Commit Graph

34 Commits

Author SHA1 Message Date
mvstanton@chromium.org
cec8548d0e Correct handling of arrays with callbacks in the prototype chain.
Our generic KeyedStoreIC doesn't handle the case when a callback is
set on array elements in the prototype chain of the object, nor do
we recognize that we need to avoid the monomorphic case if these
callbacks exist.

This CL addresses the issue by looking for dictionary elements in
the prototype chain on IC misses and crankshaft element store
instructions. When found, the generic IC is used. The generic IC is
changed to go to the runtime in this case too.

In general, keyed loads are immune from this problem because they
won't return the hole: discovery of the hole goes to the runtime where
the callback will be found in the prototype chain. Double array loads
in crankshaft can return the hole but only if the prototype chain is
unaltered (we will catch such alterations).

Includes the following patch as well (already reviewed by bmeurer):
Performance regression found in test regress-2185-2.js. The problem was
that the bailout method for TransitionAndStoreStub was not performing
the appropriate transition.

(Review URL for the ElementsTransitionAndStoreIC_Miss change:
https://codereview.chromium.org/26911007)

R=danno@chromium.org

Review URL: https://codereview.chromium.org/35413006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17525 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-11-06 15:45:43 +00:00
mstarzinger@chromium.org
3e0f828b8f Revert "TransitionAndStoreStub bailout needs to transition (and store)."
This reverts commit r17216 breaking fast/js/cross-frame-bad-time.html test.

R=mvstanton@chromium.org
TEST=webkit:fast/js/cross-frame-bad-time.html

Review URL: https://codereview.chromium.org/27516002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17241 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-16 14:17:31 +00:00
mvstanton@chromium.org
8f9f192f6e AllocationSites for all literals
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/24250005


Review URL: https://codereview.chromium.org/27366003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17228 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-16 08:10:36 +00:00
mvstanton@chromium.org
f4edc076d8 Revert "AllocationSites for all literals"
This reverts commit r17219 due to WebKit failures.

R=mstarzinger@chromium.org
TBR=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/26539010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17222 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-15 15:35:23 +00:00
mvstanton@chromium.org
362c0cfbca AllocationSites for all literals
BUG=
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/24250005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17219 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-15 14:52:58 +00:00
mvstanton@chromium.org
3769a2d24d TransitionAndStoreStub bailout needs to transition (and store).
Performance regression found in test regress-2185-2.js. The problem was
that the bailout method for TransitionAndStoreStub was not performing
the appropriate transition.

BUG=
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/26911007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@17216 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-10-15 12:42:03 +00:00
mvstanton@chromium.org
53194b44ba Allocation site tests aren't compatible with GcStress mode.
They make assumptions about elementskind of arrays based on allocation site
feedback. This feedback is highly dependent on mementos, unrooted objects
placed behind arrays in the heap meant to live until the next scavenge.

GcStress does many more gcs than normal, and wrecks havoc with this kind
of test.

BUG=
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/23449042

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16832 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-09-19 13:32:00 +00:00
mvstanton@chromium.org
59c32b6481 Transitions from DOUBLE to FAST were not checking for allocation site info.
This creates a confusing result. It's better to let allocation sites
transition to their end state than artificially stop tracking at the
double/fast boundary.

BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/22868004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@16820 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-09-19 09:48:50 +00:00
yangguo@chromium.org
cd41cb9b6d Turn on parallel recompilation for tests that assert optimization status.
R=mvstanton@chromium.org
BUG=

Review URL: https://codereview.chromium.org/19807002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15793 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-07-22 09:16:33 +00:00
mvstanton@chromium.org
10615aef7b AllocationSites: when updating allocation site transition information,
be careful to merge feedback appropriately. For example, one array may
have gone holey, and then another allocated at the same place instead
went DOUBLE but remained packed. In this case the ElementsKind
ultimately stored in the AllocationSite should be HOLEY_DOUBLE.

BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/18531007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15629 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-07-11 13:08:36 +00:00
mvstanton@chromium.org
b61dfd4a82 A bug in AllocationSite::GetMode(from, to) meant that we didn't update
boilerplates for SMI to SMI_HOLEY transitions.

BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/18917003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15617 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-07-11 09:39:22 +00:00
mvstanton@chromium.org
c1e19bfc35 Bugfix: The general array constructor stub did not handle the case
properly when it is called with a function pointer in the type cell,
instead assuming that an AllocationSite object should be present. The
case where this can happen is if the cell is uninitialized, then the
first constructor call made is to the Array function of a different
context. In that case, we'll store the function pointer in the cell,
and then go ahead and call the array constructor stub too. The bug is
fixed by checking for the AllocationSite object map. If not found, the
constructor stub goes forward with a default ElementsKind, just as in
several other cases.

A test in allocation-site-info.js was beefed up to make sure the state
chain described above is traversed.

BUG=
R=hpayer@chromium.org, hpayer@google.com

Review URL: https://codereview.chromium.org/18277006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15555 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-07-08 14:41:54 +00:00
mvstanton@chromium.org
faaa90d13c Allocation-site-info test, removed TODOs.
Some code was commented out earlier as a todo. Now the code can be reenabled,
because allocation site feedback is working there again.

BUG=
R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/18753005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15543 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-07-08 09:11:56 +00:00
mvstanton@chromium.org
83519ec87a Hydrogen array constructor cleanup and improvements
* Cleanup of LCallNewArray::PrintDataTo() method
* Created HCallNewArray::PrintDataTo()
* Created many more tests in array-constructor-feedback.js
* Removed redundant instructions in
  GenerateRecordCallTarget
* Bugfix in CreateArrayDispatchOneArgument: on a call to
  new Array(0), we'd like to set the type feedback cell to
  a packed elements kind, but we shouldn't do it if the
  cell contains the megamorphic sentinel.
* When used from crankshaft, ArrayConstructorStubs can
  avoid verifying that the function being called is the
  array function from the current native context, relying
  instead on the fact that crankshaft issues an
  HCheckFunction to protect the constructor call. (this
  new minor key is used in LCodeGen::DoCallNewArray(), and
  influences code generation in
  CodeStubGraphBuilderBase::BuildArrayConstructor()).
* Optimization: the array constructor specialized for
  FAST_SMI_ELEMENTS can save some instructions by looking
  up the correct map on the passed in constructor, rather
  than indexing into the array of cached maps per element
  kind.

BUG=
R=danno@chromium.org

Review URL: https://codereview.chromium.org/17091002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15383 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-28 13:16:14 +00:00
mvstanton@chromium.org
081134ecd1 Removed flag optimize-constructed-arrays.
This eliminates a large amount of hand-written assembly in the platforms.

BUG=
R=danno@chromium.org, mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/16453002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15328 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-25 16:31:07 +00:00
mvstanton@chromium.org
5b2c1a50d9 HCheckFunction is needed to protect new array constructors in
crankshafted code.

BUG=
R=danno@chromium.org

Review URL: https://codereview.chromium.org/16944006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15118 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-13 14:29:01 +00:00
mvstanton@chromium.org
a9a80fb422 Allocation type info advice consumed in bailout path leads to assert failure.
If the runtime is taken for a constructor like "new Array(100000)", where
allocation site info already led to an elements kind of DOUBLE, then the runtime
would fail to transition the array to dictionary mode. Better to recognize this
case and avoid wasting time by following the advice. Furthermore, it offers a
way to recognize that the array should be in dictionary mode (though a future
checkin will capitalize on that).

BUG=
R=danno@chromium.org

Review URL: https://codereview.chromium.org/15993012

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14966 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-06 09:26:30 +00:00
mvstanton@chromium.org
3d3c6b1599 Special Array constructor type feedback erroneously recorded when Array
was called as a function. Issue was found with optimize_constructed_array
turned on. This patch makes the fix, and turns the flag back on.

BUG=244461
R=danno@chromium.org

Review URL: https://codereview.chromium.org/16057005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14917 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-06-03 14:46:23 +00:00
mstarzinger@chromium.org
26e7936e27 Re-enable allocation-site-info test case.
R=svenpanne@chromium.org
TEST=mjsunit/allocation-site-info

Review URL: https://codereview.chromium.org/16192002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14867 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-29 08:29:25 +00:00
mvstanton@chromium.org
1a4482ab3f Missing type cell on ia32 from bindings.
Javascript constructors called from C++ code didn't have a type cell
properly filled in on ia32. This showed up as a bug in webkit bindings.
Re-enabled flag optimize-constructed-arrays.

BUG=
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/15870002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14775 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-23 13:45:33 +00:00
mvstanton@chromium.org
239b2830cc Turning off optimize-constructed-arrays to investigate a WebKit/bindings issue.
BUG=
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/15303002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14718 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-17 12:33:48 +00:00
mvstanton@chromium.org
31b8fc19c3 With flag optimize-constructed-arrays on, ARM and MIPS suffered a performance degrade due to incorrect code in GenerateRecordCallTarget().
The CL also enables flag optimize-constructed-arrays.

BUG=
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/14772043

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14692 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-15 15:17:01 +00:00
mvstanton@chromium.org
f5ad8e4469 Turn off optimize-constructed-arrays flag to investigate ARM perf issue
BUG=
R=danno@chromium.org

Review URL: https://codereview.chromium.org/14753007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14588 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-08 08:49:29 +00:00
mvstanton@chromium.org
d7b013de57 Becuase of cross-context calls, hydrogen-based Array constructor needs to ensure
the array constructor pointer passed in matches that of the current context.

BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/14846017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14581 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-05-07 21:01:53 +00:00
dslomov@chromium.org
1da21f1868 Revert "Flag optimize-constructed-arrays turned on."
This reverts commit r14491.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14492 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-30 11:23:34 +00:00
mvstanton@chromium.org
ff57a1062b Flag optimize-constructed-arrays turned on.
This routes array construction through a hydrogen stub, and enables use of
allocation site info tracking.

BUG=

Review URL: https://codereview.chromium.org/14616010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14490 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-30 08:22:05 +00:00
mvstanton@chromium.org
e751ad06d9 Constructed arrays can be created with Hydrogen code stubs. The feature is still off by default (--optimize-constructed-arrays).
BUG=

Review URL: https://codereview.chromium.org/12385014

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14441 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-25 16:00:32 +00:00
hpayer@chromium.org
2db9e62fc8 Build fast literals in hydrogen.
BUG=

Review URL: https://codereview.chromium.org/12880017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@14211 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-04-10 13:52:08 +00:00
mvstanton@chromium.org
c4caf766bf Allocation Info Tracking, continued.
Addresses missing cases for array literals.
Adds support for "new Array()" call sites. This isn't complete yet, I have to run with --noinline_new.

BUG=

Review URL: https://codereview.chromium.org/11818021

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13790 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-03-01 16:06:34 +00:00
mvstanton@chromium.org
90d0f18007 Incorrect ARM assembly in MacroAssembler::TestJSArrayForAllocationSiteInfo
Restored test code in allocation-site-info.js that was failing on ARM because of this bug.

BUG=

Review URL: https://codereview.chromium.org/12045017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13462 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-22 10:49:23 +00:00
mvstanton@chromium.org
c3746b4388 allocation-site-info.js broken on arm with new changes. Reverting to previous version until diagnosed.
Regress-2185.js test takes too long on slow path when allocation site info is discovered.

BUG=

Review URL: https://codereview.chromium.org/12049003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13456 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-21 16:15:08 +00:00
mvstanton@chromium.org
3414a514cd Fixed test failure.
A test case erroneously expected a transition to a double array, but the array remains FAST_SMI.

In person LGTM from Danno...
BUG=

Review URL: https://codereview.chromium.org/12038008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13447 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-21 13:21:53 +00:00
mvstanton@chromium.org
d7d917e6f0 Out of bounds memory access in TestJSArrayForAllocationSiteInfo.
The function intended to check the map pointer of an AllocationSiteInfo object, but neglected to
subtract an offset to do so.

BUG=169928

Review URL: https://codereview.chromium.org/11931037

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13444 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-21 12:26:29 +00:00
mvstanton@chromium.org
7884216804 Additional work to get array literal allocation tracking working, even with --always-opt
BUG=

Review URL: https://codereview.chromium.org/11817017

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@13406 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
2013-01-17 08:41:27 +00:00