This can be useful when there may be multiple callbacks attached by
code that's not directly tied to a single isolate, e.g. working
on a per-context basis.
This also allows rephrasing the global non-isolate APIs in terms
of this new API, rather than working around it inside `src/heap`.
TBR=hpayer@chromium.org
Bug:
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I2e490ec40d1a34ea812f25f41ef9741d2116d965
Reviewed-on: https://chromium-review.googlesource.com/647548
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47923}
The advantage of an explicit Abort that the interpreter and the compiler know
that aborting cannot continue or throw or deopt. As a result we generate less
code and we do not confuse the compiler if the environment is not set up for
throwing (as in the generator dispatch that fails validation in
crbug.com/762057).
Bug: chromium:762057
Change-Id: I3e88f78be32f31ac49b1845595255f802c405ed7
Reviewed-on: https://chromium-review.googlesource.com/657025
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47922}
JavaScript is a dynamically typed language. But most code is
written with fixed types in mind. When debugging JavaScript,
it is helpful to know the types of variables and parameters
at runtime. It is often hard to infer types for complex code.
Type profiling provides this information at runtime.
Node.js uses the inspector protocol. This CL allows Node.js users
to access and analyse type profile for via Node modules or the
in-procress api. Type Profile helps developers to analyze
their code for correctness and performance.
Design doc: https://docs.google.com/a/google.com/document/d/1O1uepXZXBI6IwiawTrYC3ohhiNgzkyTdjn3R8ysbYgk/edit?usp=sharing
Add `takeTypeProfile` to the inspector protocol. It returns a list
of TypeProfileForScripts, which in turn contains the type profile for
each function. We can use TypeProfile data to annotate JavaScript code.
Sample script with data from TypeProfile:
function f(/*Object, number, undefined*/a,
/*Array, number, null*/b,
/*boolean, Object, symbol*/c) {
return 'bye';
/*string*/};
f({}, [], true);
f(3, 2.3, {a: 42});
f(undefined, null, Symbol('hello'));/*string*/
Bug: v8:5933
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I626bfb886b752f90b9c86cc6953601558b18b60d
Reviewed-on: https://chromium-review.googlesource.com/508588
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47920}
Add support to the JSCallReducer to recognize JSConstruct nodes where
the target is the Object constructor, and reduce them to JSCreate
nodes if either
(a) no value is passed to the Object constructor, or
(b) the target and new.target are definitely not identical, by checking
whether both target and new.target are different HeapConstants
(if they are not, then the JSCreateLowering will not be able to
do a lot with the JSCreate anyways).
This should cover the relevant cases for subclassing appropriately. It
fixes the 3-4x slowdown on the micro-benchmark mentioned in the linked
bug,
baseNoExtends: 752 ms.
baseExtendsObject: 752 ms.
baseExtendsViaFactory: 751 ms.
and thus removes the performance cliff.
R=jarin@chromium.org
Bug: v8:6801
Change-Id: Id265fd1399302a67b5790a6d0156679920c58bdd
Reviewed-on: https://chromium-review.googlesource.com/657019
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47913}
This is revert of commit aee1e1fb8d with the fix for A1 and N6 jetstream failure.
R=bradnelson@chromium.org,mtrofin@chromium.org,clemensh@chromium.org
Bug: chromium:750828
Change-Id: Id38896af51315f76a0667ace32c77a2ba7287eec
Reviewed-on: https://chromium-review.googlesource.com/607092
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47910}
This is a reland of a2ed05144c
Original change's description:
> [debug] Add test for promise finally
>
> As of v8:6536, we no longer have to mark builtins explicitly.
>
> Also remove test whitelist for promise finally
> builtins.
>
> Bug: v8:6088, v8:5967
> Change-Id: I7f98dfe7708678653e944ac76ba9938205490b16
> Reviewed-on: https://chromium-review.googlesource.com/654067
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47896}
TBR=jgruber@chromium.org
Bug: v8:6088, v8:5967
Change-Id: I25a1820e04596a44769fc8ded80678f3663bbcd5
Reviewed-on: https://chromium-review.googlesource.com/655740
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47906}
When the bailout triggered, we assumed we're generating data (i.e., we're inside
a non-arrow function). This is not true; it's possible that we're already inside
an arrow function and not generating data anyway.
BUG=v8:5516,chromium:761980
Change-Id: Iad9c8dde283031630953ef9a46c1e68bc0cee048
Reviewed-on: https://chromium-review.googlesource.com/655081
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47905}
Tracking labels for most of these statements made no difference: only
try-statements require the special treatment of being wrapped in a
block. The previous code existed to support strong mode, which is
long gone.
This also results in a tiny regression of the error message for
a labelled `continue` statement targeting itself, but I'm not
convinced that anyone would ever intend to label a continue
statement (and Chakra and SpiderMonkey give similarly inaccurate
error messages for this case).
This is effectively a revert of d8bccfe974.
Bug: v8:6092
Change-Id: I25b62e10f6a20597e9686f08df76ba9724249618
Reviewed-on: https://chromium-review.googlesource.com/653380
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47904}
The spec calls out to Promise.prototype.then and also passes around
the constructor of the receiver to Promise.prototype.finally.
Adds a new constructor slot to PromiseFinallyContext enum and this is
used to create a new promise in the thenFinally/catchFinally callbacks.
Created a new PromiseResolve TFS builtin refactored from
the existing PromiseResolve builtin. PromiseResolveWrapper
calls out to this TFS Builtin and is now exposed as Promise.resolve.
The thenFinally and catchFinally callbacks also call out to the
PromiseResolve TFS builtin.
Spec -- https://tc39.github.io/proposal-promise-finally/
Bug: v8:5967
Change-Id: I2ce89f14d3b149619d11e424b6e37062e466c4d5
Reviewed-on: https://chromium-review.googlesource.com/652026
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47898}
As of v8:6536, we no longer have to mark builtins explicitly.
Also remove test whitelist for promise finally
builtins.
Bug: v8:6088, v8:5967
Change-Id: I7f98dfe7708678653e944ac76ba9938205490b16
Reviewed-on: https://chromium-review.googlesource.com/654067
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47896}
Runtime.CallFrame has url already. It allows to show stack traces on pause
without tacking all parsed scripts.
R=alph@chromium.org,pfeldman@chromium.org
Bug: chromium:762982
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ic4f096ade1cb6c9de42fec77280dcc3007c6a5cf
Reviewed-on: https://chromium-review.googlesource.com/648068
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47895}
Use operator== and operator!= instead.
Implemented for x64, ia32, arm, arm64, mips and mips64.
R=mstarzinger@chromium.org,ishell@chromium.org,jgruber@chromium.org
Change-Id: Iad0f03f7f442709dcaa12d6a49a8bc4b03b9cdae
Reviewed-on: https://chromium-review.googlesource.com/654857
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47889}
This speeds up the baseline performance of Object by 20%.
With this change, the callViaObject when run with --noopt
goes from 10718ms to 8577ms on the benchmark from:
http://benediktmeurer.de/2017/08/31/object-constructor-calls-in-webpack-bundles
Bug: v8:6772
Change-Id: Id0e54ba44204a1700885185ec360e1c56834fb73
Reviewed-on: https://chromium-review.googlesource.com/654900
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47888}
Lazy deserialization requires a fully set-up isolate (in particular, we
need Isolate::snapshot_blob). This CL disables lazy deserialization in
affected tests. This should be fixed at some point by setting up the
isolate as needed.
Bug: v8:6624
Change-Id: I94f792d9dcc8a3ba2d91fdeadd9e04ebb0bb50cf
Reviewed-on: https://chromium-review.googlesource.com/655162
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47887}
What happened:
- When rewriting in DoParseFunction, the relevant function scope is no longer in
the scope stack.
- The correct scope is given to the PatternRewriter.
- PatternRewriter called to Parser::BuildIteratorCloseForCompletion.
- BuildIteratorCloseForCompletion would just call NewTemporary (which creates
a new temporary in Parser's current scope) instead of using the scope passed to
it and calling NewTemporary on it.
- Normally this went unnoticed, since it doesn't matter that much where the
temporary is.
- But in the lazy arrow func case, the Parser's scope at that point was the
already-resolved outer scope, and a DCHECK detected this problem.
Kudos & thanks to verwaest@ for a debugging session :)
BUG=chromium:761831
Change-Id: I1e8474ce927be0330f4ba4efc0fc08fdcc328809
Reviewed-on: https://chromium-review.googlesource.com/650297
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47877}
Given that we no longer need to iterate over lists of optimized JS functions
(c.f. https://chromium-review.googlesource.com/c/v8/v8/+/647596), we can
remove this field. Thus saving the size of one pointer per function.
Bug: v8:6637
Change-Id: If77951f2eddba33ba350fa9ddf03a4edb3f7c7d8
Reviewed-on: https://chromium-review.googlesource.com/652373
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Juliana Patricia Vicente Franco <jupvfranco@google.com>
Cr-Commit-Position: refs/heads/master@{#47875}
The wasm-async fuzzer uses the bytes provided by the fuzzer engine
directly as wasm module bytes, compiles them with async compilation, and
then tries to execute the "main" function of the module. This "main"
can have an infinite loop which causes a timeout in the fuzzer. With
this CL the "main" function is first executed with the interpreter. If
the execution in the interpreter finishes within 16k steps, which means
that there is no infinite loop, also the compiled code is executed.
I added the raw fuzzer input as a test case because in this case I
really want to test the fuzzer and not V8.
R=clemensh@chromium.org
Bug: chromium:761784
Change-Id: Id1fe5da0da8670ec821ab9979fdb9454dbde1162
Reviewed-on: https://chromium-review.googlesource.com/651046
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47874}
JS runtime calls are always created with undefined recievers, so make the
bytecode behave similarly to CallUndefinedReciever such that we don't need
to push an explicit undefined register for the receiver for such calls.
Modifies the Async[Generator/Function]Await[Caught/Uncaught] runtime calls
to pass the generator in the first argument rather than the reciever since
these runtime calls were desugered in the bytecode generator and explicitly
passed the generator in the receiver.
Change-Id: I36c8087bb3b663dccd805bfdb1eea04eb6a73269
Reviewed-on: https://chromium-review.googlesource.com/654257
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47870}
This came up in the context of a Twitter discussion, see this particular
tweet https://twitter.com/hashseed/status/905684048382754817 and the
relevant thread.
Change-Id: If2447169df999b64ce701a44321d48ba1bff2a06
Reviewed-on: https://chromium-review.googlesource.com/654598
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47864}
This reduces the arm32 binary by around 20kB.
R=jkummerow@chromium.org, mstarzinger@chromium.org
Bug: v8:6055
Change-Id: If9098e49793b29dceb8292aff6f668ca28a07728
Reviewed-on: https://chromium-review.googlesource.com/652427
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47863}
JSTests.json had some poor/wrong settings.
Bug:
Change-Id: Id30589ba2392d2561037fd55d9e77a31ca6c7ad9
Reviewed-on: https://chromium-review.googlesource.com/649534
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47850}
Up to now, each architecture defined all Register types as structs,
with lots of redundancy. An often found comment noted that they cannot
be classes due to initialization order problems. As these problems are
gone with C++11 constexpr constants, I now tried making Registers
classes again.
All register types now inherit from RegisterBase, which provides a
default set of methods and named constructors (like ::from_code,
code(), bit(), is_valid(), ...).
This design allows to guarantee an interesting property: Each register
is either valid, or it's the no_reg register. There are no other
invalid registers. This is guaranteed statically by the constexpr
constructor, and dynamically by ::from_code.
I decided to disallow the default constructor completely, so instead of
"Register reg;" you now need "Register reg = no_reg;". This makes
explicit how the Register is initialized.
I did this change to the x64, ia32, arm, arm64, mips and mips64 ports.
Overall, code got much more compact and more safe. In theory, it should
also increase performance (since the is_valid() check is simpler), but
this is probably not measurable.
R=mstarzinger@chromium.org
Change-Id: I5ccfa4050daf4e146a557970e9d37fd3d2788d4a
Reviewed-on: https://chromium-review.googlesource.com/650927
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47847}
args.Call() sets a return value on args. Do not reuse the
same args object, otherwise the return value might be from the previous Call().
Bug: v8:6627
Change-Id: I05fb2d8036f94908a492d46cc5d746bc145e419e
Reviewed-on: https://chromium-review.googlesource.com/651407
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47843}
This is a reland of 56772de7f9
Original change's description:
> [api] Add test for EnumeratorCallback and for...in.
>
> If a QueryCallback is present, it is used to
> filter the result from the EnumeratorCallback for
> enumerable properties. This tests assures that
> for...in loops work correctly with these interceptors.
>
> Bug: v8:6627
> Change-Id: I1e568beac1e138a330034492b87bd49c22e0c804
> Reviewed-on: https://chromium-review.googlesource.com/609982
> Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47445}
TBR=adamk@chromium.org
Bug: v8:6627
Change-Id: I509016a879d175b01f7cc7918758354fe0df8ebf
Reviewed-on: https://chromium-review.googlesource.com/650906
Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47838}
Only the error cases of overwriting readonly properties need the
language_mode to decide whether to throw or be silent. Reading it
from the feedback vector's metadata (just like the C++ code in
ic.cc does) removes the need to duplicate each stub for each
language_mode ("StoreIC" + "StoreICStrict" etc.).
Change-Id: Ic0c67f9d40ca36c65e41b4f162b2ab70d155e549
Reviewed-on: https://chromium-review.googlesource.com/647373
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47836}
The V8 API provides interceptors. They are not part of the
EcmaScript specification. But their behavior should be consistent.
For example, when an EnumeratorInterceptor is defined, Object.keys(),
Object.entries(), and Object.values() should all have the
same number of entries.
This CL creates consistent behavior among these
functions. If a QueryCallback is present, it is used to
filter the result from the EnumeratorCallback for
enumerable properties.
Bug: v8:6627
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I4f4271ddeb99a5e85918148c5033923c149b9468
Reviewed-on: https://chromium-review.googlesource.com/649786
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47831}
Using the Builtins::Name type doesn't give use any range safety benefits
over simply using int id's, and it complicates use sites by always
forcing a static_cast<Builtins::Name>(id).
Bug: v8:6624
Change-Id: Id5fcf6800c781c637145ab1d00d821f9ad473321
Reviewed-on: https://chromium-review.googlesource.com/650247
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47823}
This CL removes the weak-list of JS functions from the context
and all the code that iterares over it. This list was being used
mainly during deoptimization (for code unlinking) and during
garbage collection. Removing it will improve performance of
programs that create many closures and trigger many scavenge GC
cycles.
No extra work is required during garbage collection. However,
given that we no longer unlink code from JS functions during
deoptimization, we leave it as it is, and on its next activation
we check whether the mark_for_deoptimization bit of that code is
set, and if it is, than we unlink it and jump to lazy compiled
code. This check happens in the prologue of every code object.
We needed to change/remove the cctests that used to check
something on this list.
Working in x64, ia32, arm64, arm, mips64 and mips.
Bug: v8:6637
Change-Id: Ica99a12fd0351ae985e9a287918bf28caf6d2e24
TBR: mstarzinger@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/647596
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47808}
Evalling multiple long strings makes compilation cache the bottleneck: See
https://bugs.chromium.org/p/v8/issues/detail?id=6779 for more information.
BUG=v8:6779
Change-Id: I0014b1aca1258a643cbeb441a82707b163f8166d
Reviewed-on: https://chromium-review.googlesource.com/649146
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47801}
When setting a typed array from an array like object, the
length of the source can only be converted to a unit32 if
it is not too large.
Bug: v8:6704, chromium:761654
Change-Id: I8f89aa348093d8bd4d54aa16d6b5f255d3cb7adc
Reviewed-on: https://chromium-review.googlesource.com/648976
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47798}
Rename Managed::New to Managed::From (since it takes ownership of an
existing object), and re-introduce Managed::Allocate, which allocates
a new object and stores it in a Managed.
R=titzer@chromium.org
Change-Id: I20b0750697fbe7d56d3816b19919c31e389278b3
Reviewed-on: https://chromium-review.googlesource.com/645806
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47794}
This reverts commit 84c2dfce43.
Reason for revert:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosnap%20-%20debug/builds/14876
Original change's description:
> Remove weak-list of optimized JS functions.
>
> This CL removes the weak-list of JS functions from the context
> and all the code that iterares over it. This list was being used
> mainly during deoptimization (for code unlinking) and during
> garbage collection. Removing it will improve performance of
> programs that create many closures and trigger many scavenge GC
> cycles.
>
> No extra work is required during garbage collection. However,
> given that we no longer unlink code from JS functions during
> deoptimization, we leave it as it is, and on its next activation
> we check whether the mark_for_deoptimization bit of that code is
> set, and if it is, than we unlink it and jump to lazy compiled
> code. This check happens in the prologue of every code object.
>
> We needed to change/remove the cctests that used to check
> something on this list.
>
> Working in x64, ia32, arm64, arm, mips64 and mips.
>
> Bug: v8:6637
> Change-Id: I7f192652c8034b16a9ea71303fa8e78cda3c48f3
> Reviewed-on: https://chromium-review.googlesource.com/600427
> Commit-Queue: Juliana Patricia Vicente Franco <jupvfranco@google.com>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47790}
TBR=mstarzinger@chromium.org,jarin@chromium.org,leszeks@chromium.org,bmeurer@chromium.org,jupvfranco@google.com
Change-Id: Ia4f1a8acf6ca5cd5c74266437a03d854b3739af2
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6637
Reviewed-on: https://chromium-review.googlesource.com/647540
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47792}
This CL removes the weak-list of JS functions from the context
and all the code that iterares over it. This list was being used
mainly during deoptimization (for code unlinking) and during
garbage collection. Removing it will improve performance of
programs that create many closures and trigger many scavenge GC
cycles.
No extra work is required during garbage collection. However,
given that we no longer unlink code from JS functions during
deoptimization, we leave it as it is, and on its next activation
we check whether the mark_for_deoptimization bit of that code is
set, and if it is, than we unlink it and jump to lazy compiled
code. This check happens in the prologue of every code object.
We needed to change/remove the cctests that used to check
something on this list.
Working in x64, ia32, arm64, arm, mips64 and mips.
Bug: v8:6637
Change-Id: I7f192652c8034b16a9ea71303fa8e78cda3c48f3
Reviewed-on: https://chromium-review.googlesource.com/600427
Commit-Queue: Juliana Patricia Vicente Franco <jupvfranco@google.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47790}
These will tight-loop scanning primitives.
BUG=v8:6092
Change-Id: I9bf0f1952755bbede3c545c45fe2c4a210548171
Reviewed-on: https://chromium-review.googlesource.com/647526
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47788}
Prior to this, AllocateJSArray would go ahead and allocate an empty
FixedArray as elements if passed any capacity that is not a compile-time
constant 0.
Things break later on since we rely on the fact that empty fixed arrays
are always canonicalize, and we use
obj.elements == empty_fixed_array_constant
interchangeably with
obj.elements.length == 0.
This CL introduces two new branches in AllocateJSArray: one if the
capacity is known to be non-zero; and another that explicitly
distinguishes between 0 and non-zero capacities.
Bug: chromium:760790
Change-Id: I7c22b19ce9ce15a46f91b0f75e6b4a1ff3a29a0f
Reviewed-on: https://chromium-review.googlesource.com/645959
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47776}
This violates the style guide, and causes problems for jumbo builds.
R=ahaas@chromium.orgCC=mostynb@opera.com
Bug: chromium:746958
Change-Id: Ic583c41b94bfd9ecdb31a9ccadb2e842861fe7f4
Reviewed-on: https://chromium-review.googlesource.com/647710
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47774}
This required splitting wasm-run-utils.h in header and implementation,
since the anonymous namespace in wasm-run-utils.h is now gone.
This is a reasonable refactoring in itself.
R=titzer@chromium.orgCC=mstarzinger@chromium.org, mostynb@opera.com
Bug: chromium:746958
Change-Id: I0f3b30fef1865cd88eca37b69d0c3a9eb19e77ea
Reviewed-on: https://chromium-review.googlesource.com/647587
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47773}
This CL adds support to optimize for..in in fast enum-cache mode to the
same degree that it was optimized in Crankshaft, without adding the same
deoptimization loop that Crankshaft had with missing enum cache indices.
That means code like
for (var k in o) {
var v = o[k];
// ...
}
and code like
for (var k in o) {
if (Object.prototype.hasOwnProperty.call(o, k)) {
var v = o[k];
// ...
}
}
which follows the https://eslint.org/docs/rules/guard-for-in linter
rule, can now utilize the enum cache indices if o has only fast
properties on the receiver, which speeds up the access o[k]
significantly and reduces the pollution of the global megamorphic
stub cache.
For example the micro-benchmark in the tracking bug v8:6702 now runs
faster than ever before:
forIn: 1516 ms.
forInHasOwnProperty: 1674 ms.
forInHasOwnPropertySafe: 1595 ms.
forInSum: 2051 ms.
forInSumSafe: 2215 ms.
Compared to numbers from V8 5.8 which is the last version running with
Crankshaft
forIn: 1641 ms.
forInHasOwnProperty: 1719 ms.
forInHasOwnPropertySafe: 1802 ms.
forInSum: 2226 ms.
forInSumSafe: 2409 ms.
and V8 6.0 which is the current stable version with TurboFan:
forIn: 1713 ms.
forInHasOwnProperty: 5417 ms.
forInHasOwnPropertySafe: 5324 ms.
forInSum: 7556 ms.
forInSumSafe: 11067 ms.
It also improves the throughput on the string-fasta benchmark by
around 7-10%, and there seems to be a ~5% improvement on the
Speedometer/React benchmark locally.
For this to work, the ForInPrepare bytecode was split into
ForInEnumerate and ForInPrepare, which is very similar to how it was
handled in Fullcodegen initially. In TurboFan we introduce a new
operator LoadFieldByIndex that does the dynamic property load.
This also removes the CheckMapValue operator again in favor of
just using LoadField, ReferenceEqual and CheckIf, which work
automatically with the EscapeAnalysis and the
BranchConditionElimination.
Bug: v8:6702
Change-Id: I91235413eea478ba77ace7bd14bb2f62e155dd9a
Reviewed-on: https://chromium-review.googlesource.com/645949
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47768}
After the FallThruTo in kExprEnd, the current block {c} is never
unreachable. Hence, the check for {c->unreachable} afterwards can be
removed.
In the loop case, the {TypeCheckFallThru} already adds entries for
non-existing values to the stack, so no need to {PushEndValues}.
Also, add more tests for the loop case.
R=titzer@chromium.org
Change-Id: I8737affaeed2ea663bd6ddafa36532ca9a7379bb
Reviewed-on: https://chromium-review.googlesource.com/645859
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47765}
This adds support for lowering {JSCreateArguments} within outermost
frames of type {CreateArgumentsType::kMappedArguments}. It will hence
enable escape analysis to work with such objects and allow for further
optimization.
This also adds a new {NewMappedArgumentsElements} simplfied operator.
Note that escape analysis support for this new operator will be done as
a follow-up.
R=tebbi@chromium.org
Change-Id: I0e2fac25c654f796433f57b116964053b6b68635
Reviewed-on: https://chromium-review.googlesource.com/641454
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47761}
This makes several changes to SwitchStatement handling:
- Store the CaseClause list inline (as it's always allocated)
- Only rewrite with additional blocks if the Block Scope for
the switch statement isn't empty
- Use Parser::IgnoreCompletion() instead of inserting an additional
`undefined` ExpressionStatement
Bug: v8:6092
Change-Id: Ib08d0ba851dd8e78b3dc74782b8e554541e79182
Reviewed-on: https://chromium-review.googlesource.com/644176
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47751}
We emitted rotation by 24 bits with bitwise and, but that is wrong
because the low 8 bits can wrap around and "leak" into the result.
Bug: chromium:739902
Change-Id: Id49251e89405afb1581b8c60cde808c2d8bf693d
Reviewed-on: https://chromium-review.googlesource.com/645848
Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47746}
Use int instead of byte to store the source position when computing a
location based on the stack trace stored in an error object.
Also add tests, since this code path was not covered before (not even
for small position where it would have succeeded).
Also, add some comments about which positions are 0-based and 1-based.
R=titzer@chromium.org
Change-Id: I313dcd6c47b77093ced9bb687415715d04eafb97
Reviewed-on: https://chromium-review.googlesource.com/645527
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47739}
This test documents the basic behavior of the EnumCache which is shared
on the DescriptorArray.
Change-Id: Idd40670d99d81bb5e4b6161ffc47f2898ca9d2a9
Reviewed-on: https://chromium-review.googlesource.com/643297
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47735}
This reverts commit c6b153fd69.
Reason for revert: Doesn't compile on the tree.
Original change's description:
> [cctest] Add fuzz tests for generating parallel moves.
>
> These new tests are somewhat similar to the existing gap resolver tests except
> we use the code generator and eventually run the generated code. The main idea
> is to cover cases that are difficult to hit, such as move from/to slots which
> are out of range of loads and stores, but may happen nonetheless.
>
> At this time, the tests only make sure the code generator actually generated
> some code, and that this code runs. In the future, it would be great to also
> check that the moves were actually performed.
>
> Bug: v8:6553
> Change-Id: I089a25fa05b3a20649658bb8952926ab11f91d68
> Reviewed-on: https://chromium-review.googlesource.com/574850
> Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47733}
TBR=bbudge@chromium.org,danno@chromium.org,jarin@chromium.org,pierre.langlois@arm.com,bmeurer@chromium.org
Change-Id: I875ab38e039fdbf58b8f08658c391147d2ec01fa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6553
Reviewed-on: https://chromium-review.googlesource.com/645446
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47734}
These new tests are somewhat similar to the existing gap resolver tests except
we use the code generator and eventually run the generated code. The main idea
is to cover cases that are difficult to hit, such as move from/to slots which
are out of range of loads and stores, but may happen nonetheless.
At this time, the tests only make sure the code generator actually generated
some code, and that this code runs. In the future, it would be great to also
check that the moves were actually performed.
Bug: v8:6553
Change-Id: I089a25fa05b3a20649658bb8952926ab11f91d68
Reviewed-on: https://chromium-review.googlesource.com/574850
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47733}
heap-inl.h exposes the whole world, which is fine from other inline
files but not from regular headers.
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I09ec67c6558682cb0d5181031bc39341a3f4c5bf
Reviewed-on: https://chromium-review.googlesource.com/643294
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47729}
When calling
Object(value)
where the value is known to be a JSReceiver, we can just replace it with
value, as the Object constructor call is a no-op in that case. Otherwise
when value is known to be not null or undefined then we can replace the
Object constructor call with an invocation of ToObject.
This covers the common pattern found in bundles generated by Webpack,
where the Object constructor is used to call imported functions, i.e.
Object(module.foo)(1, 2, 3)
There's a lot of detail in https://github.com/webpack/webpack/issues/5600
on this matter and why this pattern was chosen.
Bug: v8:6772
Change-Id: I2b4f0b4542b68b97b337ce571d6d79946c73d8bb
Reviewed-on: https://chromium-review.googlesource.com/643868
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47728}
PreParser and Parser didn't agree whether a generator in a sloppy block is a
sloppy block function or not, and thus the data generated by PreParser was
inconsistent with what the Parser wanted to restore.
BUG=v8:5516, chromium:760116
Change-Id: I0fd3c267691b8afd63a1336774769caf551c143e
Reviewed-on: https://chromium-review.googlesource.com/642886
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47727}
This patch introduces a new container type ScriptOrModule which
provides the name and the host defined options of the script/module.
This patch also introduces a new PrimitivesArray that can hold
Primitive values, which the embedder can use to store metadata.
The HostDefinedOptions is passed to V8 through the ScriptOrigin, and
passed back to the embedder through HostImportModuleDynamically for
module loading.
Bug: v8:5785, v8:6658, v8:6683
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I56c26fc9a680b273ac0a6691e5ad75f15b8dc80a
Reviewed-on: https://chromium-review.googlesource.com/622158
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47724}
intl_date_time_format_function is only set in i18n builds. Use
opaque_reference_function to test for Builtins::kIllegal instead.
TBR=yangguo@chromium.org
NOTREECHECKS=true
NOTRY=true
Bug: v8:6624
Change-Id: I0631862e6e022d222b52dceb58a8fe65f7d6a4e8
Reviewed-on: https://chromium-review.googlesource.com/643506
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47714}
Lazy deserialization needs to determine the underlying builtin by looking at
the SharedFunctionInfo.
This packs the builtin_id into the SFI::function_data field, and adds
convenience functions to Code as a drive-by addition.
Bug: v8:6624
Change-Id: I59093815aa6937342302153ebc95dd60edb0064e
Reviewed-on: https://chromium-review.googlesource.com/641490
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47712}
To deserialize builtins individually, we need to preserve their starting
offsets within the serialized data.
Bug: v8:6624
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I48a48330aeb63de2c8cfcbea6fb94e1b2917495c
Reviewed-on: https://chromium-review.googlesource.com/637774
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47708}
This is a reland of 49e3bfd572
Original change's description:
> [snapshot] Move builtins to dedicated snapshot area
>
> As a first step towards lazy builtin deserialization, this CL moves
> builtins to their own dedicated area in the snapshot blob, physically
> located after startup data and before context-specific data.
>
> The startup- and partial serializers now serialize all seen builtins as
> references, i.e. they only encode the relevant builtin id (taking care
> to preserve special behavior around the interpreter trampoline and
> CompileLazy). Builtins are later fully serialized by the
> BuiltinSerializer. The separate blobs are finally glued together by
> CreateSnapshotBlob.
>
> Deserialization takes the same steps: when we see builtin reference
> bytecodes before builtins have been deserialized, we push to a list of
> deferred builtin references. After builtin deserialization, this list is
> iterated and all builtin references are fixed up.
>
> Bug: v8:6624
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: Idee42fa9c92bdbe8d5b8c4b8bf3ca9dd39634004
> Reviewed-on: https://chromium-review.googlesource.com/610225
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47596}
Bug: v8:6624
Change-Id: I8bfac56c482d992987c270bf0fea7acd9e4ca0c7
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/638271
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47705}
This CL introduces two tests to verify that the correct memory is
accessed when a wasm module invokes an wasm function imported from a
second module that accesses its (i.e., second module's) memory.
The first test verifies that the second module's memory is accessed in
case the first module does not have memory. In the second test, both the
modules have memory.
R=ahaas@chromium.org,clemensh@chromium.org,gdeepti@chromium.org
Change-Id: I75c3a5335583a91af0e7e4179c482142165b1c01
Reviewed-on: https://chromium-review.googlesource.com/637837
Commit-Queue: Enrico Bacis <enricobacis@google.com>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47702}
To enable executing code in a context of a particular time or date (e.g. when
codepath depends on whether it's say evening or New Year) there is a need for
a way to provide it bypassing actual system time.
Bug: chromium:751993
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Iee35d97b74345f63fff814a65a6f134d7c970341
Reviewed-on: https://chromium-review.googlesource.com/598666
Commit-Queue: Sergei Datsenko <dats@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47700}
Introduce a proper empty_descriptor_array, which has the proper layout
(length is 2 and the two fields are set properly). Also add a special
EnumCache class and a matching empty_enum_cache. The contract now is
that we only need to check the EnumLength on the map to know whether we
are allowed to use the enum cache. This greatly simplifies the handling
of the enum cache (and also the descriptor arrays), especially for the
future work on optimizing keyed access via the enum cache indices.
Bug: v8:6702
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I5ef517a3041163cd65ef003f691139ea52233e83
Reviewed-on: https://chromium-review.googlesource.com/641030
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47697}
Also remove last internal callers of the to-be-deprecated APIs.
Bug: v8:2487
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng;master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Id72cf363eac86e4b4dbf7df83bdb848071260b90
Reviewed-on: https://chromium-review.googlesource.com/639326
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47690}
This reimplements functionality that was present before the decoder
refactoring. It's implemented a bit differently though by generating
the code for re-throwing an uncaught exception earlier (when generating
code for the catch).
R=titzer@chromium.org, kschimpf@chromium.org
Bug: v8:6600
Change-Id: Ie2f11837851c0602ab31506fa63475fc2d0b5047
Reviewed-on: https://chromium-review.googlesource.com/641550
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47687}
The score is computed based on how often the benchmark's function can
be run within one second. Simply importing a Module repeatedly doesn't
do any work, so to make the test score meaningful, we must wrap the
payload into a function that can be called explicitly for every run.
NOTRY=true
Bug: v8:1569
Change-Id: Iadaed6df1f1652d8860271e327c505f0b8f20c2d
Reviewed-on: https://chromium-review.googlesource.com/639396
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47686}
Crashes are still happening despite tentative fixes, but unfortunately
without a local repro. This adds a couple of additional checks to help
flush out the root cause.
TBR=yangguo@chromium.org
Bug: chromium:754422
Change-Id: Ib3c8a2e0271fc724a4351ce6aec8298cf520a20a
Reviewed-on: https://chromium-review.googlesource.com/640691
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47684}
This is a reland of 6b4dc039a6
Original change's description:
> [wasm] Refactor function body decoder
>
> This refactoring separates graph building from wasm decoding. The
> WasmGraphBuilder is just a consumer of the decoded information.
> Decoding without any consumer (i.e. just validation) gets 16% faster by
> this refactoring, because no TFNode* have to be stored in the value
> stack, and all dynamic tests to determine whether the graph should be
> build are gone (measured on AngryBots; before: 110.2 +- 3.3ms, after:
> 92.2 +- 3.1 ms).
>
> This new design will allow us to also attach other consumers, e.g. a
> new baseline compiler.
>
> R=titzer@chromium.org
>
> Bug: v8:6600
> Change-Id: I4b60f2409d871a16c3c52a37e515bcfb9dbb8f54
> Reviewed-on: https://chromium-review.googlesource.com/571010
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47671}
TBR=titzer@chromium.org
Bug: v8:6600
Change-Id: Idd867c5a1917437de5b6e3de5917cc1c9f194489
Reviewed-on: https://chromium-review.googlesource.com/640591
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47678}
This adds support to specify the maximum memory size when building a
WebAssembly module. Default is not maximum, one can be explicitly set.
It is mainly used by the WebAssembly fuzzers to prevent OOMs.
R=ahaas@chromium.org
BUG=chromium:759973
Change-Id: Ibf5fa63a7e36e5f3b65ced528c73a65355d5632f
Reviewed-on: https://chromium-review.googlesource.com/640386
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47676}
This CL introduces 4 test that verify that the effects of a grow_memory
instruction executed in a function invoked inside a loop are visible
also when the loop is over. This is needed because the
AnalyzeLoopAssignment method in function-body-decoder.cc is creating Phi
nodes only for variables assigned inside the loop. The test cases
introduced by this CL verify that the mem_size and mem_start variables
are always correct.
The tests verify the output of the current_memory instruction and the
result of loading a variable stored in the grown memory inside the
loop in the following cases:
* the memory is grown in a directly called function inside a loop;
* the memory is grown in an indirectly called function inside a loop.
R=ahaas@chromium.org,clemensh@chromium.org,gdeepti@chromium.org
Change-Id: I2992bf4086b5eac9580c87e2e0ca06364b99714c
Reviewed-on: https://chromium-review.googlesource.com/637911
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Enrico Bacis <enricobacis@google.com>
Cr-Commit-Position: refs/heads/master@{#47674}
This reverts commit 6b4dc039a6.
Reason for revert: Mips build failure: https://build.chromium.org/p/client.v8.ports/builders/V8%20Mips%20-%20builder/builds/11749
Original change's description:
> [wasm] Refactor function body decoder
>
> This refactoring separates graph building from wasm decoding. The
> WasmGraphBuilder is just a consumer of the decoded information.
> Decoding without any consumer (i.e. just validation) gets 16% faster by
> this refactoring, because no TFNode* have to be stored in the value
> stack, and all dynamic tests to determine whether the graph should be
> build are gone (measured on AngryBots; before: 110.2 +- 3.3ms, after:
> 92.2 +- 3.1 ms).
>
> This new design will allow us to also attach other consumers, e.g. a
> new baseline compiler.
>
> R=titzer@chromium.org
>
> Bug: v8:6600
> Change-Id: I4b60f2409d871a16c3c52a37e515bcfb9dbb8f54
> Reviewed-on: https://chromium-review.googlesource.com/571010
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47671}
TBR=titzer@chromium.org,clemensh@chromium.org
Change-Id: I76a50e355f0390cc53a2da4ceedd8830ca20a9c6
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6600
Reviewed-on: https://chromium-review.googlesource.com/640870
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47672}
This refactoring separates graph building from wasm decoding. The
WasmGraphBuilder is just a consumer of the decoded information.
Decoding without any consumer (i.e. just validation) gets 16% faster by
this refactoring, because no TFNode* have to be stored in the value
stack, and all dynamic tests to determine whether the graph should be
build are gone (measured on AngryBots; before: 110.2 +- 3.3ms, after:
92.2 +- 3.1 ms).
This new design will allow us to also attach other consumers, e.g. a
new baseline compiler.
R=titzer@chromium.org
Bug: v8:6600
Change-Id: I4b60f2409d871a16c3c52a37e515bcfb9dbb8f54
Reviewed-on: https://chromium-review.googlesource.com/571010
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47671}
As part of J2V8 development (https://github.com/eclipsesource/J2V8),
we realized that we had a subtle bug in how Isolate scope was created
and it's lifetime managed, see:
https://github.com/eclipsesource/J2V8/issues/313.
Mentioned above bug was fixed, however, what we also noticed is that
V8 API has been constantly and slowly moving to such an API, in which
one has to pass Isolate explicitly to methods and/or constructors. We
found two more places that might have been overlooked. This contribution
adds passing of Isolate pointer explicitly to constructors of
String::Utf8Value and String::Value classes.
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng;master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I61984285f152aba5ca922100cf3df913a9cb2cea
Reviewed-on: https://chromium-review.googlesource.com/593309
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47656}
We now only require API references to be provided when we
actually deserialize them. Also changed the internal implementation
to avoid copying API references into V8.
R=petermarshall@chromium.org
Bug: v8:6448
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Iddb0465ff6e95020006d41b5e87614dce8f0140b
Reviewed-on: https://chromium-review.googlesource.com/632098
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47649}
This reverts commit 49e3bfd572.
Reason for revert: Primary suspect for blocked roll: 759552
Original change's description:
> [snapshot] Move builtins to dedicated snapshot area
>
> As a first step towards lazy builtin deserialization, this CL moves
> builtins to their own dedicated area in the snapshot blob, physically
> located after startup data and before context-specific data.
>
> The startup- and partial serializers now serialize all seen builtins as
> references, i.e. they only encode the relevant builtin id (taking care
> to preserve special behavior around the interpreter trampoline and
> CompileLazy). Builtins are later fully serialized by the
> BuiltinSerializer. The separate blobs are finally glued together by
> CreateSnapshotBlob.
>
> Deserialization takes the same steps: when we see builtin reference
> bytecodes before builtins have been deserialized, we push to a list of
> deferred builtin references. After builtin deserialization, this list is
> iterated and all builtin references are fixed up.
>
> Bug: v8:6624
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: Idee42fa9c92bdbe8d5b8c4b8bf3ca9dd39634004
> Reviewed-on: https://chromium-review.googlesource.com/610225
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47596}
TBR=yangguo@chromium.org,mlippautz@chromium.org,jgruber@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Bug: v8:6624
Change-Id: I9906c9ea15a623226b890f63bc65876a6f5203f8
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/638331
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47648}
This makes sure the minimum memory size for WebAssembly modules derived
from asm.js is set to zero. It allows instatiation without allocating an
underlying memory, when such memory is unused. It also fixes a bug in
patching of embedded memory sizes for asm.js modules.
R=ahaas@chromium.org
TEST=mjsunit/regress/regress-crbug-759327
BUG=chromium:759327
Change-Id: If5a965b96a03cbb5ba15bc41fbaf359f74961f41
Reviewed-on: https://chromium-review.googlesource.com/637912
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47646}
This removes dangerous accessors method from the arguments object
accessor classes. The shape of an arguments object might transition,
turning the fields into dictionary mode, making the accessors invalid.
It also fixes a bug in the reported number of embedder fields on the
arguments object.
R=ishell@chromium.org
TEST=cctest/test-api/InternalFieldsOfRegularObjects
Change-Id: Ib7a73608c6236fe8864434e0cfdcb754ae012a75
Reviewed-on: https://chromium-review.googlesource.com/636368
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47643}
This reverts commit 1169f55bbc.
Reason for revert: http://crbug.com/758994
Original change's description:
> Remove obsolete kNumber binop feedback.
>
> With the removal of Crankshaft, kNumber has become obsolete as
> BinaryOperationFeedback. Turbofan uses kNumberOrOddball.
>
> Bug:
> Change-Id: If577f5efcc81d7c08f43908f2764ff0ec6f8747c
> Reviewed-on: https://chromium-review.googlesource.com/628376
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47555}
TBR=jkummerow@chromium.org,jarin@chromium.org,neis@chromium.org,mythria@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
Change-Id: I1b33f572f3e6865e00d2468bffcce2ea466814b3
Reviewed-on: https://chromium-review.googlesource.com/637711
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47642}
Get the old table size after converting integer of 'delta' argument.
Converting integer of the argument can execute another javascript code,
and the code can trigger mismatching between table sizes of instance and
table object, which causes redundant memory allocation.
http://webassembly.org/docs/js/#webassemblytableprototypegrow
Bug: chromium:752423
Change-Id: If9a576d20625d0c39342ea5de114e9fc9f230125
Reviewed-on: https://chromium-review.googlesource.com/627248
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47641}
TryCatch only clears the pending exception if it has been propagated
through OptionalRescheduleException. This is another tentative fix for
https://crbug.com/754422.
Bug: chromium:754422
Change-Id: Ifbbeed8ef44131a0a010ac6bde3adbbf9fb4c4af
Reviewed-on: https://chromium-review.googlesource.com/637305
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47634}
There's no need to have the StringLengthProtector as a PropertyCell,
since it's only used to guard against deoptimization loops. This also
allows us to remove the use of the CompilationDependencies from the
JSTypedLowering.
R=jarin@chromium.org
Bug: v8:6759
Change-Id: I54a37be6b8064ca3475e3b321f928b6a9903f209
Tbr: mstarzinger@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/637303
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47633}
This is so that precise coverage starts with a clean slate.
The old behavior can be emulated by calling getBestEffortCoverage
before starting precise coverage.
R=jgruber@chromium.org
Bug: chromium:757998
Change-Id: Ib3ee2316966f676456198159bdcf8ba8b9d3896f
Reviewed-on: https://chromium-review.googlesource.com/635084
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47629}
Instead of using a word to store the status of the promise, this
patch uses 2 bit on flags.
Bug: v8:5046
Change-Id: Ic651338230dbe1704c68de8652676f236a3298f0
Reviewed-on: https://chromium-review.googlesource.com/634623
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47628}
Currently, injected script source adds natural object properties before
internal properties. This can result in important ones such as
"[[PrimitiveValue]]" being left out. This CL
- makes sure internal properties are always added to preview
- removes unused "[[Iterator*]]" properties from preview
- boxed strings (e.g. new String("foo")) will not send unnecessary
properties 0:"f", 1:"o", 2:"o" if the [[PrimitiveValue]] is sent.
Bug: chromium:567265
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Icd5c7410351f371055277ce471226cc6fb5a861f
Reviewed-on: https://chromium-review.googlesource.com/634584
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Erik Luo <luoe@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47622}
This patch re-writes the call-function-on-async.js test according
to the new style.
R=kozy
Change-Id: I0541d336fe2bba3197170b0cc22c70e96d8543aa
Reviewed-on: https://chromium-review.googlesource.com/636691
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Andrey Lushnikov <lushnikov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47621}
We're moving the code table off the heap, while the export wrappers
are instance-specific, and, thus, won't move off the heap.
Bug:
Change-Id: I392fb537c7708a0a06f3468f714335df29bc401b
Reviewed-on: https://chromium-review.googlesource.com/636309
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47619}
All microbenchmarks now add 20 variables together per iteration, rather than
just a single variable.
Also re-add a sanity check after the loop, and fix a missing variable add (a15)
from the loop.
Bug: v8:1569
Change-Id: Ie54357b5cedaafd85f01c699c08b24a5ee6468c9
Reviewed-on: https://chromium-review.googlesource.com/636284
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47618}
This change adapts the Call bytecode handlers such that they don't require
a stack frame. It does this by modifying the call bytecode handler to
tail-call the Call or InterpreterPushArgsAndCall builtins. As a result, the
callee function will return to the InterpreterEntryTrampoline when it returns
(since this is the return address on the interpreter frame), which is
adapted to dispatch to the next bytecode handler. The return bytecode
handler is modified to tail-call a new InterpreterExitTramoline instead
of returning to the InterpreterEntryTrampoline.
Overall this significanlty reduces the amount of stack space required for
interpreter frames, increasing the maximum depth of recursive calls from
around 6000 to around 12,500 on x64.
BUG=chromium:753705
Change-Id: I23328e4cef878df3aca4db763b47d72a2cce664c
Reviewed-on: https://chromium-review.googlesource.com/634364
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47617}
For deferred commands (such as in try-finally), some deferred commands
save and restore the accumulator using a result register (e.g. return,
throw, rethrow), while others don't (e.g. break, continue,
fall-through).
However, conditionally reading this result register that may not ever be
written caused it to be considered live from the start of the function,
as far as the liveness analysis could statically tell.
Now, we write the result register for all deferred commands, including
the fall-through. As a micro-optimization, we re-use the Smi command
tokeen to clobber the result, rather than emitting an LdaUndefined.
Bug: chromium:758472
Change-Id: I2ea65e2249b40ee6403216e654a8bb88d50bec3b
Reviewed-on: https://chromium-review.googlesource.com/635592
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47612}
We cannot assume that the receiver is a JSObject, nor can we assume
ToObject() completes successfully.
TBR=yangguo@chromium.org
Bug: chromium:739954
Change-Id: Id55571131ef8755e86f15cd2acb918ff0f1b7788
Reviewed-on: https://chromium-review.googlesource.com/632376
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47611}
The Uint32(limit) conversion can end up transitioning the regexp
instance to slow mode. In this case we need to bail out to runtime while
ensuring that ToUint32 is not observably called a second time. We do
this by passing the already-converted value to runtime.
This particular path was broken and we ended up passing the original
maybe_limit value to runtime instead.
TBR=yangguo@chromium.org
Bug: chromium:758763
Change-Id: If7f23b452d2e134ad9be3d4ef1d78d1c946fcef0
Reviewed-on: https://chromium-review.googlesource.com/635588
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47609}
Compile the module created in trap-location.js with both synchronous and
asynchronous compilation. Thereby I can reuse the test for streaming
compilation later.
R=clemensh@chromium.org
Change-Id: Id2e0c70886ddd1b11d51f614d02757099541aedd
Reviewed-on: https://chromium-review.googlesource.com/635165
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47600}
This makes sure instantiate of asm.js modules fails gracefully on heap
buffers exceeding the uint32_t range supported by WebAssembly.
R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-754175
BUG=chromium:754175
Change-Id: I4a9c6791beaab6da826b5b6b5a495f97e9d3b4e9
Reviewed-on: https://chromium-review.googlesource.com/632618
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47598}
As a first step towards lazy builtin deserialization, this CL moves
builtins to their own dedicated area in the snapshot blob, physically
located after startup data and before context-specific data.
The startup- and partial serializers now serialize all seen builtins as
references, i.e. they only encode the relevant builtin id (taking care
to preserve special behavior around the interpreter trampoline and
CompileLazy). Builtins are later fully serialized by the
BuiltinSerializer. The separate blobs are finally glued together by
CreateSnapshotBlob.
Deserialization takes the same steps: when we see builtin reference
bytecodes before builtins have been deserialized, we push to a list of
deferred builtin references. After builtin deserialization, this list is
iterated and all builtin references are fixed up.
Bug: v8:6624
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Idee42fa9c92bdbe8d5b8c4b8bf3ca9dd39634004
Reviewed-on: https://chromium-review.googlesource.com/610225
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47596}
Tentative fix for the CF crashes in https://crbug.com/754422.
Bug: chromium:754422
Change-Id: I0dcb6b8860cb0bf20b3566ffba08e6772398ee65
Reviewed-on: https://chromium-review.googlesource.com/632176
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47591}
Change-Id: Id9f60cdafc486de2b04684de84174f9765637c12
Reviewed-on: https://chromium-review.googlesource.com/601328
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47586}
This flag allows invalid escape sequences in tagged templates, which is
a stage-4 TC39 proposal shipping in other browsers.
Bug: v8:5546
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I3e7c374c9b547f62d5976f76a7208d05fe9decf8
Reviewed-on: https://chromium-review.googlesource.com/581885
Commit-Queue: Kevin Gibbons <bakkot@gmail.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47584}
U+feff is the UTF BOM but if it occurs inside the text, it's a "zero-width
no-break space". However, the UTF-8 decoder in script streaming still thought
it's a BOM and skipped it. The correct way to handle it would be to create a
U+feff code point instead - the Scanner will then handle it as whitespace.
This is a discrepancy between the Blink UTF-8 decoder and the V8 UTF-8 decoder,
and caused the source positions be off by one. This bug went unnoticed, since
normally off-by-one in this situation doesn't make the code to break.
BUG=chromium:758508,chromium:758236
Change-Id: Ib92a3ee65c402e21b77e42537db2a021cff55379
Reviewed-on: https://chromium-review.googlesource.com/632096
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47583}
In case of LAP(lazy accessor pair), the function's creation context
must be equal to the accessor holder's creation context, so this CL
changes the current context to the accessor holder's creation context.
Note that this is the second attempt after https://crrev.com/2770003002
The change from the previous attempt is to skip looking for the
object's constructor if the object itself is a function.
Also some of Blink's LAP-context-sensitive tests got updated at
https://crrev.com/c/597990 and the rest of the tests will get
temporarily disabled at https://crrev.com/c/605408 .
TBR=verwaest@chromium.org
Bug: v8:6156
Change-Id: I09709a90995d82a03996d0347e5a1d8425b5db9c
Reviewed-on: https://chromium-review.googlesource.com/563152
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47572}
DEBUG builds pull in all sorts of instrumentation infrastructure that
leads to larger heaps. The check for intial size is only useful for
release builds.
Bug: v8:6746
Change-Id: I5ab220d21167e69d7fb32c9db68045368c4ef178
R: ulan@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/631876
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47565}
The {WireBytesRef} constructor checks that {offset + length} does not
overflow. Hence we need to check for illegal sizes before constructing
the {WireBytesRef}.
The {consume_bytes} function already does that, so remove the
redundant hand-written checking.
R=titzer@chromium.org
Bug: chromium:752781
Change-Id: If3a2946a62fa38cc668695ed7186b9751a1f356f
Reviewed-on: https://chromium-review.googlesource.com/605894
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47563}
API resolves functions to its .prototype property to make possible
queries like queryObjects(Object), queryObjects(HTMLElement), e.t.c.
R=dgozman@chromium.org
Bug: v8:6732
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ie8dc2288fa7e59c69f9b2647a9d5e35f0ac9215f
Reviewed-on: https://chromium-review.googlesource.com/630244
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47561}
With the removal of Crankshaft, kNumber has become obsolete as
BinaryOperationFeedback. Turbofan uses kNumberOrOddball.
Bug:
Change-Id: If577f5efcc81d7c08f43908f2764ff0ec6f8747c
Reviewed-on: https://chromium-review.googlesource.com/628376
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47555}
BytecodeGenerator previously assumed that any UNALLOCATED variable
must be a global object property, but that's incorrect for global
lexical variables declared in a different script.
This patch fixes the behavior by always falling back to the runtime
to deal with deleting UNALLOCATED variables. This is sub-optimal,
but should be correct, and it's unclear if speed is important for
this case.
Bug: v8:6733
Change-Id: I83c2a0b6e30e5e5f4c79bfe14ebf196529816c71
Reviewed-on: https://chromium-review.googlesource.com/627636
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47554}
- Convert S.p.includes builtin from CPP to TFJ
- Fast paths S.p.includes(str) and S.p.includes(str, smi)
- Add Runtime kStringIncludes
- Add StringIncludesIndexOfAssembler (Generate is based on
StringPrototypeIndexOf builtin)
- S.p.includes and S.p.indexOf both use StringIncludesIndexOfAssembler
Quick measurements show 3x improvement for S.p.includes(str).
More about the measurements: https://gist.github.com/peterwmwong/7a2a96f3171a52f16ca8125a089f38e7
Bug: v8:6680
Change-Id: I79cb8dbe2b79e6df15aa734e128eee25c7e6aaf5
Reviewed-on: https://chromium-review.googlesource.com/620150
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47546}
This change prevents constant folding of uninhabited RefenceEqual node
because that could widen a type (from None type to the type of the
boolean constant).
Hopefully, this is a temporary workaround that will be replaced
by a better dead code elimination.
Bug: v8:6631
Change-Id: Ie25e7d710aaf1d37c9adba60f92438570843dd5d
Reviewed-on: https://chromium-review.googlesource.com/627916
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47545}
Due to shortcuts we take on the RegExp.p[@@split] fast path (we don't allocate
a new instance), we need to send sticky regexps to the slow path.
The problem is a slight impedance mismatch between the spec and our fast-path
implementation.
Spec: Creates a new regexp instance `splitter` that is guaranteed to be sticky,
uses `splitter.lastIndex` to advance the search range, advances by itself using
AdvanceStringIndex if `splitter` did not match at the current position.
Our fast path: Uses the given regexp instance and does not modify stickyness,
uses last_match_info to advance search range, returns (and assumes no more
matches) once RegExpExecInternal fails to match.
This is fine if the given regexp is non-sticky, since 1. the value of lastIndex
is ignored, and 2. non-sticky regexps match if a match is found anywhere in the
string, not just exactly at the current lastIndex.
Sticky regexps though are a problem. If no match is found exactly at the current
position, @@split assumes no more matches and exits.
In a follow-up, we could explore other options, such as allocating a new
instance or saving/restoring flags and lastIndex.
Bug: v8:6706
Change-Id: I6da2266df72b2f80f00c1ce3cd7c8655de91f680
Reviewed-on: https://chromium-review.googlesource.com/626065
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47543}
The initialization code of all modules must have been run
before running any module's main code. This should have been
fixed quite a while ago as part of another CL but somehow
wasn't.
In the process of fixing it now, I'm also moving the initialization
phase out of Evaluate into Instantiatiate. This corresponds more
closely to the specification and avoids confusion.
Bug: v8:1569
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I3ea5d6be0f5d371e6a4c641778c51762f1867dc8
Reviewed-on: https://chromium-review.googlesource.com/620653
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47537}
Add "detailed" flag to Profiler.startPreciseCoverage to specify
granularity (block coverage vs function coverage).
The default value is currently set to FLAG_block_coverage, which
is currently true. This is so that the V8 roll does not break
LayoutTests. I'll set it to false once I made changes to Blink.
R=jgruber@chromium.org, pfeldman@chromium.org
Bug: v8:6738
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I7242e897ab02713188a5292ca8c8bb58985e3a9b
Reviewed-on: https://chromium-review.googlesource.com/625616
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47533}
Code size in snapshot can be reduced ~41KB
Contributed by kanghua.yu@intel.com
Bug: None
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ib73af39fe97cd38728affea40c593236f15bf6e5
Reviewed-on: https://chromium-review.googlesource.com/588751
Commit-Queue: Pan Deng <pan.deng@intel.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47531}
It caused crashes in the extension process on Canary.
This reverts commit b6059a67ca.
Also revert followup test CL:
"[api] Add test for EnumeratorCallback and for...in."
as it depends on the logic in the reverted change.
This reverts commit 56772de7f9.
Bug: chromium:757371, v8:6627
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Id110128e6dc858a5a60ffc0175e8bb927b90bfc5
Reviewed-on: https://chromium-review.googlesource.com/626720
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47522}
Code aging is no longer supported by any remaining compilers now
that full codegen has been removed. This CL removes all vestiges of
code aging.
BUG=v8:6409
Change-Id: I945ebcc20c7c55120550c8ee36188bfa042ea65e
Reviewed-on: https://chromium-review.googlesource.com/619153
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47501}
Instead of creating a new character stream to re-parse the asm.js module,
use the existing stream which was used by the parser. By doing this, we
avoid accessing the heap if the original character stream is a streaming
source or an external string, which will enable asm.js verification to run
off-thread in those situations.
BUG=v8:5203
Change-Id: I5dbf83c993512eb2f3dd709120e152e3f9900bdf
Reviewed-on: https://chromium-review.googlesource.com/616723
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47500}
This makes sure that shift expressions (not wrapped in parentheses) can
appear as part of the index in a valid heap access expression. Only the
last operand of a sequence of shift expressions is taken into account
when validating the heap access.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-6700
BUG=v8:6700,chromium:754751
Change-Id: Icc7a71bd64461da4d3daea41b995964e3dfc6dc6
Reviewed-on: https://chromium-review.googlesource.com/623811
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47497}
If the elements fixed array is large enough, it must be allocated in
large-object space. This fixes two cases in which we'd incorrectly
assume elements fits into new space.
There are potentially quite a few other spots affected by a similar
issue, and we should find a more robust solution. See also:
crbug.com/636391.
Bug: v8:6716
Change-Id: I91f09355ac6b7cf399e13cc21d34113a506e58fb
Reviewed-on: https://chromium-review.googlesource.com/623808
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47495}
There's no need for these to be static.
Bug: v8:5717
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ia704cdcb9ee9666c7724b78d58c56217cd5876ae
Reviewed-on: https://chromium-review.googlesource.com/624869
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47490}
This no longer causes allocation, so it's safe to unhandlify.
This will allow us to use directly call into C++ (via CallCFunction)
to calculate the hash instead of going through the runtime (via
%GenericHash).
Bug: v8:5717
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ia561efb4d89d7a3d10c28913537b45b3ce477bb3
Reviewed-on: https://chromium-review.googlesource.com/624519
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47489}
This feature is a stage 3 proposal implemented as a
wrapper around ICU that categorizes singular/plural/etc
grammatical forms based on a number and locale.
Based on littledan's work started here:
https://codereview.chromium.org/2736543002/
Bug: v8:5601
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I4107cd28be72413ec43aa1ff0f4fe6e181a290f4
Reviewed-on: https://chromium-review.googlesource.com/562298
Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47485}
This API generates inspectRequested call with hints.queryObjects flag.
It's not possible to expose this method by itself since command line
API methods can leak.
R=pfeldman@chromium.org
Bug: v8:6732
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I3c582186f65d84a25eed910925a1b6ab36966a72
Reviewed-on: https://chromium-review.googlesource.com/622370
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47480}
The new node behave the same as its counterpart, CallCFunction, with the
additional saving and restoring caller saved registers before and after
the function call.
Bug: chromium:749486
Change-Id: I0a1dfb2e4e55f7720541a00e6d16fd20220f39ed
Reviewed-on: https://chromium-review.googlesource.com/620709
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47479}
Runtime.queryObjects method:
1. force gc,
2. iterate through heap and get all objects with passed constructorName
or with passed constructor name in prototype chain,
3. return these objects as JSArray.
Main use case is regression tests for memory leaks.
R=pfeldman@chromium.org,alph@chromium.org,ulan@chromium.org
Bug: v8:6732
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I52f0803366f14bb24376653615d870a4f21f83e7
Reviewed-on: https://chromium-review.googlesource.com/619594
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47478}
Changes the contract of the parser to have a valid character stream passed
in the ParseInfo rather than the current situation where either:
- it is passed explicitly (e.g., for streaming scripts)
- a Script is passed and a character stream is created for this
- or a source and encoding is passed in ParseInfo and the character stream
is created from this.
The parse info also now owns the character stream (in a unique_ptr). It
can be destroyed using a new ResetCharacterStream() function. This will
enable the character stream to be kept live if any functions are asm.js
modules which were parsed, in order to be reused by the asm.js parser.
BUG=v8:5203
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ifda167391b2eadb38ebf9fcb2f565d2ed9ea3c6f
Reviewed-on: https://chromium-review.googlesource.com/616767
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47474}
This reverts commit a241576fa1.
Bytecode array visitor has a side-effect of incrementing the age counter.
This patch makes the increment atomic and thus safe for the concurrent
marker.
Bug: chromium:694255
Change-Id: Ibe1d75714a5911385b06e52ed50b5f152ec6b73d
Reviewed-on: https://chromium-review.googlesource.com/622432
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47472}
The quite common empty object literal doesn't need an AllocationSite
since it starts off with the general ElementsKind. By using a separate
bytecode we can directly instantiate the empty object without jumping
to the runtime first.
Note: this experimentally disables pretenuring for empty object
literals. Depending on the outcome of our benchmarks pretenuring
will be enabled again or fully removed for empty object literals.
Bug: v8:6211
Change-Id: I2fee81cbefc70865fc436dbd3bc5fc8de04db91c
Reviewed-on: https://chromium-review.googlesource.com/577555
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47467}
This CL introduces 4 tests that verify that the effects of a grow_memory
instruction executed inside a loop are visible also when the loop is over.
The tests verify the output of the current_memory instruction and the
result of loading a variable stored in the grown memory inside the
loop in the following cases:
* the memory is grown inside the loop (no memory operation outside);
* the memory is grown both inside and outside the loop;
R=ahaas@chromium.org,clemensh@chromium.org,gdeepti@chromium.org
Change-Id: I1670aa4d8274f6c54dced98cced7b51534552c36
Reviewed-on: https://chromium-review.googlesource.com/619207
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Enrico Bacis <enricobacis@google.com>
Cr-Commit-Position: refs/heads/master@{#47466}
The effect of array/string trimming on space size is postponed until sweeping
completes. This simplifies runtime code and fixes live byte update race with
the concurrent marker.
This patch restores monotonicity of PromotedSinceLastGC by notify the heap
when sweeper discovers more free space than estimated.
Bug: chromium:694255
Change-Id: I7a8c24f2c3398bc0c8a43ffd1d35ace68010cd65
Reviewed-on: https://chromium-review.googlesource.com/621326
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47464}
As specified in Annex B.3.6., initializers are allowed in sloppy mode var
declarations in for-in loops.
As a consequence, "in" is one of the tokens that can follow an
AssignmentExpression - this was not recognized before.
BUG=v8:6715
Change-Id: Idbf79bda39beef4e568d630e0b5e239a34397952
Reviewed-on: https://chromium-review.googlesource.com/620728
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47463}
This is a reland of decf5750c6
This patch fixes the hash code migration in the backing store
transition case from Smi to PropertyArray in the IC system and
Turbofan. Also, adds tests.
Bug: v8:6413, v8:6404
Original change's description:
> [runtime] Store hash code in length field
>
> Store the hash code in 21 bits of the length field.
>
> Change the GetIdentityHash API to be unhandlified, since there's no
> property lookup anymore.
>
> Update js/ and test/ to match new API and expections.
>
> Bug:
> Change-Id: I8dc75de4021f59e79b45f3f38ec997c3b3687b24
> Reviewed-on: https://chromium-review.googlesource.com/589688
> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47259}
Change-Id: I69289113c4b7978c46f6f9373cc972086ecb6822
Bug:
Reviewed-on: https://chromium-review.googlesource.com/614903
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47459}
This reverts commit af37f6b970.
Reason for revert: Reverted dependency fixed.
Original change's description:
> Revert "[wasm] Reference indirect tables as addresses of global handles"
>
> This reverts commit 186099d49f.
>
> Reason for revert: Need to revert:
> https://chromium-review.googlesource.com/c/613880
>
> Original change's description:
> > [wasm] Reference indirect tables as addresses of global handles
> >
> > This sets us up for getting the wasm code generation off the GC heap.
> > We reference tables as global handles, which have a stable address. This
> > requires an extra instruction when attempting to make an indirect call,
> > per table (i.e. one for the signature table and one for the function
> > table).
> >
> > Bug:
> > Change-Id: I83743ba0f1dfdeba9aee5d27232f8823981288f8
> > Reviewed-on: https://chromium-review.googlesource.com/612322
> > Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
> > Reviewed-by: Brad Nelson <bradnelson@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#47444}
>
> TBR=bradnelson@chromium.org,titzer@chromium.org,mtrofin@chromium.org
>
> Change-Id: Ic3dff87410a51a2072ddc16cfc83a230526d4c56
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Reviewed-on: https://chromium-review.googlesource.com/622568
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47450}
TBR=bradnelson@chromium.org,machenbach@chromium.org,titzer@chromium.org,mtrofin@chromium.org
Change-Id: I3dc5dc8be26b5462703edac954cbedbb8f504c1e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/622035
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47455}
This reverts commit e79d4f06fd.
Reason for revert: Fixed compile error
Original change's description:
> Revert "[wasm] Move the ModuleEnv to compiler and make it immutable."
>
> This reverts commit d04660db3f.
>
> Reason for revert: Suspect for blocking the roll:
> https://chromium-review.googlesource.com/c/621191
>
> See:
> https://build.chromium.org/p/tryserver.chromium.win/builders/win_optional_gpu_tests_rel/builds/13583
>
> Original change's description:
> > [wasm] Move the ModuleEnv to compiler and make it immutable.
> >
> > This CL (finally) makes the contract between the compiler and the module
> > environment clear. In order to compile a function, the caller must provide
> > an instance of the compiler::ModuleEnv struct, which contains references
> > to code, function and signature tables, memory start, etc.
> >
> > R=mtrofin@chromium.org,ahaas@chromium.org
> >
> > Bug:
> > Change-Id: I68e44d5da2c5ad44dad402029c2e57f2d5d25b4f
> > Reviewed-on: https://chromium-review.googlesource.com/613880
> > Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
> > Reviewed-by: Andreas Haas <ahaas@chromium.org>
> > Commit-Queue: Ben Titzer <titzer@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#47418}
>
> TBR=titzer@chromium.org,mtrofin@chromium.org,ahaas@chromium.org
>
> Change-Id: I60a369a43121720fbb13ea6c2ec6ca948d60a20b
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Reviewed-on: https://chromium-review.googlesource.com/622547
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47451}
TBR=machenbach@chromium.org,titzer@chromium.org,mtrofin@chromium.org,ahaas@chromium.org
Change-Id: Ie0efa6204c41b2cb672586a7ac0a622ca13ce5fe
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/622033
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47453}
This CL introduces 8 tests that verify that the effects of a grow_memory
instruction executed inside a conditional branch are visible also when
the branch is merged.
The tests verify the output of the current_memory instruction and the
result of loading a variable stored in the grown memory inside the
branch in the following cases:
* the memory is grown inside the if branch (with no else branch);
* the memory is grown inside the if branch (when an else branch exists);
* the memory is grown inside the else branch;
* the memory is grown by different amount of pages inside both the if
and else branches.
R=ahaas@chromium.org,clemensh@chromium.org,gdeepti@chromium.org
Change-Id: I8127ebdf959eed5b7b5ca5aa6033a7ea41465f32
Reviewed-on: https://chromium-review.googlesource.com/617222
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Enrico Bacis <enricobacis@google.com>
Cr-Commit-Position: refs/heads/master@{#47452}
This reverts commit d04660db3f.
Reason for revert: Suspect for blocking the roll:
https://chromium-review.googlesource.com/c/621191
See:
https://build.chromium.org/p/tryserver.chromium.win/builders/win_optional_gpu_tests_rel/builds/13583
Original change's description:
> [wasm] Move the ModuleEnv to compiler and make it immutable.
>
> This CL (finally) makes the contract between the compiler and the module
> environment clear. In order to compile a function, the caller must provide
> an instance of the compiler::ModuleEnv struct, which contains references
> to code, function and signature tables, memory start, etc.
>
> R=mtrofin@chromium.org,ahaas@chromium.org
>
> Bug:
> Change-Id: I68e44d5da2c5ad44dad402029c2e57f2d5d25b4f
> Reviewed-on: https://chromium-review.googlesource.com/613880
> Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47418}
TBR=titzer@chromium.org,mtrofin@chromium.org,ahaas@chromium.org
Change-Id: I60a369a43121720fbb13ea6c2ec6ca948d60a20b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/622547
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47451}
This reverts commit 186099d49f.
Reason for revert: Need to revert:
https://chromium-review.googlesource.com/c/613880
Original change's description:
> [wasm] Reference indirect tables as addresses of global handles
>
> This sets us up for getting the wasm code generation off the GC heap.
> We reference tables as global handles, which have a stable address. This
> requires an extra instruction when attempting to make an indirect call,
> per table (i.e. one for the signature table and one for the function
> table).
>
> Bug:
> Change-Id: I83743ba0f1dfdeba9aee5d27232f8823981288f8
> Reviewed-on: https://chromium-review.googlesource.com/612322
> Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
> Reviewed-by: Brad Nelson <bradnelson@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47444}
TBR=bradnelson@chromium.org,titzer@chromium.org,mtrofin@chromium.org
Change-Id: Ic3dff87410a51a2072ddc16cfc83a230526d4c56
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/622568
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47450}
This reverts commit ed06fc9127.
Reason for revert: Need to revert previous CL
Original change's description:
> [wasm] Rename TestingModule to TestingModuleBuilder.
>
> This is a followup to moving the ModuleEnv to the compiler directory and
> making it immutable.
>
> R=mtrofin@chromium.org, ahaas@chromium.org
>
> Bug:
> Change-Id: I0f5ec1b697bdcfad0b4dc2bca577cc0f40de8dc0
> Reviewed-on: https://chromium-review.googlesource.com/616762
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47419}
TBR=titzer@chromium.org,mtrofin@chromium.org,ahaas@chromium.org
Change-Id: I9b3b379e89f523c2fcf205a1d268aa294bbc44ff
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/622567
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47448}
Parse tasks are not currently used, and will need to be changed significantly
for background compilation, so we remove them for now.
BUG=v8:6093,v8:5203
Change-Id: I44559a94ecca85668f0117629d35aaa5f4075745
Reviewed-on: https://chromium-review.googlesource.com/617140
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47446}
If a QueryCallback is present, it is used to
filter the result from the EnumeratorCallback for
enumerable properties. This tests assures that
for...in loops work correctly with these interceptors.
Bug: v8:6627
Change-Id: I1e568beac1e138a330034492b87bd49c22e0c804
Reviewed-on: https://chromium-review.googlesource.com/609982
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47445}
This sets us up for getting the wasm code generation off the GC heap.
We reference tables as global handles, which have a stable address. This
requires an extra instruction when attempting to make an indirect call,
per table (i.e. one for the signature table and one for the function
table).
Bug:
Change-Id: I83743ba0f1dfdeba9aee5d27232f8823981288f8
Reviewed-on: https://chromium-review.googlesource.com/612322
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47444}
The V8 API provides interceptors. They are not part of the
EcmaScript specification. But their behavior should be consistent.
For example, when an EnumeratorInterceptor is defined, Object.keys(),
Object.entries(), and Object.values() should all have the
same number of entries.
This CL creates consistent behavior among these
functions. If a QueryCallback is present, it is used to
filter the result from the EnumeratorCallback for
enumerable properties.
Bug: v8:6627
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ie51e69bb77099d9fafc4b1ea02671eced610edba
Reviewed-on: https://chromium-review.googlesource.com/609068
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47442}
Currently, Declaration stores a Scope pointer to whichever Scope the
declaration appeared in. This is used to disallow var declarations
being hoisted over lexical declarations. For example:
{
let x;
{ var x; }
}
But in fact this is the only sort of case where storing the scope
is required: for lexical declarations (including function declarations
appearing in blocks), Declaration::scope() was always identical to
Declaration::proxy()->var()->scope(). That is, only var declarations
end up "nested" in this way.
This patch adds a subclass of VariableDeclaration to store the Scope.
Since the only thing that cares about that data is Scope analysis,
this isn't treated as a distinct AstNode::NodeType from VariableDeclaration,
leaving all AstVisitors untouched in the process.
Also reworked the logic in Scope::CheckConflictingVarDeclarations() for
clarity after making changes to accomodate the new code.
Change-Id: I6ee4298700508ab9e28a76ddb8504bae68bc473f
Reviewed-on: https://chromium-review.googlesource.com/619595
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47441}
This fixes layering between page and its owner, so that the page does
not update the owner state.
Bug: chromium:694255
Change-Id: Ic4f594340bed42d4f2c13d0a30f451317cbc9f50
Reviewed-on: https://chromium-review.googlesource.com/620732
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47437}
Before 983eec8979, RewritableExpressions
which had been queued for destructuring assignment rewriting but which
turned out to be part of a binding pattern in arrow function parameters
would be silently ignored by the PatternRewriter. After that CL, they
failed with a DCHECK.
This patch reverts to the previous behavior, with a TODO to handle this
in a better way by dequeuing RewritableExpressions that turned out
to be part of an inner arrow function.
Bug: chromium:756332
Change-Id: I0a9bf51499940c944034d9a8128e89950de38059
Reviewed-on: https://chromium-review.googlesource.com/619506
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47435}
Many handlers are not used again, so we can improve the cache hit rate
by caching fewer handlers. Specifically, in this CL, when a StoreIC
miss causes a new map transition to be created, then the handler is not
cached right away yet (it will be cached next time, when the transition
exists already).
Also, fix an embarrassing bug where growing a TransitionArray dropped
cached handlers. That further improves the cache hit rate. ;-)
Bug: chromium:752867, chromium:753819
Change-Id: Id8db5ca1e780a5fe8fc61db7f20996e61c65a90e
Reviewed-on: https://chromium-review.googlesource.com/619851
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47433}
(source_length - 1) can be overflowed, and cause OOB access when source_length
is zero. Thus, just do not operate setting if source_length is zero when
starting TypedArraySetFromOverlapping.
Bug: v8:6704
Change-Id: I5da60590c9a197eae96625a12720f6818b8c598a
Reviewed-on: https://chromium-review.googlesource.com/620452
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47430}
The crash used to happen when trap is a Smi.
Bug: chromium:756608
Change-Id: I0a6f0328afc64d8e521b5b370a291f9aef6b08d0
Reviewed-on: https://chromium-review.googlesource.com/620647
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@google.com>
Cr-Commit-Position: refs/heads/master@{#47429}
Fix MaxIndex in test-gap-resolver.cc so that the above check doesn't
fire.
Change-Id: I6588800281d797f3f8b33ced4c1b03315196fe44
Reviewed-on: https://chromium-review.googlesource.com/618809
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Cr-Commit-Position: refs/heads/master@{#47421}
This is a followup to moving the ModuleEnv to the compiler directory and
making it immutable.
R=mtrofin@chromium.org, ahaas@chromium.org
Bug:
Change-Id: I0f5ec1b697bdcfad0b4dc2bca577cc0f40de8dc0
Reviewed-on: https://chromium-review.googlesource.com/616762
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47419}
This CL (finally) makes the contract between the compiler and the module
environment clear. In order to compile a function, the caller must provide
an instance of the compiler::ModuleEnv struct, which contains references
to code, function and signature tables, memory start, etc.
R=mtrofin@chromium.org,ahaas@chromium.org
Bug:
Change-Id: I68e44d5da2c5ad44dad402029c2e57f2d5d25b4f
Reviewed-on: https://chromium-review.googlesource.com/613880
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47418}
This patch changes how space size and capacity are updated in GC:
- space capacity changes only when a page added/removed from the space.
- space size is reset to zero before sweeping and incremented by
page->live_bytes_count_ for each to-be-swept page.
- space size is refined after sweeping using the accurate
page->allocated_bytes counter produces by the sweeper.
Invariants:
1. space.capacity = sum [page.size | for page in space].
2. After marking, before sweeping:
a) space.size = sum [page.live_bytes_count | for page in space].
3. After sweeping, before marking ends:
a) space.size = sum [page.allocated_bytes | for page in space].
b) page.allocated_bytes >= (sum [object.size | for object in page] +
page.linear_allocation_area).
c) page.area_size = (page.allocated_bytes + page.wasted_memory +
sum [free_list_entry.size | for free_list_entry in page].
3.b becomes equality if the mutator is not doing array trimming,
object slack tracking during sweeping.
Bug: chromium:694255
Change-Id: Ic8d16a8171187a113fee2df8bf3c2a4c5e77bc08
Reviewed-on: https://chromium-review.googlesource.com/618889
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47409}
The bug was that we didn't track using await as a class name inside
arrow function formal parameters, and hence didn't recognize the error
in this case:
async(x = class await {}) => {}
BUG=v8:6714
Change-Id: Iabe6c947a4f621fb72361671d77f4765ba1a9578
Reviewed-on: https://chromium-review.googlesource.com/616776
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47407}
Move the desugaring into BytecodeGenerator per TODOs.
BUG=v8:6472
R=tebbi@chromium.org, rmcilroy@chromium.org, jgruber@chromium.org
Change-Id: Ic482bee18d6e6fe73de4c5f9abaf4feda7be2dd5
Reviewed-on: https://chromium-review.googlesource.com/550396
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#47403}
Make it consistent so that registers in all architecture have a member
function called `bit()`.
Bug:
Change-Id: Ie6323f81d4ecab1557259a43a30100d8da8b35f1
Reviewed-on: https://chromium-review.googlesource.com/618872
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47401}
This is a reland of 21da12a983
Original change's description:
> [Compiler] Remove CompileDebugCode and EnsureBytecode and replace with Compile
>
> Removes the Compiler::CompileDebugCode and Compiler::EnsureBytecode functions
> and replaces them with a Compiler::Compile(Handle<SharedFunctionInfo> shared)
> function. The code in compiler.cc is refactored to use this function to compile
> the SharedFunctionInfo when compiling a JSFunction.
>
> Also does some other cleanup:
> - Removes CompileUnoptimizedFunction and inlines into new Compiler function
> - Moves code to create top level SharedFunctionInfo into CompilerTopLevel and
> out of FinalizeUnoptimizedCompile.
>
> BUG=v8:6409
>
> Change-Id: Ic54afcd8eb005c17f3ae6b2355060846e3091ca3
> Reviewed-on: https://chromium-review.googlesource.com/613760
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47394}
TBR=yangguo@chromium.orgTBR=jarin@chromium.org
Bug: v8:6409
Change-Id: If2eae66a85f129e746a5ca5c04935540f3f86b04
Reviewed-on: https://chromium-review.googlesource.com/618886
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47399}
This CL introduces 6 tests that verify that the effects of a grow_memory
instruction executed inside a function are visible also from the caller of
the function.
The tests verify that:
* the current_memory instruction returns the correct value after
returning from a function that grew memory;
* accessing a memory page that has been created inside a function does
not trap in the caller;
* when a function grows the memory and then store something in the grown
memory, the caller always reads from the grown memory. This checks that
the memory start address gets updated in the caller (the memory buffer
could in fact be relocated by the grow_memory instruction).
These tests are implemented for direct and indirect function calls.
R=ahaas@chromium.org,clemensh@chromium.org
Change-Id: Iac8db0fa7a6dd6f530e090af5423fc165d87e863
Reviewed-on: https://chromium-review.googlesource.com/616150
Commit-Queue: Enrico Bacis <enricobacis@google.com>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47398}
This reverts commit 21da12a983.
Reason for revert: Failing on arm64 simulator
Original change's description:
> [Compiler] Remove CompileDebugCode and EnsureBytecode and replace with Compile
>
> Removes the Compiler::CompileDebugCode and Compiler::EnsureBytecode functions
> and replaces them with a Compiler::Compile(Handle<SharedFunctionInfo> shared)
> function. The code in compiler.cc is refactored to use this function to compile
> the SharedFunctionInfo when compiling a JSFunction.
>
> Also does some other cleanup:
> - Removes CompileUnoptimizedFunction and inlines into new Compiler function
> - Moves code to create top level SharedFunctionInfo into CompilerTopLevel and
> out of FinalizeUnoptimizedCompile.
>
> BUG=v8:6409
>
> Change-Id: Ic54afcd8eb005c17f3ae6b2355060846e3091ca3
> Reviewed-on: https://chromium-review.googlesource.com/613760
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47394}
TBR=rmcilroy@chromium.org,yangguo@chromium.org,jarin@chromium.org,leszeks@chromium.org
Change-Id: I4ba63e82417a185f1528ff2633eb6c8872fbbfe5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6409
Reviewed-on: https://chromium-review.googlesource.com/618687
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47397}
The WASM spec maximum memory size is higher than internal V8 maximum object
size. When a memory object grows above this limit (and only in that case), we
should signal an error.
This worked for not-exported memory; however when growing exported memory, the
code was comparing the V8 memory limit with the maximum number of pages defined
in the module, instead of the current number of pages + the number of new
required pages. This lead to signaling errors even when growing exported memory
below the V8 limit if the maximum number of pages specified in the module was
higher than the V8 limit.
GrowMemoryBuffer already checks that we do not grow a memory buffer past the
maximum size specified as parameter, so we can pass it the minimum between the
the V8 limit and the maximum number of pages specified in the module.
This CL introduces a test in test/mjsunit/wasm/import-memory.js that triggers
the problematic path and a patch to fix it.
R=ahaas@chromium.org,clemensh@chromium.org,gdeepti@chromium.org
Change-Id: I5a8da420418b394d61e1ba3cdf4408c3c09e61b6
Reviewed-on: https://chromium-review.googlesource.com/600217
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Enrico Bacis <enricobacis@google.com>
Cr-Commit-Position: refs/heads/master@{#47395}
Removes the Compiler::CompileDebugCode and Compiler::EnsureBytecode functions
and replaces them with a Compiler::Compile(Handle<SharedFunctionInfo> shared)
function. The code in compiler.cc is refactored to use this function to compile
the SharedFunctionInfo when compiling a JSFunction.
Also does some other cleanup:
- Removes CompileUnoptimizedFunction and inlines into new Compiler function
- Moves code to create top level SharedFunctionInfo into CompilerTopLevel and
out of FinalizeUnoptimizedCompile.
BUG=v8:6409
Change-Id: Ic54afcd8eb005c17f3ae6b2355060846e3091ca3
Reviewed-on: https://chromium-review.googlesource.com/613760
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47394}
The accumulator should never be alive when jumping back to a loop
header, or jumping out of a loop. This means that as far as far as
TurboFan is concerned, we never need to create Phis or LoopExitValues
for the accumulator, as its value should not escape the loop.
For safety, this also augments the IsLivenessValid DCHECK in the
liveness analysis to check that the accumulator is not live in these
cases, and amends the bytecode analysis tests to kill the accumulator
where necessary to ensure this.
As a drive-by, added some comments to the more complex bytecode analysis
tests, since figuring out what they were for and how to fix them took a
non-trivial amount of time.
Change-Id: Idecf76a36681d724134c59768650c23cc6b0e9ef
Reviewed-on: https://chromium-review.googlesource.com/615168
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47388}
This removes brittle Scope walking in FinalizeForOfStatement()
by making ParserBase call InitializeForEachStatement() while
in the proper Scope.
Bug: v8:6724
Change-Id: I6e828ccb3a5e4d98633a95a2bfb8d255ad0fc0eb
Reviewed-on: https://chromium-review.googlesource.com/614654
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47376}
Makes ClusterFuzz start fuzzing with the flag on.
BUG=v8:5516
Change-Id: Ia80f7d22f12fe25efb226102a896e8b0e3537947
Reviewed-on: https://chromium-review.googlesource.com/610000
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47366}
This removes:
- CodeBreakIterator for FCG code.
- RelocModes for debug breaks.
- Code generator for debug break slots.
- GC support for debug break slots.
- Code flag to indicate code with debug break slots.
- Builtin type DBG.
- Mechanisms to replace FCG code in the debugger and LiveEdit.
- Runtime entry to the debugger from debug break slots.
R=bmeurer@chromium.org, rmcilroy@chromium.org, ulan@chromium.org
Bug: v8:6409
Change-Id: I5662c8800e3ef1b1584ad107bfe0aae26c9d8abb
Reviewed-on: https://chromium-review.googlesource.com/613263
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47364}
This one allows us to support custom promises implementation.
With awaitPromise flag Runtime.evaluate awaits
Promise.resolve(<expression result>).
This also allows to await for any non-Promise value, similar to await
expression, which is more convenient for most protocol users.
R=dgozman@chromium.org
Bug: chromium:755104
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Iee798b33b6fb7de7d393372e164c0481d1bbf7eb
Reviewed-on: https://chromium-review.googlesource.com/614308
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47354}
Tests were monolithic, with large loops, and slow on ARM64. Refactor to
small tests so they can be sharded better, reduce page size to 1 to
keep the loops small.
BUG=v8:6532
Change-Id: I712551564d4a70fc12acdf114922feb614aeb271
Reviewed-on: https://chromium-review.googlesource.com/611614
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47353}
In the case of a function constructor or eval, we create a new script
object which doesn't have a script name. In this case, we traverse
upwards on the list of SFI's through script->eval_from_shared() to get
the outermost script that was not an eval script and get the script
name from that script.
Bug: chromium:746909, v8:6683, v8:5785
Change-Id: I430459f632a0e3b18fc3111a5cf1c00cedb9f520
Reviewed-on: https://chromium-review.googlesource.com/606701
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47352}
* Avoid "using namespace" statements, which trigger clang's -Wheader-hygiene
warnings in jumbo builds.
* Undefine created macros at the end of source files.
BUG=chromium:746958
Change-Id: I5d25432c314437f607b0e1be22765a6764267ba6
Reviewed-on: https://chromium-review.googlesource.com/610962
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Mostyn Bramley-Moore <mostynb@opera.com>
Cr-Commit-Position: refs/heads/master@{#47347}
Fixes the implementation of wasm exceptions to use a WasmRuntimeError
object, and set the exception tag value as a property of the
object. This guarantees that an uncaught wasm exception is treated
like all other runtime errors.
Bug: v8:6577
Change-Id: I0ab0130444e745178e86c23b3bc9fc9f385c8d05
Reviewed-on: https://chromium-review.googlesource.com/611124
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Commit-Queue: Karl Schimpf <kschimpf@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47346}
Add a benchmark for TypedArray.prototype.set when
setting from another TypedArray with a different type.
Bug: v8:6704
Change-Id: Iad5585fe7d3a28b5b1a1b1f85ec81be659959239
Reviewed-on: https://chromium-review.googlesource.com/613267
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47343}
Add benchmark for TypedArray.prototype.set when
setting from another TypedArray with the same type.
Bug: v8:6704
Change-Id: Ibde60b17aa32fb9c8237b2ab766d2b2913e256d7
Reviewed-on: https://chromium-review.googlesource.com/613264
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47342}
This follows up 4af9cfcc by separating incremental marking state
from the full MC marking state. Runtime and tests now use only
the incremental marking state. The full MC marking state used
by MC during atomic pause.
This separation decouples atomicity of markbit accesses
during incremental marking and during full MC.
Bug: chromium:694255
TBR: mlippautz@chromium.org
Change-Id: Ia409ab06515cd0d1403a272a016633295c0d6692
Reviewed-on: https://chromium-review.googlesource.com/612350
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47336}
This reverts commit 01cae9efe4.
Reason for revert: Seeing several flaky crashes on windows associated to this change:
https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20debug/builds/18407https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20debug/builds/18408
Original change's description:
> [Memory] Improve OOM callback tests.
>
> - Changes OOM tests to keep allocating more and more, starting from a
> large amount, until we exhaust address space and get a failure.
>
> Bug: v8:6635
> Change-Id: I007927c5f639ed395d90198272c93b6ee0e58249
> Reviewed-on: https://chromium-review.googlesource.com/609264
> Commit-Queue: Bill Budge <bbudge@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47328}
TBR=bbudge@chromium.org,mlippautz@chromium.org
Change-Id: Ibe49f99040e1a3c595ed836d1d40dbd0c7247d1c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6635
Reviewed-on: https://chromium-review.googlesource.com/612288
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47332}
- Changes OOM tests to keep allocating more and more, starting from a
large amount, until we exhaust address space and get a failure.
Bug: v8:6635
Change-Id: I007927c5f639ed395d90198272c93b6ee0e58249
Reviewed-on: https://chromium-review.googlesource.com/609264
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47328}
- See bug for the reduced test case.
- Not adding a regression test here: I don't want to assert that PreParser
doesn't detect the redeclaration error, OTOH I don't want to make it detect
the error either (in order to not couple detecting the error with
FLAG_experimental_preparser_analysis).
BUG=chromium:753896, v8:5516
Change-Id: I0f1beffe30e5cb48d6dbec35181980864e6df153
Reviewed-on: https://chromium-review.googlesource.com/608976
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47326}
These operators were only used by the old asm.js pipeline (with
fullcodegen and the AstGraphBuilder). When going through the new
pipeline, accesses to TypedArrays are handled by the native
context specialization during inlining.
Bug: v8:6409
Change-Id: Ib9b888c0b96f297a335580ee42dfa951bde566be
Reviewed-on: https://chromium-review.googlesource.com/612347
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47322}
Removes the new.target slot from the interpreter's fixed frame. Instead
adds a field to BytecodeArray to get the bytecode's incoming
new.target or generator object register. The InterpreterEntryTrampoline
then sets this register with the incoming new.target (or generator object)
when the function is called. This register can be directly the new.target
or generator object variable if they are LOCAL location, otherwise it is a
temporary register which is then moved to the variable's location during the
function prologue.
This fixes a hack in the deoptimizer where we would set the new.target fixed
slot to undefined in order to avoid extending it's lifetime through the
optimized code - now it's just a standard register and can be optimized away
as normal.
Bug=v8:6644
Change-Id: Ieb8cc34cccefd9fb6634a90cbc77c6002a54f2ae
Reviewed-on: https://chromium-review.googlesource.com/608966
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47320}
