Implicit parameters for builtins with JavaScript linkage are now separate, using
the keyword "js-implicit". They have to be one of:
- context: Context
- receiver: Object (this in JS)
- target: JSFunction (arguments.callee in JS)
- newTarget: Object (new.target in JS)
Bug: v8:9120 v8:7793
Change-Id: I916f60971bb53d5046b6006725d0ce39291ca55e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658159
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62174}

- Lower LoadObjectField to LoadFromObject
- Mark LoadFromObject and StoreToObject as non-allocating
- Use optimizable BitcastTaggedSignedToWord in TaggedIsNotSmi check
R=jarin@chromium.org, tebbi@chromium.org
Change-Id: I42992d46597be795aee3702018f7efd93fcc6ebf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657926
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62173}

The CL https://crrev.com/c/1646846 changed column numbers for Wasm
frames in Error.stack traces. Instead of using the offset relative to
the beginning of the function, the absolute offset inside the module
is displayed as hex.
This CL propagates that change to the StackTrace C++ API, so
StackFrame::GetColumn() also returns the absolute offset. Note that the
StackFrame API historically uses "0" to signal "no information", so the
line and column numbers for Wasm frames are also adjusted to 1-based,
even though they signify function index and absolute offset
into the module.
This CL does not touch Script::PositionInfo.column. That field still
contains the offset relative to the function start.
Bug: v8:8742
Change-Id: If4fd37fa681c7ebd0823ce0d95eccc1335c35272
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655300
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62171}

This changes Generate_ContinueToBuiltinHelper to generate code to load
the builtin address directly from the builtins table rather than going
via the executable code in the trampoline's code object.
The set up for Generate_ContinueToBuiltinHelper is changed so that the
builtin index is stored on the stack in place of the builtin Code
object which is no longer needed.
Bug: v8:9338
Change-Id: I83f66af99fb27f131fc39ff426fdca4b1d674b70
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648155
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62170}

Func::type() was broken for functions created with Func::make().
Change-Id: I2867bcf00d9e5c1488165a804598c9ca8081ff25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655648
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62167}

I removed the following entries:
.d8_history - afaict, this does not exist anymore. If it exists, it
would be in the out/ directory and thereby ignored anyways.
/hydrogen.cfg - hydrogen is no more.
/obj - this is now also in the out/ directory.
d8_g - I think this does not exist anymore, or would be in the out/
directory.
shell - If it still exists, it would be in the out/ directory.
shell_g - same here.
NOTRY=true
R=jkummerow@chromium.org
Bug: v8:9183
Change-Id: Iadb8d2533bfdda1190ec3a31a9ca9c199e087fd5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1660468
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62166}

When iterating over the holdings inside the cleanup callback,
we could potentially unregister the weakref which is next or
prev on the key list, causing these checks to be incorrect.
Bug: v8:9360, v8:8179
Change-Id: I53ea12346eb4882b16a82677b64ba2c756d23a1c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658161
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62165}

This CL introduces two usage counters for two CallSite functions in
sloppy mode:
- getFunction()
- getThis()
Chromium CL: https://crrev.com/c/1657902
Bug: v8:8742
Change-Id: I81e8fec48534f5932a72de86d9d21f3b370c66a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657919
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62164}

Port ea4206556
https://crrev.com/c/1651470
Original Commit Message:
API calls made via the CallApiCallback builtin, which is used from the
ICs and optimized code, are currently misattributed to the wrong counter
InvokeFunctionCallback instead of FunctionCallback. In addition we don't
use the C trampoline when only runtime call stats are enabled, but the
Chrome DevTools profiler is not active, which means that these calls
will not be attributed properly at all, and that had to be worked around
using all kinds of tricks (i.e. disabling fast-paths in ICs when RCS is
active and not inlining calls/property accesses into optimized code
depending on the state of RCS).
All of this was really brittle and only due to the fact that the central
builtin didn't properly check for RCS (in addition to checking for the
CDT profiler). With this fix it's now handled in a central place and
attributed to the correct category, so user code doesn't need to worry
about RCS anymore and can just call straight into the fast-path.
core hand-written native code with the API callback logic.
Change-Id: I6bcc8c4d7f4642381803a8b6c8282ceb8f3d056c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1659988
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62163}

Zircon VMOs are now created non-resizeable by default. This family of
flags is now a no-op and they will soon be removed.
Bug: chromium:973981
Change-Id: I99b5a18b9744e32ebb3f33f1a848ee9b5c51eb0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1659568
Commit-Queue: Fabrice de Gans-Riberi <fdegans@chromium.org>
Commit-Queue: Wez <wez@chromium.org>
Auto-Submit: Fabrice de Gans-Riberi <fdegans@chromium.org>
Reviewed-by: Wez <wez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62159}

Disable bytecode flushing for test as it messes up lazy source
positions and the flags aren't representative anyway.
Bug: v8:8510
Change-Id: I6d5bc8dcd174a9bfc48f682518e6c62d79acb691
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658152
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62155}

This is a reland of 811bfbbc56
Original change's description:
> [regexp] Move AST-to-Node code to a dedicated file
>
> Prior to this CL, jsregexp contains a bunch of things that are slightly
> related but would be cleaner in separate files, including: AST-to-Node
> transformations, the compiler implementation, and a debugging printer.
>
> This CL extracts AST-to-Node transformations.
>
> Bug: v8:9359
> Change-Id: I030cfca5c40cfd72e3a7abe2188e4654cfe2277c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655303
> Auto-Submit: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62148}
Tbr: yangguo@chromium.org
Bug: v8:9359
Change-Id: I68a16086dc56c9a059547033ca8bc1e9de1080db
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658568
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62154}

Include API-instantiated functions in the definition of Callable so
that PromiseReactionJobTask::handler can verify correctly. Also make
Callable verification stricter regarding JSProxy instances: they must
have the callable bit set.
Also update test-weak-references to use a different object type, since
FeedbackVector::optimized_code_weak_or_smi should never point to a
FixedArray.
Bug: v8:9311
Change-Id: I4242df993e381a75f5b53302fee8fd2b12e96d34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1650563
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62153}

The store element handlers don't check if the array length is writable
before updating the length. Since this is not expected to be a common
case, there is no need to handle this in the element handlers. Just
moving to megamorphic would be sufficient.
Bug: chromium:967104
Change-Id: I7a7f9ea768266b9ffd6289328d61d2297d455619
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658154
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62152}

Since TurboAssembler::CallBuiltinPointer actually takes the
builtin_index as input, rename the function to CallBuiltinByIndex.
Bug: v8:9183
Change-Id: I4958d96f18a48a2ec91525d80d597a35e45d5989
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657915
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62151}

With this flag enabled, some statistics about the oldspace's freelists
(and free/used spaced in general) are printed before and after each
major garbage collection.
It is useful to get some intuition about fragmentation and debug
freelists. (This flag helped me track down the issues fixed by CLs
1647162 and 1648476)
Additionally, the verbose version (FLAG_trace_gc_freelists_verbose)
prints the freelists of each page of old_space.
Bug: v8:9329
Change-Id: Ifa80426bf9d97ac9950459154507a585b039326d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655302
Commit-Queue: Darius Mercadier <dmercadier@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62150}

This reverts commit 811bfbbc56.
Reason for revert: Breaks noi18n build (https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20noi18n%20-%20debug/27201)
Original change's description:
> [regexp] Move AST-to-Node code to a dedicated file
>
> Prior to this CL, jsregexp contains a bunch of things that are slightly
> related but would be cleaner in separate files, including: AST-to-Node
> transformations, the compiler implementation, and a debugging printer.
>
> This CL extracts AST-to-Node transformations.
>
> Bug: v8:9359
> Change-Id: I030cfca5c40cfd72e3a7abe2188e4654cfe2277c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655303
> Auto-Submit: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62148}
TBR=yangguo@chromium.org,jgruber@chromium.org,petermarshall@chromium.org
Change-Id: I079e15b02d73d81aef806992f324f08d7008e367
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9359
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658160
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62149}

Prior to this CL, jsregexp contains a bunch of things that are slightly
related but would be cleaner in separate files, including: AST-to-Node
transformations, the compiler implementation, and a debugging printer.
This CL extracts AST-to-Node transformations.
Bug: v8:9359
Change-Id: I030cfca5c40cfd72e3a7abe2188e4654cfe2277c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655303
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62148}

This is a first step in eliminating heap access from a bevy of promise
reductions in js-call-reducer.cc. We begin by recognizing calls to
the affected builtins at serialization time, then serializing what
data is necessary.
Bug: v8:7790
Change-Id: Iaa1581eee730e8d3610a97c71eed635f77029455
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657921
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62146}

Previously, the handle's location was used as a proxy for the heap
object, i.e, we put the handle into the constant pool, to avoid the
need for GC visiting the constant pool entries during code generation.
The handle locations are replaced by the corresponding heap object
when the code is copied to the heap.
This CL changes the handling in the assembler: Instead of putting
in the handle location (which is a machine word) we put in a small
index number into a table. This will be useful for putting 32bit
constants into the constant pool.
This new approach also has the advantage that ordering the
constant pool entries by value produces a deterministic order
after this change.
Change-Id: Id47d56d487a0b64d1d1504a47937c8779ee02b13
Bug: v8:7703
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1648094
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62144}

Refactor-only, this moves interrupt scopes and stack guard code into
their own dedicated files.
Change-Id: I5723a04786a04bba31a0da54622f3cd0b926ef07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655288
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62141}

{V8 Linux 64 - pointer compression} builder uploads dchecks enabled builds.
This CL creates a new builder that compiles V8 without dchecks enabled.
This CL uses the inverted naming predicate {without dchecks} to avoid renaming
the existing builder to {with dchecks} to avoid doing renames over multiple
repositories for a temporary builder that we'll remove after the ptr compression
merge to master.
R=sergiyb@chromium.org
CC=machenbach@chromium.org
Bug: v8:9345
Change-Id: I9e8cc1a9eb59325fd8eecc8fdcd2778b4da005c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657922
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Sergiy Belozorov <sergiyb@chromium.org>
Auto-Submit: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Sergiy Belozorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62140}

As shown in the commit description of https://crrev.com/c/1619763, the JSON
format was supposed to refer to a list of "spaces" and not "pages"; this was a
typo.
Bug: v8:9186
Change-Id: I1a674dac8af4b27b7ee46041e8c7a533bad8e68b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657917
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#62139}

This check shouldn't have been there. Even with lazy feedback allocation
we still transition to pre-monomorphic from uninitialized. We could
remove pre-monomorphic states with lazy-feedback allocation but that
requires changes at several other places.
Change-Id: I8f878a83f0fe3200eb530a34a74811639dcdc153
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1634920
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62138}

Swap bits between bitfield2 and bitfield3 so that bitfield2 doesn't change
across named property transitions. This will allow us to share bf1/bf2 through
the descriptor array.
Change-Id: I3579ae89189ae0729cd492db1afb29cf90981f6a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1657908
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62134}

This is a reland of 823795fc2b, the reason
for the revert was flushing out a bug that was now fixed independently in
https://chromium-review.googlesource.com/c/v8/v8/+/1655307
Drive-by-fix: Correct wrong offset in CloneObjectIC fast-path.
Original change's description:
> [ic] Fix typo in Runtime_CloneObjectIC_Miss.
>
> https://chromium-review.googlesource.com/1649554 introduced a typo into
> Runtime_CloneObjectIC_Miss, where it wouldn't update the IC state UNLESS
> the source map is deprecated, which is the wrong way around of course.
>
> Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343
> Change-Id: I7d6e0709e66ce4aaaf4a628d64ab801b84c8993c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655291
> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62106}
Bug: chromium:973045, v8:7611, v8:9114, v8:9183, v8:9343
Change-Id: I763d9eeab95043bed3bc4849fc3ddcda7787169a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1655651
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62133}

StackGuard::HandleInterrupts used to take a lock for testing and
clearing each individual interrupt bit. This CL changes that to a
single read up front.
Slight behavioral changes:
1. A TERMINATE_EXECUTION interrupt is now handled first; we
immediately exit and preserve all other interrupts (in case V8 is
later resumed).
2. Since interrupts are read once, it is no longer possible to request
an interrupt *within* HandleInterrupts that will later be processed
within the same HandleInterrupts call.
3. Stack limits are reset immediately after reading the interrupt
bits, and prior to actually processing the interrupts.
Bug: v8:9328
Change-Id: I3048bb413213d11307df49e0014b64a2b43444e0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1653115
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62132}