Note that prior to having canonical shared function infos, this has
been a source of duplicate shared function infos.
R=bmeurer@chromium.org
BUG=chromium:504787
LOG=N
Review URL: https://codereview.chromium.org/1209383002
Cr-Commit-Position: refs/heads/master@{#29326}
This allows context-independent code generated by TurboFan to be cached
in the optimized code map and reused across native contexts. Note that
currently this cache is still flushed at GC time.
R=bmeurer@chromium.org,mvstanton@chromium.org
TEST=cctest/test-compiler/OptimizedCodeSharing
Review URL: https://codereview.chromium.org/1208013002
Cr-Commit-Position: refs/heads/master@{#29313}
This will enable tail call optimization even across inlining. Plus it
might enable some other interesting optimizations as well. In order to
avoid blowing up the generated code, we can still canonicalize the
epilogue in the CodeGenerator, similar to what fullcodegen does.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1215623002
Cr-Commit-Position: refs/heads/master@{#29311}
The issue is that Worker.prototype.terminate was deleting the C++ Worker
object, and then Worker.prototype.getMessage was trying to read messages from
the queue.
The simplest solution is to keep workers in a zombie state when they have been
terminated. They won't be reaped until Shell::CleanupWorkers is called.
I've also fixed some threading issues with Workers:
* Workers can be created by another Worker, so the Shell::workers_ variable
must be protected by a mutex.
* An individual Worker can typically only be accessed by the isolate that
created it, but the main thread can always terminate it, so the Worker::state_
must be accessed in a thread-safe way.
BUG=chromium:504136
R=jochen@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1208733002
Cr-Commit-Position: refs/heads/master@{#29306}
We need to do the ToName before the ToObject.
BUG=v8:4229
LOG=N
R=adamk
Review URL: https://codereview.chromium.org/1211663002
Cr-Commit-Position: refs/heads/master@{#29272}
If the replacer array contains a number wrapper we should use the
toString result and not valueOf.
BUG=v8:4228
LOG=N
R=adamk
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1207013002
Cr-Commit-Position: refs/heads/master@{#29270}
The i18n.js code was calling a lot of methods, which might have been
removed or replaced by user code.
Make sure we use the original functions.
BUG=v8:4220
LOG=N
R=adamk, littledan
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1199813004
Cr-Commit-Position: refs/heads/master@{#29268}
Shell::SerializeValue was using a HandleScope, but was also storing Handles in
an ObjectList. The ObjectList handles would persist after the function had
returned, but will have already been destroyed by the HandleScope, so there is
a use-after-free.
This change removes the HandleScope in Shell::SerializeValue and relies on the
caller's HandleScope.
BUG=chromium:503968
R=jochen@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1211433003
Cr-Commit-Position: refs/heads/master@{#29265}
If we do not clear next links during serialization, the
serializer would simply follow those links and serialize
arbitrary objects held by weak cells. This breaks the
invariant in the code serializer, which crashes if it
sees context-dependent objects.
R=ulan@chromium.org
BUG=chromium:503552
LOG=Y
Review URL: https://codereview.chromium.org/1203973002
Cr-Commit-Position: refs/heads/master@{#29255}
This fixes a slight inconsistency in the InstructionSelector that
basically disabled the optimization for things like ObjectIsSmi.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1206773002
Cr-Commit-Position: refs/heads/master@{#29250}
- Thread Type::FunctionType through stubs and the TF pipeline.
- Augment Typer to decorate parameter nodes with types from
a Type::FunctionType associated with interface descriptors.
- Factor interface descriptors into platform-specific and
platform-independent components so that all descriptors share
a common Type::FunctionType for all platforms.
Review URL: https://codereview.chromium.org/1197703002
Cr-Commit-Position: refs/heads/master@{#29248}
We used to call toString as a method which is not safe.
BUG=v8:4225
LOG=Y
R=adamk, littledan
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1200033003
Cr-Commit-Position: refs/heads/master@{#29242}
Speculative revert in the hopes of fixing serializer crashes seen in canary.
This reverts commit c166945083, as well as
followup change "Do not look for existing shared function info when compiling a new script."
(commit 7c43967bb7).
BUG=chromium:503552,v8:4132
TBR=yangguo@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1207583002
Cr-Commit-Position: refs/heads/master@{#29241}
Map: get, set, has, delete, clear
Set: add, has, delete, clear
All except clear are implemented as calls into collection.js.
Note that some of these shadow methods of v8::Object. It's unclear
how confusing that's going to be: on the one hand, it seems likely
that most operations you would want to do on a Map or Set are these.
On the other, generic code could get confused if it somehow gets
ahold of a variable that happens to be C++-typed as a v8::Map or v8::Set.
BUG=v8:3340
LOG=y
Review URL: https://codereview.chromium.org/1204623002
Cr-Commit-Position: refs/heads/master@{#29237}
This is a precursor to using specialized LoadIC and StoreIC stubs for
global variable access. It also removes the need to keep track of the
global object in the type system, hence freeing up one bit.
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1205473004
Cr-Commit-Position: refs/heads/master@{#29231}
ARM64's `fmin` and `fmax` instructions don't have the same behaviour as
TurboFan's Float(32|64)(Min|Max) functions.
BUG=4206
LOG=N
Review URL: https://codereview.chromium.org/1200123004
Cr-Commit-Position: refs/heads/master@{#29229}
This makes usage of the MachineOperatorBuilder more robust, as it will be
an error to request an unsupported operator.
Along the way, I noticed that all 7 platforms support Float32Abs and
Float64Abs. Should make them non-optional in another CL?
R=bmeurer@chromium.org
Review URL: https://codereview.chromium.org/1128133003
Cr-Commit-Position: refs/heads/master@{#29223}
Reason for revert:
Looks like this breaks Tests262.
Original issue's description:
> [turbofan] Run DeadCodeElimination together with the advanced reducers.
>
> This will immediately remove dead code from the graph once any of
> the advanced reducers inserts it. Also changes the GraphReducer to
> use the canonical Dead node for ReplaceWithValue.
>
> R=jarin@chromium.org
>
> Committed: https://crrev.com/88a40c5fb381924b1c0b2403dc582bceb2abe5da
> Cr-Commit-Position: refs/heads/master@{#29217}
TBR=jarin@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review URL: https://codereview.chromium.org/1200983004
Cr-Commit-Position: refs/heads/master@{#29220}
Lowering of stores need the vector and slot if --vector-stores is true.
BUG=
Review URL: https://codereview.chromium.org/1193313002
Cr-Commit-Position: refs/heads/master@{#29219}
This will immediately remove dead code from the graph once any of
the advanced reducers inserts it. Also changes the GraphReducer to
use the canonical Dead node for ReplaceWithValue.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1206533002
Cr-Commit-Position: refs/heads/master@{#29217}
This also threads through the parameter count and local count to the instruction selector. This will be later used to allow merging of various StateValues vector (and prepare for differential encoding which will not distinguish between parameters, locals and expression stack).
BUG=
Review URL: https://codereview.chromium.org/1191243003
Cr-Commit-Position: refs/heads/master@{#29214}
Turning the --harmony-array flag on has been delayed behind
unrelated test failures. Now that those tests are disabled,
land the changes.
This patch fixes WebKit tests based on the new change.
R=adamk
LOG=Y
BUG=v8:3578
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1199113003
Cr-Commit-Position: refs/heads/master@{#29209}
We were using both String.prototype.charCodeAt and
String.prototype.charAt.
BUG=v8:4224
LOG=N
R=adamk, littledan
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1204483003
Cr-Commit-Position: refs/heads/master@{#29208}
This test starts failing when the --harmony-array flag is turned on,
but the failure does not directly have to do with that flag. Disabling
the test in debug mode to unblock the release.
BUG=v8:4237
LOG=n
R=adamk,erikcorry
Review URL: https://codereview.chromium.org/1202523005
Cr-Commit-Position: refs/heads/master@{#29207}
Before this we were using String.prototype.replace. Now
we call the internal StringReplace instead.
BUG=v8:4221
LOG=N
R=adamk, littledan
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1199933005
Cr-Commit-Position: refs/heads/master@{#29206}
Before this we were using + which calls valueOf which is not correct
for these methods.
BUG=v8:4222
LOG=N
R=adamk, littledan
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
Review URL: https://codereview.chromium.org/1194173004
Cr-Commit-Position: refs/heads/master@{#29202}
This test appears to trigger some bug in either ASAN or V8 when
accompanied by an increase in JS code size. Disabling the test
on ASAN runs to unblock adding new JS code.
BUG=v8:4236
LOG=N
R=adamk
Review URL: https://codereview.chromium.org/1203523002
Cr-Commit-Position: refs/heads/master@{#29201}
This API closely matches the Worker API. The differences:
1) The argument to the Worker constructor is a function to run, not a script.
2) Receiving a message from a worker is a synchronous API (as there is no event
loop).
The serialization done here is not robust as the real DOM implementation. For
example, recursive data structures or otherwise duplicated objects are not
allowed.
BUG=chromium:497295
LOG=n
Review URL: https://codereview.chromium.org/1192923002
Cr-Commit-Position: refs/heads/master@{#29195}
We resurrect the VectorSlotPair in order to be able to separate the
feedback input for the compiler from the actual type feedback vector
that is required to meet the IC requirements at runtime. This will allow
us to for example use feedback from a different context or divide the
type feedback vector into two separate vectors, without having to touch
the compiler. It'll allow use to load the vector from the shared
function info at runtime, while still consuming feedback in the
compiler (i.e. we don't rely on the feedback vector node to be a heap
constant).
R=mvstanton@chromium.org
Review URL: https://codereview.chromium.org/1198983002
Cr-Commit-Position: refs/heads/master@{#29185}
This fixes a terrible interaction of code flushing and the clearing of
optimized code maps hanging off a SharedFunctionInfo. The following is
what happened:
1) Incremental marking cleared map in SharedFunctionInfo s, however it
was not enqueued as a flushing candidate because one JSFunction f1
still had optimized code.
2) Deoptimization of f1 made s eligible for code flushing.
3) Optimization of f2 added new entry to optimized code map of s.
4) The JSFunction f2 became unreachable and hence is never marked.
5) Incremental marking now visits f1, finds it eligible for flushing,
also s is eligible for flushing, both are enqueued.
6) Marking finishes, code flusher clears f1 and s, but the optimized
code map of s still contains an entry.
7) Boom!
R=ulan@chromium.org,hpayer@chromium.org
TEST=mjsunit/es6/generators-iteration
BUG=v8:3803
LOG=N
Review URL: https://codereview.chromium.org/1197713004
Cr-Commit-Position: refs/heads/master@{#29177}
Turbofan needs to pass vector slots around for named and keyed stores.
Also, the CL addresses a missing slot for ClassLiterals.
BUG=
Review URL: https://codereview.chromium.org/1178363002
Cr-Commit-Position: refs/heads/master@{#29173}
Object.setPrototypeOf() throws a TypeError if value would create a
cycle. Previously a plain Error was thrown rather than a TypeError.
BUG=v8:4197
R=mike@bocoup.com
LOG=N
Review URL: https://codereview.chromium.org/1198523002
Cr-Commit-Position: refs/heads/master@{#29169}
Reason:
Regressions in various benchmarks.
Revert "Revert of Revert of [strong] Implement strong mode restrictions on property access (patchset #1 id:1 of https://codereview.chromium.org/1189153002/)"
This reverts commit 41405c0470.
Revert "X87: Revert of Revert of [strong] Implement strong mode restrictions on property access."
This reverts commit 48de5f4d6b.
Revert "Fix overlapping KeyedLoadIC bitfield."
This reverts commit 4e6c956abf.
Revert "MIPS64: Fix 'Revert of Revert of [strong] Implement strong mode restrictions on property access'."
This reverts commit 74f97b0d2a.
BUG=
Review URL: https://codereview.chromium.org/1199493002
Cr-Commit-Position: refs/heads/master@{#29166}
Reason for revert:
Fails on V8 Linux - isolates (http://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20isolates/builds/4128)
Original issue's description:
> Add d8 API for spawning function on a new thread (Second try)
>
> This API closely matches the Worker API. The differences:
>
> 1) The argument to the Worker constructor is a function to run, not a script.
> 2) Receiving a message from a worker is a synchronous API (as there is no event
> loop).
>
> The serialization done here is not robust as the real DOM implementation. For
> example, recursive data structures or otherwise duplicated objects are not
> allowed.
>
> BUG=chromium:497295
> R=jochen@chromium.org
> LOG=n
>
> Review URL: https://codereview.chromium.org/1185643004
>
> Cr-Commit-Position: refs/heads/master@{#29126}
>
> Committed: https://crrev.com/ec2eaf712ecee6b4891c0458f2397e04a1f9b339
> Cr-Commit-Position: refs/heads/master@{#29158}
TBR=jochen@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:497295
Review URL: https://codereview.chromium.org/1191373005
Cr-Commit-Position: refs/heads/master@{#29161}
This API closely matches the Worker API. The differences:
1) The argument to the Worker constructor is a function to run, not a script.
2) Receiving a message from a worker is a synchronous API (as there is no event
loop).
The serialization done here is not robust as the real DOM implementation. For
example, recursive data structures or otherwise duplicated objects are not
allowed.
BUG=chromium:497295
R=jochen@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1185643004
Cr-Commit-Position: refs/heads/master@{#29126}
Review URL: https://codereview.chromium.org/1195613003
Cr-Commit-Position: refs/heads/master@{#29158}
Each Script object now keeps a WeakFixedArray of SharedFunctionInfo
objects created from this script.
This way, when compiling a function, we do not create duplicate shared
function info objects when recompiling with either compiler.
This fixes a class of issues in the debugger, where we set break points
on one shared function info, but functions from duplicate shared function
infos are not affected.
LOG=N
BUG=v8:4132
Review URL: https://codereview.chromium.org/1183733006
Cr-Commit-Position: refs/heads/master@{#29151}
The three different concerns that the ControlReducer used to deal with
are now properly separated into
a.) DeadCodeElimination, which is a regular AdvancedReducer, that
propagates Dead via control edges,
b.) CommonOperatorReducer, which does strength reduction on common
operators (i.e. Branch, Phi, and friends), and
c.) GraphTrimming, which removes dead->live edges from the graph.
This will make it possible to run the DeadCodeElimination together with
other passes that actually introduce Dead nodes, i.e. typed lowering;
and it opens the door for general inlining without two stage fix point
iteration.
To make the DeadCodeElimination easier and more uniform, we basically
reverted the introduction of DeadValue and DeadEffect, and changed the
Dead operator to produce control, value and effect. Note however that
this is not a requirement, but merely a way to make dead propagation
easier and more uniform. We could always go back and decide to have
different Dead operators if some other change requires that.
Note that there are several additional opportunities for cleanup now,
i.e. OSR deconstruction could be a regular reducer now, and we don't
need to use TheHole as dead value marker in the GraphReducer. And we can
actually run the dead code elimination together with the other passes
instead of using separate passes over the graph. We will do this in
follow up CLs.
R=jarin@chromium.org, mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/1193833002
Cr-Commit-Position: refs/heads/master@{#29146}
We block constant pool up to the call stub instruction, but the check for code size
includes the next instruction after the call instruction. That instruction can
emit constant pool.
BUG=chromium:500831
LOG=NO
TEST=mjsunit/regress/regress-500831
Review URL: https://codereview.chromium.org/1189123003
Cr-Commit-Position: refs/heads/master@{#29132}
This API closely matches the Worker API. The differences:
1) The argument to the Worker constructor is a function to run, not a script.
2) Receiving a message from a worker is a synchronous API (as there is no event
loop).
The serialization done here is not robust as the real DOM implementation. For
example, recursive data structures or otherwise duplicated objects are not
allowed.
BUG=none
R=jochen@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1185643004
Cr-Commit-Position: refs/heads/master@{#29126}
RegExpExecStub pushes callee-saved registers without setting up a frame. This confuses the stack iterator.
Other architectures do not save these registers.
BUG=chromium:487981
LOG=NO
TEST=mjsunit/regress/regress-487981
Review URL: https://codereview.chromium.org/1183593005
Cr-Commit-Position: refs/heads/master@{#29120}
Implements the strong mode proposal's restrictions on property access.
To be fully explored in a followup: proxies, interceptors, access checks, load from super
BUG=v8:3956
LOG=N
Review URL: https://codereview.chromium.org/1168093002
Cr-Commit-Position: refs/heads/master@{#29109}
Currently, the desugaring of for loops of the form for
(let/const ...; bla; bla) causes them to always have a
completion value of 1, regardless of whether the loop body
is executed or not. This CL fixes this, realigning
initializer blocks as a more general purpose way to avoid
the completion value rewriter (since that's all they really
do anyway).
BUG=
Review URL: https://codereview.chromium.org/1177053006
Cr-Commit-Position: refs/heads/master@{#29108}
This turns the CommonOperatorReducer into an AdvancedReducer and makes
it independent of JSGraph (which was used only because it was convienent),
and let's the CommonOperatorReducer run together with the ControlReducer.
The ControlReducer is still not able to run together with other reducers,
but we're getting closer. The plan is to split the ControlReducer into
two parts: The dead code elimination part and the common operator
reduction part. This separation will help to avoid tricky bugs in the
future and should make testing a *lot* easier.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1192063002
Cr-Commit-Position: refs/heads/master@{#29105}
We never hit the phi case for DecideCondition in practice, since a more
general optimization is already performed by typing and constant
propagation.
R=jarin@chromium.org,mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/1186973005
Cr-Commit-Position: refs/heads/master@{#29102}
The condition of a Branch or Select can never be a NumberConstant,
because the resulting graph would be invalid, so we don't need to
optimize this case. It can only ever be a tagged boolean or an untagged
bit.
Drive-by-fix: Test the interesting cases in the unit tests instead.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1195443004
Cr-Commit-Position: refs/heads/master@{#29089}
Delayed tasks can be used to perform non-urgent clean up work.
BUG=chromium:490559
LOG=NO
Review URL: https://codereview.chromium.org/1179153002
Cr-Commit-Position: refs/heads/master@{#29084}
This fixes a bug where new-space GC could be triggered by non-folded allocations for some of the in-object properties, while the object was only partially initialized.
BUG=chromium:500497
LOG=y
R=ishell@chromium.org
Review URL: https://codereview.chromium.org/1182113007
Cr-Commit-Position: refs/heads/master@{#29079}
Up until now that was still mixed with control reduction in the
ControlReducer. This separation allows us to remove the horrible
Reducer::Finish hack and also do graph trimming at more appropriate
places in the pipeline (i.e. trim dead nodes after generic lowering,
which can also make nodes dead).
R=jarin@chromium.org,mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/1188433010
Cr-Commit-Position: refs/heads/master@{#29077}
The remaining uses need some non-mechanical work:
* non-standard-layout type, probably due to mixed access control
* extended field designators
Review URL: https://codereview.chromium.org/1173343006
Cr-Commit-Position: refs/heads/master@{#29071}
This optimization just duplicates part of the ToBoolean rule in the
Typer, and it doesn't make sense to have adhoc partial typing rules in
the ControlReducer anyway.
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1189963002
Cr-Commit-Position: refs/heads/master@{#29064}
This ensures there is a lazy bailout point at the entry of every
exception handler so that deoptimized code is not re-entered through
caught exceptions.
R=jarin@chromium.org
TEST=cctest/test-run-deopt/DeoptExceptionHandler
Review URL: https://codereview.chromium.org/1173253004
Cr-Commit-Position: refs/heads/master@{#29061}
According to the ES6 spec, the main methods and getters shouldn't
be properties of the individual TypedArray objects and prototypes
but instead on %TypedArray% and %TypedArray%.prototype. This
difference is observable through introspection. This patch moves
some methods and getters to the proper place, with the exception
of %TypedArray%.prototype.subarray and harmony methods. These will
be moved in follow-on patches.
BUG=v8:4085
LOG=Y
R=adamk
Review URL: https://codereview.chromium.org/1186733002
Cr-Commit-Position: refs/heads/master@{#29057}
This patch includes the following changes.
1, Enable the turbofan backend support for X87 platform. It depends on previous CL: 3fdfebd26.
2, Enable the test cases which are disabled because turbofan for X87 was not enabled.
BUG=v8:4135
LOG=N
Review URL: https://codereview.chromium.org/1179763004
Cr-Commit-Position: refs/heads/master@{#29049}
frame->GetExpression always returns the same function. We should iterate through expression stack when we use Function.call.apply for finding actual target.
LOG=N
BUG=chromium:499479
R=yurys@chromium.org,yangguo@chromium.org
Review URL: https://codereview.chromium.org/1182703003
Cr-Commit-Position: refs/heads/master@{#29048}
This invariant will save us some head ache.
The changes to test-debug/DebugStub is due to the fact that it abuses
the ability to set break points in code that has no debug break slots.
This is now no longer possible.
R=ulan@chromium.org
BUG=v8:4132
LOG=N
Review URL: https://codereview.chromium.org/1181013007
Cr-Commit-Position: refs/heads/master@{#29038}
This patch implements %_IsTypedArray in fullcodegen, Hydrogen and
Turbofan in order to implement fast type checks to enable ES6
TypedArray features and semantics efficiently.
R=adamk,titzer
LOG=Y
BUG=v8:4085
Review URL: https://codereview.chromium.org/1183213002
Cr-Commit-Position: refs/heads/master@{#29033}
In ES6, the TypedArray constructor can be called either with an
array-like object or an iterable. The code previously handled
only array-like objects. This patch switches to supporting
iterables while throwing in an optimization to make Arrays
get allocated the old way, without an extra copy.
BUG=v8:4090
LOG=Y
R=adamk
Review URL: https://codereview.chromium.org/1181903003
Cr-Commit-Position: refs/heads/master@{#29031}
Reasons:
- It is not used.
- It complicates code in GC.
BUG=chromium:499713
LOG=NO
Review URL: https://codereview.chromium.org/1184723002
Cr-Commit-Position: refs/heads/master@{#29027}
