Commit Graph

544 Commits

Author SHA1 Message Date
Benedikt Meurer
62649c8e7e [cleanup] Drop obsolete %StringCharCodeAt intrinsic.
The previous %StringCharCodeAt runtime entry (and the inlined intrinsic)
are obsolete and not used anymore (except in dedicated tests for this
runtime function), so remove it. And rename the %StringCharCodeAtRT
function, which is actually used to %StringCharCodeAt instead to have
a consistent naming scheme for runtime fallbacks.

Bug: v8:5049
Change-Id: I619429ef54f6efea61fc51ab9ed1d5cfe4417f99
Reviewed-on: https://chromium-review.googlesource.com/657719
Commit-Queue: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47928}
2017-09-08 15:45:44 +00:00
Jaroslav Sevcik
6e8c00f7df Introduce an Abort bytecode and turbofan operator.
The advantage of an explicit Abort that the interpreter and the compiler know
that aborting cannot continue or throw or deopt. As a result we generate less
code and we do not confuse the compiler if the environment is not set up for
throwing (as in the generator dispatch that fails validation in
crbug.com/762057).

Bug: chromium:762057
Change-Id: I3e88f78be32f31ac49b1845595255f802c405ed7
Reviewed-on: https://chromium-review.googlesource.com/657025
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47922}
2017-09-08 12:16:23 +00:00
Benedikt Meurer
1f3f8f3e69 [turbofan] Optimize Object constructor subclassing.
Add support to the JSCallReducer to recognize JSConstruct nodes where
the target is the Object constructor, and reduce them to JSCreate
nodes if either

 (a) no value is passed to the Object constructor, or
 (b) the target and new.target are definitely not identical, by checking
     whether both target and new.target are different HeapConstants
     (if they are not, then the JSCreateLowering will not be able to
     do a lot with the JSCreate anyways).

This should cover the relevant cases for subclassing appropriately. It
fixes the 3-4x slowdown on the micro-benchmark mentioned in the linked
bug,

  baseNoExtends: 752 ms.
  baseExtendsObject: 752 ms.
  baseExtendsViaFactory: 751 ms.

and thus removes the performance cliff.

R=jarin@chromium.org

Bug: v8:6801
Change-Id: Id265fd1399302a67b5790a6d0156679920c58bdd
Reviewed-on: https://chromium-review.googlesource.com/657019
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47913}
2017-09-08 07:57:52 +00:00
Benedikt Meurer
5fe0c6c63e [test] Increase for..in test coverage for optimized code.
Bug: v8:6702
Change-Id: I6e2fc1a56035b9841ad5c71504b74a89d7259ad1
Reviewed-on: https://chromium-review.googlesource.com/651366
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47851}
2017-09-06 13:57:32 +00:00
Jaroslav Sevcik
ae28e0cff1 Revert "[turbofan] Reland^2 "Polymorphic inlining - try merge map check dispatch with function call dispatch.""
This reverts commit 8cf4aafc21.

Reason for revert: Likely crashes Canary.

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Mac%27%20AND%20product.version%3D%2763.0.3207.0%27%20AND%20custom_data.ChromeCrashProto.channel%3D%27canary%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3Ainternal%3A%3Acompiler%3A%3AGraphTrimmer%3A%3ATrimGraph%27&sql_dialect=dremelsql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D&unnest=

Original change's description:
> [turbofan] Reland^2 "Polymorphic inlining - try merge map check dispatch with function call dispatch."
> 
> This reverts commit e26e6d8857.
> 
> Bug: chromium:758096
> Change-Id: I1d8ecda995c93c84a9a3c24da041fdb730dbd3b2
> Reviewed-on: https://chromium-review.googlesource.com/628169
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47812}

TBR=jarin@chromium.org,tebbi@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:758096
Change-Id: I96b62d08efa25ac1ead30e08401919d42a20ca1b
Reviewed-on: https://chromium-review.googlesource.com/652370
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47845}
2017-09-06 11:41:28 +00:00
Jaroslav Sevcik
4bce2509a8 [turbofan] Fix truncation for number feedback.
Checked number is not automatically truncating to float64.

Bug: chromium:761892
Change-Id: I34bd5d7867cd38b2be18cd39a810605603f515e2
Reviewed-on: https://chromium-review.googlesource.com/649513
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47824}
2017-09-05 14:48:08 +00:00
Jaroslav Sevcik
8cf4aafc21 [turbofan] Reland^2 "Polymorphic inlining - try merge map check dispatch with function call dispatch."
This reverts commit e26e6d8857.

Bug: chromium:758096
Change-Id: I1d8ecda995c93c84a9a3c24da041fdb730dbd3b2
Reviewed-on: https://chromium-review.googlesource.com/628169
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47812}
2017-09-05 07:32:16 +00:00
Juliana Franco
d5c1730a27 [Test] Deoptimization and exception.
Simple example with exception handling and deoptimization.

BUG=v8:6563

Change-Id: I0a82b72e10f12355b2eb351fde3c1be84455da66
Reviewed-on: https://chromium-review.googlesource.com/645854
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47755}
2017-09-01 04:17:56 +00:00
Jaroslav Sevcik
b1c1228981 [turbofan] Fix arm backend matching of (x >>> 24) & 0xffff.
We emitted rotation by 24 bits with bitwise and, but that is wrong
because the low 8 bits can wrap around and "leak" into the result.

Bug: chromium:739902
Change-Id: Id49251e89405afb1581b8c60cde808c2d8bf693d
Reviewed-on: https://chromium-review.googlesource.com/645848
Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47746}
2017-08-31 13:50:07 +00:00
Benedikt Meurer
226e63fc13 [turbofan] Fold Object constructor calls with certain values.
When calling

  Object(value)

where the value is known to be a JSReceiver, we can just replace it with
value, as the Object constructor call is a no-op in that case. Otherwise
when value is known to be not null or undefined then we can replace the
Object constructor call with an invocation of ToObject.

This covers the common pattern found in bundles generated by Webpack,
where the Object constructor is used to call imported functions, i.e.

  Object(module.foo)(1, 2, 3)

There's a lot of detail in https://github.com/webpack/webpack/issues/5600
on this matter and why this pattern was chosen.

Bug: v8:6772
Change-Id: I2b4f0b4542b68b97b337ce571d6d79946c73d8bb
Reviewed-on: https://chromium-review.googlesource.com/643868
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47728}
2017-08-31 06:36:06 +00:00
Jaroslav Sevcik
a529f128a3 [turbofan] Retype ConvertTaggedHoleToUndefined in representation selection.
Bug: chromium:758983
Change-Id: Iea65c6c6330b4eed0969eee1f8b261e1446771f5
Reviewed-on: https://chromium-review.googlesource.com/640382
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47669}
2017-08-29 08:56:07 +00:00
Jaroslav Sevcik
cf65162ae6 [turbofan] Work around lowering uninhabited ReferenceEqual.
This change prevents constant folding of uninhabited RefenceEqual node
because that could widen a type (from None type to the type of the
boolean constant).

Hopefully, this is a temporary workaround that will be replaced
by a better dead code elimination.

Bug: v8:6631
Change-Id: Ie25e7d710aaf1d37c9adba60f92438570843dd5d
Reviewed-on: https://chromium-review.googlesource.com/627916
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47545}
2017-08-23 10:45:26 +00:00
Tobias Tebbi
14b8db68bf [turbofan] escape analysis: support type None as ObjectState input
Bug: chromium:753616
Change-Id: I0e9495184d83f30b91ba0c813c4222a962ec235e
Reviewed-on: https://chromium-review.googlesource.com/610003
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47278}
2017-08-10 13:00:27 +00:00
Michael Starzinger
45b4522e40 [fullcodegen] Remove --stress-fullcodegen flag.
This is in preparation to the removal of the FullCodeGenerator, we no
longer need the ability to stress the underlying implementation.

R=rmcilroy@chromium.org
BUG=v8:6409

Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Iad3177d6de4a68b57c12a770b6e85ed7a9710254
Reviewed-on: https://chromium-review.googlesource.com/584747
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47276}
2017-08-10 09:52:49 +00:00
Tobias Tebbi
688689d309 [turbofan] new escape analysis reducer: look through newly introduced typeguards
Bug: chromium:752438
Change-Id: I6e168f0e8101cf9f28915ca94c40d408ed75d079
Reviewed-on: https://chromium-review.googlesource.com/603612
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47203}
2017-08-07 17:33:27 +00:00
Jaroslav Sevcik
aaac2f8e66 [Test] Test case for the GC failure with non-patching lazy deopt.
Bug: v8:6563
Change-Id: Id4578b90133ef4a6797233ff0e859ddc3dfbb54f
Reviewed-on: https://chromium-review.googlesource.com/599848
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47165}
2017-08-04 12:34:47 +00:00
Tobias Tebbi
68fb62152a Reland2: [turbofan] staging new implementation of escape analysis
Reland of https://chromium-review.googlesource.com/c/591667/, removing thread-local variable

Bug: 
Change-Id: Ia9bc73be4a46a6bf052220726193c8b6634eb73e
Reviewed-on: https://chromium-review.googlesource.com/593559
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47001}
2017-07-31 10:01:07 +00:00
Tobias Tebbi
c87a3ddaf1 Revert "Reland: [turbofan] staging new implementation of escape analysis"
This reverts commit ccd8bb692b.

Reason for revert: https://build.chromium.org/p/client.v8.fyi/builders/Mac%20Release%20%28Intel%29/builds/2643

Original change's description:
> Reland: [turbofan] staging new implementation of escape analysis
> 
> Reland of https://chromium-review.googlesource.com/c/565720, fixing compilation issues on the waterfall.
> 
> Bug: 
> Change-Id: Ide4f1ea4470e946820edc990c9bf027f04844efe
> Reviewed-on: https://chromium-review.googlesource.com/591667
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46975}

TBR=jarin@chromium.org,tebbi@chromium.org

Change-Id: I30016fd8d71535c02bab8678b02147195c3e97a6
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/591672
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46980}
2017-07-28 19:16:17 +00:00
Tobias Tebbi
ccd8bb692b Reland: [turbofan] staging new implementation of escape analysis
Reland of https://chromium-review.googlesource.com/c/565720, fixing compilation issues on the waterfall.

Bug: 
Change-Id: Ide4f1ea4470e946820edc990c9bf027f04844efe
Reviewed-on: https://chromium-review.googlesource.com/591667
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46975}
2017-07-28 14:29:34 +00:00
Tobias Tebbi
8616be0c94 Revert "[turbofan] staging new implementation of escape analysis"
This reverts commit d230b44f0c.

Reason for revert: compile errors on the waterfall

Original change's description:
> [turbofan] staging new implementation of escape analysis
> 
> Bug: 
> Change-Id: Idebe4fa6d651a404a0dc1947ed4a34a8dc9707a9
> Reviewed-on: https://chromium-review.googlesource.com/565720
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46966}

TBR=mstarzinger@chromium.org,jarin@chromium.org,tebbi@chromium.org

Change-Id: I73c3cb270d498aeb181e31bad04f1c73d5ca6741
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/591370
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46968}
2017-07-28 12:18:38 +00:00
Tobias Tebbi
d230b44f0c [turbofan] staging new implementation of escape analysis
Bug: 
Change-Id: Idebe4fa6d651a404a0dc1947ed4a34a8dc9707a9
Reviewed-on: https://chromium-review.googlesource.com/565720
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46966}
2017-07-28 11:45:25 +00:00
Leszek Swirski
1c02987d2d [compiler] Kill the deoptimized too many times bailout
With TurboFan, there should no longer be any deopt loops (aside from
bugs). So, the "too many deopts" bailout is no longer needed, at least
in its current form.

This fixes an issue where deopt counts are leaked between native
contexts, resulting in optimization being disabled unnecessarily.

Bug: v8:6402
Change-Id: Ia06374ae6b5c2d473bcdd8eef1284bf02766c2fb
Reviewed-on: https://chromium-review.googlesource.com/588894
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46961}
2017-07-28 10:08:29 +00:00
Juliana Franco
337f38e0ec Deoptimizer tests
Adding (very) small tests for deoptimization.
Some of these tests were failing when the safepoints were not found,
after setting the return address.

BUG=V8:6563

Change-Id: I3af36b193a5982cd73414cc1884c5f0a7a727f5a
Reviewed-on: https://chromium-review.googlesource.com/584751
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Juliana Patricia Vicente Franco <jupvfranco@google.com>
Cr-Commit-Position: refs/heads/master@{#46922}
2017-07-27 07:21:46 +00:00
Alexandre Talon
231bb1a2ec [Turbofan] Merged the OSR phase into the graph building phase (reland)
Reland of https://chromium-review.googlesource.com/c/543042/.

Now the OSR phase is only used when OSRing from the ast graph builder.
When OSRing from Turbofan, the implementation is now in the graph
building phase, at the beginning of the VisitBytecode function.
We are no longer generating any OSRLoopEntry or OSRNormalEntry nodes,
nor nodes for the possible code of the OSRed function which is before
the OSRed loops.

The trimming and reducing of the OSR phase is not done either. This
change in the way the way the OSR is done enabled to remove the
workaround to the bug mentioned below.

Bug: v8:6112
Bug: v8:6518
Change-Id: Ia02f2138f54fc79cab2f02fed68d9bb522d6ce14
Reviewed-on: https://chromium-review.googlesource.com/584756
Commit-Queue: Alexandre Talon <alexandret@google.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46899}
2017-07-26 13:15:16 +00:00
Peter Marshall
e8c9649e25 [builtins] Increase the maximum string length on 64-bit platforms.
Increase from 2^28 - 16 to 2^30 - 25 for 64-bit platforms.

Bug: v8:6148
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I3529d7ed757a7ab49a001af8641cf888db171cdb
Reviewed-on: https://chromium-review.googlesource.com/570047
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46838}
2017-07-24 10:38:55 +00:00
Ross McIlroy
5d0a4327c7 Revert "[Turbofan] Merged the OSR phase into the graph building phase."
This reverts commit 69c8f16da7.

Reason for revert: Causing crashes on Clusterfuzz - http://crbug.com/747154

BUG=chromium:747154

Original change's description:
> [Turbofan] Merged the OSR phase into the graph building phase.
> 
> Now the OSR phase is only used when OSRing from the ast graph builder.
> When OSRing from Turbofan, the implementation is now in the graph
> building phase, at the beginning of the VisitBytecode function.
> We are no longer generating any OSRLoopEntry or OSRNormalEntry nodes,
> nor nodes for the possible code of the OSRed function which is before
> the OSRed loops.
> 
> The trimming and reducing of the OSR phase is not done either. This
> change in the way the way the OSR is done enabled to remove the
> workaround to the bug mentioned below.
> 
> Bug: v8:6112
> Bug: v8:6518
> Change-Id: I1c9231810b923486d55ea618d550d981d695d797
> Reviewed-on: https://chromium-review.googlesource.com/543042
> Commit-Queue: Alexandre Talon <alexandret@google.com>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46801}

TBR=rmcilroy@chromium.org,mstarzinger@chromium.org,leszeks@chromium.org,alexandret@google.com

Change-Id: Ifa9bf5d86e888a47cad7fb10446b36fda5029604
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6112, v8:6518
Reviewed-on: https://chromium-review.googlesource.com/581288
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46817}
2017-07-21 11:12:51 +00:00
Alexandre Talon
69c8f16da7 [Turbofan] Merged the OSR phase into the graph building phase.
Now the OSR phase is only used when OSRing from the ast graph builder.
When OSRing from Turbofan, the implementation is now in the graph
building phase, at the beginning of the VisitBytecode function.
We are no longer generating any OSRLoopEntry or OSRNormalEntry nodes,
nor nodes for the possible code of the OSRed function which is before
the OSRed loops.

The trimming and reducing of the OSR phase is not done either. This
change in the way the way the OSR is done enabled to remove the
workaround to the bug mentioned below.

Bug: v8:6112
Bug: v8:6518
Change-Id: I1c9231810b923486d55ea618d550d981d695d797
Reviewed-on: https://chromium-review.googlesource.com/543042
Commit-Queue: Alexandre Talon <alexandret@google.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46801}
2017-07-20 17:10:05 +00:00
Tobias Tebbi
a224eff455 [turbofan] escape analysis: fix typing of new phi nodes
Bug: chromium:744584
Change-Id: Ie25c2ba63e4764f359de38e53c2f3f3222877e0e
Reviewed-on: https://chromium-review.googlesource.com/577690
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46792}
2017-07-20 13:04:02 +00:00
Mythri
3e47cb87d6 [Turbofan] Use bytecode size for inlining heuristics.
Inlining heuristics in Turbofan used ast node count. Bytecode size
is a better approximation of the size of the graph than the
ast node count. This cl changes the heuristics to use the bytecode
size instead. Also removing the ast_node_count filed in the shared
function info. It was used only for the inlining heuristics.

Also removed the max_inlined_source_size flag which is no longer used.

Bug: 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I8a2d2509c8e8d2779b33b817bb217de203d54ec3
Reviewed-on: https://chromium-review.googlesource.com/570055
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46771}
2017-07-19 17:01:55 +00:00
Ross McIlroy
2da7a9b110 [Ignition / TurboFan] Revert all StringConcat bytecode implementation.
There remained a few of regressions and we didn't see any significant
improvement in the real world with this turned on. This CL reverts all the
StringConcat bytecode work which landed.

BUG=v8:6243

Change-Id: I832eb72e880ad41411dbec8fe29f71ef0f2025c8
Reviewed-on: https://chromium-review.googlesource.com/575130
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46769}
2017-07-19 16:03:46 +00:00
Adam Klein
1769f892ce [cleanup] Remove always-off support for tail calls
The tail call implementation is hidden behind the --harmony-tailcalls
flag, which is off-by-default (and has been unstaged since February).
It is known to be broken in a variety of cases, including clusterfuzz
security issues (see sample Chromium issues below). To avoid letting
the implementation bitrot further on trunk, this patch removes it.

Bug: v8:4698, chromium:636914, chromium:724746
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng;master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I9cb547101456a582374fdf7b1a3f044a9ef33e5c
Reviewed-on: https://chromium-review.googlesource.com/569069
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46651}
2017-07-13 19:29:05 +00:00
Ross McIlroy
632221acc5 [Compiler] Remove unnecessary UseTurboFan function and turbo_asm flag.
These are no longer necessary since we only have one optimizing compiler.
Also avoid changing --turbo-filter when --no-opt is set, and instead
explicitly check both the FLAG_opt and FLAG_turbo_filter in 
GetOptimizedCode to check whether optimization is disabled.

BUG=v8:6408

Change-Id: I0948f788e8ff111c08022270d86c22f848da300a
Reviewed-on: https://chromium-review.googlesource.com/568484
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46648}
2017-07-13 16:53:46 +00:00
Michael Starzinger
05f3b27cdd Reland "[flags] Remove some dead Crankshaft flags."
This is a reland of ec6da23bfe
Original change's description:
> [flags] Remove some dead Crankshaft flags.
> 
> R=bmeurer@chromium.org
> BUG=v8:6408
> 
> Change-Id: I34abbcdc2fc47df44938bac0e59f9982c935c657
> Reviewed-on: https://chromium-review.googlesource.com/569963
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46631}

Bug: v8:6408
Change-Id: I8a856e25d56e27bccb79588b2e5ee4369d7c5fe5
Reviewed-on: https://chromium-review.googlesource.com/570050
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46637}
2017-07-13 13:15:34 +00:00
Ross McIlroy
05207b098a [Interpreter] Replace --ignition flag with a --stress-fullcodegen
Removes the --ignition flag which is now on by default. Adds a
--stress-fullcodegen flag which enables running all functions supported
by fullcodegen to be compiled by fullcodegen.

This will enable moving parser internalization later when we are not
stressing fullcodegen or compiling asm.js functions.

BUG=v8:5203, v8:6409, v8:6589

Change-Id: I7fa68016d4e734755434ec0b4e749ef65ffa7f4e
Reviewed-on: https://chromium-review.googlesource.com/565569
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46635}
2017-07-13 13:05:00 +00:00
Michael Starzinger
5d16e866e7 Revert "[flags] Remove some dead Crankshaft flags."
This reverts commit ec6da23bfe.

Reason for revert: Requires infrastructure changes first. Will reland after changes have happened.

Original change's description:
> [flags] Remove some dead Crankshaft flags.
> 
> R=​bmeurer@chromium.org
> BUG=v8:6408
> 
> Change-Id: I34abbcdc2fc47df44938bac0e59f9982c935c657
> Reviewed-on: https://chromium-review.googlesource.com/569963
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46631}

TBR=mstarzinger@chromium.org,bmeurer@chromium.org

Change-Id: Iee077911ae7d877c6a9d2edb548e3c04345b47ce
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6408
Reviewed-on: https://chromium-review.googlesource.com/570049
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46632}
2017-07-13 12:24:56 +00:00
Michael Starzinger
ec6da23bfe [flags] Remove some dead Crankshaft flags.
R=bmeurer@chromium.org
BUG=v8:6408

Change-Id: I34abbcdc2fc47df44938bac0e59f9982c935c657
Reviewed-on: https://chromium-review.googlesource.com/569963
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46631}
2017-07-13 11:56:14 +00:00
Camillo Bruni
36421dc467 [literals] Disable double lazy boilerplate for literals containing Arrays
By creating the boilerplate only on the second instantiation we cannot
propagate back the elements transitions early enough. The resulting literals
would change the initial ElementsKind one step too late and already pollute
ICs that went to monomorphic state.

- Disable lazy AllocationSites for literals containing arrays
- Introduce new ComplexLiteral class to share code between ObjectLiteral
  and ArrayLiteral
- RegexpLiteral now no longer needs a depth_ field

Bug: v8:6517, v8:6519, v8:6211
Change-Id: Ia88d1878954e8895c3d00a7dda8d71e95bba005c
Reviewed-on: https://chromium-review.googlesource.com/563305
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46603}
2017-07-12 19:11:04 +00:00
Ross McIlroy
d8d8f8b316 [TurboFan] Add constant folding for StringConcat to NativeContextSpecialization.
Adds constant folding for the StringConcat bytecode to
NativeContextSpecialization. Can reduce operator to either a fully folded
constant string, or a JSAdd or a StringConcat with a reduced number of
operators.

BUG=v8:6243, chromium:738312

Change-Id: I6b2be6a3d95230a23f3c7390a4f7be5181c49a2a
Reviewed-on: https://chromium-review.googlesource.com/559146
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46461}
2017-07-06 22:37:32 +00:00
Camillo Bruni
bbc89774a6 [runtime] Enable double-lazy boilerplate creation again
This mostly reverts commit c503b80595 but fixes
an issue where literals would always be pretenured on first instantiation.

As a cleanup we pass in a PretenureFlag instead of using the FeedbackVector as
indicator.

Bug: v8:6211
Change-Id: Id328552620e33f5083519bcba1e24396d162d516
Reviewed-on: https://chromium-review.googlesource.com/555670
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46342}
2017-06-30 09:30:17 +00:00
Michael Starzinger
95a436b271 [turbofan] Lower {JSToObject} nodes inside try-block.
This adds support for lowering of nodes having the {JSToObject} operator
even if they have exceptional control projections (e.g. are inside of a
try-block).

R=bmeurer@chromium.org
TEST=mjsunit/compiler/optimized-with

Change-Id: I711ff4935db68c43243a971a8b21989487c86317
Reviewed-on: https://chromium-review.googlesource.com/554628
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46318}
2017-06-29 12:27:19 +00:00
Michael Starzinger
2f5e0bac8d [turbofan] Lower {JSCreateArray} nodes inside try-block.
This adds support for lowering of nodes having the {JSCreateArray}
operator even if they have exceptional control projections (e.g. are
placed inside a try-block).

R=mvstanton@chromium.org
TEST=mjsunit/compiler/array-constructor

Change-Id: I2fe34dbb3729b4763471f2638a960b01c531c038
Reviewed-on: https://chromium-review.googlesource.com/554732
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46315}
2017-06-29 10:26:35 +00:00
jarin
e14c4c9592 [turbofan] Add toLowerCase, toUpperCase operators to the infamous escape analysis list.
BUG=chromium:733181

Review-Url: https://codereview.chromium.org/2962853002
Cr-Commit-Position: refs/heads/master@{#46279}
2017-06-28 11:12:24 +00:00
Ross McIlroy
6321916c46 [TurboFan] Ensure typer knows all inputs to StringConcat are Strings.
Adds a CheckString to all operand inputs of JSStringConcat. The operands are
already known to be strings, so this will get eliminated in almost all cases,
however, if there is a yield within the concatenation then we lose the
knowledge that the previous operands are strings since the values are loaded
from the generator object. Adds a test for this case.

BUG=v8:6243

Change-Id: I1601a316e6efbed1c53486f1027cb0ea023ff030
Reviewed-on: https://chromium-review.googlesource.com/549301
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46243}
2017-06-27 11:07:25 +00:00
jarin
bdf1b0a84a [turbofan] Fix an assertion in representation selection for BooleanNot.
BUG=chromium:736567

Review-Url: https://codereview.chromium.org/2962503002
Cr-Commit-Position: refs/heads/master@{#46216}
2017-06-26 13:49:06 +00:00
Camillo Bruni
c503b80595 [runtime] Enable eager boilerplate creation again
This partially reverts commit 015edc60ff.

Reason for revert: Performance regression on richards

Bug: v8:6211
Change-Id: Ib69a1ed90b2015addcc54d7f299bdd654d964b54
Reviewed-on: https://chromium-review.googlesource.com/544992
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46174}
2017-06-23 13:12:06 +00:00
Michael Starzinger
8d921ca7f3 [turbofan] Remove --turbo shorthand for --turbo-filter.
This removes the --turbo flag and solely relies on the filter pattern
provided via --turbo-filter when deciding whether to use TurboFan. Note
that disabling optimization wholesale can still be done with --no-opt,
which should be used in favor of --no-turbo everywhere.

Also note that this contains semantic changes to the TurboFan activation
criteria. We respect the filter pattern more stringently and no longer
activate TurboFan just because the source contains patterns forcing use
of Ignition via {AstNumberingVisitor::DisableFullCodegenAndCrankshaft}.

R=rmcilroy@chromium.org
BUG=v8:6408

Change-Id: I0c855f6a62350eb62283a3431c8cc1baa750950e
Reviewed-on: https://chromium-review.googlesource.com/528121
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46167}
2017-06-23 11:19:19 +00:00
Ross McIlroy
69a645d3c6 [TurboFan] Enable typed lowering of JSStringConcat to ConsString allocation.
Adds typed lowering of JSStringConcat to ConsString allocation if the
following conditions hold:
 - All concatinations will result in a ConsString of >= ConString::kMinLength
 - No concatinations will result in a empty string in the RHS unless there is
   a sequential string in the LHS.

This also means JSStringConcat needs an eager checkpoint since it can
deopt if throwing a RangeError when the string length protector is valid.

BUG=v8:6243

Change-Id: I01ca79f884df467c10f2c032c72d51b5199c1a3c
Reviewed-on: https://chromium-review.googlesource.com/526636
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46093}
2017-06-21 13:31:45 +00:00
bmeurer
217012973c [turbofan] Introduce new JSConstructWithArrayLike operator.
Add a new JSConstructWithArrayLike operator that is backed by the
ConstructWithArrayLike builtin (similar to what was done before
for the JSCallWithArrayLike operator), and use that operator to
optimize Reflect.construct inlining in TurboFan. This is handled
uniformly with JSConstructWithSpread in the JSCallReducer.

Also add missing test coverage for Reflect.construct in optimized
code, especially for some interesting corner cases.

R=petermarshall@chromium.org
BUG=v8:4587,v8:5269

Review-Url: https://codereview.chromium.org/2949813002
Cr-Commit-Position: refs/heads/master@{#46087}
2017-06-21 12:31:59 +00:00
bmeurer
767ce78871 [turbofan] Introduce new JSCallWithArrayLike operator.
Add a new JSCallWithArrayLike operator that is backed by the
CallWithArrayLike builtin, and use that operator for both
Function.prototype.apply and Reflect.apply inlining. Also unify
the handling of JSCallWithArrayLike and JSCallWithSpread in
the JSCallReducer to reduce the copy&paste overhead.

Drive-by-fix: Add a lot of test coverage for Reflect.apply and
Function.prototype.apply in optimized code, especially for some
corner cases, which was missing so far.

BUG=v8:4587,v8:5269
R=petermarshall@chromium.org

Review-Url: https://codereview.chromium.org/2950773002
Cr-Commit-Position: refs/heads/master@{#46041}
2017-06-20 12:36:43 +00:00
Peter Marshall
a971a64d1c [runtime] Port SpreadCall code to CSA.
We can remove a lot of native code and rely on CallOrConstructVarargs
to do the stack manipulation for us.

This will also take advantage of the fast-path for double arrays in
CallOrConstructDoubleVarargs.

We can also remove Runtime_SpreadIterableFixed because it isn't used
anymore. We just call directly into spread_iterable from CSA.

Bug: v8:6488, chromium:704966
Change-Id: I81a18281f062619851134fff7ce88471566ee3b5
Reviewed-on: https://chromium-review.googlesource.com/535615
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46038}
2017-06-20 11:44:02 +00:00