The access check is generated as a:
- Equality check of an execution-time and a compile-time native contexts
for primitive receivers.
- Equality check of an execution-time and a compile-time native contexts
or equality check of a respective security tokens for global proxy receivers.
- No-op for other kinds of receivers.
BUG=v8:5561
Review-Url: https://codereview.chromium.org/2482913002
Cr-Commit-Position: refs/heads/master@{#40829}
This CL adds support for primitive maps to
1) PrototypeIterator,
2) PropertyHandlerCompiler::CheckPrototypes(),
3) Map::GetOrCreatePrototypeChainValidityCell(),
4) Prototype checks in data-driven ICs.
BUG=v8:5561
Review-Url: https://codereview.chromium.org/2466553002
Cr-Commit-Position: refs/heads/master@{#40673}
The reasons are:
1) Type feedback vectors are not shared between different native contexts and
therefore the IC handler created for one native context will not be reused
in other native context.
2) Access rights revocation is not supported at all, therefore given (1) once
we pass the access check we don't have to check access rights again.
BUG=v8:5561
Review-Url: https://codereview.chromium.org/2455953002
Cr-Commit-Position: refs/heads/master@{#40627}
Introduce AccessCompilerData which hangs off the Isolate, and initialize
it when the first PropertyAccessCompiler is instantiated. This avoids
TSAN failures when trying to access load/store calling convention arrays.
BUG=v8:5427
Review-Url: https://codereview.chromium.org/2389313002
Cr-Commit-Position: refs/heads/master@{#40055}
According to new store IC calling convention the value, slot and vector are passed
on the stack and there's no need in trying to preserve values or respective registers
in store handlers.
Nice bonus: we also don't need virtual registers anymore.
BUG=v8:5407
Review-Url: https://codereview.chromium.org/2357323003
Cr-Commit-Position: refs/heads/master@{#39672}
This will allow to simplify the miss part of store IC handlers when we decide
to pass value/slot/vector on the stack.
BUG=v8:5407
Review-Url: https://codereview.chromium.org/2351643005
Cr-Commit-Position: refs/heads/master@{#39549}
This CL also cleans up related interface descriptors:
1) unused StoreTransitionDescriptor is removed and VectorStoreTransitionDescriptor is
renamed to StoreTransitionDescriptor.
2) on ia32/x87 architectures slot and vector are passed on the stack (dispatcher/handlers
cleanup will be addressed in a separate CL).
These two stub ports have to be combined in one CL because:
1) without changing the StoreTransitionDescriptor TF was not able to compile them
on ia32/x87 (because of lack of registers),
2) it was not possible to change the descriptor first because Crankshaft was not able
to deal with the stack allocated parameters in case of a stub failure.
TBR=jkummerow@chromium.org
BUG=v8:5269
Review-Url: https://codereview.chromium.org/2313093002
Cr-Commit-Position: refs/heads/master@{#39476}
This CL fixes weird performance implications when changing layout of Code::flags field:
it happened that the unused ICStateField with MONOMORPHIC value in the handlers' flags
was accidentally offsetting the underflow bug in stub cache probing code on arm, arm64,
mips and mips64.
Stub cache tests now work even when snapshot is enabled.
Drive-by-change: Fixed counters manipulation on arm64 and mips64.
BUG=chromium:618701
Review-Url: https://codereview.chromium.org/2161153002
Cr-Commit-Position: refs/heads/master@{#37910}
Reason for revert:
Unfortunately, the performance issues are still there on Android.
Original issue's description:
> [ic] [stubs] Don't use Code::flags in megamorphic stub cache hash computations.
>
> This should avoid weird performance issues when changing layout of Code::flags field.
>
> BUG=chromium:618701
>
> Committed: https://crrev.com/aa4140b1ccc114b82700471513c715f68b7c5dac
> Cr-Commit-Position: refs/heads/master@{#37755}
TBR=jkummerow@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:618701
Review-Url: https://codereview.chromium.org/2147213004
Cr-Commit-Position: refs/heads/master@{#37801}
All stores require a Slot parameter so VectorStoreICTrampolineDescriptor is a new StoreDescriptor.
VectorStoreICDescriptor renamed to StoreWithVectorDescriptor.
Review-Url: https://codereview.chromium.org/2147043002
Cr-Commit-Position: refs/heads/master@{#37779}
This should avoid weird performance issues when changing layout of Code::flags field.
BUG=chromium:618701
Review-Url: https://codereview.chromium.org/2147433002
Cr-Commit-Position: refs/heads/master@{#37755}
This CL also combines Runtime::GetGlobalInsideTypeof and Runtime::kGetGlobalNotInsideTypeof
to Runtime::GetGlobal with explicit typeof_mode parameter.
Drive-by-fix: tail call to correct Slow builtin from LoadCallback handlers when --runtime-call-stats is on.
BUG=chromium:576312
Review-Url: https://codereview.chromium.org/2144643004
Cr-Commit-Position: refs/heads/master@{#37710}
After this CL we can avoid using Code::flags in hash computations for megamorphic
stub caches and therefore the unused ICState field can be finally removed from flags.
BUG=chromium:618701
Review-Url: https://codereview.chromium.org/2123983004
Cr-Commit-Position: refs/heads/master@{#37708}
Now LookupIterator follows the same pattern of prepare transition, apply transition
and write value when adding new properties to dictionary objects.
JSGlobalObject case:
* Prepare transition phase ensures that there is a "transition" property cell
prepared for receiving a value.
* Apply transition phase does nothing.
* Prepare for data property phase ensures that the existing property cell can
receive the value.
* Write value phase writes value directly to the current property cell.
JSObject case:
* Prepare transition phase prepares the object for receiving a data value (which
could switch an object to dictionary mode).
* Apply transition phase migrates object to a transition map. If the map happened
to be a dictionary mode object's map then an uninitialized entry added to the
properties dictionary.
* Prepare for data property phase does nothing.
* Write value phase just puts value to the properties dictionary.
BUG=chromium:576312
Review-Url: https://codereview.chromium.org/2127583002
Cr-Commit-Position: refs/heads/master@{#37585}
When running with FLAG_runtime_call_stats, native accessor accesses must
go through the runtime for accurate accounting. Previously the slow_stub()
was used as a handler in order to accomplish this, but it could never be
looked up from the code cache successfully due to mismatched code flags,
which could cause more handler recompilations than in normal operation.
This patch fixes that by emitting a runtime call into the compiled
handler instead of using the slow_stub().
Drive-by cleanup: drop the unused StoreIC_Megamorphic builtin.
Review-Url: https://codereview.chromium.org/2054133002
Cr-Commit-Position: refs/heads/master@{#36926}
Passing in the isolate and pointer compare the instnance against the
corresponding constant is always faster than decoding the instance types.
BUG=
Review-Url: https://codereview.chromium.org/2028983002
Cr-Commit-Position: refs/heads/master@{#36744}
For cross-compiler-compatibility and standards compliance %p
requires a void*, rather than any pointer type.
BUG=chromium:474921
Review-Url: https://codereview.chromium.org/2001073002
Cr-Commit-Position: refs/heads/master@{#36466}
This flag has been on by default for a while, along with
FLAG_track_prototype_users which provides the prerequisite
infrastructure. We are now sure that this is the direction
we want to go in, so in order to simplify the code, this CL
drops the respective flag-off code paths.
Review-Url: https://codereview.chromium.org/1993913002
Cr-Commit-Position: refs/heads/master@{#36445}
The feature was deprecated in M49 and flagged off in M50.
This patch removes it entirely from the codebase.
Review URL: https://codereview.chromium.org/1909433003
Cr-Commit-Position: refs/heads/master@{#35714}
Otherwise the megamorphic stubcache will miss. It only probes for
non-keyed handlers.
BUG=
Review URL: https://codereview.chromium.org/1883533003
Cr-Commit-Position: refs/heads/master@{#35492}
The previous code cache system required stubs to be marked with a StubType, causing them to be inserted either into a fixed array or into a dictionary-mode code cache. This could cause names to be in both cases, and lookup would just find the "fast" one first. Given that we clear out the caches on each GC, the memory overhead shouldn't be too bad. Additionally, the dictionary itself should just stay linear for small arrays; that's faster anyway.
This CL additionally deletes some dead IC code.
BUG=
Review URL: https://codereview.chromium.org/1846963002
Cr-Commit-Position: refs/heads/master@{#35291}
The HandlerCompiler did not properly handle the weird edge case when a
sloppy mode function was installed as an accessor on one of the value
wrapper prototypes and then accessed via a load from a primitive value.
In this case we just passed the primitive value untouched instead of
properly wrapping it first. The CallFunction builtin properly deals with
all the funny edge cases, so we use it instead of duplicating almost all
of the logic here (the performance difference is neglible).
R=verwaest@chromium.org
BUG=chromium:599073, v8:4413
LOG=n
Review URL: https://codereview.chromium.org/1845243005
Cr-Commit-Position: refs/heads/master@{#35187}
- Eliminate stubs with a variable number of arguments.
(That only worked due to their very limited use. These
stubs' interface descriptors were basically lying
about their number of args, which will fail when used
generically.)
- Fix all CallApi*Stubs' interface descriptors to no
longer lie about their arguments.
- Unify CallApi*Stub, for * in Function, Accessor,
FunctionWithFixedArgs.
(Since these are now all doing the same thing.)
- Rename the unified stub (and interface descriptors) to
*ApiCallback*, since that's really what they're doing.
- Refuse inlining an API callback if its number of
parameters exceeds the supported number of args.
BUG=
Committed: https://crrev.com/d238b953a474272c0e3ea22ef6a9b63fa9729340
Cr-Commit-Position: refs/heads/master@{#34614}
Review URL: https://codereview.chromium.org/1748123003
Cr-Commit-Position: refs/heads/master@{#34627}
Reason for revert:
Breaks Chromium.
Original issue's description:
> Rework CallApi*Stubs.
>
> - Eliminate stubs with a variable number of arguments.
> (That only worked due to their very limited use. These
> stubs' interface descriptors were basically lying
> about their number of args, which will fail when used
> generically.)
> - Fix all CallApi*Stubs' interface descriptors to no
> longer lie about their arguments.
> - Unify CallApi*Stub, for * in Function, Accessor,
> FunctionWithFixedArgs.
> (Since these are now all doing the same thing.)
> - Rename the unified stub (and interface descriptors) to
> *ApiCallback*, since that's really what they're doing.
> - Refuse inlining an API callback if its number of
> parameters exceeds the supported number of args.
>
> BUG=
>
> Committed: https://crrev.com/d238b953a474272c0e3ea22ef6a9b63fa9729340
> Cr-Commit-Position: refs/heads/master@{#34614}
TBR=danno@chromium.org,jkummerow@chromium.org,mstarzinger@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=
Review URL: https://codereview.chromium.org/1775933005
Cr-Commit-Position: refs/heads/master@{#34624}
- Eliminate stubs with a variable number of arguments.
(That only worked due to their very limited use. These
stubs' interface descriptors were basically lying
about their number of args, which will fail when used
generically.)
- Fix all CallApi*Stubs' interface descriptors to no
longer lie about their arguments.
- Unify CallApi*Stub, for * in Function, Accessor,
FunctionWithFixedArgs.
(Since these are now all doing the same thing.)
- Rename the unified stub (and interface descriptors) to
*ApiCallback*, since that's really what they're doing.
- Refuse inlining an API callback if its number of
parameters exceeds the supported number of args.
BUG=
Review URL: https://codereview.chromium.org/1748123003
Cr-Commit-Position: refs/heads/master@{#34614}
Before this CL, various code stubs used different techniques
for marking their frames to enable stack-crawling and other
access to data in the frame. All of them were based on a abuse
of the "standard" frame representation, e.g. storing the a
context pointer immediately below the frame's fp, and a
function pointer after that. Although functional, this approach
tends to make stubs and builtins do an awkward, unnecessary
dance to appear like standard frames, even if they have
nothing to do with JavaScript execution.
This CL attempts to improve this by:
* Ensuring that there are only two fundamentally different
types of frames, a "standard" frame and a "typed" frame.
Standard frames, as before, contain both a context and
function pointer. Typed frames contain only a minimum
of a smi marker in the position immediately below the fp
where the context is in standard frames.
* Only interpreted, full codegen, and optimized Crankshaft and
TurboFan JavaScript frames use the "standard" format. All
other frames use the type frame format with an explicit
marker.
* Typed frames can contain one or more values below the
type marker. There is new magic macro machinery in
frames.h that simplifies defining the offsets of these fields
in typed frames.
* A new flag in the CallDescriptor enables specifying whether
a frame is a standard frame or a typed frame. Secondary
register location spilling is now only enabled for standard
frames.
* A zillion places in the code have been updated to deal with
the fact that most code stubs and internal frames use the
typed frame format. This includes changes in the
deoptimizer, debugger, and liveedit.
* StandardFrameConstants::kMarkerOffset is deprecated,
(CommonFrameConstants::kContextOrFrameTypeOffset
and StandardFrameConstants::kFrameOffset are now used
in its stead).
LOG=N
Review URL: https://codereview.chromium.org/1696043002
Cr-Commit-Position: refs/heads/master@{#34571}
Field types can contain at most one map, so we can just use IsClass().
Review URL: https://codereview.chromium.org/1633213003
Cr-Commit-Position: refs/heads/master@{#33533}
This replace HeapType with a dedicated class that implements just what we need for field type tracking. In the next CL, I plan to remove FieldType::Iterator because FieldType can iterate over at most one map.
The ultimate plan is to get rid of templates in types.(h|cc) and remove type-inl.h.
TBR=rossberg@chromium.org
Review URL: https://codereview.chromium.org/1636013002
Cr-Commit-Position: refs/heads/master@{#33521}
When accessor getter callback is called the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, since according to ES6 there's no difference between strict and non-strict property loads. For the setter case the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true if the property is set in strict context.
Interceptors follow same idea: for getter, enumerator and query callbacks the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, and for setter and deleter callback the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true in strict context.
This CL also cleans up the CallApiGetterStub and removes bogus asserts from [arm] Push(reg1, reg2, ..., regN) that prevented from pushing a set of registers containing duplicates.
BUG=v8:4267
LOG=Y
Committed: https://crrev.com/1d3e837fcbbd9d9fd5e72dfe85dfd47c025f3c9f
Cr-Commit-Position: refs/heads/master@{#33438}
Review URL: https://codereview.chromium.org/1587073003
Cr-Commit-Position: refs/heads/master@{#33461}
Reason for revert:
[Sheriff] Breaks layout tests. Please fix upstream.
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/4077
Original issue's description:
> Array length reduction should throw in strict mode if it can't delete an element.
>
> When accessor getter callback is called the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, since according to ES6 there's no difference between strict and non-strict property loads. For the setter case the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true if the property is set in strict context.
>
> Interceptors follow same idea: for getter, enumerator and query callbacks the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, and for setter and deleter callback the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true in strict context.
>
> This CL also cleans up the CallApiGetterStub and removes bogus asserts from [arm] Push(reg1, reg2, ..., regN) that prevented from pushing a set of registers containing duplicates.
>
> BUG=v8:4267
> LOG=Y
>
> Committed: https://crrev.com/1d3e837fcbbd9d9fd5e72dfe85dfd47c025f3c9f
> Cr-Commit-Position: refs/heads/master@{#33438}
TBR=verwaest@chromium.org,ishell@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4267
Review URL: https://codereview.chromium.org/1611313003
Cr-Commit-Position: refs/heads/master@{#33444}
When accessor getter callback is called the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, since according to ES6 there's no difference between strict and non-strict property loads. For the setter case the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true if the property is set in strict context.
Interceptors follow same idea: for getter, enumerator and query callbacks the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, and for setter and deleter callback the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true in strict context.
This CL also cleans up the CallApiGetterStub and removes bogus asserts from [arm] Push(reg1, reg2, ..., regN) that prevented from pushing a set of registers containing duplicates.
BUG=v8:4267
LOG=Y
Review URL: https://codereview.chromium.org/1587073003
Cr-Commit-Position: refs/heads/master@{#33438}