The race can happen if:
1) Fixed array A is right before object B in new space
2) A slot in object C located in old space points to object B (old to new remembered set entry is created)
3) Object C becomes unreachable which held the only reference to object B which also becomes unreachable
4) Fixed array A gets right trimmed
5) The sweeper will sweep the last word of object A and object B. It will write the free space map into the last word of object A and a size field in the first word of object B.
6) Pointer updating may observe the size field now because the recored slot points to the start of object B and will confuse it with a forwarding pointer.
Note a similar race may happen with left trimming. Array A points to its backing store, the backing store gets left trimmed by 1 element, and array A dies.
BUG=
Review-Url: https://codereview.chromium.org/2416563002
Cr-Commit-Position: refs/heads/master@{#40218}
This should restore the codeload regression when FLAG_lazy_inner_functions is turned off
BUG=v8:5501
Review-Url: https://codereview.chromium.org/2412483005
Cr-Commit-Position: refs/heads/master@{#40217}
Because of the planned improvements of IC system it does not make sense to
keep the old platform version of the stub around.
Review-Url: https://codereview.chromium.org/2413653003
Cr-Commit-Position: refs/heads/master@{#40216}
If we're parsing a script or based on a SharedFunctionInfo marked as toplevel, we can implicitly set it. Only manually set in the background parsing task where we manually set up ParseInfo.
BUG=v8:5501
Review-Url: https://codereview.chromium.org/2405263003
Cr-Commit-Position: refs/heads/master@{#40215}
This is allocating registers in the function for all inner contexts that can be active in that function, so that nested blocks always have O(1) access to all outer contexts. However, currently it's always walking into nested functions, overallocating the number of registers, causing additional register pressure.
BUG=v8:5484
Review-Url: https://codereview.chromium.org/2408303003
Cr-Commit-Position: refs/heads/master@{#40214}
This CL also introduces a NoBarrierAtomicValue with NoBarrier accessors.
BUG=chromium:648568
Review-Url: https://codereview.chromium.org/2408233004
Cr-Commit-Position: refs/heads/master@{#40213}
Because of the planned improvements of IC system it does not make sense to
keep the old platform version of the stub around.
Review-Url: https://codereview.chromium.org/2418513002
Cr-Commit-Position: refs/heads/master@{#40211}
WordIsSmi, by itself, is not that descriptive, as it just ands a word with the heap object tag. With this change, the MachineGraphVerifier can check that the input to TaggedIsSmi actually has a tagged representation.
This CL also introduces a few bitcast operators in the Smi* macros in the CodeStubAssembler.
R=bmeurer@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2407303002
Cr-Commit-Position: refs/heads/master@{#40209}
The only way to get a minus zero result from subtraction is
(-0) - (+0) = -0, hence checking for minus zero on the RHS is
redundant. This is causing some unnecessary deoptimisations
in Box2D from Octane on 32-bit platforms.
BUG=
Review-Url: https://codereview.chromium.org/2410883003
Cr-Commit-Position: refs/heads/master@{#40207}
This is the next step to unify the Call/Construct feedback collection
and prepare it to be able to collect SharedFunctionInfo feedback. This
also reduces the CallICStub overhead quite a bit since we only need one
stub per mode (and tail call mode), not also one per call arity.
R=mvstanton@chromium.org
BUG=v8:2206
NOTRY=true
Review-Url: https://codereview.chromium.org/2412453005
Cr-Commit-Position: refs/heads/master@{#40206}
For the asm.js to WASM pipeline, the current stack traces only show
low-level WASM information.
This CL maps this back to asm.js source positions.
It does so by attaching the asm.js source Script to the compiled WASM
module, and emitting a delta-encoded table which maps from WASM byte
offsets to positions within that Script. As asm.js code does not throw
exceptions, we only store a mapping for call instructions.
The new AsmJsWasmStackFrame implementation inherits from
WasmStackFrame, but contains the logic to provide the source script and
the position inside of it.
What is still missing is the JSFunction object returned by
CallSite.getFunction(). We currently return null.
R=jgruber@chromium.org, titzer@chromium.org
BUG=v8:4203
Review-Url: https://codereview.chromium.org/2404253002
Cr-Commit-Position: refs/heads/master@{#40205}
If passing <nullptr, 0> to the decoder and trying to decode something,
it correctly detects the error and sets an error message, but still
returns true on ok(), and returns a valid result.
I triggered this error by passing a null Vector, returned by FindSection(), to
the decoder.
R=titzer@chromium.org
Review-Url: https://codereview.chromium.org/2410913002
Cr-Commit-Position: refs/heads/master@{#40204}
We accidently dropped the effect on the floor that we have for the
polymorphic map check in case of array elements access.
BUG=chromium:655004
R=jarin@chromium.org
Review-Url: https://codereview.chromium.org/2411273002
Cr-Commit-Position: refs/heads/master@{#40201}
port 001926cdec (r40163)
original commit message:
In fullcodegen we used to count CallICs as patching ICs, and thus the
heuristics are currently off by the number of calls in a code object.
BUG=
Review-Url: https://codereview.chromium.org/2406373004
Cr-Commit-Position: refs/heads/master@{#40199}
Our minifier (tools/jsmin.py) shortens variable names it comes across.
It generally tries to avoid name conflicts caused by renamed variables,
but cannot handle lambda function syntax.
This is what happens here. Both lambda function parameters 'x' and 'y'
are not recognized as identifiers by the minifier and it thus potentially
causes naming conflicts.
BUG=v8:5505
Review-Url: https://codereview.chromium.org/2412533002
Cr-Commit-Position: refs/heads/master@{#40198}
port 9192db2037 (r40162)
original commit message:
Remove the special side channel from the CallICStub to the
ArrayConstructorStub and make the CallICStub always use the
general entry point.
BUG=
Review-Url: https://codereview.chromium.org/2410083004
Cr-Commit-Position: refs/heads/master@{#40197}
For ConsString, the left hand side must be either sequential or external
if the right hand side is empty.
R=jarin@chromium.org
BUG=chromium:654723
NOTRY=true
Review-Url: https://codereview.chromium.org/2410893003
Cr-Commit-Position: refs/heads/master@{#40192}
The bot currently doesn't work with shared libraries. This
temporarily works around the problem to get the bot green.
BUG=v8:5412
NOTRY=true
TBR=jochen, zhengxing.li, jgruber
Review-Url: https://codereview.chromium.org/2405243002
Cr-Commit-Position: refs/heads/master@{#40191}
This is a re-land of https://codereview.chromium.org/2393303002/ with
an additional call to DisposeModuleEmbedderData() added to fix lsan failures.
Unifies the approaches used for storing the specifier -> module mapping
and the module -> directory mapping, using std::unordered_maps for both
and storing them per-Context.
This requires adding a method to the v8::Module API to get a hash code
for a Module, but allows slimming down the API in return: gone are
SetEmbedderData/GetEmbedderData, along with the fourth argument
to ResolveModuleCallback.
Besides a simpler API, this allows d8 to get closer to the HTML loader,
which requires each Realm to have a persistent module map (though this
capability is not yet exercised by any tests).
BUG=v8:1569
TBR=neis@chromium.org,jochen@chromium.org
Review-Url: https://codereview.chromium.org/2405313002
Cr-Commit-Position: refs/heads/master@{#40186}
Treat allocation of splintered ranges differently, by optimizing for move
counts (i.e. try to have less move counts), rather than optimizing for
quality of moves (which is what normal allocation does).
We can see reductions in code size in the benchmarks that measure it
(e.g. Unity)
BUG=
Review-Url: https://codereview.chromium.org/2347563004
Cr-Commit-Position: refs/heads/master@{#40178}
We'll take expressions like typeof 'hello' and reduce it to 'string'.
Neat! This CL moves the optimization to an explicit reduction
in typed lowering that inserts a constant string, instead of
relying on type matching.
BUG=
Review-Url: https://codereview.chromium.org/2411703002
Cr-Commit-Position: refs/heads/master@{#40175}
We'll stop storing string data in Type objects. At the moment, we have
optimizations that read that string data in typed lowering. Instead,
look at nodes for this data.
R=bmeurer@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2406243002
Cr-Commit-Position: refs/heads/master@{#40173}
The android_arm config is deprecated. We only use the v8 arch
strings.
NOTRY=true
TBR=adamk, caitp
Review-Url: https://codereview.chromium.org/2412513002
Cr-Commit-Position: refs/heads/master@{#40172}
Reason for revert:
Blocks roll:
https://codereview.chromium.org/2406213002/
Original issue's description:
> Speedup access to global_proxy.* attributes/accessors.
>
> Using a global proxy (e.g. 'window.f', 'w.f' or 'this.f') is considerably slower than evaluating just 'f'. This CL aims to perform the necessary checks at compile time and inline the accesses.
>
> This is a follow-on CL to crrev.com/2369933005:
> - The initial upload is crrev.com/2369933005 + a rebase.
> - The remaining issues are the fixes requested by the reviewers on that CL.
>
> BUG=chromium:634276
>
> Committed: https://crrev.com/8f43d748272536117008aa6a1b53ea52126261c1
> Cr-Commit-Position: refs/heads/master@{#40153}
TBR=jochen@chromium.org,verwaest@chromium.org,vogelheim@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:634276
Review-Url: https://codereview.chromium.org/2408133002
Cr-Commit-Position: refs/heads/master@{#40171}
Also include feedback about Oddballs when collecting the type feedback.
For now, Number and NumberOrOddball are collected separately
because crankshaft does not handle NumberOrOddballs consistently.
This should change once we fix crankshaft.
BUG=v8:4280, v8:5400
LOG=N
Committed: https://crrev.com/d5d283b27d406486e2f8d7b44c6d2b3db4f98458
Review-Url: https://codereview.chromium.org/2406843002
Cr-Original-Commit-Position: refs/heads/master@{#40124}
Cr-Commit-Position: refs/heads/master@{#40170}
