Currently we avoid checking for the hole value after array loads, if the
result is only used by instructions that definitely deoptimize in case
of the hole value (HChange instructions).
This change performs the same procedure for loading from deleteable/read-only
global variable where we can also avoid the check in the same cases.
Review URL: http://codereview.chromium.org/8054008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9453 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
It's not safe to use an immediate heap object in generated unless we take
pains to ensure it's not in new space. Continue using the caller's context
for inlined functions on all platforms except IA32.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9427 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In some special (but probably very common) cases we can do better than loading
from a global cell for these global properties by emitting the corresponding
constant directly. This opens up opportunities for further improvements, coming
in a separate CL...
Review URL: http://codereview.chromium.org/7992002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9409 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We have to check for uninitialized uses before phi-elimination. Otherwise we
may miss such a use and result in using the hole value instead. This
causes a NULL-dereference or assertion failure.
BUG=96989
TEST=mjsunit/compiler/regress-96989.js
Review URL: http://codereview.chromium.org/7974009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9337 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Although this patch is not small, most parts of it are rather mechanical:
* First of all, the concept of a 'nil-like' value is introduced, which can be
null or undefined. They are treated symmetrically regarding comparisons, so
it makes sense to handle them in a uniform manner. It is a mystery why
JavaScript defines two of those beasts, when even *one* is a design wart...
* Extended and renamed a few things which now handle undefined in addition to
null.
* Made the parts of the full code generator and the hydrogen generation which
deal with comparisons a bit more similar regarding their handling of special
cases.
* Refactored the syntactical detection of special cases for comparisons,
hopefully making them a bit more readable and less copy-n-paste-oriented.
Things like this should really be a one-liner in any sane programming
language... :-P
* Cut down the length of the argument lists of a few functions to something
less insane, making them more easily understandable locally. This involves
minor code duplication, but this was a good tradeoff and can be remedied
later if necessary.
* Replaced some boolean arguments with more readable enums.
* Fixed a TODO: Values which are definitely a Smi or unboxed can never be equal
to null or undefined.
Review URL: http://codereview.chromium.org/7918012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9323 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The Great Master Plan is to move the recognition of special cases for
comparisons further down the compilation pipeline where more information is
available. This is a first step into this direction: The special handling of
equality comparisons involving null is pushed from the parser to the code
generators, removing the need for a special AST node. (There are rumors from
usually well-informed sources that this node type is actually a relic of ancient
crankshaft days...)
The next steps will be the unification of null/undefined handling and pushing
the special case handling in crankshaft even further down the pipeline, enabling
the recognition of cases like "var foo=null; if (foo === bar) ...", but these
will be in separate CLs.
Review URL: http://codereview.chromium.org/7887037
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9293 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Removed an unneeded check for phis: There are never HValues in the work list
which are not convertible to integer and are not a phi. (But even if they were,
ignoring IsConvertibleToInteger() then looks like the wrong thing to do.)
Review URL: http://codereview.chromium.org/7857033
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9225 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Refactor Context::Lookup so it is more obvious. Change the comment in
contexts.h so it no longer indicates that it can return an arguments
object (it can't) and clean up the call sites that had leftover dead code.
BUG=
TEST=
Review URL: http://codereview.chromium.org/7782030
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9223 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When we propagate the information that a value is not convertible to integer,
there is no need for a separate fixed-point computation, we can do things the
"Millikin way" (tm), folding as much computation as possible into a single pass:
;-) We already have the phi node reachability information, so we can easily
propagate this while doing the representation histogram computation.
Review URL: http://codereview.chromium.org/7754010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9212 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The use-def relation between phis is mainly "forwards" (i.e. from phis with
smaller IDs to ones with larger IDs), so the fixed point computation terminates
faster when iterate through the phis in a "backwards" manner. This is quite
visible in complex Mandreel-generated code, where a few hundred phis with
non-trivial use-def chains are generated.
Review URL: http://codereview.chromium.org/7848012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9185 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The changes to scopes and parser introduce a VariableProxy
wrapping the function-name variable for function literals.
It seems the easiest way to get an AST id for the HSimulate
after context-slot stores in declarations.
Review URL: http://codereview.chromium.org/7826009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9112 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
We have to emit code for declarations later into the body block
(and not into the start block) so that the environment contains
the correct values.
In order to capture the environment effect of the declarations
that generate code (function declarations) I inserted a separate
AST id and a HSimulate after the declarations are visited.
Also fixes handling deopt in named function expressions:
BUG=v8:1647
TEST=test/mjsunit/regress/regress-fundecl.js, test/mjsunit/regress/regress-1647.js
Review URL: http://codereview.chromium.org/7776009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9083 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Changes GetGlobalReceiver() to GetDefaultReceiver(func) that returns undefined
for strict and native functions, and the function's context's global proxy
for "normal" functions.
BUG=v8:1547
TEST=cctest/api-test/ForeignFunctionReceiver
Review URL: http://codereview.chromium.org/7741042
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9030 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This eliminate redundant HChange instructions and allows range information of
converted values propagated across control-flow splits.
It fixes the performance regression on code like:
if (x > 1) {
y = x - 1;
}
where we should eliminate the overflow check on the sub inside the if-statement.
Review URL: http://codereview.chromium.org/7709025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8997 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This improves our static type information by calculating the result type
of conversions (HChange) during range analysis. It allows e.g. to eliminate
the write barrier in the following example where it was not possible before:
function f(x) {
var y = x + 1;
if (y > 0 && y < 100) {
a[0] = y;
}
}
* Fix bug in Range::Copy. The minus-zero flags has to be preserved by default.
Review URL: http://codereview.chromium.org/7634022
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8994 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Some AST nodes (Property, Call, etc.) store either a list of receiver
types or a monomorphic receiver type. This patch merges the two fields
using a small pointer list. GetMonomorphicReceiverType() is now a
purely convenience function returning the first and only recorded
type.
This saves about 500K (of about 39M) on average when compiling V8
benchmark as measured by a simple patch adding a zone allocation
counter (https://gist.github.com/1149397).
R=kmillikin@chromium.org
Review URL: http://codereview.chromium.org/7655017
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8993 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Remove the try/finally used for with and catch. Instead of using
try/finally to handle break and continue from with or catch,
statically track nesting dept and clean up when compiling break or
continue.
And instead of using try/finally to handle throw to handler in a frame
whose pc is inside a with or catch, store the context that the handler
should run in in the handler itself.
BUG=
TEST=
Review URL: http://codereview.chromium.org/7618007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8922 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
HGraphBuilder::TryArgumentsAccess does not emit any uses for receiver and will generate incorrect code when receiver for a property access is defined by a phi that returns either arguments object or something else.
BUG=v8:1582
TEST=test/mjsunit/regress/regress-1582.js
Review URL: http://codereview.chromium.org/7553006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8774 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
* src/hydrogen.cc (HInferRepresentation::Analyze): Fix iterative loop
over phis; the shortcutting behavior of || appears to be accidental
here, causing O(n^2) convergence. Not that it matters much, but hey!
While I'm at it, a minor comment fix:
* src/hydrogen-instructions.h (EnsureAndPropagateNotMinusZero): Fix a
comment about the kinds of instructions that propagate to multiple
inputs.
BUG=
TEST=passes tools/test.py
Review URL: http://codereview.chromium.org/7350019
Patch from Andy Wingo <wingo@igalia.com>.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8645 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The debugger can be entered from the deferred stack check in optimized code. This can cause both lazy deoptimization and debugger deoptimization (setting the first break point and inspecting the stack for optimized code respectively). This required deoptimization support from the deferred stack check.
The lazy deoptimiztion call is inserted when the deferred code is done including restoring the registers. The bailout to the full code is the begining of the loop body as that is where the stack check is sitting in the optimized code. The bailout is not to the stack check in the full code as that is sitting at the end of the loop.
R=kmillikin@chromium.org
BUG=none
TEST=none
Review URL: http://codereview.chromium.org//7212025
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8535 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Eliminates the enum flag RESTORE_CONTEXT and CONTEXT_ADJUSTED, and adds a context HValue and LOperand to many hydrogen and lithium instructions.
Context is still used from the stack from in CallKnownFunction (this seems safe), and in CallRuntimeFromDeferred in lithium-codegen-ia32.cc, which needs to be fixed.
BUG=
TEST=
Review URL: http://codereview.chromium.org/7132002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8529 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Optimized frames are now handled by the debugger. When discovering optimized frames during stack inspection in the debugger they are "deoptimized" using the normal deoptimization code and the deoptimizer output information is used to provide frame information to the debugger.
Before this change the debugger reported each optimized frame as one frame no matter the number of inlined functuions that might have been called inside of it. Also all locals where reported as undefined. Locals can still be reposted as undefined when their value is not "known" by the optimized frame.
As the structures used to calculate the output frames when deoptimizing are not GC safe the information for the debugger is copied to another structure (DeoptimizedFrameInfo) which is registered with the global deoptimizer data and processed during GC.
R=fschneider@chromium.org
BUG=v8:1140
TEST=test/mjsunit/debug-evaluate-locals-optimized*
Review URL: http://codereview.chromium.org//7230045
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8464 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
* src/hydrogen.cc (HEnvironment::CopyForInlining): As the code for both
the ::HYDROGEN and ::LITHIUM compilation phases is the same, just use
one code path and remove the arg.
* src/hydrogen.h (HEnvironment): Remove now-unused CompilationPhase
enum type and arg to CopyForInlining.
* src/arm/lithium-arm.cc (LChunkBuilder::DoEnterInlined):
* src/ia32/lithium-ia32.cc (LChunkBuilder::DoEnterInlined):
* src/x64/lithium-x64.cc (LChunkBuilder::DoEnterInlined): Adapt
callers.
* AUTHORS: Add Igalia.
BUG=
TEST=I ran tools/test.py.
Review URL: http://codereview.chromium.org/7272002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8442 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The hydrogen stack check instruction is now added to each loop and the stack check handling on the back edge has been removed.
This change causes regression on small tight loops as the stack check is now at the top of the loop instead of at the bottom, and that requires one additional unconditional jump per loop iteration. However the reason for this change is to avoid worse regressions for upcoming changes to correctly support debugger break in optimized code.
R=fschneider@chromium.org
BUG=none
TEST=none
Review URL: http://codereview.chromium.org//7216009
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8428 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Detect the pattern in both, the full compiler and crankshaft and generate direct pointer
comparisons. Along the way I cleaned up 'typeof <expression> == <string literal>' comparisons
as well by lifting platform independent code and checking the symmetric case.
BUG=v8:1440
TEST=cctest/test-api.cc
Review URL: http://codereview.chromium.org/7216008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8420 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
* AST Expression nodes get a separate testing ID to record type info in
ToBooleanStub later. This is necessary to avoid clashes with other uses of
already existing IDs.
* In order to avoid threading the condition expression through tons of places,
TestContexts carry it now with them. Note that we will probably only need the
testing ID of the expression, but having the whole thing at hand makes
debugging easier. Probably we will change this later...
Review URL: http://codereview.chromium.org/7046073
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8274 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change makes the number of successors of a control instruction
configurable with a template parameter and changes the existing instructions
to use it.
To iterate over all successors I added an iterator instead of always calling
First- and SecondSuccessor.
Review URL: http://codereview.chromium.org/7114004
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8262 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Introduce separate maps for function and with contexts. Use the function
context map for testing whether a context is a function context (global
contexts are no longer function contexts).
Split the paths for allocating with and catch contexts.
Rename some functions. Generally refactor code to make it simpler.
R=ager@chromium.org
BUG=
TEST=
Review URL: http://codereview.chromium.org/7003058
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8231 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If type-feedback indicates that an expression was never executed in
the non-optimized code, we insert a forced deoptimization right away
to enable re-optimization if we ever hit this path.
With this change we still continue to build the graph. As a next step, we
should remove the dead code after the deoptimize.
I had to remove one assert about the optimization status in a test since
we now immediately deoptimize after exiting the loop that triggers OSR.
Also remove a restriction that control-flow from an inlined function in a
test context always reaches both true- and false-target.
Review URL: http://codereview.chromium.org/7105015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8140 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
- Introduce a class JSReceiver, that is a common superclass of JSObject and
JSProxy. Use JSReceiver where appropriate (probably lots of places that we
still have to migrate, but we will find those later with proxy test suite).
- Move appropriate methods to JSReceiver class (SetProperty,
GetPropertyAttribute, Get/SetPrototype, Lookup, and so on).
- Introduce new JSFunctionProxy subclass of JSProxy. Currently only a stub.
- Overhaul enum InstanceType:
* Introduce FIRST/LAST_SPEC_OBJECT_TYPE that ranges over all types that
represent JS objects, and use that consistently to check language types.
* Rename FIRST/LAST_JS_OBJECT_TYPE and FIRST/LAST_FUNCTION_CLASS_TYPE
to FIRST/LAST_[NON]CALLABLE_SPEC_OBJECT_TYPE for clarity.
* Eliminate the overlap over JS_REGEXP_TYPE.
* Also replace FIRST_JS_OBJECT with FIRST_JS_RECEIVER, but only use it where
we exclusively talk about the internal representation type.
* Insert JS_PROXY and JS_FUNCTION_PROXY in the appropriate places.
- Fix all checks concerning classification, especially for functions, to
use the CALLABLE_SPEC_OBJECT range (that includes funciton proxies).
- Handle proxies in SetProperty (that was the easiest part :) ).
- A few simple test cases.
R=kmillikin@chromium.org
Review URL: http://codereview.chromium.org/6992072
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8126 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Almost all uses were below Expression already, only a single use in IfStatement
had to be handled explicitly (probably an oversight from earlier changes?). This
is a small step towards a less ad-hoc handling of IDs in the front end.
Review URL: http://codereview.chromium.org/7054034
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8118 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The approach is to handle the common case in the optimizing
compiler and to bailout for the rare corner cases.
This is done by initializing all local const-variables with
the hole value and disallowing any use of the hole value statically.
Review URL: http://codereview.chromium.org/6026006
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8104 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Only IA32 version for now. I'll start porting.
Strict mode functions are to get 'undefined' as the receiver when
called with an implicit receiver. Modes are bad! It forces us to have
checks on all function calls.
This change attempts to limit the cost by passing information about
whether or not a call is with an implicit or explicit receiver in ecx
as part of the calling convention. The cost is setting ecx on all
calls and checking ecx on entry to strict mode functions.
Implicit/explicit receiver state has to be maintained by ICs. Various
stubs have to not clobber ecx or save and restore it.
CallFunction stub needs to check if the receiver is implicit when it
doesn't know from the context.
Review URL: http://codereview.chromium.org/7039036
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@8040 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When descending the dominator tree we used to collect side effects from all blocks between the dominator and the dominated blocks in the block ordering. This could include blocks that do not appear on paths from the dominator to the dominated and unnecessarily removed available values from the GVN map.
Review URL: http://codereview.chromium.org/7036010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7943 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If a HDeoptimize does not cut away parts of the control-flow-graph
we don't need to insert uses to correctly elimiate dead phis since
the full function is visible to the optimizing compiler.
This is a small improvement of the change r7221 which fixed a problem
when deoptimizing on never executed case-clauses.
Review URL: http://codereview.chromium.org/7012010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7877 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This allows us to get rid of totally fake LAST_STRING_TYPE and makes
it possible to test for symbols.
I considered splitting HCheckInstanceType into two instructions, but
it seems nice to be able to hide the instance type implementation
details from the hydrogen level.
Review URL: http://codereview.chromium.org/6964011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7840 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
onto a sinlge 30" screen. A lot of times, the AST visitor stops a bit too early,
so we have to do the rest of the dispatch by hand. This is caused by the fact
that the kind of the AST nodes are a bit too coarse for some traversals (e.g. a
single node type for all binary ops), perhaps one could try to refine this a
little bit more.
Review URL: http://codereview.chromium.org/6963008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7839 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Use a special slot for HContext, and fetch the value from there each time it is used. Allocate space for special slots in every HEnvironment. Fill them with constant undefined. Do not copy them to LEnvironment.
BUG=
TEST=
Review URL: http://codereview.chromium.org/6929066
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7807 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Until now we conservatively chose a double representation if
at least one use occurs in a double operation. This causes performance
degradation in many cases where there are mixes uses (integer and double)
e.g.:
for (int i = 0; i < 10; i++) {
var t = i / 3.5;
a[i] = t;
}
where the use in i/3 requires a double, where as the keyed store requires i
as an integer.
For these cases we want to have i as an integer and convert it only before the
double division.
In order to avoid unconditional deoptimization in some rare cases, we check
phis if there is any conversion that will always fail when converting a
heap-number constant to int32.
Review URL: http://codereview.chromium.org/6905166
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7757 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Rather than representing a use as a pointer to an HValue and then searching
for the specific (ambiguous) operand, we now represent a use as a pair of an
HValue and the input operand index. Additionally, use a linked list instead
of a growable array list since we never use random access.
This allows us to remove a bunch of similarly named and subtly different
functions from the HValue API. The cost in extra zone allocation per use is
partially offset by reusing use list nodes when replacing a use of one value
with another.
R=danno@chromium.org,fschneider@chromium.org
Review URL: http://codereview.chromium.org/6881044
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7674 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When inlining a polymorphic variant, the inlined function indicates we
should bailout of the entire compilation by setting the stack overflow flag
on the visitor. We need to check this flag and bailout if a call to
TryInline succeeds and it is not in tail position in a graph builder
function.
R=fschneider@chromium.org
Review URL: http://codereview.chromium.org/6840012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7604 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
- mutual inlining strict and non-strict functions in crankshaft.
- assignment to undefined variable with eval in scope.
- propagation of strict mode through lazy compilation.
BUG=
TEST=test/mjsunit/strict-mode.js test/mjsunit/strict-mode-opt.js
Review URL: http://codereview.chromium.org/6814012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7561 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
In the cases where a global property cell cannot be used in the optimized code
use standard load ic to get the property instead of bailing out.
This is re-committing r7212 and r7215 which where reverted in r7239 with the addition of recoring the source position in the hydrogen code for the LoadGlobalCell instruction. To record that position an optional position field has been added to the variable proxy AST node.
Review URL: http://codereview.chromium.org/6758007
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7474 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Fix %NewObjectFromBound to correctly handle optimized frames (including those with inlined functions).
Fix %_IsConstructCall handling in hydrogen: when called from inlined function return false constant directly instead of emiting HIsConstructCall.
Fix success case in TraceInline.
BUG=v8:1229
TEST=test/mjsunit/regress/regress-1229.js
Review URL: http://codereview.chromium.org/6740023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7472 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This commit adds current working versions of assembler, macro-assembler,
disassembler, and simulator.
All other mips arch files are replaced with stubbed-out versions that
will build.
Arch independent files are updated as needed to support building and
running mips.
The only test is cctest/test-assembler-mips, and this passes on the
simulator and on mips hardware.
TEST=none
BUG=none
Patch by Paul Lind from MIPS.
Review URL: http://codereview.chromium.org/6730029/
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7388 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This change adds a new IR instruction for polymorphic loads. It performs
map compares and loads in one IR instruction instead of splitting each
load into a graph of map-compares and field loads.
The advantage is a smaller IR and less basic blocks, plus it allows to
do GVN on polymorphic loads.
Review URL: http://codereview.chromium.org/6708085
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7336 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This allows fast calls and inlining of functions like:
var o = {f: function() { return "foo"; }}
o.f();
Object literals that contain function literals are initially created a dictionary mode
object and only transformed to fast properties once all properties are computed and
added. This allows us to create constant function properties for functions declared
inside the object literal. Function literals inside object literals are marked for
pretenuring so that they work as contant function properties.
Object literals without functions should just function as before.
Review URL: http://codereview.chromium.org/6240012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7283 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Worth mentioning:
- Specialized versions of pixel array and store/loads inside the generic stubs have been removed, since to have parity for all external arrays, 8 different versions would have to be inlined/checked.
- There's a new constant in v8.h for external arrays with pixel array elements.
Review URL: http://codereview.chromium.org/6546036
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7106 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Refactor construction of switch statements so it doesn't use class
HSubgraph.
There are also a few improvements. We do not use an auxiliary list of
comparisons because they're embedded as a linked list in the graph
under construction. We share a common break block for all breaks from
the same switch. We do not insert empty blocks unless necessary to
maintain edge-split form.
There is also a bug fix. The entry to a clause body is a potential
join and must have a join ID set, otherwise deoptimization within the
body can go to an unpredictable place in the unoptimized code.
Review URL: http://codereview.chromium.org/6650021
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7099 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Instead of allocating fresh temporary lists for every instruction, reuse
the same instance and reset it between instructions.
This reduces the amount of zone memory used for inserting the HChange
instructions roughly by half.
Review URL: http://codereview.chromium.org/6628079
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7094 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Move strict mode flag from TemporaryScope to Scope so that it can be accessed from variable binding code.
Arguments do not alias in strict mode (ia32, x64 and arm, codegen and full codegen).
Hydrogen tolerates null arguments_shadow().
In codegen-<arch> arguments object is allocated eagerly to capture values before they get modified.
Review URL: http://codereview.chromium.org/6625048/
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7083 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Change the way we construct the graph for polymorphic loads to match that of
polymorphic stores.
Introduce a stack-allocated helper for saving and restoring all the
function-specific graph builder state that needs to change when we begin
translating an inlined function. Make this class authoritative by moving
redundant state out of the builder and deferring to the current function's
state.
Ensure that we always print a tracing message when abandoning an inlining
attempt.
Review URL: http://codereview.chromium.org/6628012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7074 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Before we would compute the flag by iterating over all uses. The truncating
flag is always determined at construction time since we already computed
the flag for all other instructions before inserting HChange instructions.
Review URL: http://codereview.chromium.org/6615012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7047 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Do not use subgraphs to implement the translation of simple branching
control flow, for the function body entry, or for labeled blocks.
Combine all the loop construction functions into a single one.
Resolve a possible problem with duplicate AST IDs used both for joined loop
break blocks, the normal loop exit, and for their common successor, by never
introducing the extra (successor) block and instead making the normal loop
exit a predecessor of the break join block. There is a similar issue with
joined continue blocks.
Remove a (never needed) two-element zone list per each time we replace one
hydrogen value with another.
Review URL: http://codereview.chromium.org/6604002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@7027 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When deoptimizing from the key subexpression of a keyed arguments access,
the unoptimized code expects to find the value of the receiver on the
expression stack. The environment of the optimizing compiler did not
contain this value during evaluation of the key subexpression.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6981 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Resubmit of patch for issue 1145 with a few additions:
- Now also clears exceptions when calling Runtime_LazyRecompile.
- Sets function where parsing fails to not be optimizable.
BUG=v8:1145
TEST=test/mjsunit/regress/regress-1145.js
Review URL: http://codereview.chromium.org/6469050
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6945 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The main issue was due to multiple recompilations of functions. Now
code objects are grouped by function using SFI object address.
JSFunction objects are no longer tracked, instead we track SFI object
moves. To pick a correct code version, we now sample return addresses
instead of JSFunction addresses.
tools/{linux|mac|windows}-tickprocessor scripts differentiate
between code optimization states for the same function
(using * and ~ prefixes introduced earlier).
DevTools CPU profiler treats all variants of function code as
a single function.
ll_prof treats each optimized variant as a separate entry, because
it can disassemble each one of them.
tickprocessor.py not updated -- it is deprecated and will be removed.
BUG=v8/1087,b/3178160
TEST=all existing tests pass, including Chromium layout tests
Review URL: http://codereview.chromium.org/6551011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6902 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Change the interface to the Hydrogen graph builder to appear like it
directly holds a current basic block and a current environment.
Remove some direct accesses to the current subgraph, and remove
subgraph accessors that simply forwarded to the exit block.
Review URL: http://codereview.chromium.org/6532088
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6887 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Before, the live ranges of the arguments extended to the call itself, and
they were pushed immediately before the call. Now, they are spilled eagerly
as soon as their value is available and they are spilled to the right place.
The inlined runtime calls in the optimized backend are changed to work as in
all the other backends: they get their arguments untranslated and can choose
their own custom evaluation order.
Review URL: http://codereview.chromium.org/6526047
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6876 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The baseline compiler does not materialize a value for expressions of
the form !expr in an effect context so the graph translation should
not produce such an environment, otherwise we risk targeting it by
deoptimization.
BUG=v8:1167
Review URL: http://codereview.chromium.org/6537018
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6833 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When deoptimizing to after an expression of the form (expr0 || expr1)
or (expr0 && expr1) in an effect context, the unoptimized code could
incorrectly see the value of the expression.
Handle the short-circuit binary operators specially in effect contexts.
This fixes the issue and will generate better code when the left
subexpression is boolean-valued.
BUG=v8:1166
Review URL: http://codereview.chromium.org/6519046
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6831 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Rather than passing in a pair of unequal-length lists, pass the default
subgraph separately. Construct the typecase from the top down rather than
the bottom up, so it doesn't need an intermediate zone list.
Also, change a basic block's 'last' instruction field to really be its last
instruction by correctly updating it when inserting and removing
instructions.
Review URL: http://codereview.chromium.org/6516016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6783 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Before, Hydrogen call instructions had uses of the PushArgument instructions
for their arguments. These operands were unneeded, bloated the IR, and
caused calls to be the only Hydrogen instructions with an unpredictable
number of operands.
Now, PushArgument is a pure side-effecting instruction that has no uses.
Review URL: http://codereview.chromium.org/6480030
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6749 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Before, an attempt to delete a parameter in a function that used the
arguments object in any way would succeed with true and delete both
the parameter and the corresponding arguments object property.
Now, an attempt to delete such a parameter does not delete and
evaluates to false.
Parameters can be deleted, as before, from functions that use the
arguments object, by deleting the corresponding arguments object
property (this is a spec violation).
BUG=fixes v8:1136
Review URL: http://codereview.chromium.org/6484023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6745 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Make esi available to the register allocator rather than dedicating it
permanently to the context.
The context is still passed in register esi to JavaScript and to the runtime
as part of the calling convention. Because some stubs might end up calling
JS or the runtime, it is also conservatively passed to stubs.
Roughly half the calls have been modified to use the context as an input
value in fixed register esi. The other half are marked as calls or deferred
code so esi is spilled and can be explicitly set.
It is no longer necessary to restore the context to esi after a call that
might change it.
Review URL: http://codereview.chromium.org/6452001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6713 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When constructing stack traces we interpret the deoptimization data for
optimized frames to find the receiver value. This value could sometimes be
eliminated from the deoptimization data if we though it was unused.
BUG=v8:1118
Review URL: http://codereview.chromium.org/6465023
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6694 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Record a safepoint with a deoptimization id for throw in optimized code. We
don't seem to much care what the AST ID is because we will not be using it
for lazy deoptimization (throw doesn't return to the point of throw). For
hygiene we use the actual ID of the throw expression. Throw is no longer a
control-flow instruction, but it's followed by an unconditional abnormal
exit. This is required to insert a simulate between the throw and the exit.
Make our optimized treatment of Function.prototype.apply act like a call and
have side effects. This ensures that it will get a lazy deoptimization
environment. Use that deoptimization ID in the safepoint for the call.
Deleting a property was also missing a deoptimization ID, though there was a
deoptimization environment assigned to the instruction. Record the
environment and use the deoptimization ID at the safepoint.
Review URL: http://codereview.chromium.org/6250105
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
1. The placement of checks for negative zero has to be computed after
all conversion instructions have been inserted. I separated the code
into its own phase.
2. GVN need to take instruction flags into account when comparing
instructions for redundancy.
Review URL: http://codereview.chromium.org/6260035
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6534 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Deletion of global properties puts 'the hole' in the global property
cell and updates the property details in the property dictionary with
the information that the property has been deleted. When setting
global properties that have been deleted in generated code we just
store the new value in the global property cell. This does not update
the property details in the property dictionary. Therefore, it looks
like the property is not there eventhough it was just reintroduced.
Perform 'the hole' checks in generated code for global property stores
and bail out of ICs and optimized code if storing to a property cell
that contains 'the hole'.
Review URL: http://codereview.chromium.org/6306014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6508 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Before, we disabled code motion for check instructions on the final
optimization attempt. It is unsafe to prevent movement of check
instructions but to allow movement of instructions that assume the checks
were performed.
Review URL: http://codereview.chromium.org/6378012
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6485 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
To avoid deopts a few extra changes were needed:
o Enable megamorphic state for special property loads on
primitives. We used to flip between monomorphic stubs.
o Extract pure string (no string wrapper support) version of the
string length stub.
Review URL: http://codereview.chromium.org/6334015
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6472 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Rename HBranch (the instruction that coerces an arbitrary HValue to
control flow) to HTest to free up the term Branch to refer to any
control instruction with two successors.
Change the virtual FirstSuccessor and SecondSuccessor functions on
control instructions to a pair of data members.
Review URL: http://codereview.chromium.org/6366002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6417 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This patch adds H- and L-variants of StringCharCodeAt and StringLength.
StringCharCodeAt is used to inline a constant function call of
String.prototype.charCodeAt and to implement the corresponding inline
runtime function. It does not yet use the recently introduced extra IC
state. (We can specialize on string encoding and avoid deopts because
of out of bounds accesses.)
StringLength needs more work because the stub version of it also
supports strings wrappers and it matters in some cases. (We have to
separate the string only case.)
Review URL: http://codereview.chromium.org/6243008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6408 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This instruction only depends on the prototype and the holder and can
completely ignore the receiver and its map.
This change also fixes a small bug on arm where a cell was loaded
instead of the prototype from new space.
Review URL: http://codereview.chromium.org/6094020
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6290 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Each LInstruction is now a subclass of LTemplateInstruction<R, I, T>
where R is number of outputs, I number of inputs and T number of temps.
This change only actually uses the parameter I for input operands.
Since the parameter T for temps is 0, it incurs no extra cost.
A separate change will introduce using the temps parameter.
Review URL: http://codereview.chromium.org/6215002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6275 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
For polymorphic calls (also loads and stores) we construct a type switch
graph that has a basic block merging all the variants. There is an
environment simulation before the goto at the end of all the predecessor
blocks. This simulation is used to define the environment on entry to the
successor block, and captures the return value of the call. In effect
contexts, this value should not be present in the environment.
The fix is to use the AST context to decide whether to have this value in
the join node's environment at all.
BUG=1014
Review URL: http://codereview.chromium.org/6065014
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6189 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
If the instance of is performed against what is beliwed to be a constant global function inline the instance of check and have the call to the instanceof stub in deferred code. The inlined check will be patched by the instanceof stub when called from deferred code. This is indicated by the lithium instruction LInstanceOfKnownGlobal.
To help the patching the delta from the return address to the patch site is placed just below the return address in the edi slot of the pushad/popad ares. This is safe because the edi register (which is pushed last) is a temporary for the lithium instruction.
As the instanceof stub can call other JavaScript an additional marking for saving all double registers have been added.
Also tweaked the instanceof stub to produce true/false objects instead of 0/1 for the case with deferred code.
Review URL: http://codereview.chromium.org/5990005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6173 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The function HEnvironment::SetExpressionStackAt did not update the
environment's history. This function is used to patch the bailout
environment for count operations and global function calls.
Reorganize class HEnvironment to make it fit V8's style a bit better
and to try to add some sanity to which C++ functions are intended to
be inlined.
Remove the flag --trace-environment which merely duplicated data in
the hydrogen.cfg file except without enough context to be useful.
BUG=1004
Review URL: http://codereview.chromium.org/5992011
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6137 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
1. Separating out the instance-type check from the array-length operation.
2. I also changed the bounds-check on keyed loads to use the length property
for JS arrays (like we do for array stores).
The new pattern should use less registers and allow more checks to be eliminated.
Review URL: http://codereview.chromium.org/5961016
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6125 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This prevents code motion from hoisting map-checks across such stores
which may result in unnecessary deoptimizations.
In the following example program we would move a map-check from the inner loop out before the outer loop which is not desirable:
function f() {
var o = {};
var j = 0;
o.a = 1;
do {
o.b = 6; // Map transition
for (var i=0; i<10; i++) {
o.a = o.b + i;
}
} while(++j < 1) {}
}
for (var i = 0; i < 1000000; i++) f();
Review URL: http://codereview.chromium.org/5991001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6071 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When running with 10 stress runs we get polymorphic stores. This revealed
an incorrect bailout ID for the state following a polymorphic store. The ID
should be the internal ID of the assignment side-effect, not the ID of the
end of the expression.
Review URL: http://codereview.chromium.org/5885003
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6051 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
Before, when we deoptimized after a branch we jumped to before the branch
was taken in the unoptimized code with a token value that indicated when
edge to take. There was a lot of machinery to track this value through the
short-circuit logical operations and logical negation, and to handle it
properly at inline function return sites. There was also machinery to
prevent incorrectly seeing this environment with the extra value never
actually materialized in the unoptimized code.
Instead, now we deoptimize directly to one of the targets of the branch.
Much but not yet all of the extra machinery has been removed or simplified.
The cost is that branching control structures (the looping statements, if
statements, conditional expressions, and the short-circuit binary logical
operations) need extra AST IDs to identify the branch targets.
Review URL: http://codereview.chromium.org/5908001
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6049 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
The issue is caused when deoptimizing to an internal AST ID in a
postfix increment or decrement operation on variable. This could
happen for a global variable. In that case, the optimized code was
not properly simulating an extra stack slot in the unoptimized code to
hold the original value.
Review URL: http://codereview.chromium.org/5871002
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@6025 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
This fixes V8 issue 989.
Before, assignments used the AST ID of the assignment expression to
mark the side effect of the store, which became a target for
deoptimization bailout for code after the assignment. In effect
contexts this environment included the value of the assignment, which
was unexpected by the unoptimized code.
Now we introduce a new assignment ID for AST node types that include
an assignment (Assignment, CountOperation, and ForInStatement) and use
it for the side effect of the store.
Review URL: http://codereview.chromium.org/5682010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5990 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
When falling off the end of a function inlined in a test context, we cannot
constant fold the test of undefined away. The graph builder assumes that
control flow always reaches both branches of a test.
Instead, explicitly test and branch on "undefined". Introduce a pair of
empty blocks to hold the necessary LeaveInlined instructions.
Review URL: http://codereview.chromium.org/5566005
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@5927 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
