This is exactly what it looks like. A temporary hack that ensures we
can make forward progress with the JSInliner despite other components
have a hard time picking the correct zone. This hack is a hack!
R=bmeurer@chromium.org,jarin@chromium.org
Review URL: https://codereview.chromium.org/1410963003
Cr-Commit-Position: refs/heads/master@{#31380}
Separately collect element keys from property keys to avoid slow
corner-cases. Partly deal with keys generated by Proxies.
BUG=chromium:536790
LOG=N
Review URL: https://codereview.chromium.org/1397063002
Cr-Commit-Position: refs/heads/master@{#31378}
This adds a test case that ensures calling Debug.scripts without any
listener attached fails gracefully. For now we are throwing the string
"illegal access", this might change in the future to be a dedicated
exception.
R=yangguo@chromium.org
TEST=mjsunit/debug-scripts-throw
Review URL: https://codereview.chromium.org/1411193002
Cr-Commit-Position: refs/heads/master@{#31377}
This fixes a small inconsistency when the accessor is on a prototype,
because the property access has to respect the holder (and not always go
to the receiver unconditionally).
R=jarin@chromium.org
BUG=v8:4470
LOG=n
Review URL: https://codereview.chromium.org/1409273005
Cr-Commit-Position: refs/heads/master@{#31375}
Reason for revert:
[Sheriff] Breaks vector stores:
http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20debug%20-%20vector%20stores/builds/536
Original issue's description:
> Always give class literals a block scope
>
> Class methods always have the class scope on their scope chain in order
> to implement strong mode checks. Previously, that scope wasn't attached
> to the ClassLiteral for anonymous classes (since the scope contained
> no bindings).
>
> This patch simply puts that same scope on the ClassLiteral, anonymous
> or not, which simplifies other code that needs to reason about the scope
> of a class and its methods.
>
> Committed: https://crrev.com/cf13dda1ba25e8293ea143f33c6c5f6233a39c86
> Cr-Commit-Position: refs/heads/master@{#31371}
TBR=mstarzinger@chromium.org,adamk@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1416583002
Cr-Commit-Position: refs/heads/master@{#31373}
Class methods always have the class scope on their scope chain in order
to implement strong mode checks. Previously, that scope wasn't attached
to the ClassLiteral for anonymous classes (since the scope contained
no bindings).
This patch simply puts that same scope on the ClassLiteral, anonymous
or not, which simplifies other code that needs to reason about the scope
of a class and its methods.
Review URL: https://codereview.chromium.org/1413903002
Cr-Commit-Position: refs/heads/master@{#31371}
This adds support to also optimize loads from special JSObject field
accessors, like String::length and JSArray::length.
R=jarin@chromium.org
BUG=v8:4470
LOG=n
Review URL: https://codereview.chromium.org/1417503002
Cr-Commit-Position: refs/heads/master@{#31365}
The test suite is ran in 60% of the bots anyway and the
step is very short. For swarming, it's better to run this
together in one step as each step triggers a different bot.
BUG=chromium:535160
LOG=n
NOTRY=true
Review URL: https://codereview.chromium.org/1413023002
Cr-Commit-Position: refs/heads/master@{#31360}
Use %_ToLength for TO_LENGTH, implemented via a ToLengthStub
that supports a fast path for small integers. Everything else is still
handled in the runtime.
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
BUG=v8:4494
LOG=n
Review URL: https://codereview.chromium.org/1412963002
Cr-Commit-Position: refs/heads/master@{#31358}
This removes all locally constructed SimplifiedOperatorBuilder instances
and uses the one passed along the JSGraph. It ensures that the correct
zone is used to allocate operators, no matter where the reducer is used.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1410003002
Cr-Commit-Position: refs/heads/master@{#31355}
The typer can infer true/false for ObjectIsSmi if the argument has a
fixed/known representation (i.e. is either known to be smi or heap
object).
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1412673003
Cr-Commit-Position: refs/heads/master@{#31354}
This introduces an explicit lazy bailout. It is wrapped in the call
node, mostly because the lazy deoptimization processing is married
to the call processing in the instruction selector and the code generator.
It is still a terrible hack.
R=bmeurer@chromium.org,mstarzinger@chromium.org
BUG=chromium:543994,v8:4195
LOG=n
Review URL: https://codereview.chromium.org/1412443003
Cr-Commit-Position: refs/heads/master@{#31353}
Native context specialization now lowers monomorphic and
polymorphic accesses to data and constant data properties on
object and/or prototype chain. We don't deal with accessors
yet, and we also completely ignore proxies (which is compatible
with what Crankshaft does).
The code is more or less the straightforward implementation. We
will need to refactor that and extract common patterns once the
remaining bits for full load/store support is in.
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=jarin@chromium.org
BUG=v8:4470
LOG=n
Committed: https://crrev.com/3a0bf860b7177f7abef01ff308a53603389d958e
Cr-Commit-Position: refs/heads/master@{#31340}
Review URL: https://codereview.chromium.org/1396333010
Cr-Commit-Position: refs/heads/master@{#31352}
Removes a branch that checks for a condition that has been checked on dominators of the branch.
This introduces a new reducer that propagates the list of checked conditions (and their boolean values) through the control flow graph. If it encounters a branch checking a condition with a known value, the branch is eliminated.
The analysis relies on loops being reducible: if a condition has been checked on all paths to loop entry, then it is checked in the loop (regardless what of the conditions checked inside the loop).
The implementation is fairly naive and could be improved:
- all the operation on the condition lists could be made allocation-free when revisited.
- we could try to use a map structure rather than a linked list (to make
lookups faster).
- the merging of control flow could be changed to take into account
conditions from non-dominating paths (as long as all paths check
the condition).
Review URL: https://codereview.chromium.org/1376293005
Cr-Commit-Position: refs/heads/master@{#31347}
Adds support for local context loads and stores. Also adds support for
creation of new block contexts (e.g., for let variables) and initializing
const / let variables with the hole appropriately.
Also adds some checks to ensure BytecodeArrayBuilder::context_count is set
appropriately and fixes tests to do so.
Adds the bytecode StaContextSlot.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1403943004
Cr-Commit-Position: refs/heads/master@{#31343}
Adds basic support for iterating interpreter stack frames for GC. Currently
InterpreterStackFrames are treated just like JavaScriptStackFrames since the
JavaScriptFrame::IterateExpressions() will correctly iterate over all the
local / temp interpeter Registers, and will iterate over the
interpreter_entry_trampoline pc address. There is no need to explicitly
iterate over the BytecodeArray object since that is held in a machine
register in the bytecode handler which is marked as kMachTaggedAny by
TurboFan, and so will get iterated appropriately when iterating the
bytecode handler stub's stack frame.
BUG=v8:4280
LOG=N
Review URL: https://codereview.chromium.org/1407513003
Cr-Commit-Position: refs/heads/master@{#31342}
Reason for revert:
Waterfall redness.
Original issue's description:
> [turbofan] Initial support for monomorphic/polymorphic property loads.
>
> Native context specialization now lowers monomorphic and
> polymorphic accesses to data and constant data properties on
> object and/or prototype chain. We don't deal with accessors
> yet, and we also completely ignore proxies (which is compatible
> with what Crankshaft does).
>
> The code is more or less the straightforward implementation. We
> will need to refactor that and extract common patterns once the
> remaining bits for full load/store support is in.
>
> CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
> R=jarin@chromium.org
> BUG=v8:4470
> LOG=n
>
> Committed: https://crrev.com/3a0bf860b7177f7abef01ff308a53603389d958e
> Cr-Commit-Position: refs/heads/master@{#31340}
TBR=bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4470
Review URL: https://codereview.chromium.org/1408123002
Cr-Commit-Position: refs/heads/master@{#31341}
Native context specialization now lowers monomorphic and
polymorphic accesses to data and constant data properties on
object and/or prototype chain. We don't deal with accessors
yet, and we also completely ignore proxies (which is compatible
with what Crankshaft does).
The code is more or less the straightforward implementation. We
will need to refactor that and extract common patterns once the
remaining bits for full load/store support is in.
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=jarin@chromium.org
BUG=v8:4470
LOG=n
Review URL: https://codereview.chromium.org/1396333010
Cr-Commit-Position: refs/heads/master@{#31340}
This fixes the lifetime of nodes created by JSGlobalSpecialization that
contain a simplified operator. In the case where this reducer runs as
part of the inliner, the SimplifiedOperatorBuilder was instantiated with
the wrong zone. This led to use-after-free of simplified operators.
To avoid such situations in the future, we decided to move this operator
builder into the JSGraph and make the situation uniform with all other
operator builders.
R=bmeurer@chromium.org
BUG=chromium:543528
LOG=n
Review URL: https://codereview.chromium.org/1409993002
Cr-Commit-Position: refs/heads/master@{#31334}
To be useful for narrowing down bugs, --hydrogen-filter shouldn't prevent any
inlining that the function(s) being allowed to get optimized want(s) to do.
Free bonus content in this CL: support FLAG_stop_at in lithium-codegen-arm64,
copied from full-codegen-arm64.
Review URL: https://codereview.chromium.org/1407043004
Cr-Commit-Position: refs/heads/master@{#31333}
Reason for revert:
Failing: https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/2115
Original issue's description:
> Reland of "[heap] Divide available memory upon compaction tasks"
>
> This reverts commit ec1046f9f8.
>
> Original message:
>
> [heap] Divide available memory upon compaction tasks
> - Fairly (round-robin) divide available memory upon compaction tasks.
> - Ensure an upper limit (of memory) since dividing is O(n) for n free-space
> nodes.
> - Refill from free lists managed by sweeper once a compaction space becomes
> empty.
>
> Assumption for dividing memory: Memory in the free lists is sparse upon starting
> compaction (which means that only few nodes are available), except for memory
> reducer GCs, which happen in idle time though (so it's less of a problem).
>
> BUG=chromium:524425
> LOG=N
>
> Committed: https://crrev.com/a805be73f6f97645450124f75c0f7417ec7b3e70
> Cr-Commit-Position: refs/heads/master@{#31329}
TBR=hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425
Review URL: https://codereview.chromium.org/1412643002
Cr-Commit-Position: refs/heads/master@{#31332}