port 7798548a8f (r28260)
original commit message:
typeof was implemented as a runtime function. Calling it in
optimized code with a non-constant input becomes burdensome.
BUG=
Review URL: https://codereview.chromium.org/1124263005
Cr-Commit-Position: refs/heads/master@{#28279}
port 06a792b7cc (r28263).
original commit message:
Make the parser handle references to "this" as unresolved variables, so the
same logic as for the rest of function parameters is used for the receiver.
Minor additions to the code generation handle copying the receiver to the
context, along with the rest of the function parameters.
Based on work by Adrian Perez de Castro <aperez@igalia.com>
BUG=
Review URL: https://codereview.chromium.org/1124393002
Cr-Commit-Position: refs/heads/master@{#28278}
The Hydrogen representation for binops was never changed to care about the
language mode. We thought this was ok, but it turns out we need to keep track
of it to make sure inlining doesn't mess with the "strongness" of binops.
Also added more rigorous inlining testing.
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1123043002
Cr-Commit-Position: refs/heads/master@{#28253}
port cf53fed972 (r28242).
original commit message:
ArgumentsAdaptorStub for derived constructor (the one that needs
new.target) works in this way:
- If the constructor is invoked via the Construct stub, we know that
actual arguments always include new.target. ``arguments`` object
however should not include a new.target, therefore we remove it.
We achieve this by decrementing the argument count.
- If the constructor is invoked as a call, we do not care for a correct
``arguments`` array since the constructor will immediately throw on
entrance.
The bug is that the call could actually pass 0 actual arguments, but I
decrement unconditionally :(. The fix is to detect this case and avoid
decrementing. ``arguments`` is bogus, but it is ok as constructor
throws.
Long-term we should just remove mucking about with arguments for
new.target and just get it from the stack.
BUG=
Review URL: https://codereview.chromium.org/1124063002
Cr-Commit-Position: refs/heads/master@{#28246}
When comparing a symbol to itself using <, <=, > or >= we need to
throw a TypeError. This is correctly handled in the runtime function
so if we are comparing a symbol fall back to use the runtime.
BUG=v8:4073
LOG=Y
R=rossberg@chromium.org
Review URL: https://codereview.chromium.org/1125783002
Cr-Commit-Position: refs/heads/master@{#28226}
port 83a0af5500 (r28165).
original commit message:
VectorICs: built-in function apply should use an IC.
Handled a TODO that sent builtin function apply to the runtime on property get.
BUG=
Review URL: https://codereview.chromium.org/1119263002
Cr-Commit-Position: refs/heads/master@{#28189}
Just give internal ones an ArrayBuffer with a NULL backing store. This
simplifies the access checks a lot.
BUG=v8:3996
R=hpayer@chromium.org,verwaest@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1109353003
Cr-Commit-Position: refs/heads/master@{#28168}
An initial 'code age' state that will turn into a 'pre-aging' code age only after it was executed the first time.
BUG=470930
LOG=Y
Review URL: https://codereview.chromium.org/1107233004
Cr-Commit-Position: refs/heads/master@{#28162}
port caeb9004f0 (r28056)
original commit message:
If the array's map is the initial FastHoley array map, and the array prototype
chain is undisturbed and empty of elements, then keyed loads can convert the
load of a hole to undefined.
BUG=
Review URL: https://codereview.chromium.org/1104073003
Cr-Commit-Position: refs/heads/master@{#28128}
Implements the strong mode proposal's restrictions on
implicit conversions for binary arithmetic operations, not
including the + special case. Adds some infrastructure
for future implementation of the restrictions for other
operators.
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1092353002
Cr-Commit-Position: refs/heads/master@{#28045}
port 13459c1ae3 (r27857)
original commit message:
Array() in optimized code can create with wrong ElementsKind in corner cases.
Calling new Array(JSObject::kInitialMaxFastElementArray) in optimized code
makes a stub call that bails out due to the length. Currently, the bailout
code a) doesn't have the allocation site, and b) wouldn't use it if it did
because the length is perceived to be too high.
This CL passes the allocation site to the stub call (rather than undefined),
and alters the bailout code to utilize the feedback.
BUG=
Review URL: https://codereview.chromium.org/1088423002
Cr-Commit-Position: refs/heads/master@{#27875}
This adds a missing bailout id to a ForInStatement for when retrieving
and filtering a property name deoptimizes. This can happen with proxies
that have a getPropertyDescriptor trap.
R=jarin@chromium.org
TEST=mjsunit/for-in-opt
Review URL: https://codereview.chromium.org/1086083002
Cr-Commit-Position: refs/heads/master@{#27846}
port e0844a24d3 (r27793).
original commit message:
These options were added for a hydrogen code stub version of
the VectorIC dispatcher, which was discontinued.
BUG=
Review URL: https://codereview.chromium.org/1087573003
Cr-Commit-Position: refs/heads/master@{#27802}
The assembler code generated by the DeoptimizeIf(...) function under X87 is larger
and the distance between the link point and the bind point which has two DeoptimizeIf()
is larger than near link distance (127) for labels.
BUG=
Review URL: https://codereview.chromium.org/1065893003
Cr-Commit-Position: refs/heads/master@{#27801}
port 2d281e71ac (r27633)
original commit message:
Make --always-opt also optimize top-level code.
This enables eager optimization of top-level code with TurboFan and
extends test coverage by triggering it with the --always-opt flag.
Script contexts are now also properly allocated in TurboFan.
BUG=
Review URL: https://codereview.chromium.org/1077523002
Cr-Commit-Position: refs/heads/master@{#27693}
Reason for revert:
Revert the revert as this commit cannot be the cause for the closed tree.
Original issue's description:
> Revert of X87: Reimplement Maps and Sets in JS (patchset #1 id:1 of https://codereview.chromium.org/1066373002/)
>
> Reason for revert:
> Reverting as it resulted in a closed waterfall.
>
> Original issue's description:
> > X87: Reimplement Maps and Sets in JS
> >
> > port 909500aa1d (r27605)
> >
> > original commit message:
> > Previously, the only optimized code path for Maps and Sets was for String keys.
> > This was achieved through an implementation of various complex operations
> > in Hydrogen. This approach was neither scalable nor forward-compatible.
> >
> > This patch adds the necessary intrinsics to implement Maps and Sets almost entirely
> > in JS. The added intrinsics are:
> >
> > %_FixedArrayGet
> > %_FixedArraySet
> > %_TheHole
> > %_JSCollectionGetTable
> > %_StringGetRawHashField
> >
> > With these additions, as well as a few changes to what's exposed as runtime functions,
> > most of the C++ code backing Maps and Sets is gone (including both runtime code in
> > objects.cc and Crankshaft in hydrogen.cc).
> >
> > BUG=
> >
> > Committed: https://crrev.com/56600a35a49ffa5abcba66b14839089de3589ad9
> > Cr-Commit-Position: refs/heads/master@{#27681}
>
> TBR=weiliang.lin@intel.com,chunyang.dai@intel.com
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=
>
> Committed: https://crrev.com/a0486f128109443ed07802fb463c267e53533d81
> Cr-Commit-Position: refs/heads/master@{#27682}
TBR=weiliang.lin@intel.com,chunyang.dai@intel.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review URL: https://codereview.chromium.org/1077543002
Cr-Commit-Position: refs/heads/master@{#27685}
port 146598f44a (r27614)
original commit message:
Optimistically pushing a lot of arguments can run into the stack limit of the
process, at least on operating systems where this limit is close to the limit
that V8 sets for itself.
BUG=
Review URL: https://codereview.chromium.org/1069283002
Cr-Commit-Position: refs/heads/master@{#27684}
Reason for revert:
Reverting as it resulted in a closed waterfall.
Original issue's description:
> X87: Reimplement Maps and Sets in JS
>
> port 909500aa1d (r27605)
>
> original commit message:
> Previously, the only optimized code path for Maps and Sets was for String keys.
> This was achieved through an implementation of various complex operations
> in Hydrogen. This approach was neither scalable nor forward-compatible.
>
> This patch adds the necessary intrinsics to implement Maps and Sets almost entirely
> in JS. The added intrinsics are:
>
> %_FixedArrayGet
> %_FixedArraySet
> %_TheHole
> %_JSCollectionGetTable
> %_StringGetRawHashField
>
> With these additions, as well as a few changes to what's exposed as runtime functions,
> most of the C++ code backing Maps and Sets is gone (including both runtime code in
> objects.cc and Crankshaft in hydrogen.cc).
>
> BUG=
>
> Committed: https://crrev.com/56600a35a49ffa5abcba66b14839089de3589ad9
> Cr-Commit-Position: refs/heads/master@{#27681}
TBR=weiliang.lin@intel.com,chunyang.dai@intel.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review URL: https://codereview.chromium.org/1073723002
Cr-Commit-Position: refs/heads/master@{#27682}
port 909500aa1d (r27605)
original commit message:
Previously, the only optimized code path for Maps and Sets was for String keys.
This was achieved through an implementation of various complex operations
in Hydrogen. This approach was neither scalable nor forward-compatible.
This patch adds the necessary intrinsics to implement Maps and Sets almost entirely
in JS. The added intrinsics are:
%_FixedArrayGet
%_FixedArraySet
%_TheHole
%_JSCollectionGetTable
%_StringGetRawHashField
With these additions, as well as a few changes to what's exposed as runtime functions,
most of the C++ code backing Maps and Sets is gone (including both runtime code in
objects.cc and Crankshaft in hydrogen.cc).
BUG=
Review URL: https://codereview.chromium.org/1066373002
Cr-Commit-Position: refs/heads/master@{#27681}
port 16ee55097a (r27536)
original commit message:
Generate common StoreFastElementStubs ahead of time
BUG=
Review URL: https://codereview.chromium.org/1052413002
Cr-Commit-Position: refs/heads/master@{#27597}
port 7c347c545e (r27511)
original commit message:
A bug allows JSObject literals with elements to have the elements in the
boilerplate modified.
BUG=
Review URL: https://codereview.chromium.org/1057883004
Cr-Commit-Position: refs/heads/master@{#27595}
The original code will not update the IC info if one of the parameters is SMI. It cannot handle Number + Smi.
BUG=
Review URL: https://codereview.chromium.org/1056663005
Cr-Commit-Position: refs/heads/master@{#27583}
port 38a719f965 (r27440)
original commit message:
This switches full-codegen to no longer push and pop StackHandler
markers onto the operand stack, but relies on a range-based handler
table instead. We only use StackHandlers in JSEntryStubs to mark the
transition from C to JS code.
Note that this makes deoptimization and OSR from within any try-block
work out of the box, makes the non-exception paths faster and should
overall be neutral on the memory footprint (pros).
On the other hand it makes the exception paths slower and actually
throwing an exception more expensive (cons).
BUG=
Review URL: https://codereview.chromium.org/1030283003
Cr-Commit-Position: refs/heads/master@{#27478}
port 6689cc27eb (r27377)
original commit message:
Handlers should be in charge of this work. The change uncovered a bug in
vector-ics related to keyed loads into strings. It's important for
StringCharCodeAtGenerator, a helper used in full code and in
LoadIndexedStringStub (a handler) to protect the vector and slot registers
when it makes a runtime call to convert a HeapNumber to a Smi.
It's still possible for the handler to MISS after this call, perhaps due
to out of bounds access. In that case, the vector and slot registers need
to be delivered safely to the MISS handler.
BUG=
Review URL: https://codereview.chromium.org/1033733005
Cr-Commit-Position: refs/heads/master@{#27461}
port e18e3cd4d8 (r27305)
original commit message:
[stubs] Add missing interface descriptor for the CompareIC.
BUG=
Review URL: https://codereview.chromium.org/1024553007
Cr-Commit-Position: refs/heads/master@{#27397}
port 16c8485a35 (r27269).
original commit message:
Replaces StoreGlobalCell / LoadGlobalCell with NamedField variants that use write barriers.
BUG=
Review URL: https://codereview.chromium.org/1013543004
Cr-Commit-Position: refs/heads/master@{#27395}
port 34a1a76ddf (r27235)
original commit message:
A hydrogen code stub is not the best approach because it builds a frame
and doesn't have the technology to discard roots at tail call exits.
Platform-specific stubs provide much better performance at this point.
BUG=
Review URL: https://codereview.chromium.org/1025073005
Cr-Commit-Position: refs/heads/master@{#27394}
port 15f8213809 (r27263)
original commit message:
This relands commit 96f79568a9.
This makes the Isolate::Throw logic not depend on a prediction of
whether an exception is caught or uncaught. Such a prediction is
inherently undecidable because a finally block can decide between
consuming or re-throwing an exception depending on arbitrary control
flow.
There still is a conservative prediction mechanism in place that
components like the debugger or tracing can use for reporting.
With this change we can get rid of the StackHandler::kind field, a
pre-requisite to do table-based lookups of exception handlers.
BUG=
Review URL: https://codereview.chromium.org/1027413002
Cr-Commit-Position: refs/heads/master@{#27385}