw a runtime error for indirect calls
> if the function table does not exist.
> 3) Fix existing unit tests by creating a dummy function table.
> 4) Add a new test which tests that indirect calls without function
> table cause a validation error.
>
> R=rossberg@chromium.org
> CC=titzer@chromium.org
>
> TEST=unittests/AstDecoderTest.IndirectCallsWithoutTableCrash
TBR=rossberg@chromium.org,titzer@chromium.org,ahaas@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2479283002
Cr-Commit-Position: refs/heads/master@{#40811}
The existing Load/StoreContextElement operations take the index as an int. This
CL adds versions that take the index as a Node. These already existed in the
interpreter-assembler, from which they are now removed.
R=mstarzinger@chromium.org, rmcilroy@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2473003004
Cr-Commit-Position: refs/heads/master@{#40810}
Otherwise we could in theory abort preparsing to the preparser and preparse again before aborting again... We shouldn't have this mess; so only set up mode_ in the parser in the first place.
BUG=
Review-Url: https://codereview.chromium.org/2479213002
Cr-Commit-Position: refs/heads/master@{#40809}
This makes use of the newly introduced cell indices to speed up variable
accesses. Imports and local exports are now directly stored in (separate)
arrays. In the future, we may merge the two arrays into a single one, or
even into the module context.
This CL also replaces the LoadImport and LoadExport runtime functions with
a single LoadVariable taking a variable index as argument (rather than a
name).
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2465283004
Cr-Commit-Position: refs/heads/master@{#40808}
This
- removes the ParserRecorder base class,
- devirtualizes the LogFunction and LogMessage functions,
- reuses the SingletonLogger for all preparser calls
In a subsequent step the preparser should probably log directly to the CompleteParserRecorder rather than indirectly through the singleton logger...
BUG=
Review-Url: https://codereview.chromium.org/2474393003
Cr-Commit-Position: refs/heads/master@{#40803}
The spec defines that indirect calls in WebAssembly code should cause a
validation error if no function table exists.
The CL contains the following changes:
1) Throw a validation error for indirect calls if the function table
does not exist.
2) Do not create TF nodes to throw a runtime error for indirect calls
if the function table does not exist.
3) Fix existing unit tests by creating a dummy function table.
4) Add a new test which tests that indirect calls without function
table cause a validation error.
R=rossberg@chromium.org
CC=titzer@chromium.org
TEST=unittests/AstDecoderTest.IndirectCallsWithoutTableCrash
Review-Url: https://codereview.chromium.org/2484623002
Cr-Commit-Position: refs/heads/master@{#40802}
The maximum memory size is a user-defined upper limit for the size of
the memory of a WebAssembly instance. The actual limit is the minimum of
the user-defined limit and the V8 limit. With this CL we allow the
user-defined limit to be greater than the V8 limit, which is required by
the spec.
R=titzer@chromium.org
CC=gdeepti@chromium.org
TEST=unittests/WasmModuleVerifyTest.MaxMaximumMemorySize
Review-Url: https://codereview.chromium.org/2484643002
Cr-Commit-Position: refs/heads/master@{#40801}
When we hit an unsupported field store, only flush the state of
potentially aliasing objects, but don't flush the full state table.
R=jarin@chromium.org
BUG=v8:5608
Review-Url: https://codereview.chromium.org/2476213002
Cr-Commit-Position: refs/heads/master@{#40799}
LiveObjectIterator sometimes runs concurrently to the main thread. In these
scenarios we are not allowed to access memory of live objects in non-atomic
ways. Use synchronized reads where needed.
Correctness (already ok in current state):
- Reading a larger size is fine per definition.
- Reading a smaller size is fine since we are guaranteed that one word fillers will
follow.
BUG=v8:5583
R=ulan@chromium.org,hpayer@chromium.org
Review-Url: https://codereview.chromium.org/2477823003
Cr-Commit-Position: refs/heads/master@{#40798}
Drive-by-fix 1: be more precise in machine representations for
AllocateNameDictionary to make --turbo_verify_machine_graph happy.
Drive-by-fix 2: Improve graph verifier output by printing input
representation.
BUG=
Review-Url: https://codereview.chromium.org/2475913002
Cr-Commit-Position: refs/heads/master@{#40797}
We need to rename the receiver on CheckHeapObject, because we
don't canonicalize numbers in SignedSmall range, and thus
the representation selection can hand out TaggedSigned values
for receiver uses, even though we checked for TaggedPointerness
first.
Note that this is rather hacky and just intended to fix the bug
ASAP. We need to think about how to deal with representations in
earlier compilation stages.
BUG=chromium:662410
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2485563002
Cr-Commit-Position: refs/heads/master@{#40792}
Using _exit on windows may cause race conditions in threads.
BUG=chromium:603131
Review-Url: https://codereview.chromium.org/2478473003
Cr-Commit-Position: refs/heads/master@{#40789}
This adds support to track Float64 fields on 64-bit platforms, which is
necessary to properly deal with unboxed double fields there.
Drive-by-fix: Crash if we see Simd128 representation here.
R=jarin@chromium.org
BUG=v8:5608
Review-Url: https://codereview.chromium.org/2485543002
Cr-Commit-Position: refs/heads/master@{#40788}
In Crankshaft we unconditionally assume that accesses to arguments[i] will
be in-bounds and don't take into account IC feedback that would eventually
teach us about out-of-bounds accesses that have happened in the past, so
there's no real guard to protect the bounds check in optimized code.
TEST=mjsunit/compiler/deopt-arguments-oob
R=jarin@chromium.org
BUG=v8:5606
Review-Url: https://codereview.chromium.org/2481053002
Cr-Commit-Position: refs/heads/master@{#40787}
Reason for revert:
Speculative revert for blocking roll:
https://codereview.chromium.org/2473003006/
E.g.:
https://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_rel_ng/builds/331898
Original issue's description:
> [Tracing] Use TracingCategoryObserver in gc statistics
>
> This patch is a follow-up patch to enable gc statistics to use
> TracingCategoryObserver.
>
> Previously we need to pass --track_gc_object_stats to v8 if we want to enable
> gc statistics in tracing. In this patch, we introduce an integer flag
> FLAG_gc_stats, and FLAG_track_gc_object_stats and FLAG_trace_gc_object_stats
> will set it to 0x01, tracing will set it to 0x10 when we start tracing and
> reset the bit when we stop tracing.
>
> BUG=v8:5590
TBR=fmeawad@chromium.org,mlippautz@chromium.org,lpy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5590
Review-Url: https://codereview.chromium.org/2477143002
Cr-Commit-Position: refs/heads/master@{#40785}
This method iterates through all shared function info which are related to passed script, compiles debug code for SFI in range if needed and returns possible break locations.
BUG=chromium:566801
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel
Review-Url: https://codereview.chromium.org/2465553003
Cr-Commit-Position: refs/heads/master@{#40783}
This patch fixes two bugs in V8 to allow the global object to have a frozen proto:
- The immutable prototype map check is done on the map of the "real receiver",
the one that's found after the hidden prototype traversal, rather than
the object that SetPrototype is called on.
- The immutable prototype bit from the ObjectTemplate used to instantiate
the global object, as passed to Context::New, is respected when instantiating
the global object.
R=adamk
BUG=v8:5149
Review-Url: https://codereview.chromium.org/2474843003
Cr-Commit-Position: refs/heads/master@{#40778}
This patch is a follow-up patch to enable gc statistics to use
TracingCategoryObserver.
Previously we need to pass --track_gc_object_stats to v8 if we want to enable
gc statistics in tracing. In this patch, we introduce an integer flag
FLAG_gc_stats, and FLAG_track_gc_object_stats and FLAG_trace_gc_object_stats
will set it to 0x01, tracing will set it to 0x10 when we start tracing and
reset the bit when we stop tracing.
BUG=v8:5590
Review-Url: https://codereview.chromium.org/2459903003
Cr-Commit-Position: refs/heads/master@{#40777}
This removes the deprecated flag in question which has been enabled by
default a while ago. All components can by now deal with activations of
a single function being mixed between Ignition and other compilers. The
maintenance overhead to support a mode that clears bytecode is no longer
warranted.
R=rmcilroy@chromium.org
BUG=v8:4280
Review-Url: https://codereview.chromium.org/2475203003
Cr-Commit-Position: refs/heads/master@{#40776}
Compatible with the current (unshipped) Blink implementation.
BUG=chromium:148757
Review-Url: https://codereview.chromium.org/2471923002
Cr-Commit-Position: refs/heads/master@{#40775}
If a HeapObject field is 8 bytes long and 8 bytes aligned, but we use only four bytes of it,
on little endian architectures we will access the lower 4 bytes of the field using the same
base address as accessing the whole eight bytes.
On big-endian architectures however we use base address to access the full 8 bytes, but base
address + 4 to access the lower 4 bytes. For this reason, the assert in OffsetForFieldAccess
fails on MIPS64 big endian.
We fix the issue by removing the assert that checks that offset is pointer size aligned.
TEST=mjsunit/regress/regress-crbug-648737
BUG=
Review-Url: https://codereview.chromium.org/2453333002
Cr-Commit-Position: refs/heads/master@{#40772}
Parameters of a lazily parsed function used to be parsed eagerly, and parameter
handling was split between Parser::ParseFunctionLiteral and
ParseEagerFunctionBody, leading to inconsistencies.
After this CL, we preparse (lazy parse) the parameters of lazily parsed
functions.
(For arrow functions, we cannot do that ofc.)
This is needed for later features (PreParser with scope analysis).
-- CL adapted from marja's https://codereview.chromium.org/2411793003/
BUG=
Review-Url: https://codereview.chromium.org/2472063002
Cr-Commit-Position: refs/heads/master@{#40771}
- Remove (one version of) InterpreterAssembler::LoadContextSlot in favor of the
identical CodeStubAssembler::LoadContextElement.
- Use CodeStubAssembler::LoadNativeContext instead of doing the load manually.
R=rmcilroy@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2470253003
Cr-Commit-Position: refs/heads/master@{#40766}
Some accessors require little to no computation at all; their result can be
cached in a private property, avoiding the call overhead.
Calls to the getter are translated into a cheap property load.
Follow-on to crrev.com/2347523003, from peterssen@google.com
BUG=chromium:634276, v8:5548
Review-Url: https://codereview.chromium.org/2405213002
Cr-Commit-Position: refs/heads/master@{#40765}
Fix 4447405b17
A typo in the patch caused failures on MIPS64. There were no failures on MIPS32,
but I guess the same patch needs to be applied there as well.
BUG=
Review-Url: https://codereview.chromium.org/2473343002
Cr-Commit-Position: refs/heads/master@{#40763}
When checking for marking a function for optimization, we had a check if
the function is already optimized to return early. This works in non-OSR
cases. For Turbofan OSR even when the current execution of the function
has already been optimized, the function itself will not be replaced
with optimized code. Hence, we may end up checking a function that is
already marked for optimization again. A check for the frame being optimized
avoids these checks.
BUG=
Review-Url: https://codereview.chromium.org/2450233002
Cr-Commit-Position: refs/heads/master@{#40760}
Port f07d2cdd6a
Original commit message:
A load instruction will implicitly clear the top 32 bits when writing to a W
register. This patch avoids generating a `mov` instruction to zero-extend the
result in this case.
For example, this occurs in the generated code for dispatching to the next
bytecode in the interpreter:
kind = BYTECODE_HANDLER
name = LdaZero
compiler = turbofan
Instructions (size = 36)
0x32e64c60 0 add x19, x19, #0x1 (1)
0x32e64c64 4 ldrb w0, [x20, x19]
0x32e64c68 8 mov w0, w0
             ^^^^^^^^^^
0x32e64c6c 12 lsl x0, x0, #3
0x32e64c70 16 ldr x1, [x21, x0]
0x32e64c74 20 movz x0, #0x0
0x32e64c78 24 br x1
Review-Url: https://codereview.chromium.org/2469253002
Cr-Commit-Position: refs/heads/master@{#40758}
The value numbering reducer has collision checks for nodes that mutated,
but kept the same hash, and are now equivalent to another node. However,
it can also accidentally hit itself, if it mutated, changed hash, but
ran over the location it was previously in.
After this patch, it checks to see if it is comparing against itself,
and skips over itself. Additionally, if this check is at the end of the
collisions, it opportunistically removes the duplicate entry and reduces
the size pressure on the list. We can do the same opportunistic clean up
if we happen to find a colliding equivalent entry, since we move it from
its original position to a new one.
Drive-by change: Ensure that the collision replacement checks types in
the same way that normal replacement does.
Review-Url: https://codereview.chromium.org/2475653002
Cr-Commit-Position: refs/heads/master@{#40757}
Instead of having a MODULE variable's index be 0 or 1, let it be the index of
its cell. In this CL, we assign the indices but we continue to only use them to
distinguish imports from exports. Actually using them to directly access the
cells will be done in a later CL.
R=adamk@chromium.org
BUG=v8:1569
Review-Url: https://codereview.chromium.org/2460233003
Cr-Commit-Position: refs/heads/master@{#40752}
This patch is a follow-up patch to enable runtime statistics to use
TracingCategoryObserver.
BUG=v8:5590
Review-Url: https://codereview.chromium.org/2460973003
Cr-Commit-Position: refs/heads/master@{#40745}
Reason for revert:
Static-Initializers failed on Ubuntu-12.04
Original issue's description:
> [Tracing] Use TracingCategoryObserver in runtime statistics
>
> This patch is a follow-up patch to enable runtime statistics to use
> TracingCategoryObserver.
>
> BUG=v8:5590
TBR=cbruni@chromium.org,fmeawad@chromium.org,alph@chromium.org,bmeurer@chromium.org,mlippautz@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5590
Review-Url: https://codereview.chromium.org/2469403005
Cr-Commit-Position: refs/heads/master@{#40743}
This patch is a follow-up patch to enable runtime statistics to use
TracingCategoryObserver.
BUG=v8:5590
Review-Url: https://codereview.chromium.org/2460973003
Cr-Commit-Position: refs/heads/master@{#40742}
Use HeapConstant for string_iterator_map rather than loading it
manually. This avoids unnecessary map checks.
BUG= v8:3822,v8:5267
Review-Url: https://codereview.chromium.org/2479563003
Cr-Commit-Position: refs/heads/master@{#40741}
During instruction selection, match the pattern
Float64LessThan(#0.0, Float64Abs(x))
which TurboFan generates for NumberToBoolean in the general case,
and which evaluates to false if x is 0, -0 or NaN, and compile this
to a simple (v)ucomisd using not_equal flags condition, which avoids
the costly Float64Abs.
Also consistently generate this pattern in TurboFan and the code
stubs/interpreter for ToBoolean.
R=mstarzinger@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2473923003
Cr-Commit-Position: refs/heads/master@{#40740}
This patch removes TracingCategoryObserver API and moves the creation of
observer inside platform initialization, by assuming that either
Platform::AddTraceStateObserver is implemented correctly to add observer to
tracing controller that is implemented by embedders, or default tracing controller
has already been set up and attached to platform before
v8::V8::InitializePlatform is called.
BUG=v8:5590
Review-Url: https://codereview.chromium.org/2471583004
Cr-Commit-Position: refs/heads/master@{#40739}
Since all possible data-encoded prototype chain checks are supported by LoadIC
we can remove this extra iteration.
LoadGlobalIC does not support data handlers yet.
BUG=v8:5561
Review-Url: https://codereview.chromium.org/2479523002
Cr-Commit-Position: refs/heads/master@{#40738}
Reason for revert:
Speculative revert to see impact on crbug.com/659531
Original issue's description:
> [heap] Add a guard for restarting the memory reducer after mark-compact.
>
> Currently it is possible to get into a cycle of
> mark-compact -> memory reducer -> mark-compact -> memory reducer ...
> where the memory reducer does not free memory.
>
> This patch ensures that the memory reducer restarts only if the
> committed memory increased by sufficient amount after the last run.
>
> BUG=
TBR=hpayer@chromium.org,davidroutier17@gmail.com
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=
Review-Url: https://codereview.chromium.org/2472053003
Cr-Commit-Position: refs/heads/master@{#40737}
Exchanged the ZoneList for a ZoneChunkList to avoid
unnecessary growing.
Review-Url: https://codereview.chromium.org/2468183004
Cr-Commit-Position: refs/heads/master@{#40736}
Changes the ValueNumberingReducer to grow when at 80% capacity, rather
than at 50% capacity. This matches the behaviour of base/hashmap.
Review-Url: https://codereview.chromium.org/2474873003
Cr-Commit-Position: refs/heads/master@{#40734}
Load the correct 32-bit word to determine if the buffer is shared by
using kBitFieldOffset instead of kBitFieldSlot.
R=ishell@chromium.org,mstarzinger@chromium.org,jkummerow@chromium.org
BUG=
LOG=N
Review-Url: https://codereview.chromium.org/2470023003
Cr-Commit-Position: refs/heads/master@{#40730}
If a WebAssembly function is exported, its js-to-wasm wrapper has a
field which contains a reference to the WebAssembly function.
Originally this reference was an index into the export table, which
then contains an index into the function table, which then contains
the metadata of the WebAssembly function.
With this CL we use the index into the function table directly as
the reference to the WebAssembly function.
TEST=mjsunit/wasm/test-import-export-wrapper
R=rossberg@chromium.org, mtrofin@chromium.org
CC=titzer@chromium.org
Review-Url: https://codereview.chromium.org/2472103002
Cr-Commit-Position: refs/heads/master@{#40729}
With an instance of CodeStubArguments, builtin stub generators can generate code
that accesses the receiver passed to the builtin, as well as access and iterate
over the variable number of arguments that are passed in.
Review-Url: https://codereview.chromium.org/2469273003
Cr-Commit-Position: refs/heads/master@{#40726}
For lowering CheckHeapObject, always report TaggedPointer representation
and let the RepresentationChanger come up with a reasonable conversion from
whatever input representation to TaggedPointer. This way we no longer insert
the useless ChangeSomethingToTagged and then check the result for HeapObject,
i.e. mostly reduces the amount of useless code being generated.
Note there are now two operators ChangeFloat64ToTaggedPointer and the old
ChangeFloat64ToTagged, because their semantics differ wrt. the strength
reduction in the SimplifiedOperatorReducer.
Also set the output MachineRepresentation::kTaggedPointer properly in
SimplifiedLowering whenever we know that we produce a HeapObject.
R=jarin@chromium.org
BUG=v8:5267
Review-Url: https://codereview.chromium.org/2476593002
Cr-Commit-Position: refs/heads/master@{#40725}
Removed a wrong condition test in TwoByteExternalBufferedStream. This change fixes errors that may occur under some conditions.
Review-Url: https://codereview.chromium.org/2469723002
Cr-Commit-Position: refs/heads/master@{#40722}
This disables the usage of the {maybe_assigned} flag that the variable
resolution computes for each variable on non-asm.js code. Note that the
analysis is fundamentally broken for destructuring and top-level lexical
variables. Also note that this still uses the analysis for asm.js code
even though it is not validated. One can still trigger the bug by using
invalid constructs within a function marked with "use asm". The fix is
intentionally minimal so that it can be merged to release branches.
R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-659915
BUG=chromium:659915
Review-Url: https://codereview.chromium.org/2471523005
Cr-Commit-Position: refs/heads/master@{#40716}
This removes the first stack check in inlined functions in the bytecode
graph builder, to match the behaviour of the AST graph builder.
I measure a ~1% statistically significant (p < 0.01) improvement on
Mandreel with --ignition-staging --turbo (on my x64 machine, YMMV).
Review-Url: https://codereview.chromium.org/2392333002
Cr-Commit-Position: refs/heads/master@{#40715}
This turns the ZoneList with minimum 6 words overhead into a linked list through variables, using 2 words for the empty list. Additionally the average number of pointers per entry goes down to the optimal 1 per variable that's in a list.
This does introduce 1 pointer unnecessary overhead for dynamic variables. If that becomes a problem we could distinguish between variables in lists and variables not in lists. We can distinguish them at construction-time.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2475433002
Cr-Commit-Position: refs/heads/master@{#40714}
Reason for revert:
Performance regression on Octane and V8 runtime stats.
Original issue's description:
> [heap] Invoke incremental marking step before allocation.
>
> This ensures that the newly allocated object immediately precedes the
> linear allocation area, which is needed for allocation folding.
>
> For more info see:
> https://bugs.chromium.org/p/chromium/issues/detail?id=659165#c13
>
> BUG=chromium:659165
TBR=hpayer@chromium.org,mlippautz@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:659165
Review-Url: https://codereview.chromium.org/2472043002
Cr-Commit-Position: refs/heads/master@{#40713}
Make RuntimeCallTimer::parent_ and RuntimeCallStats::current_timer_
fields atomic as they are accessed from the signal handler.
BUG=chromium:660428
Review-Url: https://codereview.chromium.org/2464973002
Cr-Commit-Position: refs/heads/master@{#40709}
The wasm interpreter crashed because it interpreted the table of
br_table as a table of uint8, but according to the spec it is a table of
varint32. Therefore the wasm interpreter misinterpreted 0x80 0x00 as 128
and not as 0, which caused a crash.
R=tizer@chromium.org
BUG=chromium:660262
TEST=cctest/test-run-wasm/RunWasmInterpreted_Regression_660262
Review-Url: https://codereview.chromium.org/2463063002
Cr-Commit-Position: refs/heads/master@{#40708}
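The decoding difference behind the br_table fix above, as an added example (not V8's interpreter code): a bounds-checked varint32 (unsigned LEB128) reader next to the one-byte-per-entry reading the commit message describes. The function names, the immediate layout (a varint32 count followed by count + 1 varint32 branch depths), the block_depth parameter and the sample bytes are assumptions constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Decode one unsigned LEB128 value of at most 32 bits (wasm varint32).
// Returns bytes consumed, or 0 if the input is truncated or does not fit.
static size_t ReadVarUint32(const uint8_t* p, const uint8_t* end,
                            uint32_t* out) {
  uint32_t result = 0;
  for (size_t i = 0; i < 5; ++i) {
    if (p + i >= end) return 0;  // ran off the end of the buffer
    const uint8_t b = p[i];
    // The fifth byte may only carry bits 28..31 and must end the value.
    if (i == 4 && (b & 0xF0) != 0) return 0;
    result |= static_cast<uint32_t>(b & 0x7F) << (7 * i);
    if ((b & 0x80) == 0) {
      *out = result;
      return i + 1;
    }
  }
  return 0;
}

struct BrTable {
  bool ok = false;
  size_t length = 0;              // bytes occupied by the immediate
  std::vector<uint32_t> targets;  // last entry is the default target
};

// Assumed layout: varint32 count, then count + 1 varint32 branch depths.
// block_depth (hypothetical parameter) is the number of enclosing blocks
// that a branch is allowed to target.
static BrTable DecodeBrTable(const uint8_t* p, const uint8_t* end,
                             uint32_t block_depth) {
  BrTable t;
  uint32_t count = 0;
  size_t n = ReadVarUint32(p, end, &count);
  if (n == 0) return t;
  size_t pos = n;
  // Every entry needs at least one byte, so reject impossible counts early.
  if (count >= static_cast<size_t>(end - p) - pos) return t;
  for (uint64_t i = 0; i <= count; ++i) {
    uint32_t depth = 0;
    n = ReadVarUint32(p + pos, end, &depth);
    if (n == 0 || depth >= block_depth) {
      t.targets.clear();
      return t;  // truncated entry or branch target out of range
    }
    t.targets.push_back(depth);
    pos += n;
  }
  t.length = pos;
  t.ok = true;
  return t;
}

// The reading the commit message describes as the bug: one uint8 per entry.
static BrTable DecodeBrTableAsBytes(const uint8_t* p, const uint8_t* end) {
  BrTable t;
  if (p >= end) return t;
  const size_t count = p[0];
  if (count >= static_cast<size_t>(end - p) - 1) return t;
  for (size_t i = 0; i <= count; ++i) t.targets.push_back(p[1 + i]);
  t.length = 2 + count;
  t.ok = true;
  return t;
}

// Constructed sample: count = 1, first target encoded as 0x80 0x00 (a
// two-byte encoding of 0), default target 0.
static const uint8_t kSample[] = {0x01, 0x80, 0x00, 0x00};

int main() {
  const uint8_t* end = kSample + sizeof(kSample);
  BrTable good = DecodeBrTable(kSample, end, 1);
  BrTable bad = DecodeBrTableAsBytes(kSample, end);
  std::printf("varint32: ok=%d target0=%u length=%zu\n", good.ok,
              good.targets.empty() ? 0u : good.targets[0], good.length);
  std::printf("uint8:    ok=%d target0=%u length=%zu\n", bad.ok,
              bad.targets.empty() ? 0u : bad.targets[0], bad.length);
  return 0;
}
```

The byte-wise reading both yields a branch depth of 128 and reports an immediate one byte shorter than it is, so everything decoded after it is misaligned as well.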
Apparently the previous clean up has regressed performance in some
cases. This is an attempt to recover these regressions.
R=ulan@chromium.org
BUG=chromium:661567
Review-Url: https://codereview.chromium.org/2471493003
Cr-Commit-Position: refs/heads/master@{#40707}
This reduces per-scope overhead from minimally 6 words to 2 words, with one additional pointer per entry, rather than an average of 2 per entry for larger-than-4 element lists. For temp zone parsed functions it additionally makes the declaration-list actually freeable.
This introduces ThreadedList to implement the details of dealing with such a list.
BUG=v8:5209
Review-Url: https://codereview.chromium.org/2457393003
Cr-Commit-Position: refs/heads/master@{#40703}
To enable the global object prototype chain to be frozen, all objects
in the chain need to be marked as immutable prototype exotic objects.
However, a bug in the previous implementation of immutable prototype
exotic objects left the check in place when initially setting up the
object, which made it impossible to allow inheritance chains. This
patch removes that mistaken check.
BUG=v8:5149
Review-Url: https://codereview.chromium.org/2449163004
Cr-Commit-Position: refs/heads/master@{#40702}
Reason for revert:
Causes performance regressions (up to 10% on the "IC" bucket). :-(
Original issue's description:
> [ic] Experiment: disable map-specific handler cache.
>
> IC data handlers support most of the hot cases nowadays. Let's see if
> the map-specific code cache still helps us to improve things.
>
> BUG=v8:5561
TBR=ishell@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5561
Review-Url: https://codereview.chromium.org/2474653002
Cr-Commit-Position: refs/heads/master@{#40701}
In the process, add a more general mechanism for passing around
and amending list of CodeStubAssembler Variables. That change
makes it possible to more easily add Variables to loops that are
generated by utility functions, e.g. BuildFastLoop.
LOG=N
Review-Url: https://codereview.chromium.org/2461363002
Cr-Commit-Position: refs/heads/master@{#40700}
This is preparation for using TF to create builtins that handle variable number of
arguments and have to remove these arguments dynamically from the stack upon
return.
The gist of the changes:
- Added a second argument to the Return node which specifies the number of stack
slots to pop upon return in addition to those specified by the Linkage of the
compiled function.
- Removed Tail -> Non-Tail fallback in the instruction selector. Since TF now should
handle all tail-call cases except where the return value type differs, this fallback
was not really useful and in fact caused unexpected behavior with variable
sized argument popping, since it wasn't possible to materialize a Return node
with the right pop count from the TailCall without additional context.
- Modified existing Return generation to pass a constant zero as the additional
pop argument since the variable pop functionality
LOG=N
Review-Url: https://codereview.chromium.org/2446543002
Cr-Commit-Position: refs/heads/master@{#40699}
Delayed chunks in the unmapper are chunks that should be unmapped but could
potentially still be accessed by the sweeper (page header), hence their
unmapping is delayed.
During TearDown, however, we need to properly unmap those pages, i.e., check
that they can now be unmapped (should always hold) and properly unmap them.
BUG=chromium:656537
R=ulan@chromium.org
Review-Url: https://codereview.chromium.org/2472573003
Cr-Commit-Position: refs/heads/master@{#40698}
Only ARM should have fixed live range arrays for float / simd128.
LOG=N
BUG=v8:4124
Review-Url: https://codereview.chromium.org/2471533002
Cr-Commit-Position: refs/heads/master@{#40696}
port 5ef1bddf80 (r40690)
original commit message:
All vector ICs use the TypeFeedbackVector::ComputeCounts method now,
while the remaining patching ICs still use the traditional way of
counting on the TypeFeedbackInfo hanging off the fullcodegen code
object. This fixes the problem that counts were sometimes off.
BUG=
Drive-by-fix: Move FullCodeGenerator::CallIC to fullcodegen.cc.
Review-Url: https://codereview.chromium.org/2470063002
Cr-Commit-Position: refs/heads/master@{#40692}
Reason for revert:
Seems to break arm64 sim debug and blocks roll:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20debug/builds/3294
Original issue's description:
> [turbofan] Support variable size argument removal in TF-generated functions
>
> This is preparation for using TF to create builtins that handle variable number of
> arguments and have to remove these arguments dynamically from the stack upon
> return.
>
> The gist of the changes:
> - Added a second argument to the Return node which specifies the number of stack
> slots to pop upon return in addition to those specified by the Linkage of the
> compiled function.
> - Removed Tail -> Non-Tail fallback in the instruction selector. Since TF now should
> handle all tail-call cases except where the return value type differs, this fallback
> was not really useful and in fact caused unexpected behavior with variable
> sized argument popping, since it wasn't possible to materialize a Return node
> with the right pop count from the TailCall without additional context.
> - Modified existing Return generation to pass a constant zero as the additional
> pop argument since the variable pop functionality
>
> LOG=N
TBR=bmeurer@chromium.org,mstarzinger@chromium.org,epertoso@chromium.org,danno@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
NOPRESUBMIT=true
Review-Url: https://codereview.chromium.org/2473643002
Cr-Commit-Position: refs/heads/master@{#40691}
All vector ICs use the TypeFeedbackVector::ComputeCounts method now,
while the remaining patching ICs still use the traditional way of
counting on the TypeFeedbackInfo hanging off the fullcodegen code
object. This fixes the problem that counts were sometimes off.
Drive-by-fix: Move FullCodeGenerator::CallIC to fullcodegen.cc.
R=yangguo@chromium.org
Review-Url: https://codereview.chromium.org/2472653002
Cr-Commit-Position: refs/heads/master@{#40690}
IC data handlers support most of the hot cases nowadays. Let's see if
the map-specific code cache still helps us to improve things.
BUG=v8:5561
Review-Url: https://codereview.chromium.org/2462973003
Cr-Commit-Position: refs/heads/master@{#40685}
port 5319b50c85 (r40678)
original commit message:
This is preparation for using TF to create builtins that handle variable number of
arguments and have to remove these arguments dynamically from the stack upon
return.
The gist of the changes:
- Added a second argument to the Return node which specifies the number of stack
slots to pop upon return in addition to those specified by the Linkage of the
compiled function.
- Removed Tail -> Non-Tail fallback in the instruction selector. Since TF now should
handle all tail-call cases except where the return value type differs, this fallback
was not really useful and in fact caused unexpected behavior with variable
sized argument popping, since it wasn't possible to materialize a Return node
with the right pop count from the TailCall without additional context.
- Modified existing Return generation to pass a constant zero as the additional
pop argument since the variable pop functionality
BUG=
Review-Url: https://codereview.chromium.org/2469623002
Cr-Commit-Position: refs/heads/master@{#40684}
Both --harmony-object-values-entries and --harmony-object-own-property-descriptors
are on by default in v8 5.4, which has now shipped to
stable as Chrome 54.
R=caitp@igalia.com
Review-Url: https://codereview.chromium.org/2464733003
Cr-Commit-Position: refs/heads/master@{#40683}
Port 5319b50c85
Original commit message:
This is preparation for using TF to create builtins that handle variable number of
arguments and have to remove these arguments dynamically from the stack upon
return.
The gist of the changes:
- Added a second argument to the Return node which specifies the number of stack
slots to pop upon return in addition to those specified by the Linkage of the
compiled function.
- Removed Tail -> Non-Tail fallback in the instruction selector. Since TF now should
handle all tail-call cases except where the return value type differs, this fallback
was not really useful and in fact caused unexpected behavior with variable
sized argument popping, since it wasn't possible to materialize a Return node
with the right pop count from the TailCall without additional context.
- Modified existing Return generation to pass a constant zero as the additional
pop argument since the variable pop functionality
R=danno@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com
BUG=
LOG=N
Review-Url: https://codereview.chromium.org/2462173002
Cr-Commit-Position: refs/heads/master@{#40682}
We only need included categories list, excluded categories list will only work
if we use regular expression in categories list, which is not supported in V8.
TBR=jochen@chromium.org
Review-Url: https://codereview.chromium.org/2462143002
Cr-Commit-Position: refs/heads/master@{#40681}
This is preparation for using TF to create builtins that handle variable number of
arguments and have to remove these arguments dynamically from the stack upon
return.
The gist of the changes:
- Added a second argument to the Return node which specifies the number of stack
slots to pop upon return in addition to those specified by the Linkage of the
compiled function.
- Removed Tail -> Non-Tail fallback in the instruction selector. Since TF now should
handle all tail-call cases except where the return value type differs, this fallback
was not really useful and in fact caused unexpected behavior with variable
sized argument popping, since it wasn't possible to materialize a Return node
with the right pop count from the TailCall without additional context.
- Modified existing Return generation to pass a constant zero as the additional
pop argument since the variable pop functionality
LOG=N
Review-Url: https://codereview.chromium.org/2446543002
Cr-Commit-Position: refs/heads/master@{#40678}
This function is implemented in other JavaScript shells
BUG=None
R=titzer
Review-Url: https://codereview.chromium.org/2458963003
Cr-Commit-Position: refs/heads/master@{#40677}
While this seems like it should be true, the array buffer is not actually
neutered until the end of cloning. This is so that, if an exception is thrown
during serialization, the original array buffer is not left neutered. As a
result, Blink will not have neutered the buffer.
This fixes some DCHECK failures during layout tests.
BUG=chromium:148757
Review-Url: https://codereview.chromium.org/2466563002
Cr-Commit-Position: refs/heads/master@{#40675}
This CL adds support for primitive maps to
1) PrototypeIterator,
2) PropertyHandlerCompiler::CheckPrototypes(),
3) Map::GetOrCreatePrototypeChainValidityCell(),
4) Prototype checks in data-driven ICs.
BUG=v8:5561
Review-Url: https://codereview.chromium.org/2466553002
Cr-Commit-Position: refs/heads/master@{#40673}
This exposes a couple of broken tests that used to silently throw within
the listener. Mark these as failing for now.
BUG=v8:5330, v8:5581
Review-Url: https://codereview.chromium.org/2460833002
Cr-Commit-Position: refs/heads/master@{#40672}
Using a global proxy (e.g. 'window.f', 'w.f' or 'this.f') is considerably slower than evaluating just 'f'. This CL aims to perform the necessary checks at compile time and inline the accesses.
This is a follow-on CL to crrev.com/2369933005:
- The initial upload is crrev.com/2369933005 + a rebase.
- The remaining issues are the fixes requested by the reviewers on that CL.
BUG=chromium:634276, chromium:654716, chromium:656959
Committed: https://crrev.com/8f43d748272536117008aa6a1b53ea52126261c1
Committed: https://crrev.com/041314524952a3c1bc71bd3beafbbb37319f1d22
Review-Url: https://codereview.chromium.org/2403003002
Cr-Original-Original-Commit-Position: refs/heads/master@{#40153}
Cr-Original-Commit-Position: refs/heads/master@{#40365}
Cr-Commit-Position: refs/heads/master@{#40671}
ZeroConstant is a NumberConstant, so does not get matched
in IntMatchers, which results in missing some opportunities
in instruction selection. Use IntPtrConstant instead, which
generates an Int32Constant or an Int64Constant depending on
the word size.
BUG=
Review-Url: https://codereview.chromium.org/2467473002
Cr-Commit-Position: refs/heads/master@{#40669}
Similar to what crankshaft does, we introduce a mapcheck if necessary and a call to the CallApiCallbackStub.
BUG=
Review-Url: https://codereview.chromium.org/2458643002
Cr-Commit-Position: refs/heads/master@{#40664}
This enables Ignition unconditionally for all code that is destined for
optimization with TurboFan. This ensures all optimization attempts will
go through the BytecodeGraphBuilder and that the AstGraphBuilder pipe is
dried out in practice.
patch from issue 2427953002 at patchset 120001 (http://crrev.com/2427953002#ps120001)
R=mvstanton@chromium.org,rmcilroy@chromium.org
Review-Url: https://codereview.chromium.org/2453973004
Cr-Commit-Position: refs/heads/master@{#40663}
Conflicting type feedback on Load/StoreICs can lead to out-of-bounds
field access, which is essentially dead code, but EscapeAnalysis was
confused about those. For now, mark the objects as escaping in these
cases, middle-term we want to deal better with this kind of compile-
time known dead code.
BUG=chromium:658185,v8:4586
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2459273002
Cr-Commit-Position: refs/heads/master@{#40662}
This patch implements TracingCategoryObserver to set global flag when a V8
specific category is enabled. Previously, we set a global flag each time when we
encounter a top level trace event, and use it as a global check. With this
patch, we can set a group of flags when tracing is enabled; besides, we make
V8 tracing feature use V8 flags instead of defining its own flag in a messy way.
With this patch, whatever V8 flag we want to imply in tracing, we define another
integer flag, and the original V8 flag will set it to 0x01 when passing by
commandline, tracing will set it to 0x10 when we start tracing and reset the bit
when we stop tracing.
Review-Url: https://codereview.chromium.org/2436273002
Cr-Commit-Position: refs/heads/master@{#40659}
These are added to the sampler stack trace when RCS are
enabled.
Resource name for a RCS frame is reported as "V8Runtime".
Counter names match ones from src/counters.h
BUG=chromium:660428
Review-Url: https://codereview.chromium.org/2461003002
Cr-Commit-Position: refs/heads/master@{#40658}
When Chromium and V8 use the same version of inspector_protocol, any protocol change takes at least 4 patches and 3 waiting for rolls.
To simplify this process we need to have two different versions of inspector_protocol in Chromium and V8. Current state of inspector_protocol was extracted into separate repository [1]. This CL puts last version of inspector_protocol into third_party/inspector_protocol and removes dependency on inspector_protocol in Webkit.
[1] https://chromium.googlesource.com/deps/inspector_protocol/
BUG=chromium:637032
R=dgozman@chromium.org
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel
Review-Url: https://codereview.chromium.org/2447323002
Cr-Commit-Position: refs/heads/master@{#40655}
Previously we reset runtime counters and dump them when we enter, exit top level
trace events respectively. However, there is a gap between two top level trace
events and runtime counters may be activated, resetting the counters makes the
accumulated time inaccurate, and we may end up with negative time due to the
nature of how we accumulate time.
This patch fixes this problem by only resetting counters when there's no
counters active, and before dump counters, we traverse current active counters
to calculate their time, and then restart their timer.
BUG=chromium:658145
Review-Url: https://codereview.chromium.org/2457523002
Cr-Commit-Position: refs/heads/master@{#40653}
Reason for revert:
Seems to block rolling:
https://codereview.chromium.org/2447393005/
Original issue's description:
> [heap] Concurrent store buffer processing.
>
> BUG=chromium:648973, chromium:648568
TBR=ulan@chromium.org,mlippautz@chromium.org,hpayer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:648973, chromium:648568
Review-Url: https://codereview.chromium.org/2449853010
Cr-Commit-Position: refs/heads/master@{#40650}
This is useful for things that don't ever change, but we don't want to
eagerly compute the result.
Doing this from the embedder is difficult, using DefineOwnProperty would
read the property to get the property descriptor, creating an endless
recursion.
R=verwaest@chromium.org,haraken@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2449783006
Cr-Commit-Position: refs/heads/master@{#40648}
The order is important for DEFINE_IMPLICATION to ensure transitive
implication: predictable => single_threaded => !concurrent_sweeping.
BUG=5580
Review-Url: https://codereview.chromium.org/2456323002
Cr-Commit-Position: refs/heads/master@{#40644}
The majority of context slot accesses are to the local context (current context
register and depth 0), so this adds bytecodes to optimise for that case.
This cuts down bytecode size by roughly 1% (measured on Octane and Top25).
Review-Url: https://codereview.chromium.org/2459513002
Cr-Commit-Position: refs/heads/master@{#40641}
... because the latter unlike the former records meaningful position.
BUG=
Review-Url: https://codereview.chromium.org/2456193005
Cr-Commit-Position: refs/heads/master@{#40640}
This flag is on by default for now. Whenever heuristics in the compiler
pipeline decide to use Ignition+TurboFan, then {BytecodeGraphBuilder} is
active. Removing the flag reduces maintenance overhead.
R=mvstanton@chromium.org
Review-Url: https://codereview.chromium.org/2437103002
Cr-Commit-Position: refs/heads/master@{#40639}
This CL adds a simple implementation of break and stepping-related functionality
as required by the debug-step.js test. This includes
* stepOver, stepInto, stepOut
* setBreakPoint
* clearBreakPoint
* evaluate
Some of these, e.g. setBreakPoint are not fully implemented for all cases but
only for the ones we need right now.
One interesting result of this is that using the inspector protocol is roughly
14x slower for debug-step.js (14s instead of 0.5s). One cause of this seems to
be iteration over all object properties in toProtocolValue, which is used to
serialize JS objects before being sent over the wire (e.g. FrameMirrors). This
is something that should be fixed at some point. In the meantime, the test now
runs 100 instead of 1000 iterations.
BUG=v8:5530
Review-Url: https://codereview.chromium.org/2447073007
Cr-Commit-Position: refs/heads/master@{#40636}
In the asm.js to wasm pipeline, we generate an entry function with
BUILTIN code, but still attached to a TYPE_NORMAL script.
This fix avoids trying to set a breakpoint there, resulting in a crash
on DCHECK(shared->HasDebugInfo()).
Also add two inspector tests to track regressions.
BUG=v8:5568
R=titzer@chromium.org,mstarzinger@chromium.org
Review-Url: https://codereview.chromium.org/2457433002
Cr-Commit-Position: refs/heads/master@{#40633}
port 7d383be9da (r40608)
original commit message:
For inputs to truncating binary operations like <<, | or >>>, support
all Oddballs not just undefined, true and false. This unifies treatment
of these truncations in Crankshaft and TurboFan, and is very easy
nowadays, since the memory layout of Oddball and HeapNumber is
compatible.
BUG=
Review-Url: https://codereview.chromium.org/2450093007
Cr-Commit-Position: refs/heads/master@{#40632}